Suricata Rule Development Part 1

Suricata rules are used to monitor network traffic for specific patterns or markers, often indicative of malicious behavior. These rules can provide critical insights into network activity, aid in threat detection, and contribute to proactive network security strategies.

Suricata Rule Anatomy

Here's an example of a basic Suricata rule:

action protocol from_ip port -> to_ip port (msg:"Known malicious behavior, possible X malware infection"; content:"some thing"; content:"some other thing"; sid:10000001; rev:1;)

Components of the Rule:

Header (action protocol from_ip port -> to_ip port):
- Action: Tells Suricata what to do when the rule matches:
  - alert: Generate an alert.
  - log: Log the packet without an alert.
  - drop: Block the packet (IPS mode).
- Protocol: Specifies the network protocol (tcp, udp, icmp, etc.).
- Traffic Direction:
  - -> for outbound, <- for inbound, and <-> for bidirectional.
- Ports: Define source and destination ports for evaluation.
Rule Message and Content:
- msg: Description shown when the rule triggers, often including malware info.
- content: Specific strings or values that Suricata searches for in the packet payload.
  - Example:
    content:"User-Agent|3a 20|Go-http-client/1.1|0d 0a|Accept-Encoding|3a 20|gzip";
  - Content can be optimized with rule buffers, such as http.accept for matching only HTTP Accept headers.
Additional Options:
- nocase: Makes the rule case-insensitive.
- offset: Sets the starting position in the packet for matching.
- distance: Specifies the byte distance from the previous match.
- dsize: Matches on packet payload size (e.g., dsize:>10000 for large packets).
Metadata:
- sid: Signature ID for uniquely identifying each rule.
- rev: Revision number indicating rule updates.
- reference: A URL or identifier providing context or sources for the rule.

Example Rule Usage with PCRE

Perl Compatible Regular Expressions (PCRE) enhance detection flexibility. Here’s an example:

alert http any any -> $HOME_NET any (msg: "ATTACK [PTsecurity] Apache Continuum <= v1.4.2 CMD Injection"; content: "POST"; http_method; content: "/continuum/saveInstallation.action"; offset: 0; depth: 34; http_uri; content: "installation.varValue="; nocase; http_client_body; pcre: !"/^\$?[\sa-z\\_0-9.-]*(\&|$)/iRP"; flow: to_server, established; sid: 10000048; rev: 1;)

PCRE: Allows complex pattern matching using regular expressions. It is wrapped in /.../ and can use flags like i for case insensitivity and RP for relative positioning.

IDS/IPS Rule Development Approaches

Signature-Based Detection: Matches known patterns (e.g., malware strings or packet structures). It’s precise for known threats but limited in detecting new ones.
Anomaly-Based Detection: Focuses on unusual network behaviors (e.g., data transfer patterns). It helps detect zero-day attacks but may yield false positives.
Stateful Protocol Analysis: Tracks protocol states to identify unusual transitions or behaviors, suitable for identifying protocol misuse.

Suricata Rule Development Examples

Example 1: Detecting PowerShell Empire

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible PowerShell Empire Activity Outbound"; flow:established,to_server; content:"GET"; http_method; content:"/"; http_uri; depth:1; pcre:"/^(?:login\/process|admin\/get|news)\.php$/RU"; content:"session="; http_cookie; pcre:"/^(?:[A-Z0-9+/]{4})*(?:[A-Z0-9+/]{2}==|[A-Z0-9+/]{3}=|[A-Z0-9+/]{4})$/CRi"; content:"Mozilla|2f|5.0|20 28|Windows|20|NT|20|6.1"; http_user_agent; http_start; content:".php|20|HTTP|2f|1.1|0d 0a|Cookie|3a 20|session="; fast_pattern; http_header_names; content:!"Referer"; content:!"Cache"; content:!"Accept"; sid:2027512; rev:1;)

Detects HTTP GET requests from PowerShell Empire with specific URI patterns and base64-encoded cookies.
Matches on User-Agent and excludes headers like Referer.

Example 2: Detecting Covenant

alert tcp any any -> $HOME_NET any (msg:"detected by body"; content:"<title>Hello World!</title>"; detection_filter: track by_src, count 4 , seconds 10; priority:1; sid:3000011;)

Triggers on HTTP responses containing <title>Hello World!</title> at least four times within 10 seconds from the same source.

Example 3: Covenant Detection by Size and Counter

alert tcp $HOME_NET any -> any any (msg:"detected by size and counter"; dsize:312; detection_filter: track by_src, count 3 , seconds 10; priority:1; sid:3000001;)

Detects payloads of exactly 312 bytes sent at least three times within a 10-second window.

Example 4: Detecting Sliver C2 Implant

alert tcp any any -> any any (msg:"Sliver C2 Implant Detected"; content:"POST"; pcre:"/\/(php|api|upload|actions|rest|v1|oauth2callback|authenticate|oauth2|oauth|auth|database|db|namespaces)(.*?)((login|signin|api|samples|rpc|index|admin|register|sign-up)\.php)\?[a-z_]{1,2}=[a-z0-9]{1,10}/i"; sid:1000007; rev:1;)

Detects HTTP POST requests to URIs associated with Sliver, a C2 framework, using specific directory and PHP file patterns.

Additional Rule for Sliver Detection via Cookies

alert tcp any any -> any any (msg:"Sliver C2 Implant Detected - Cookie"; content:"Set-Cookie"; pcre:"/(PHPSESSID|SID|SSID|APISID|csrf-state|AWSALBCORS)\=[a-z0-9]{32}\;/"; sid:1000003; rev:1;)

Detects cookies set with names like PHPSESSID or APISID and values matching a 32-character alphanumeric pattern, often associated with Sliver.

For further reference and advanced rule development techniques, explore Suricata’s official rule documentation.

PreviousQuestion NextSuricata Rule Development Part 2 (Encrypted Traffic)

Last updated 2 months ago

hashtagSuricata Rule Anatomy

hashtagComponents of the Rule:

hashtagExample Rule Usage with PCRE

hashtagIDS/IPS Rule Development Approaches

hashtagSuricata Rule Development Examples

hashtagExample 1: Detecting PowerShell Empire

hashtagExample 2: Detecting Covenant

hashtagExample 3: Covenant Detection by Size and Counter

hashtagExample 4: Detecting Sliver C2 Implant