Suricata Rule Development Part 2 (Encrypted Traffic)

Encrypted traffic presents challenges for network security analysis as SSL/TLS encryption hides packet contents. However, there are still identifiable features in encrypted traffic that we can leverage for detection, particularly through SSL/TLS certificates and JA3 fingerprinting.

Key Techniques for Detecting Encrypted Traffic Threats

1. SSL/TLS Certificates: During the SSL/TLS handshake, certificates exchange information such as issuer, subject, and domain, which remains unencrypted. Malicious actors may use certificates with unusual characteristics, enabling detection based on these anomalies.

2. JA3 Hashing: JA3 hashes provide a unique fingerprint of an SSL/TLS client by hashing specific attributes from the Client Hello message during the handshake. These hashes can help identify unique characteristics associated with certain malware families.

Suricata Rule Examples for Encrypted Traffic Detection

Example 5: Detecting Dridex (TLS Encrypted)

alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; byte_test:3,<,1200,0,relative; content:"|03 02 01 02 02 09 00|"; fast_pattern; content:"|30 09 06 03 55 04 06 13 02|"; distance:0; pcre:"/^[A-Z]{2}/R"; content:"|55 04 07|"; distance:0; content:"|55 04 0a|"; distance:0; pcre:"/^.{2}[A-Z][a-z]{3,}\s(?:[A-Z][a-z]{3,}\s)?(?:[A-Z](?:[A-Za-z]{0,4}?[A-Z]|(?:\.[A-Za-z]){1,3})|[A-Z]?[a-z]+|[a-z](?:\.[A-Za-z]){1,3})\.?[01]/Rs"; content:"|55 04 03|"; distance:0; byte_test:1,>,13,1,relative; content:!"www."; distance:2; within:4; pcre:"/^.{2}(?P<CN>(?:(?:\d?[A-Z]?|[A-Z]?\d?)(?:[a-z]{3,20}|[a-z]{3,6}[0-9_][a-z]{3,6})\.){0,2}?(?:\d?[A-Z]?|[A-Z]?\d?)[a-z]{3,}(?:[0-9_-][a-z]{3,})?\.(?!com|org|net|tv)[a-z]{2,9})[01].*?(?P=CN)[01]/Rs"; content:!"|2a 86 48 86 f7 0d 01 09 01|"; content:!"GoDaddy"; sid:2023476; rev:5;)

• Purpose: Detects Dridex trojan SSL certificates based on specific patterns within the SSL/TLS handshake.

• Key Options:

  • Hex values: content:"|16|"; content:"|0b|"; within:8; for the handshake and certificate type.

  • Field identifiers: countryName (2-letter code) and commonName fields are checked.

  • OIDs: ASN.1 sequences representing countryName, localityName, organizationName, etc.

  • PCRE: Checks for patterns in commonName with additional structure matching.

To test this rule, uncomment it in local.rules and run Suricata on dridex.pcap.

Example 6: Detecting Sliver (TLS Encrypted)

alert tls any any -> any any (msg:"Sliver C2 SSL"; ja3.hash; content:"473cd7cb9faa642487833865d516e578"; sid:1002; rev:1;)

• Purpose: Detects Sliver C2 traffic by matching a known JA3 hash.

• Key Options:

  • ja3.hash: Looks for the specific JA3 hash associated with Sliver.

To obtain the JA3 hash, use the ja3 tool on the sliverenc.pcap file. Uncomment this rule in local.rules and run Suricata on sliverenc.pcap to validate detection.

For further information on Suricata’s SSL/TLS detection capabilities, explore additional resources on the Suricata documentation.