A sudden idea: why not have some sort of analysers to go over any flows, HTTP logs etc. collected by Suricata, investigating common indicative behaviours to eventually determine when to alarm on possibly infected hosts. These examples are based on HTTP, and all of these could be used to assign an infection value to a host; once it passes a threshold a detailed alert can be generated. I know there are many more indicators and some may not be, but I am meaning to get the idea across. I am not saying this should be done in real time or even by the main processes in Suricata; just analysers to go over collected logs to determine indicative behaviour (this could also be done even if you only had short-term kept logs for things like flows, HTTP logs, DNS logs, FTP logs (FTP to detect data uploads) etc.). A combination of characteristics, perhaps not just across HTTP logs or whatever, but many could determine infection possibilities (i.e. host looks up either known bad domains or more unique domains and those that indicate fast flux, then it uses repetitive HTTP checkins and occasionally may download updated binaries and so on).

Kevin

- Host makes REPETITIVE GET or POST requests to more disparate hosts than other hosts, possibly followed by an OK message from the server, even without any data in the body, followed by no further communication

- Host sends POST or GET requests repeatedly with a high percentage of repetition and frequency of values such as &os=, &mac=, &pid= and so on. Possibly this sort of message followed by repetitive checkin messages

- Host receives executables with minimal effort (i.e. checkin, redirect, EXE download)

- Host uses new user-agents following possible malware download (EXE and so on).

- Host communicates with a high frequency of HTTP servers without FQDN (such as 92.23.X.X/stat.html instead of www.iamok.com or something and others, possibly displaying repetition).

- Communication flows are very small, short and show particular characteristics (i.e. small bursts of similar-length communications and possibly repetitive time intervals between bursts).

- Host communicates using suspicious HTTP headers (like the ETPRO sigs)

- Host POSTs a short amount of data which (when things like gzip are removed) has high entropy, indicating encrypted communications with CnC
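As an added illustration of the scoring idea in the post (example code, not part of the original message or of Suricata itself): an offline analyser that reads Suricata eve.json "http" records, sums weights for several of the indicators listed above (bare-IP hostnames, repetitive os=/mac=/pid= check-ins, empty 200 replies, an executable download followed by a new user-agent) and reports only hosts whose infection value passes a threshold. The sample records, the indicator weights and the threshold are constructed assumptions, not real traffic or tuned values.

```python
import ipaddress, json
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit
CHECKIN_KEYS = {"os", "mac", "pid"}       # beacon-style query keys named in the post
EXE_TYPES = {"application/x-msdownload"}   # assumed content-type marking an EXE download
THRESHOLD = 4                              # assumed alert threshold for the infection value
# Constructed eve.json "http" records (not real traffic): 10.0.0.5 checks in to a bare IP,
# pulls an executable, then checks in with a new user-agent; 10.0.0.7 browses normally.
EVE_LINES = [
    '{"event_type":"http","src_ip":"10.0.0.5","http":{"hostname":"203.0.113.9","url":"/s.php?os=7&mac=a&pid=1","http_user_agent":"Mozilla/4.0","status":200,"length":0}}',
    '{"event_type":"http","src_ip":"10.0.0.5","http":{"hostname":"203.0.113.9","url":"/s.php?os=7&mac=a&pid=2","http_user_agent":"Mozilla/4.0","status":200,"length":0}}',
    '{"event_type":"http","src_ip":"10.0.0.5","http":{"hostname":"203.0.113.9","url":"/s.php?os=7&mac=a&pid=3","http_user_agent":"Mozilla/4.0","status":200,"length":0}}',
    '{"event_type":"http","src_ip":"10.0.0.5","http":{"hostname":"203.0.113.9","url":"/u.bin","http_user_agent":"Mozilla/4.0","status":200,"http_content_type":"application/x-msdownload","length":40960}}',
    '{"event_type":"http","src_ip":"10.0.0.5","http":{"hostname":"203.0.113.9","url":"/s.php?os=7&mac=a&pid=4","http_user_agent":"upd8r/1.0","status":200,"length":0}}',
    '{"event_type":"http","src_ip":"10.0.0.7","http":{"hostname":"www.example.com","url":"/news?page=2","http_user_agent":"Mozilla/5.0","status":200,"length":8000}}',
]

def is_bare_ip(hostname):
    # Host header is an IP literal (92.23.X.X/stat.html style) rather than an FQDN
    try:
        ipaddress.ip_address(hostname.split(":")[0])
        return True
    except ValueError:
        return False

def score_host(reqs):
    # Sum indicator weights over one client's ordered http records; return (score, reasons).
    score, reasons = 0, []
    bare = sum(is_bare_ip(r.get("hostname", "")) for r in reqs)
    if bare >= 3: score += 2; reasons.append(f"{bare} requests to IP-literal hosts")
    checkins = sum(bool(CHECKIN_KEYS & set(parse_qs(urlsplit(r["url"]).query))) for r in reqs)
    if checkins >= 3: score += 2; reasons.append(f"{checkins} repetitive check-in style requests")
    empty_ok = sum(r.get("status") == 200 and r.get("length") == 0 for r in reqs)
    if empty_ok >= 3: score += 1; reasons.append(f"{empty_ok} empty 200 replies")
    exe_at = next((i for i, r in enumerate(reqs) if r.get("http_content_type") in EXE_TYPES), None)
    if exe_at is not None:
        score += 2; reasons.append("executable download")
        seen = {r.get("http_user_agent") for r in reqs[:exe_at + 1]}   # UAs used up to the download
        if any(r.get("http_user_agent") not in seen for r in reqs[exe_at + 1:]):
            score += 1; reasons.append("new user-agent after executable download")
    return score, reasons

def analyse(eve_lines, threshold=THRESHOLD):
    # Group http events by client, score each, and return only hosts at or above the threshold.
    per_host = defaultdict(list)
    for line in eve_lines:
        rec = json.loads(line)
        if rec.get("event_type") == "http":
            per_host[rec["src_ip"]].append(rec["http"])
    scored = {h: score_host(reqs) for h, reqs in per_host.items()}
    return {h: v for h, v in scored.items() if v[0] >= threshold}
```

Running `analyse(EVE_LINES)` flags only 10.0.0.5 with a score of 8 and the list of reasons, which is the kind of detailed alert the post describes; the benign browser on 10.0.0.7 scores 0.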