[Oisf-users] Suricata logs perfectly... and now ?!

Martin Holste mcholste at gmail.com
Mon Feb 27 22:46:27 UTC 2012


First off, you'll want to make sure that in addition to turning on
MALWARE you have TROJAN on as well--those are the bulk of the Zeus and
other sigs.  You will also want some of the POLICY sigs on, especially
the executable download sig.

As for the massive amount of log data:  That's something of a
specialty of mine.  I started the ELSA project to cope with exactly
the situation you describe.  Check it out here:
http://code.google.com/p/enterprise-log-search-and-archive/ .
Especially of note, ELSA will handle the HTTP logs that Suricata will
create, which really helps when you're reviewing alerts.

On Mon, Feb 27, 2012 at 4:17 PM, mc8647 <mc8647 at mclink.it> wrote:
>
> Ok, now Suricata runs and collects massive amounts of logs.... Thank you
> to everybody for your help.
>
> I started to implement suricata because in January I found several
> strange connections in proxy logs. So I started to trace them down and
> we found Zeus installed on several PCs. More PCs were infected daily,
> with the av unable to stop them.
> So I collected all the samples I could, sent to av company etc etc,
> blocked the C&C/DROP IP at the firewall, cleaned the PCs...
>
> When I could trace the infections in proxy logs I found the same log
> lines: an advertising circuit, a couple of PDF downloads, .jar files
> (org.class, net.class, com.class...) and finally the payload... Seconds
> after the payload, an HTTPS connection to a Hungarian IP (also hosting
> adult sites) started. The IP address is not listed in any "bot", "cc",
> malware-related list. Also the domains used were not blacklisted....
>
> Installing Suricata I was expecting to find a lot more infected PCs. I
> enabled only the "malware"/"botnet" related rules and I found several
> PCs with:
> ET MALWARE dialno Dialer User-Agent (dialno)
> ET MALWARE Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0)
> ET MALWARE AskSearch Toolbar Spyware User-Agent (AskTBar)
> ET MALWARE Fun Web Products Agent Traffic
> ET MALWARE Simbar Spyware User-Agent Detected
> ET MALWARE Casalemedia Spyware
>
> I also found several DROP/C&C log lines (but I don't have them with me)
> but several of them were FP and in fact updating ET rules some of the IPs
> were not listed anymore...
>
>
> Now I'd like to ask about my results:
> - is this a classic outcome of a Suricata network log? I was expecting
> way more infected PCs! Or are the "free" rules not enough to catch in
> the wild malware?
> - are these toolbar/spyware really really malware?
>
> About the logs data:
> - how do you handle all this massive log data?
> - how do you analyze it?
>
> ok, I have tons of other questions but the message is already too long,
> so I can summarize with the message title:
> Suricata now works... and now what to do with all this data?
>
> Thanks
> Francesco
>
> _______________________________________________
> Oisf-users mailing list
> Oisf-users at openinfosecfoundation.org
> http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
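Martin's point that the HTTP logs are what make alert review workable, as an added example that is not from this thread, from ELSA or from the Suricata project: a small correlator that joins each `alert` record to the `http` record of the same flow. It assumes the EVE JSON output of later Suricata releases (the `flow_id`, `event_type`, `alert` and `http` fields), and the sample records, hostnames and signature ids below are constructed.

```python
import json
from collections import Counter

# Constructed EVE JSON sample (not from the original post); signature ids are
# placeholders in the local-rules range. The alert on flow 1003 has no HTTP
# record, and the final line is deliberately truncated (a file still being written).
SAMPLE_EVE = """\
{"event_type":"http","flow_id":1001,"src_ip":"10.0.0.5","dest_ip":"192.0.2.10","http":{"hostname":"ads.example.invalid","url":"/serve.php","http_user_agent":"Mozilla/4.0"}}
{"event_type":"alert","flow_id":1001,"src_ip":"10.0.0.5","dest_ip":"192.0.2.10","alert":{"signature":"ET MALWARE Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0)","signature_id":9000001}}
{"event_type":"http","flow_id":1002,"src_ip":"10.0.0.7","dest_ip":"192.0.2.20","http":{"hostname":"cdn.example.invalid","url":"/update.exe","http_user_agent":"Mozilla/5.0"}}
{"event_type":"alert","flow_id":1002,"src_ip":"10.0.0.7","dest_ip":"192.0.2.20","alert":{"signature":"ET POLICY PE EXE or DLL Windows file download","signature_id":9000002}}
{"event_type":"alert","flow_id":1003,"src_ip":"10.0.0.9","dest_ip":"198.51.100.3","alert":{"signature":"ET MALWARE Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0)","signature_id":9000001}}
{"event_type":"alert","flow_id":1004,"src_ip":"10.0.0.9","dest_
"""


def parse_eve(text):
    """Parse EVE JSON lines; skip blank or malformed ones (eve.json can end
    with a partial line while Suricata is still writing it)."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return records


def correlate(records):
    """Join each alert to the http record of the same flow_id, so a User-Agent
    or download signature is reviewed next to the host, URL and UA it fired on."""
    http_by_flow = {r["flow_id"]: r["http"] for r in records
                    if r.get("event_type") == "http"}  # last request per flow wins
    return [{
        "signature": r["alert"]["signature"],
        "src_ip": r["src_ip"],
        "dest_ip": r["dest_ip"],
        "http": http_by_flow.get(r["flow_id"]),  # None when no HTTP context
    } for r in records if r.get("event_type") == "alert"]


def signature_counts(alerts):
    """Hit count per signature name: the first triage cut over a large alert set."""
    return Counter(a["signature"] for a in alerts)


if __name__ == "__main__":
    for a in correlate(parse_eve(SAMPLE_EVE)):
        print(a["src_ip"], a["signature"], a["http"] or "(no HTTP record)")
```

Running it over a real file is `correlate(parse_eve(open("eve.json").read()))`; alerts whose `http` is `None` (non-HTTP flows, or logging of the `http` event type turned off) are the ones that still need a packet capture to judge.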
