[Oisf-users] Suricata and flowint

Edward Fjellskål edwardfjellskaal at gmail.com
Mon Jan 9 16:13:47 UTC 2012

On 01/09/2012 03:43 PM, Martin Holste wrote:
> Trying to make sigs based on the dsizes of conversations seems like a
> lot of work for characteristics that change frequently.  Do you have
> reason to believe that the dsizes change less frequently between
> malware variants than the actual content?  That would be very
> interesting!

First off, the content is encrypted according to Dell Secureworks.
And if you look at it, it is always random to the human eye... So
there is no content to match on.

Second, if this was trivial to sig, I would guess someone had done it
all ready, as this was the Nr. 10 spambot back in 2009, and it seems
to be doing very well still, according to samples still ticking in.


"...Second, Gheg is one of the few botnets that encrypt traffic from the
command and control servers using a nonstandard SSL connection on port 443.

Third, Gheg has options in how it sends spam email. It can act as a
conventional proxy spambot. Or it can route spam messages through the
victim’s Internet provider’s mail server. Gheg has 60,000 members and
pushes out about 400 million spam emails daily, concentrating on
pharmaceutical spam."

I cant see any rules for it, so I made one for the blog post, but I
use this way of sigging on other stuff, that works well, and gives
no falses, and yes, for some reason, the packet-nr+dsize seems to be
very consistant in different malware "encrypted" traffic that I see.

> If you want to create alerts based on connection characteristics, I
> strongly recommend running Bro as well as Suricata, as it is much more
> suited for doing what you're trying to accomplish.  There have been a
> ton of examples and documentation added over at bro-ids.org, so I
> encourage you to take a look as I think it will be what you've been
> looking for.

I might privately share a pcap that you can look at, and tell me how you
will sig that with Bro. Would be good to see and to learn more about Bro.

The blog post was ment as a hack to get something done in suricata, that
has not been done before (and snort), to inspire people to think out of
the box and maybe use tools in a different way then "normal". And maybe
it is a good way to go or to have in an IDS.


> On Mon, Jan 9, 2012 at 2:25 AM, Edward Fjellskål
> <edwardfjellskaal at gmail.com> wrote:
>> Hi,
>> I wrote a blog post about one way to use flowint in suricata:
>> http://www.gamelinux.org/?p=403
>> Hope this can be inspiring and I hope other will share their use too.
>> --
>> Edward Bjarte Fjellskål
>> Senior Security Analyst
>> http://www.gamelinux.org/
>> _______________________________________________
>> Oisf-users mailing list
>> Oisf-users at openinfosecfoundation.org
>> http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users

More information about the Oisf-users mailing list