[Oisf-users] Suricata Malware Capturing

Kevin Ross kevross33 at googlemail.com
Sat Sep 27 13:15:57 UTC 2014


Yes it can and has done so for a while

The question becomes what you want to extract really; it has to be defined
by signatures. Now you can extract any type of file so you could extract
all EXEs from network for instance, JARs whatever and then use scripts to
perform analysis on them.

What I do however is:
- Use various signatures in order to target extraction of files with
Suricata. While this has a false positive rate it is to cast a wide enough
net for interesting stuff without overloading me with alerts, I then run
analysis scripts on the extracted files.
- Using bro scripts check to see if Virustotal has seen files
- I use BRO IDS to extract all EXEs, Java files etc and to supplement my
NSM (although Suricata has many logs which can accomplish exact same thing
and act in a NSM approach; it is just what I decided locally best for me
using that combination). This is to keep alerting actually to a minimum in
Suricata front end and also because I feel when it is put into ELSA it is
easier to manage and I use various dashboards and searches in this to hunt
a bit better. https://www.youtube.com/watch?v=INRJZ3_Dsyc

Now while there is commercial systems which extract malware and analyses
en-mass like Lastline, Damballa, Fireeye etc along with all their other
features and that can be an interesting approach and combining scripts and
cuckoobox into this can be useful my aim is merely to make sure I have
copies of likely malicious files so I can look into them later if need be.
In this full packet captures such as using moloch, openfpc or even just a
simple writing of PCAPs to disk can be very useful both for incident
response (as I have found it very helpful to work out exact infection
chains or even if machine was likely compromised). I would recommend having
a look at books like Applied Network security monitoring for more on this
more complete approach.

Also you could look at cuckoobox if you have not already which can help you
to dynamically analyse malware and that could be automated if you wish.
Still I must say just seeing malware coming in is not enough and  you
should not react just because you see it; certanily the intelligence you
can gain from such capture can be immense but should only be counted as an
indication but if you have log data such as Suricata can provide too with
its HTTP logs and things or BRO.
(note this is a bias document given that it is a commercial company; take
all opinions from companies that say theirs is the best approach with
healthy scepticism until you can learn more about the product and make up
your own mind).

My point is basically binary capture, analysis etc is immensely useful but
should be combined with other intelligence, comparison etc to work out if
malware did infect the network. i.e you get malware binary, analyse it and
find indicators you can use such as network traffic (domains, IPs, packet
structure etc) and then make your indicators from that such as
Suricata/Snort sigs or even just looking through logs for historical signs
of successful infection (one reason I like to use ELSA is it makes this
process easier but could also be accomplish with greps and things against
log files. You could also look at Splunk or Logstash with Kibana interface.

Another thing is if you are looking for in wild malware capture look at
honeynet project and things like THUG honeyclient or nepenthes; these could
easily be run with honeydrive which puts many of the tools together

I hope that is informative for you.

Kind Regards,
Kevin Ross

On 27 September 2014 00:05, Muhammad Asif Ihsan <asifihsan.ihsan at gmail.com>

> Hi,
> I am new to suricata, I want to know that does suricata capture malwares
> and does it put together malware files in chunks and present us with the
> complete malware. I am keen to hear from you.
> Thank you.
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> OISF: http://www.openinfosecfoundation.org/
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20140927/72f693d4/attachment-0002.html>

More information about the Oisf-users mailing list