** WILL FIX CODE HIGHLIGHTING LATER, grr so annoying**
Just some learnings.
Some Cheat sheets so I can organize my notes
To run Suricata:
Reading a PCAP:
sudo suricata -r <PCAP>
sudo suricata -r <PCAP> -k none -l .
(-k none turns off checksum validation, which is usually what you want on a PCAP; -l . writes the logs to the current directory.)
After running on a PCAP, search the log (note the comparison is ==; a single = in jq is an assignment and would select every record):
cat eve.json | jq -c 'select(.event_type=="alert")'
cat eve.json | jq -c 'select(.event_type=="tls")'
cat eve.json | jq -c 'select(.event_type=="http")'
cat eve.json | jq -c 'select(.event_type=="dns")'
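Added example, not from the original notes: the same four jq selects done in Python over a constructed eve.json sample (the records below are made up, shaped like Suricata's EVE output, not taken from any real capture), plus the pivot you usually do next, following a flow_id from an alert back to the dns/http/tls record that triggered it.

```python
import json
from collections import Counter

# Constructed sample of eve.json content: NDJSON, one JSON object per line.
# Field names follow EVE conventions; the values are invented for this example.
SAMPLE_EVE = """\
{"timestamp":"2024-01-01T10:00:00.000000+0000","flow_id":1,"event_type":"dns","src_ip":"10.0.0.5","dest_ip":"10.0.0.1","dns":{"type":"query","rrname":"testlol.net","rrtype":"A"}}
{"timestamp":"2024-01-01T10:00:00.100000+0000","flow_id":1,"event_type":"alert","src_ip":"10.0.0.5","dest_ip":"10.0.0.1","alert":{"signature_id":1,"rev":1,"signature":"Trojan DNS Query Observed","category":"trojan-activity"}}
{"timestamp":"2024-01-01T10:00:01.000000+0000","flow_id":2,"event_type":"http","src_ip":"10.0.0.5","dest_ip":"93.184.216.34","http":{"hostname":"example.com","url":"/","http_method":"GET","status":200}}
{"timestamp":"2024-01-01T10:00:02.000000+0000","flow_id":3,"event_type":"tls","src_ip":"10.0.0.5","dest_ip":"93.184.216.34","tls":{"sni":"example.com","version":"TLS 1.3"}}
{"timestamp":"2024-01-01T10:00:03.000000+0000","flow_id":4,"event_type":"flow","src_ip":"10.0.0.5","dest_ip":"10.0.0.1"}
"""

def load_eve(text):
    """Parse NDJSON text into a list of event dicts, skipping blank or truncated
    lines (a live eve.json often ends with a half-written record)."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events

def select_type(events, event_type):
    """Equivalent of: jq -c 'select(.event_type == "<event_type>")'."""
    return [e for e in events if e.get("event_type") == event_type]

def count_types(events):
    """Histogram of event_type values: a quick first look at what a PCAP produced."""
    return Counter(e.get("event_type", "?") for e in events)

def alert_summary(events):
    """One compact line per alert: sid:rev, signature text, endpoints and flow_id."""
    out = []
    for e in select_type(events, "alert"):
        a = e["alert"]
        out.append(f"{a['signature_id']}:{a['rev']} {a['signature']} "
                   f"{e['src_ip']} -> {e['dest_ip']} flow_id={e['flow_id']}")
    return out

def events_for_flow(events, flow_id):
    """All records sharing a flow_id, so an alert can be tied to the protocol
    record (dns, http, tls) that it fired on."""
    return [e for e in events if e.get("flow_id") == flow_id]

if __name__ == "__main__":
    evs = load_eve(SAMPLE_EVE)
    print(dict(count_types(evs)))
    for line in alert_summary(evs):
        print(line)
    for e in events_for_flow(evs, 1):
        print(e["event_type"], e.get("dns", {}).get("rrname", ""))
```

On a real box, replace SAMPLE_EVE with the contents of /var/log/suricata/eve.json (or the eve.json written into the directory given to -l).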
For listing rules:
more /etc/suricata/rules/emerging-trojan.rules
ls -lah /etc/suricata/rules/
Config
Enabled http-log, ssh and dns events within suricata.yaml.
Load signatures from another file (edit the yaml):
Change default-rule-path to /home/user
Change rule-files to customsig.rules
Then save customsig.rules in that folder.
Create the rule and run it against a pcap:
sudo suricata -r /home/test/test.pcap -k none -l .
Main log formats:
eve.json
JSON objects (timestamp, flow_id, event_type etc) -> use jq
fast.log
logs alerts only
stats.log
self explanatory
Logs stored in /var/log/suricata:
root@test:/var/log/suricata#
Breaking down rules.
Summarizing: https://suricata.readthedocs.io/en/suricata-5.0.0/rules/intro.html
Main sections
It helps to break the rule up into 3 sections, as seen in the image above.
drop == ACTION (alert, drop, etc)
tcp == PROTOCOL
any == port. Can also be a list, a range or a negation: [80,81] [80-101] !80
$HOME_NET any -> $EXTERNAL_NET any == direction of traffic
-> will only match the rule on the first packet, not on the response.
Parts in BLUE:
These are high-level keywords, e.g. flow keywords:
flow matches on the direction of the flow.
flow:established,to_server means match on established connections, CLIENT TO SERVER.
flowbits
flowbits:<action>,<name of flowbit>
flowbits:isset,name == generate an alert when the rule matches and the named flowbit is set in the flow
reference == where the signature or information came from
msg == text to be displayed; no impact on rule processing
sid == Signature ID (needs to be unique)
rev == just the version number of the SID
So breaking down this rule:
alert dns $HOME_NET any -> any any (msg:"Trojan DNS Query Observed"; dns_query; content:"testlol.net"; isdataat:!1,relative; reference:url,threatintelprovider.com/trojanx; classtype:trojan-activity; sid:1; rev:1;)
This rule alerts on DNS traffic from the internal network outward: specifically, any DNS query for testlol.net. **The isdataat:!1,relative means it should match only if there is nothing else after the last byte (the .net).** Then the classtype, reference, sid and rev follow.
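Added example, not from the original notes or from Suricata's own code: a small Python breakdown of a rule into the sections above (action, protocol, addresses and ports, direction, then the option keywords), a lint for the msg/sid/rev metadata, and a simplified model of how dns_query + content + isdataat:!1,relative evaluate against a query name. The rule string is the constructed one from this page; the matching model covers only those three keywords and is an approximation written for illustration.

```python
# Constructed example rule (the one broken down above; not from any real ruleset).
RULE = ('alert dns $HOME_NET any -> any any (msg:"Trojan DNS Query Observed"; dns_query; '
        'content:"testlol.net"; isdataat:!1,relative; '
        'reference:url,threatintelprovider.com/trojanx; classtype:trojan-activity; sid:1; rev:1;)')

def split_options(body):
    """Split the option body on ';' while ignoring ';' inside double quotes
    (a msg like "foo; bar" must stay one option)."""
    opts, cur, in_quotes = [], [], False
    for ch in body:
        if ch == '"':
            in_quotes = not in_quotes
        if ch == ';' and not in_quotes:
            opts.append(''.join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    opts.append(''.join(cur).strip())
    return [o for o in opts if o]

def parse_rule(rule):
    """Break a rule into its header (action, protocol, addresses/ports, direction)
    and an ordered list of (keyword, value) options. Port lists written with
    spaces (e.g. "[80, 81]") are not handled by this simple whitespace split."""
    rule = rule.strip()
    lp, rp = rule.index('('), rule.rindex(')')
    header = rule[:lp].split()
    if len(header) != 7:
        raise ValueError(f"expected 7 header fields, got {len(header)}: {header}")
    action, proto, src, sport, direction, dst, dport = header
    if direction not in ('->', '<>'):
        raise ValueError(f"bad direction operator {direction!r}")
    options = []
    for opt in split_options(rule[lp + 1:rp]):
        key, sep, val = opt.partition(':')
        val = val.strip()
        if len(val) >= 2 and val[0] == val[-1] == '"':
            val = val[1:-1]
        options.append((key.strip(), val if sep else None))   # bare keywords get None
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "direction": direction, "dst": dst, "dport": dport, "options": options}

def lint_rule(parsed):
    """Return the metadata problems to fix before loading the rule (sid must be
    present and unique; rev and msg should always be there)."""
    keys = [k for k, _ in parsed["options"]]
    problems = [f"missing {req}" for req in ("msg", "sid", "rev") if req not in keys]
    sid = dict(parsed["options"]).get("sid")
    if sid is not None and not sid.isdigit():
        problems.append("sid is not numeric")
    return problems

def dns_query_matches(parsed, qname):
    """Simplified model of dns_query + one content + optional isdataat:N[,relative]
    against a single query name. Every occurrence of the content is tried before
    giving up, so a negated isdataat can still succeed on a later occurrence."""
    opts = parsed["options"]
    if "dns_query" not in [k for k, _ in opts]:
        return False
    contents = [v for k, v in opts if k == "content"]
    if len(contents) != 1:
        raise NotImplementedError("this model handles exactly one content match")
    needle = contents[0]
    isdataat = next((v for k, v in opts if k == "isdataat"), None)
    start = 0
    while True:
        idx = qname.find(needle, start)
        if idx < 0:
            return False
        end = idx + len(needle)
        if isdataat is None:
            return True
        negate = isdataat.startswith("!")
        num, *flags = isdataat.lstrip("!").split(",")
        base = end if "relative" in flags else 0
        has_data = len(qname) - base >= int(num)   # are there N more bytes from base?
        if has_data != negate:
            return True
        start = idx + 1   # retry on the next occurrence of the content

if __name__ == "__main__":
    p = parse_rule(RULE)
    print(p["action"], p["proto"], p["src"], p["sport"], p["direction"], p["dst"], p["dport"])
    for k, v in p["options"]:
        print(f"  {k}: {v}")
    print("lint:", lint_rule(p) or "ok")
    for q in ("testlol.net", "www.testlol.net", "testlol.network", "testlol.net.evil.example"):
        print(f"{q:28} -> {dns_query_matches(p, q)}")
```

The interesting cases are the last two: testlol.network contains the content but has bytes after it, so the negated isdataat fails; testlol.net.evil.example fails for the same reason, which is exactly the "nothing after the last byte" behaviour described above.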