Thursday, 31 October 2019

Suricata Cheat Sheet

** WILL FIX CODE HIGHLIGHtING LATER, grr so annoying**



Just some learnings.

Some Cheat sheets so I can organize my notes



To Run Suricata:


Reading a PCAP

sudo suricata -r PCAP
Sudo suricata -r <PCAP> -k none -l .
After running on a PCAP, search log
cat eve.json | jq -c 'select(.event_type="alert")'
cat eve.json | jq -c 'select(.event_type="tls")'
cat eve.json | jq -c  'select(.event_type="http")'
cat eve.json | jq -c  'select(.event_type="dns")'

For listing rules:


More /etc/suricata/rules/emerging-trojan/.rules

Ls -lah /etc/suricata/rules/



Config

enabled http-log, ssh, dns events within suricata.yaml

enable:


Load signatures from another file. Edit yaml

Change default-rule-path to /home/user

change rule-fles to customsig.rules

then save customsing.rules in folder


create rule and run in pcap:

sudo suricata -r /home/test/test.pcap -k none -l .



Main Log Formats:

Eve.json

jsn objects, timestamp, flow_id, event_type etc –> Use jq

Fast.log

logs alerts onle

Stats.log

self explanator

Logs stored:

root@test:/var/log/suricata#


Breaking down rules.

Summarizing: https://suricata.readthedocs.io/en/suricata-5.0.0/rules/intro.html

Main sections

Great help to break up the rule into 3 sections, as seen in the image above.

drop == ACTION: alert etc
tcp == PROTOCOL
any == port. [80,81] [80-101] !80
HOME_NET any –> EXTERNAL_NET any == direction of traffic
-> Will only match rule on first packet, no response.

Parts in BLUE:

These are high level key words:


eg: Flow Keywords

Flow matches on direction of the flow.
established to server: means on established connections for CLIENT TO SERVER

Flowbits

<action>:name of flowbit

flowbits: isset, name == generate alwer when rule mataches and condition is set in the flow



Reference == refer to where signature or information came from
MSG == text want to be displayed, no impact on Rule processing
SID ==  Signature ID (needs to be unique)
Rev == Just version number of SID

So breaking down this rule:
alert dns $HOME_NET any -> any any (msg:"Trojam DNS Query Observed" dns_query; content:"testlol.net"; isdataat:!1,relative; reference:url,threatintelprovider.com/trojanx; classtype:trojan-activity; sid:1; rev:1;)

This rule specifies to alert on DNS for any traffic from the internal network out. Specifically on the DNS protocol, any DNS queries for testlol.net. **The isdataat:!1 means it should match with nothing else after the last byte (being .net)** Then the classtype and reference, sid and rev are there

No comments:

Post a comment