Continuing with our previous posts describing why & how to alert on Indicators of Compromise with Suricata IDS using the Dataset feature, in this post, we will describe, how to alert on malicious files observed in the network.
For that, we will use a list of Malware hashes obtained from abuse.ch ThreaFox API, But first, why would you want to use hashes as IOCs knowing that attacker could easily change them?
Why hashes IOCs are still relevant today?
While solely depending on Malicious Files hashes IOCs to detect attackers presence in your network wont be a solid cyber defense strategy, using them as an additional detection angle will help, and some of the reasons are:
1. Hashes IOCs are everywhere
Most (if not all) of the commercial & free Threat Intelligence feeds providers publish Hashes IOCs in their feeds, traditionally they are integrated into EDR/AV solutions to block malicious files on the endpoints, and with the capabilities that Suricata IDS offers, you can now do the same on the network level, which can cover endpoints/servers/IOT devices…etc that don’t have EDR installed on them.
2. Not all attackers are really that advanced (the A in APT)
Once your system is on the internet, you should expect threats of all shapes and forms.
and while some of those might be coming from actual APT, the vast majority will be opportunistic attacks by cyber criminals.
Those opportunistic attackers will reuse malware and attack tools published on the internet and won’t necessarily have the know-how to alter the hashes of those tools before using them against your systems, and that will be a detection opportunity, remember, attackers aren’t invincible & we must use that to our advantage.
3. Hashes have no false positives
Unlike IDS Signatures that can produce many false positives for various reasons, the calculated hash of a file either matches one of the hashes in the list of known bad files, or not, no more, no less, and as long as you trust your IOCs feed, you will be sure that it is indeed that same malicious file.
How Suricata IDS/IPS Detect & alert on Hashes
Now that have discussed the Why, lets talk about the How.
Suricata IDS comes with a growing list of supported protocols, some of these protocols (eg: HTTP) are used to download/upload files, Suricata will extract the files exchanged over those protocols and will calculate their hashes (and store it for you if you want).
The calculated file hash will be available for us to use in Rules as a keyword, namely: filemd5 or filesha1 or filesha256, your choice of hash type depends on what is the type of the hashes IOCs are available to you in your feeds, in this post we will stick to sha256 hashes as they are becoming the industry standard today.
Used OS & Suricata Version
In this example, we will be using the latest version of Suricata (6.0.6 as of today) installed from the official Ubuntu PPA on an Ubuntu 20.04 (Focal) VM.
Preparing the Hashes IOCs file
Lets download the list of sha256 IOCs from ThreatFox API using the below curl request
curl -X POST https://threatfox-api.abuse.ch/api/v1/ -d '{ "query": "get_iocs", "days": 90 }' > iocs_list.json
For the next step, we will need to us jq command to parse and filter the iocs_list.json file, it dose not come installed on Ubuntu so lets install it
sudo apt install -y jq
Then, we filter the json data for sha256 IOCs using the jq linux command
cat iocs_list.json | jq -c -r '.data[] | select( .ioc_type == "sha256_hash") | .ioc' > sha256_iocs.list
now that we have our IOCs list ready in sha256_iocs.list, lets copy it to our suricata rules directory (note: please make sure you already installed Suricata)
sudo cp sha256_iocs.list /etc/suricata/rules/
Creating the Suricata IDS Rule
To alert on malicious files using hashes, we will create an IDS Rule, this rule will trigger the sha256 hash of the downloaded files to be calculated and Suricata will compare it against the list of hashes in sha256_iocs.list, generating an alert if a match is found.
The rules we will use is:
alert http any any -> any any (msg:"ThreatIntel: Malicious File Downloaded over Http"; flow: established; filesha256:/etc/suricata/rules/sha256_iocs.list; classtype: trojan-activity; sid:1; rev:1;)
In the above example, the rule will generate an alert when a file matching one of our hashes IOCs list is observed over HTTP protocol.
We then place the above rule in a new rules file named iocs.rule and configure Suricata IDS to load it by adding iocs.rules to the list of rules files
echo 'alert http any any -> any any (msg:"ThreatIntel: Malicious File Downloaded over Http"; flow: established; filesha256:/etc/suricata/rules/sha256_iocs.list; classtype: trojan-activity; sid:1; rev:1;)' | sudo tee /etc/suricata/rules/iocs.rules
We also need to configure Suricata IDS to load the new rules file “iocs.rules”, here is the updated suricata configuration section (from suricata.yaml) that dose that (Note: we changed the default-rule-path value)
default-rule-path: /etc/suricata/rules
rule-files:
- suricata.rules
- iocs.rules
Then we proceed to run suricata and make it listen to traffic in our testing VM (note: adjust your interface name as needed)
sudo suricata -c /etc/suricata/suricata.yaml -i enp0s3
Verifying that Alerting works
Now that we have Suricata IDS running and listening to traffic in our testing VM, we will verify that alerting against malicious hashes IOCs we obtained from ThreatFox API actually works.
The issue we face here, is that ThreatFox dose note give us a direct download url that we can download from into our VM to simulate a malware binary download, but rather provide a password-protected zip file over https, this file will have a different hash, thus the alerting wont work.
To overcome this, we will start a webserver in another VM that will have the malicious binary and we will download the file from there, to start lets obtain the malicious binary.
Downloading the malicious file to our local webserver
First lets get the first hash from our sha256_iocs.list file (note: you will probably get a different one but that is ok)
head -n 1 /etc/suricata/rules/sha256_iocs.list
af8d7c18fe97415d7ede0cba166dce004ebbe94eacd1af6f61d8d3527b015e22
The hash happened to be for NjRat malware, we can obtain the sample by searching in MalwareBazaar Database, remember to use sha256:hash syntax when searching, or simply search google.
Lets download our malware sample from MalwareBazar into another VM, unzip the file, and run a simple python webserver (note: ZIP password is “infected”)
sudo apt-get install -y p7zip-full
7z x af8d7c18fe97415d7ede0cba166dce004ebbe94eacd1af6f61d8d3527b015e22.zip
python3 -m http.server
Triggering the Suricata Alert
Then we will proceed to download the malware file from the Suricata IDS machine
sudo wget http://192.168.3.205:8000/af8d7c18fe97415d7ede0cba166dce004ebbe94eacd1af6f61d8d3527b015e22.exe
Viewing fast.log & eve.json to check if alerts were triggered shows that everything worked as expected
$ cat /var/log/suricata/fast.log
07/22/2022-13:35:25.071655 [**] [1:1:1] ThreatIntel: Malicious File Downloaded over Http [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.3.205:8000 -> 192.168.3.206:47128
$ cat /var/log/suricata/eve.json | jq
{
"timestamp": "2022-07-22T13:35:25.071655+0000",
"flow_id": 1807428129456394,
"in_iface": "enp0s3",
"event_type": "alert",
"src_ip": "192.168.3.205",
"src_port": 8000,
"dest_ip": "192.168.3.206",
"dest_port": 47128,
"proto": "TCP",
"tx_id": 0,
"alert": {
"action": "allowed",
"gid": 1,
"signature_id": 1,
"rev": 1,
"signature": "ThreatIntel: Malicious File Downloaded over Http",
"category": "A Network Trojan was detected",
"severity": 1
},
"http": {
"hostname": "192.168.3.205",
"http_port": 8000,
"url": "/af8d7c18fe97415d7ede0cba166dce004ebbe94eacd1af6f61d8d3527b015e22.exe",
"http_user_agent": "Wget/1.20.3 (linux-gnu)",
"http_content_type": "application/x-msdos-program",
"http_method": "GET",
"protocol": "HTTP/1.1",
"status": 200,
"length": 36864
},
"files": [
{
"filename": "/af8d7c18fe97415d7ede0cba166dce004ebbe94eacd1af6f61d8d3527b015e22.exe",
"sid": [],
"gaps": false,
"state": "CLOSED",
"sha256": "af8d7c18fe97415d7ede0cba166dce004ebbe94eacd1af6f61d8d3527b015e22",
"stored": false,
"size": 36864,
"tx_id": 0
}
],
"app_proto": "http",
"flow": {
"pkts_toserver": 17,
"pkts_toclient": 30,
"bytes_toserver": 1343,
"bytes_toclient": 39057,
"start": "2022-07-22T13:35:25.065802+0000"
}
}
As we can see, Suricata IDS successfully captured the downloaded file and alerted on it, this feature open an opportunity to add a new detection mechanism that you can use to monitor for malicious files, hacking tools…etc being downloaded to your network.
How IDSTower can help?
IDSTower not only will automatically setup & configure this features in Suricata IDS, it will also Integrate with Free & Commercial Threat Intelligence Feeds to download Malicious Files Hashes IOCs and push them to Suricata IDS Hosts, all with a single click!
If you are interested to learn more on how IDSTower can help you enhance your network security operations, please take a look at the Features that IDSTower offers & Download A free license now!