Terminal: Suricata-Regatta

Tolkien Ring Area

Objective

Recover the Tolkien Ring

Task 5: Suricata Regatta

Difficulty: 3/5 Christmas Trees
Description: Help detect this kind of malicious activity in the future by writing some Suricata rules. Work with Dusty Giftwrap in the Tolkien Ring to get some hints.

Terminal Details
Use your investigative analysis skills and the 'suspicious.pcap' file to help develop Suricata rules for the elves!

There's a short list of rules started in 'suricata.rules' in your home directory.

First off, the STINC (Santa's Team of Intelligent Naughty Catchers) has a lead for us.
They have some Dridex indicators of compromise to check out.
First, please create a Suricata rule to catch DNS lookups for 'adv.epostoday.uk'.
Whenever there's a match, the alert message (msg) should read 'Known bad DNS lookup, possible Dridex infection'.
Add your rule to 'suricata.rules'

Once you think you have it right, run './rule_checker' to see how you've done!
As you get rules correct, rule_checker will ask for more to be added.

If you want to start fresh, you can 'exit' the terminal and start again or 'cp suricata.rules.backup suricata.rules'

Good luck, and thanks for helping save the North Pole!

Solution

First observe the existing rules that were added to suricata.rules.

cat suricata.rules
alert http any any -> any any (msg:"FILE tracking PNG (1x1 pixel) (1)"; filemagic:"PNG image data, 1 x 1,"; sid:19; rev:1;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING Possible ELF executable sent when remote host claims to send a Text File"; flow:established,from_server; http.header; content:"Content-Type|3a 20|text/plain"; file.data; content:"|7f 45 4c 46|"; startswith; fast_pattern; isdataat:3000,relative; classtype:bad-unknown; sid:2032973; rev:1; metadata:updated_at 2021_05_18;)

alert ip any any -> any any (msg:"SURICATA IPv4 invalid checksum"; ipv4-csum:invalid; classtype:protocol-command-decode; sid:2200073; rev:2;)

alert ip [199.184.82.0/24,199.184.223.0/24] any -> $HOME_NET any (msg:"ET DROP Spamhaus DROP Listed Traffic Inbound group 27"; reference:url,www.spamhaus.org/drop/drop.lasso; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; flowbits:set,ET.Evil; flowbits:set,ET.DROPIP; sid:2400026; rev:3398; metadata:updated_at 2022_10_06;)

alert dns $HOME_NET any -> any any (msg:"ET WEB_CLIENT Malicious Chrome Extension Domain Request (stickies .pro in DNS Lookup)"; dns.query; content:"stickies.pro"; nocase; sid:2025218; rev:4;)

alert tcp any any -> any any (msg:"SURICATA Applayer No TLS after STARTTLS"; flow:established; app-layer-event:applayer_no_tls_after_starttls; flowint:applayer.anomaly.count,+,1; classtype:protocol-command-decode; sid:2260004; rev:2;)

alert pkthdr any any -> any any (msg:"SURICATA IPv4 total length smaller than header size"; decode-event:ipv4.iplen_smaller_than_hlen; classtype:protocol-command-decode; sid:2200002; rev:2;)

alert udp any any -> any 123 (msg:"ET DOS Possible NTP DDoS Inbound Frequent Un-Authed GET_RESTRICT Requests IMPL 0x02"; content:"|00 02 10|"; offset:1; depth:3; byte_test:1,!&,128,0; byte_test:1,&,4,0; byte_test:1,&,2,0; byte_test:1,&,1,0; threshold: type both,track by_dst,count 2,seconds 60; classtype:attempted-dos; sid:2019021; rev:3; metadata:created_at 2014_08_26, updated_at 2014_08_26;)

The stickies.pro rule above already shows the pattern for a DNS lookup (the dns.query sticky buffer followed by a content match), so a rule that catches DNS lookups for adv.epostoday.uk would be:

alert dns any any -> any any (msg:"Known bad DNS lookup, possible Dridex infection."; dns.query; content:"adv.epostoday.uk"; nocase; sid:2222220; rev:1;)

Add this rule to the rules file.

echo 'alert dns any any -> any any (msg:"Known bad DNS lookup, possible Dridex infection."; dns.query; content:"adv.epostoday.uk"; nocase; sid:2222220; rev:1;)' >> suricata.rules

Run rule_checker to verify the first rule.

elf@89f2ead4b48a:~$ ./rule_checker 
rm: cannot remove '/home/elf/logs/*': No such file or directory
10/12/2022 -- 19:49:57 - <Notice> - This is Suricata version 6.0.8 RELEASE running in USER mode
10/12/2022 -- 19:49:57 - <Notice> - all 9 packet processing threads, 4 management threads initialized, engine started.
10/12/2022 -- 19:49:57 - <Notice> - Signal Received.  Stopping engine.
10/12/2022 -- 19:49:57 - <Notice> - Pcap-file module read 1 files, 5172 packets, 3941260 bytes
First rule looks good!

STINC thanks you for your work with that DNS record! In this PCAP, it points to 192.185.57.242.
Develop a Suricata rule that alerts whenever the infected IP address 192.185.57.242 communicates with internal systems over HTTP.
When there's a match, the message (msg) should read Investigate suspicious connections, possible Dridex infection

For the second indicator, we flagged 0 packet(s), but we expected 681. Please try again!

As seen in the pre-existing rules, the $HOME_NET and $EXTERNAL_NET variables reference the internal and external networks respectively. Using $HOME_NET for the internal side, a first version of the second rule is:

alert http 192.185.57.242 any -> $HOME_NET any (msg:"Investigate suspicious connections, possible Dridex infection"; sid:2222221; rev:1;)

That version only matches traffic from the infected address towards the internal systems. Both addresses have to be in both the source and destination sections because the HTTP traffic can originate on either end, and the rule needs its own sid (Suricata rejects a rule without one), so the rule actually added to the rules file is:

echo 'alert http [$HOME_NET,192.185.57.242] any -> [$HOME_NET,192.185.57.242] any (msg:"Investigate suspicious connections, possible Dridex infection"; sid:2222221; rev:1;)' >> suricata.rules

Run rule_checker to verify the second rule.

elf@89f2ead4b48a:~$ ./rule_checker 
10/12/2022 -- 20:13:51 - <Notice> - This is Suricata version 6.0.8 RELEASE running in USER mode
10/12/2022 -- 20:13:51 - <Notice> - all 9 packet processing threads, 4 management threads initialized, engine started.
10/12/2022 -- 20:13:52 - <Notice> - Signal Received.  Stopping engine.
10/12/2022 -- 20:13:52 - <Notice> - Pcap-file module read 1 files, 5172 packets, 3941260 bytes
First rule looks good!

Second rule looks good!

We heard that some naughty actors are using TLS certificates with a specific CN.
Develop a Suricata rule to match and alert on an SSL certificate for heardbellith.Icanwepeh.nagoya.
When your rule matches, the message (msg) should read Investigate bad certificates, possible Dridex infection

For the third indicator, we flagged 0 packet(s), but we expected 1. Please try again!

The third rule should be:

alert tls any any -> any any (msg:"Investigate bad certificates, possible Dridex infection"; tls.cert_subject; content:"CN=heardbellith.Icanwepeh.nagoya"; sid:2222222; rev:1;)

Add this rule to the rules file.

echo 'alert tls any any -> any any (msg:"Investigate bad certificates, possible Dridex infection"; tls.cert_subject; content:"CN=heardbellith.Icanwepeh.nagoya"; sid:2222222; rev:1;)' >> suricata.rules

Run rule_checker to verify the third rule.

elf@89f2ead4b48a:~$ ./rule_checker 
10/12/2022 -- 20:19:33 - <Notice> - This is Suricata version 6.0.8 RELEASE running in USER mode
10/12/2022 -- 20:19:33 - <Notice> - all 9 packet processing threads, 4 management threads initialized, engine started.
10/12/2022 -- 20:19:33 - <Notice> - Signal Received.  Stopping engine.
10/12/2022 -- 20:19:33 - <Notice> - Pcap-file module read 1 files, 5172 packets, 3941260 bytes
First rule looks good!

Second rule looks good!

Third rule looks good!

OK, one more to rule them all and in the darkness find them.
Let's watch for one line from the JavaScript: let byteCharacters = atob
Oh, and that string might be GZip compressed - I hope that's OK!
Just in case they try this again, please alert on that HTTP data with message Suspicious JavaScript function, possible Dridex infection

For the fourth indicator, we flagged 0 packet(s), but we expected 1. Please try again!

The http.response_body sticky buffer matches on the gzip-decoded response body, just as file_data does, so the compressed string is still caught. The fourth rule should be:

alert http any any -> any any (msg:"Suspicious JavaScript function, possible Dridex infection"; http.response_body; content:"let byteCharacters = atob"; sid:2222223; rev:1;)

Add this rule to the rules file.

echo 'alert http any any -> any any (msg:"Suspicious JavaScript function, possible Dridex infection"; http.response_body; content:"let byteCharacters = atob"; sid:2222223; rev:1;)' >> suricata.rules

Run rule_checker to verify the fourth rule.

elf@89f2ead4b48a:~$ ./rule_checker 

As soon as rule_checker is run, the terminal should close.
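As an added example, not part of this writeup or of the challenge's rule_checker, here is a small Python parser and linter for rule lines like the ones above. It splits a rule into its header fields and options and flags the slips that are easy to make when appending rules with echo: a rule with no sid, and a dropped semicolon between sid and rev. The rule strings inside it are constructed from this writeup's four rules.

```python
import re
HEADER_RE = re.compile(  # action proto src sport direction dst dport (options)
    r"^(?P<action>alert|drop|pass|reject)\s+(?P<proto>\S+)\s+(?P<src>\S+)\s+(?P<sport>\S+)"
    r"\s+(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s+\((?P<opts>.*)\)\s*$")
# Split options on ';' only when an even number of '"' follows, so quoted content survives.
OPT_SPLIT_RE = re.compile(r';(?=(?:[^"]*"[^"]*")*[^"]*$)')

def parse_rule(line):
    """Header fields plus an ordered (keyword, value) option list; None if not rule-shaped."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    rule = dict(m.groupdict(), opts=[])  # header fields; the option list is filled in below
    for raw in OPT_SPLIT_RE.split(m.group("opts")):
        if raw.strip():
            key, _, val = raw.strip().partition(":")  # bare keywords (nocase, dns.query) get val ""
            rule["opts"].append((key.strip(), val.strip().strip('"')))
    return rule

def lint_rules(lines):
    """(line_no, problem) findings: unparsable header, no msg, no sid, a dropped ';' after sid, sid reuse."""
    findings, seen = [], {}
    for n, line in enumerate(lines, 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # blank lines and comments are legal in a rules file
        rule = parse_rule(line)
        if rule is None:
            findings.append((n, "header does not parse"))
            continue
        keys = dict(rule["opts"])
        if "msg" not in keys:
            findings.append((n, "missing msg"))
        sid = keys.get("sid")
        if sid is None:
            findings.append((n, "missing sid"))
        elif not sid.isdigit():  # "sid:2222220 rev:1" lands here: the ';' between them was dropped
            findings.append((n, "sid is not a number (missing ';' after sid?)"))
        elif sid in seen:
            findings.append((n, "sid %s already used on line %d" % (sid, seen[sid])))
        else:
            seen[sid] = n
    return findings

# Constructed input: this writeup's four rules, with a dropped ';' after sid in the first and no sid in the second.
WRITEUP_RULES = [
    'alert dns any any -> any any (msg:"Known bad DNS lookup, possible Dridex infection."; dns.query; content:"adv.epostoday.uk"; nocase; sid:2222220 rev:1;)',
    'alert http [$HOME_NET,192.185.57.242] any -> [$HOME_NET,192.185.57.242] any (msg:"Investigate suspicious connections, possible Dridex infection"; rev:1;)',
    'alert tls any any -> any any (msg:"Investigate bad certificates, possible Dridex infection"; tls.cert_subject; content:"CN=heardbellith.Icanwepeh.nagoya"; sid:2222222; rev:1;)',
    'alert http any any -> any any (msg:"Suspicious JavaScript function, possible Dridex infection"; http.response_body; content:"let byteCharacters = atob"; sid: 2222223; rev:1;)',
]
```

Running lint_rules over a rules file before ./rule_checker (or before a real Suricata reload) turns a silent "rule skipped" into a line number to fix.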

