4

I am trying to write a Suricata signature for testing purposes to alert every time it is triggered with a single PCAP file containing a single packet, but this is proving to be harder than I thought.

For instance, I have the following rule.

alert udp $HOME_NET any -> any 53 (msg:"Test A"; \
content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; \
content:"|05|testa|03|com"; fast_pattern; nocase; distance:0; \
classtype:trojan-activity; sid:1099906; rev:1;)

This is a simple UDP signature that looks for the hex 01 00 00 01 00 00 00 00 00 00 defining the UDP packet as a DNS lookup and the domain testa.com.

If I send a pcap with the following content using tcpreplay like this

tcpreplay -i eth0 testa.pcapng

where eth0 is the NIC that Suricata is monitoring and testa.pcapng is the PCAP containing the packet below. I can trigger the alarm once, but if I replay the PCAP, it won't alert until I replay it 3-5 times.

enter image description here

In this image, you can see the matching DNS parameters in yellow and the matching query in green.

If I add the following DNS response packet to the PCAP:

enter image description here

It seems to fire every time. This is strange, because nothing in the signature looks for a response so how can I write a signature that only needs one packet and fires every time?

Damian T.
  • 334
  • 1
  • 6
MikeSchem
  • 2,266
  • 1
  • 13
  • 33
  • Instead of running Suricata on the port and then using `tcpreplay`, try running Suricata with the `-r` option against the pcap and see if it fires every time. – Damian T. Jul 13 '18 at 15:38

0 Answers0