I get AI hits that say “Beacon detection
Suricata can analyze flow data, such as packet size, jitters, and repetition, to identify patterns that may indicate beacons. Analysts can also use default settings like beacon names and certificates to help with detection.”
I can’t find where it got that but I am guessing that may have come from some Suricata docs somewhere.
Any suggestions on how to best configure Suricata to detect C2 Beacons?
I have the Cobalt Strike rules and I have pcaps that have Cobalt Strike embedded. I can detect those using RITA but not Suricata, even using the Cobalt Strike rules against a pcap with embedded Cobalt Strike beacons.
It seems to be pretty simple. The pcap you provided doesn’t contain the content that triggers the rules, at least not in cleartext.
Load the pcap in Wireshark. Search by string for content in each rule, like
“Cyberspace”
“msdownload”
"Date: "
etc.
You will not get hits on those and others needed by the rules. There will be some matches but everything needs to be present.
To test general Cobalt Strike detection in Suricata, I loaded the pcap into Cloudshark, which has Suricata support. It lit up the rules in that system like a Christmas tree.
No problem. So Cloudshark is detecting a variety of alerts (including some Cobalt Strike specific ones) in your pcap. But Cloudshark doesn’t use the rules you sent. Those rules will not fire on the pcap because the pcap doesn’t contain content that will trigger those rules.
OK, so that is clear. Does Suricata standalone have a set of rules that would detect it in those pcaps? The reason I am asking is that we (Leidos) use Suricata as a part of one of our application packages. Suricata is already in there, so if we could detect not just Cobalt Strike beacons but other C2 beacons, that is a feature that our gov customer would be interested in.
Jeff,
The Suricata rules language does not have the semantics to describe generic beacon detection logic. Yes, you have the threshold keyword, but it is pretty limited in what it can describe.
To be able to detect beacons, you will need to do post-processing of Suricata NSM data (network transactions) and not alert data, just like RITA does.
This can be done using an analytical solution (e.g. Spark) or even a Python script.
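An added example of the post-processing the reply describes (not code from the thread, Suricata or RITA): it reads Suricata EVE `flow` records, groups them by source, destination and port, and scores each pair by how regular its connection start intervals are. The EVE records below are constructed for illustration; in a real deployment you would feed it eve.json with the flow logger enabled.

```python
import json
import statistics
from datetime import datetime, timedelta, timezone

EVE_TS = "%Y-%m-%dT%H:%M:%S.%f%z"   # Suricata EVE timestamp layout


def _flow(src, dst, port, start):
    # Constructed EVE "flow" record (only the fields this script needs).
    return json.dumps({"timestamp": start.strftime(EVE_TS), "event_type": "flow",
                       "src_ip": src, "dest_ip": dst, "dest_port": port,
                       "proto": "TCP", "flow": {"start": start.strftime(EVE_TS)}})


T0 = datetime(2024, 1, 1, 10, 0, tzinfo=timezone.utc)
# Host A: check-in every 60 s with +/-1 s jitter (beacon-like, constructed).
_beacon = [_flow("10.0.0.5", "203.0.113.10", 443,
                 T0 + timedelta(seconds=60 * i + (i % 3) - 1)) for i in range(8)]
# Host B: irregular browsing to one server (constructed).
_noise = [_flow("10.0.0.7", "198.51.100.20", 80, T0 + timedelta(seconds=s))
          for s in (0, 7, 130, 131, 400, 2000, 2010, 3900)]
SAMPLE_EVE = "\n".join(_beacon + _noise)   # one JSON object per line, as eve.json


def beacon_scores(eve_text, min_conns=6):
    """Per (src, dst, port): connection count, mean interval and the
    coefficient of variation (stdev/mean) of inter-arrival times.
    Regular check-ins give a low CV; human traffic gives a high one."""
    starts = {}
    for line in eve_text.splitlines():
        ev = json.loads(line)
        if ev.get("event_type") != "flow":   # ignore alerts, dns, http, ...
            continue
        key = (ev["src_ip"], ev["dest_ip"], ev["dest_port"])
        starts.setdefault(key, []).append(datetime.strptime(ev["flow"]["start"], EVE_TS))
    scores = {}
    for key, ts in starts.items():
        if len(ts) < min_conns:              # too few connections to judge
            continue
        ts.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean else float("inf")
        scores[key] = {"connections": len(ts), "mean_interval": mean, "cv": cv}
    return scores


def likely_beacons(eve_text, max_cv=0.1):
    # Pairs whose interval regularity is tight enough to warrant a look.
    return [k for k, s in beacon_scores(eve_text).items() if s["cv"] <= max_cv]
```

The CV threshold and minimum connection count are tuning knobs; long-lived keepalives and monitoring pollers will also score low, so the output is a triage list, not an alert.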