Creating a custom Suricata rule

Hello, I am new to Suricata. I am trying to create a custom rule to detect email (SMTP) whose subject starts with PW_, but I am unable to create it. I tried content: subject: PW_ but it is not working.

Most email these days is sent over an encrypted connection (using TLS), so unless you are doing some type of man-in-the-middle proxy intercept and decryption, Suricata cannot see into packet payloads because of the encryption. That means your rule won’t work because the plaintext it is looking for does not exist in the raw encrypted packets seen by Suricata.

Hi, thanks for your reply, but I can see the email in clear text.

There are several folks on this board with rule writing experience.

Perhaps you could show the rule(s) that you’ve tried to get some feedback?

Ya, sure:

alert smtp any any → any any (msg:“Agent Tesla malware Data exfil in clear text”; flow:established,to_server; content:“Subject|3a 20|PW” startswith; sid:1; rev:1)

Are you sure that rule is actually correct and loaded? I’m getting

Error: detect-parse: no terminating ";" found [SigParseOptions:detect-parse.c:850]
Error: detect: error parsing signature "alert smtp any any → any any (msg:“Agent Tesla malware Data exfil in clear text”; flow:established,to_server; content:“Subject|3a 20|PW” startswith; sid:1; rev:1)" from file smtp.rules at line 1 [DetectLoadSigFile:detect-engine-loader.c:182]
Warning: detect: 1 rule files specified, but no rules were loaded! [SigLoadSignatures:detect-engine-loader.c:358]

in the log, have you taken a look at yours?

The correct rule should be

alert smtp any any -> any any (msg:"Agent Tesla malware Data exfil in clear text"; flow:established,to_server; content:"Subject|3a 20|PW"; startswith; sid:1; rev:1;)

Note the semicolons at the end and before startswith.
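To make the pieces of that rule concrete, here is an added example (editor's code, not from anyone in this thread and not Suricata's engine): a simplified Python model of how a content string with |hex| escapes is expanded, and of the difference between a plain content match (anywhere in the inspected buffer) and one with the startswith modifier (at offset 0 of that buffer). The model assumes the inspected buffer is the whole SMTP DATA payload; the SMTP message below is constructed sample data.

```python
import re

# Added example: a simplified model of Suricata content / startswith evaluation.
# Assumption: the inspected buffer is the whole payload (not a sticky buffer).

HEX_ESCAPE = re.compile(r"\|([0-9A-Fa-f\s]+)\|")


def content_to_bytes(content: str) -> bytes:
    """Expand a Suricata content string, e.g. 'Subject|3a 20|PW' -> b'Subject: PW'."""
    out = bytearray()
    pos = 0
    for m in HEX_ESCAPE.finditer(content):
        out += content[pos:m.start()].encode("latin-1")
        out += bytes.fromhex(m.group(1))  # fromhex ignores the spaces between byte pairs
        pos = m.end()
    out += content[pos:].encode("latin-1")
    return bytes(out)


def payload_matches(payload: bytes, content: str, startswith: bool = False) -> bool:
    """Plain content: needle anywhere in the buffer. startswith: needle must be at offset 0."""
    needle = content_to_bytes(content)
    return payload.startswith(needle) if startswith else needle in payload


def header_lines(smtp_data: bytes) -> list:
    """Split the DATA section into its header lines (everything before the blank line)."""
    head, _, _body = smtp_data.partition(b"\r\n\r\n")
    return head.split(b"\r\n")


def any_header_startswith(smtp_data: bytes, content: str) -> bool:
    """Check each header line on its own, which is what 'the subject starts with' means."""
    needle = content_to_bytes(content)
    return any(line.startswith(needle) for line in header_lines(smtp_data))


# Constructed sample: the DATA part of a clear-text SMTP session (not real traffic).
SMTP_DATA = (
    b"From: user@example.test\r\n"
    b"To: collector@example.test\r\n"
    b"Subject: PW_ WORKSTATION-01\r\n"
    b"\r\n"
    b"(message body)\r\n"
    b".\r\n"
)

RULE_CONTENT = "Subject|3a 20|PW"  # the content string from the rule above

if __name__ == "__main__":
    print(content_to_bytes(RULE_CONTENT))
    print("content anywhere in payload:", payload_matches(SMTP_DATA, RULE_CONTENT))
    print("content with startswith:", payload_matches(SMTP_DATA, RULE_CONTENT, startswith=True))
    print("some header line starts with it:", any_header_startswith(SMTP_DATA, RULE_CONTENT))
```

In this model the plain content matches, but the startswith form does not, because the buffer begins with the From: header rather than with "Subject: PW". Whether that is what happens in the poster's case depends on which buffer Suricata actually inspects for that rule, which is exactly why the pcap or the eve.json output was requested.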

Yes, but it's still not working; there were no alerts when I tried this on a pcap file.

Could you share the pcap so we can try to reproduce?

+1, this would be most helpful.

I am sorry, I can't share the pcap, but I can show the subject part via ss.

It is unfortunate you can’t share a pcap because it makes it difficult to debug…
How are you running Suricata against the pcap? Maybe you need -k none to disable checksumming? If there’s no handshake for your session in the pcap, you might also need to enable midstream pickup in order to enable proper processing.
Can you see SMTP metadata output in your eve.json?

Yes, I can see SMTP metadata in the eve.json file. I have Suricata installed on my server. I was just testing a single SMTP pcap.