Detect against sha256 hashes

Hi,

I am currently using the latest stable version of Suricata with Ubuntu 18.04.

Is it possible to have some kind of alerting against files that are downloaded via web browser? Like, having a rule that uses a sha256 dataset and alerts if any downloaded file has a corresponding malicious sha256 hash?

I read about filestore, but is it possible to do this without having to download any files?

Thanks!

You can use the 8.14. File Keywords — Suricata 7.0.3-dev documentation for that, for example the filesha256 keyword; unless you enable filestore, the files are not stored.

Ok, thanks for your reply.

I activated the “fileinfo” event log, but when I download, for example, a PDF file, I cannot see any record of that in my Suricata logs. Do I need to make any special config?

Thanks in advance

See 19. File Extraction — Suricata 7.0.3-dev documentation if you also enabled that in your logging output. The docs have an example for the EVE output.

I enabled fileinfo as the documentation shows, but still cannot get any info when I download a PDF in the browser.

Hard to tell without more details about your setup, how you run it, and so on.
Provide your suricata config, version, run command and log file examples at least.

I am running the latest Suricata version. Here is the config file.

suricata.yaml (84.2 KB)

I am using AF-packet mode. I tested with an FTP server, and after downloading the file the “fileinfo” logging does not show anything related to the file that I downloaded, although I can see other events like flows and FTP related to that interaction.

Even if I download a file via web browser through HTTP, the results are the same.

Thanks

So you’re running 7.0.2?

Can you also post the stats.log and some eve.json examples?
Are there any fileinfo events at all?
Can you post the related http and flow events for the tests you did?

Right now I cannot send the stats.log, but I can send some examples of flow, FTP and fileinfo events for the same source IP.

I noticed that, in regard to the FTP event, the “flow” type of log is shown for both the private and the NAT/public address, but the “FTP” type event only shows for the NAT/public address of the tested machine.

I think that a file downloaded through FTP should generate a log of type “fileinfo” showing that a file was downloaded, but that does not happen.


FTP

{"timestamp":"2023-10-31T14:47:22.275229+0000","flow_id":1520613805559668,"in_iface":"enp2s0f1","event_type":"ftp","vlan":[x],"src_ip":"x.x.x.x","src_port":10000,"dest_ip":"44.241.66.173","dest_port":21,"proto":"TCP","pkt_src":"wire/pcap","community_id":"1:yePni5ClwUx84075Q3q421ykBWI=","tx_id":22,"ftp":{"command":"RETR","command_data":"newfile.txt","command_truncated":false,"completion_code":["150","226"],"reply":["Opening BINARY mode data connection for newfile.txt (33 bytes).","Transfer complete."],"reply_received":"yes","reply_truncated":false}}

FLOW

{"timestamp":"2023-10-31T14:54:01.535926+0000","flow_id":1520613805559668,"in_iface":"enp2s0f1","event_type":"flow","vlan":[x],"src_ip":"x.x.x.x","src_port":10000,"dest_ip":"44.241.66.173","dest_port":21,"proto":"TCP","app_proto":"ftp","app_proto_tc":"failed","flow":{"pkts_toserver":72,"pkts_toclient":66,"bytes_toserver":4743,"bytes_toclient":5477,"start":"2023-10-31T14:45:33.091901+0000","end":"2023-10-31T14:53:54.032360+0000","age":501,"state":"closed","reason":"timeout","alerted":false},"community_id":"1:yePni5ClwUx84075Q3q421ykBWI=","tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed","ts_max_regions":1,"tc_max_regions":1}}


Fileinfo example

{"timestamp":"2023-10-31T13:25:23.618577+0000","flow_id":953608882538264,"in_iface":"enp2s0f1","event_type":"fileinfo","vlan":[x],"src_ip":"x.x.x.x","src_port":10000,"dest_ip":"104.18.38.233","dest_port":80,"proto":"TCP","pkt_src":"wire/pcap","community_id":"1:zcPiP8f2grng8RHRFSjdPjWoq5M=","http":{"hostname":"geant.ocsp.sectigo.com","url":"/","http_user_agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/119.0","http_content_type":"application/ocsp-response","http_method":"POST","protocol":"HTTP/1.1","status":200,"length":727},"app_proto":"http","fileinfo":{"filename":"/","magic":"data","gaps":false,"state":"CLOSED","md5":"858baa8dbeb0699ca786499417e84b96","sha1":"38c3dd4110eb9d8e0f4494278921d7c53d5d9ccc","sha256":"4c7500dd7b72fe047b730105b1571ee8fa78aeba694cb11e67bc96e528caa73e","stored":false,"size":83,"tx_id":0}}
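The fileinfo event above already carries the sha256 of the transferred object, which is what the original question (alerting on a known-bad sha256 without storing files) needs. The inline way to do that is a rule using the filesha256 keyword from the File Keywords chapter linked earlier; the script below is an added, offline complement written for this thread, not code from the Suricata project or from any poster: it reads eve.json lines, keeps only fileinfo events, compares each logged sha256 against a blocklist, and counts fileinfo events that carry no hash at all (for example a truncated transfer). The blocklist, the event names and the three extra log lines are constructed for the example; the first blocklist entry is the sha256 from the OCSP response event quoted above, which is benign and is listed only so the sample input produces one match.

```python
import json
from typing import Iterable

# Constructed blocklist (not real IoCs). The first entry is the sha256 from the
# fileinfo event quoted in this thread, a benign OCSP response, included only so
# the sample input below yields a match; the second is a placeholder.
BLOCKLIST_SHA256 = {
    "4c7500dd7b72fe047b730105b1571ee8fa78aeba694cb11e67bc96e528caa73e",
    "0" * 64,
}

# Constructed eve.json sample: the thread's fileinfo event (trimmed to the
# fields used here), one hashed file not on the list, one truncated transfer
# with no hash, one non-fileinfo event and one malformed line.
SAMPLE_EVE_LINES = [
    '{"timestamp":"2023-10-31T13:25:23.618577+0000","flow_id":953608882538264,'
    '"event_type":"fileinfo","src_ip":"x.x.x.x","src_port":10000,'
    '"dest_ip":"104.18.38.233","dest_port":80,"proto":"TCP",'
    '"http":{"hostname":"geant.ocsp.sectigo.com","url":"/",'
    '"http_content_type":"application/ocsp-response","http_method":"POST","status":200},'
    '"app_proto":"http","fileinfo":{"filename":"/","magic":"data","gaps":false,'
    '"state":"CLOSED","sha256":"4c7500dd7b72fe047b730105b1571ee8fa78aeba694cb11e67bc96e528caa73e",'
    '"stored":false,"size":83,"tx_id":0}}',
    '{"timestamp":"2023-10-31T13:30:00.000000+0000","flow_id":1,"event_type":"fileinfo",'
    '"src_ip":"192.0.2.10","dest_ip":"203.0.113.5","dest_port":80,"proto":"TCP",'
    '"http":{"hostname":"files.example","url":"/report.pdf"},"app_proto":"http",'
    '"fileinfo":{"filename":"/report.pdf","state":"CLOSED","sha256":"' + "ab" * 32 + '",'
    '"stored":false,"size":4096}}',
    '{"timestamp":"2023-10-31T13:31:00.000000+0000","flow_id":2,"event_type":"fileinfo",'
    '"src_ip":"192.0.2.10","dest_ip":"203.0.113.5","dest_port":80,"proto":"TCP",'
    '"http":{"hostname":"files.example","url":"/big.bin"},"app_proto":"http",'
    '"fileinfo":{"filename":"/big.bin","state":"TRUNCATED","stored":false,"size":65536}}',
    '{"timestamp":"2023-10-31T13:32:00.000000+0000","flow_id":3,"event_type":"flow",'
    '"src_ip":"192.0.2.10","dest_ip":"203.0.113.5","proto":"TCP"}',
    "this line is not json",
]


def parse_blocklist(text: str) -> set[str]:
    """Parse a one-hash-per-line blocklist; '#' comments and blank lines are skipped,
    hashes are lower-cased and anything that is not 64 hex characters is dropped."""
    hashes = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip().lower()
        if len(line) == 64 and all(c in "0123456789abcdef" for c in line):
            hashes.add(line)
    return hashes


def parse_fileinfo(line: str):
    """Return the decoded event if the line is a valid fileinfo event, else None."""
    try:
        event = json.loads(line)
    except json.JSONDecodeError:
        return None
    if not isinstance(event, dict) or event.get("event_type") != "fileinfo":
        return None
    return event


def scan_eve(lines: Iterable[str], blocklist: set[str]) -> dict:
    """Walk eve.json lines and report fileinfo events whose sha256 is blocklisted.
    Events without a sha256 (truncated transfer, hashing not requested) are
    counted separately so a silent gap in coverage is visible."""
    summary = {"fileinfo": 0, "hashed": 0, "unhashed": 0, "matches": []}
    for line in lines:
        event = parse_fileinfo(line)
        if event is None:
            continue
        summary["fileinfo"] += 1
        info = event.get("fileinfo", {})
        sha256 = info.get("sha256")
        if not sha256:
            summary["unhashed"] += 1
            continue
        summary["hashed"] += 1
        if sha256.lower() in blocklist:
            http = event.get("http", {})
            summary["matches"].append({
                "timestamp": event.get("timestamp"),
                "flow_id": event.get("flow_id"),   # correlate with flow/http events
                "src_ip": event.get("src_ip"),
                "dest_ip": event.get("dest_ip"),
                "app_proto": event.get("app_proto"),
                "hostname": http.get("hostname"),
                "url": http.get("url"),
                "filename": info.get("filename"),
                "size": info.get("size"),
                "sha256": sha256.lower(),
            })
    return summary


if __name__ == "__main__":
    # Run against the constructed sample; for a live box read eve.json instead.
    print(json.dumps(scan_eve(SAMPLE_EVE_LINES, BLOCKLIST_SHA256), indent=2))
```

Two things this makes visible that the thread touches on: a fileinfo event only carries a hash when the whole object was seen (state CLOSED) and hashing was requested (by a rule using a file hash keyword, or by the force-hash option of the eve files output, which is evidently set in the quoted event since it logs md5, sha1 and sha256), and the flow_id in a match is what ties the file back to the flow and http events for the same transfer. A rising "unhashed" count is therefore worth watching as a coverage signal, not just a curiosity.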

At least the fileinfo feature itself seems to work as you have events on that. Try to capture a pcap for a test, so we could investigate it.