Detecting lateral movement

Nuno_Santos · August 17, 2021, 9:33pm

Hi there.

I though of how can we make Suricata efficient in detecting lateral movement.

As signatures are often written with the EXTERNAL_NET and HOME_NET variables, this means they won’t match if both sides of a flow are in the HOME_NET. So, as far as my understanding goes, the only way to detect this kind of movement is to change EXTERNAL_NET to “any” in Suricata configuration file?

syoc · August 18, 2021, 10:08am

I would recommend against changing EXTERNAL_NET to “any” for rules you don’t know.
Rules variables should be used intentionally, changing them might break detection logic or cause a lot of false positives.
You could look for lateral movement rules by grepping rulesets and enabling those rules for example.

IDSTower · August 19, 2021, 5:49pm

Dear Santos,
Yes indeed, you either have to change the value of EXTERNAL_NET in suricata.yaml or to apply a rule transformation that replace $EXTERNAL_NET with any in the rule files.

free version of IDSTower supports replacing EXTERNAL_NET with “any” rule transformation with a single click.

you can also use simple linux command to do the same.

Nuno_Santos · August 19, 2021, 6:54pm

What is that Linux command?

IDSTower · August 23, 2021, 7:03am

a simple sed command should do it

sed -i ‘s/old-text/new-text/g’ suricata.rules

Nuno_Santos · August 23, 2021, 10:51am

What i still cannot understand is the difference between this command and changing $EXTERNAL_NET value to “any” in the config file.

In my understanding, the sed command changes $EXTERNAL_NET value to any aswell on every rule.

So what is exactly the difference between the two?

IDSTower · August 23, 2021, 11:04am

There is no difference in the result, since the both scenarios will have “any” at the end.

However it is better in my opinion to change the rules instead of changing the config file since you might need to use the variable $EXTERNAL_NET in a different rules file…etc

Andreas_Herz · August 29, 2021, 7:24pm

Setting EXTERNAL_NET correct is important and sometimes not that easy. If you have several TAPs or Mirror Ports you might want to set it different depending on the position. For example if you have a client A, proxy B and target C you can have one mirror port between A and B and one between B and C and thus it might be worth to have B in EXTERNAL_NET for the first part and in HOME_NET for the second part. Best would be to use multi tenancy feature in Suricata or two instances.

Topic		Replies	Views
Suricata-update - modify.conf and $EXTERNAL_NET Help	2	581	February 19, 2021
Outbound traffic Rules	1	658	October 28, 2021
Excluding VARS from HOME_NET & EXTERNAL_NET Rules	1	955	February 27, 2021
Extremely confused by default Suricata evaluation order Help	0	328	June 8, 2022
Suricata rules about network scan Rules rules	2	661	January 18, 2023

Detecting lateral movement

Related Topics