Detecting Steganography in Images

Hi all

Do you know of any scripts (or any other method) which enables Suricata to inspect images for steganography (hidden messages)?

For example, imagine some malware was using LSB steganography to exfiltrate data from our network inside innocent looking images. Is there a way for Suricata to flag these images as potentially containing hidden data?

Thanks for your time.



Hi @steveo !
Welcome to our forum. :slight_smile:

If you have the right rules in place for traffic like that, Suricata will be able to detect it. One such example that comes to mind is the IceID malware (Banking malware) that used steganographic payloads. Suricata was able to detect and fire alerts about it if the correct rules from ET (and other sources or self made) were in place.

Suricata provides the feature of file extraction for you to analyze any files that come into your network. Then, you can create a ruleset based on the information you gathered from your analysis for Suricata to detect any other such files.