suricata.yaml (75.0 KB)
Suricata version 6.0.10 RELEASE
In Suricata I have configured it the following way. I share my yaml, my hash alert format, and the file containing the hash. I also share the way I get the file on my network.
I configured IIS on another PC, where I host the .exe for which I have the MD5 and SHA256 hashes that I obtained with PowerShell's Get-FileHash command.
I use:
wget http://pc-ip-on-network/mysql-connector-net-8.4.0.msi
sha256_iocs.list (one per line):
0F3CC89418C459565471863B089F706DA0D1F84DE2C5AC1F4E51CD07F6B59925
md5_iocs.list (one per line):
E09468A77C4D566BFA10A983DC4D84BF
I use this rule for SHA256:
alert http any any -> any any (msg:"Black list checksum match and extract SHA256"; filesha256:/var/lib/suricata/rules/rules/sha256_iocs.list; filestore; classtype:classtype-test; priority:1; sid:6; rev:1;)
and I use this rule for MD5:
alert http any any -> any any (msg:"Black list checksum match and extract MD5"; filemd5:/var/lib/suricata/rules/rules/md5_iocs.list; filestore; classtype:classtype-test; priority:1; sid:7; rev:1;)
I use that particular path; it is not an error:
"/var/lib/suricata/rules/rules/"
I am on a mirror port where I see all the network traffic, and I used HTTP to pass the file, according to the rule. Can someone help me with the solution to my problem? Thank you so much.
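As an added offline check (example code written for this thread, not the poster's setup and not Suricata's own list loader): it parses a list file in the same one-hash-per-line layout as sha256_iocs.list / md5_iocs.list, reports every line it cannot read, and tests whether a given file body's digest is in the list, i.e. whether a filesha256/filemd5 rule pointing at that list should fire on that body. The tolerance rules (stripped whitespace and CR, case-insensitive hex, '#' comments) are the checker's own assumptions, and the sample file body and list are constructed.

```python
import hashlib
import re

# Expected hex length of each digest type used by the filemd5 / filesha256 keywords.
HEX_LEN = {"md5": 32, "sha256": 64}
_HEX = re.compile(r"^[0-9a-f]+$")


def load_ioc_list(text, algo):
    """Parse a one-hash-per-line list such as sha256_iocs.list or md5_iocs.list.

    Assumption (this checker's own rules, not a statement about Suricata's loader):
    surrounding whitespace and CR are stripped, case is ignored, blank lines and
    lines starting with '#' are skipped. Returns (set_of_lowercase_hashes,
    list_of_rejected_(line_no, raw_line)) so malformed entries are visible.
    """
    want = HEX_LEN[algo]
    good, bad = set(), []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip().lower()
        if not line or line.startswith("#"):
            continue
        if len(line) != want or not _HEX.match(line):
            bad.append((no, raw))
            continue
        good.add(line)
    return good, bad


def hash_bytes(data, algo):
    """Digest of a file body (the bytes carried in the HTTP response body)."""
    return hashlib.new(algo, data).hexdigest()


def would_match(data, ioc_text, algo):
    """True if a filemd5/filesha256 rule using this list should fire on this body."""
    iocs, _ = load_ioc_list(ioc_text, algo)
    return hash_bytes(data, algo) in iocs


if __name__ == "__main__":
    # Constructed sample: stands in for the downloaded installer body.
    body = b"MZ\x90\x00 constructed sample installer bytes"
    # Constructed list: uppercase hash with CRLF line endings (as Get-FileHash output
    # pasted from Windows would look), one malformed line and one comment.
    ioc_text = hash_bytes(body, "sha256").upper() + "\r\nnot-a-hash\r\n# comment\r\n"
    good, bad = load_ioc_list(ioc_text, "sha256")
    print("loaded:", len(good), "rejected:", bad)
    print("match:", would_match(body, ioc_text, "sha256"))
```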