Hey guys,
I am a CS student and new to the IDS domain.
I am currently trying to generate Suricata rules from NIDS datasets using ML algorithms. I know that suricata rules are often formulated by experts. Therefore, the generation might not necessarily be promising. However, it is only a proof of concept.
I mainly use the rule options flowbits, flowint, stream_size, etc.
When I apply my generated rule set to a PCAP file, the precision of the classification is significantly higher if I add the flow:established option to each rule.
This is a simplified example:
alert ip any any <> any any (sid:102; flow:to_server; ttl:31; flowbits:set,sttl_is_31; flowbits:noalert;)
alert ip any any -> any any (sid:103; msg:"insert fancy alert msg"; flow:established; flowbits:isnotset,sttl_is_31;)
I have two questions:
- I read in the Suricata documentation that flow:established, for example, only considers TCP flows with a completed 3WHS. However, that doesn't explain to me why it reduces the number of false positives. Does anyone have a guess as to why my performance is changing?
- The docs also say that flow:established is also for UDP, although the state is handled differently. With signature 103, I am only able to detect TCP flows. All UDP flows with ttl 31 are not detected.
Sorry if these questions sound stupid, but I’m new and trying to understand the workings of Suricata under the hood.
Thanks and Kind Regards
Eike
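A toy model of how the two signatures in the post interact with flow state, added here as an illustration; it is not code from the post and not Suricata's actual engine. It assumes the documented states (TCP established after a completed 3WHS, UDP after traffic in both directions) and that the flowbits:set rule is evaluated before the flowbits:isnotset rule on the same packet; packet sequences are constructed.

```python
from dataclasses import dataclass, field

@dataclass
class Pkt:
    proto: str            # "tcp" or "udp"
    to_server: bool       # direction relative to the flow's client
    ttl: int
    flags: str = ""       # TCP flags, e.g. "S", "SA", "A", "PA"

@dataclass
class Flow:
    proto: str
    handshake: int = 0    # number of 3WHS steps seen (TCP only)
    seen_to_server: bool = False
    seen_to_client: bool = False
    established: bool = False
    flowbits: set = field(default_factory=set)

def update_flow(flow: Flow, pkt: Pkt) -> None:
    """Simplified flow-state tracking (assumption: models the docs, not the engine)."""
    if pkt.to_server:
        flow.seen_to_server = True
    else:
        flow.seen_to_client = True
    if flow.proto == "tcp":
        expected = ["S", "SA", "A"]
        if flow.handshake < 3 and pkt.flags == expected[flow.handshake]:
            flow.handshake += 1
        flow.established = flow.handshake == 3
    else:
        flow.established = flow.seen_to_server and flow.seen_to_client

def sid103_alerts(packets: list, require_established: bool) -> list:
    """Indices of packets (one flow) on which sid:103 alerts."""
    flow = Flow(proto=packets[0].proto)
    alerts = []
    for i, pkt in enumerate(packets):
        update_flow(flow, pkt)
        # sid:102 -- flow:to_server; ttl:31; flowbits:set,sttl_is_31; noalert
        if pkt.to_server and pkt.ttl == 31:
            flow.flowbits.add("sttl_is_31")
        # sid:103 -- flowbits:isnotset,sttl_is_31 (plus optional flow:established)
        if "sttl_is_31" not in flow.flowbits and (flow.established or not require_established):
            alerts.append(i)
    return alerts

# Constructed sample flows (not captured traffic)
TCP_TTL64 = [Pkt("tcp", True, 64, "S"), Pkt("tcp", False, 64, "SA"), Pkt("tcp", True, 64, "A"),
             Pkt("tcp", True, 64, "PA"), Pkt("tcp", False, 64, "PA")]
LONE_SYN = [Pkt("tcp", True, 64, "S")]               # never completes the 3WHS
UDP_ONE_WAY = [Pkt("udp", True, 64), Pkt("udp", True, 64)]
UDP_TWO_WAY = [Pkt("udp", True, 64), Pkt("udp", False, 64)]
```

Flows that never reach the established state (a lone SYN, one-directional UDP) produce no sid:103 alert once flow:established is required, which is one mechanism by which the option can remove matches.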