And a signature like this:
alert krb5 any any -> any any (msg:"Kerberoasting attack with non-preauth"; krb5_msg_type:10; krb5_sname; content:!"krbtgt"; content:!"changepw"; sid:1;)
I want to match AS-REQ with sname not in [krbtgt, changepw], but this rule does not work for some reason.
I also tried this and it does not work:
alert krb5 any any -> any any (msg:"Kerberoasting attack with non-preauth"; krb5_msg_type:10; krb5_sname; content:"hacker"; sid:1;)
But trying to match just krb5_msg_type or krb5_sname works perfectly
Yeah, it seems they all work separately but not in combination.
suricata -S tmp.rules -l logs/ -k none -r sname-test.pcap -v --set "stream.midstream=true" ; jq -r .event_type logs/eve.json | sort | uniq -c |sort -rn ; grep '"event_type":"alert"' logs/eve.json | jq .alert.signature | sort -rn | uniq -c | sort -rn
Notice: suricata: This is Suricata version 8.0.2 RELEASE running in USER mode
Info: cpu: CPUs/cores online: 16
Info: suricata: Setting engine mode to IDS mode by default
Info: exception-policy: master exception-policy set to: auto
Info: logopenfile: fast output device (regular) initialized: fast.log
Info: logopenfile: eve-log output device (regular) initialized: eve.json
Info: logopenfile: stats output device (regular) initialized: stats.log
Info: detect: 1 rule files processed. 6 rules successfully loaded, 0 rules failed, 0 rules skipped
Info: threshold-config: Threshold config parsed: 0 rule(s) found
Info: detect: 6 signatures processed. 0 are IP-only rules, 0 are inspecting packet payload, 6 inspect application layer, 0 are decoder event only
Notice: mpm-hs: Rule group caching - loaded: 0 newly cached: 2 total cacheable: 2
Info: pcap: Starting file run for sname-test.pcap
Info: pcap: pcap file sname-test.pcap end of file reached (pcap err code 0)
Notice: threads: Threads created -> RX: 1 W: 16 FM: 1 FR: 1 Engine started.
Notice: suricata: Signal Received. Stopping engine.
Info: suricata: time elapsed 0.090s
Notice: pcap: read 1 file, 14 packets, 4264 bytes
Info: counters: Alerts: 9
14 krb5
9 alert
7 flow
1 stats
1 anomaly
7 "Kerberoasting attack with non-preauth - 10"
1 "Kerberoasting attack with non-preauth - hacker"
1 "Kerberoasting attack with - kartunchikov "
cat tmp.rules
alert krb5 any any -> any any (msg:"Kerberoasting attack with non-preauth - 10/hacker"; krb5_msg_type:10; krb5.sname; content:"hacker"; sid:1;)
alert krb5 any any -> any any (msg:"Kerberoasting attack with non-preauth - hacker"; krb5.sname; content:"hacker"; sid:2;)
alert krb5 any any -> any any (msg:"Kerberoasting attack with - 10/kartunchikov"; krb5_msg_type:10; krb5.cname; content:"a.kartunchikov"; sid:3;)
alert krb5 any any -> any any (msg:"Kerberoasting attack with - kartunchikov "; krb5.cname; content:"kartunchikov"; sid:4;)
alert krb5 any any -> any any (msg:"Kerberoasting attack with non-preauth - 10"; krb5_msg_type:10; sid:5;)
alert krb5 any any -> any any (msg:"Kerberoasting attack with non-preauth - hacker/10"; krb5.sname; content:"hacker"; krb5_msg_type:10; sid:6;)
Can you please open a bug ticket for that on our Redmine and point to the discussion here?
Suggestion: If you need to alert on both matches, maybe you can utilize flowbits. Otherwise a regular SIEM query would highlight both, something like:
krb5_msg_type:10 and krb5.sname:"hacker" and krb5.cname:"a.kartunchikov"
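As an added example (not code from this thread, from Suricata, or from any poster), here is the "regular SIEM query" route written against eve.json instead of the rule engine: it reproduces the `jq` event-type count from the reproduction above, applies the intended AS-REQ (msg_type 10 = KRB_AS_REQ) plus "sname not krbtgt/changepw" condition as a query, and correlates each such request with the KDC reply in the same flow so you can tell whether a ticket was actually issued. The sample lines are constructed, not taken from the thread's pcap; the field layout (`krb5.msg_type`, `krb5.cname`, `krb5.sname`, `krb5.encryption`, `krb5.error_code`, top-level `flow_id`) follows Suricata's documented eve krb5 record, and the assumption that a KDC_ERR_PREAUTH_REQUIRED error is logged with `msg_type` "KRB_ERROR" is mine.

```python
import json
from collections import Counter, defaultdict

# Constructed sample of eve.json lines (invented for this example, NOT the
# thread's pcap). Field names follow Suricata's eve "krb5" event; values,
# addresses and flow ids are made up. The last line is deliberately not JSON.
SAMPLE_EVE = """\
{"timestamp":"2024-01-01T10:00:00.000000+0000","flow_id":1,"event_type":"krb5","src_ip":"10.0.0.5","dest_ip":"10.0.0.1","krb5":{"msg_type":"KRB_AS_REQ","cname":"a.kartunchikov","realm":"CORP.LOCAL","sname":"krbtgt/CORP.LOCAL"}}
{"timestamp":"2024-01-01T10:00:00.100000+0000","flow_id":1,"event_type":"krb5","src_ip":"10.0.0.1","dest_ip":"10.0.0.5","krb5":{"msg_type":"KRB_AS_REP","cname":"a.kartunchikov","realm":"CORP.LOCAL","sname":"krbtgt/CORP.LOCAL","encryption":"aes256-cts-hmac-sha1-96"}}
{"timestamp":"2024-01-01T10:00:01.000000+0000","flow_id":2,"event_type":"krb5","src_ip":"10.0.0.5","dest_ip":"10.0.0.1","krb5":{"msg_type":"KRB_AS_REQ","cname":"a.kartunchikov","realm":"CORP.LOCAL","sname":"hacker/srv01.corp.local"}}
{"timestamp":"2024-01-01T10:00:01.100000+0000","flow_id":2,"event_type":"krb5","src_ip":"10.0.0.1","dest_ip":"10.0.0.5","krb5":{"msg_type":"KRB_AS_REP","cname":"a.kartunchikov","realm":"CORP.LOCAL","sname":"hacker/srv01.corp.local","encryption":"rc4-hmac","weak_encryption":true}}
{"timestamp":"2024-01-01T10:00:02.000000+0000","flow_id":3,"event_type":"krb5","src_ip":"10.0.0.5","dest_ip":"10.0.0.1","krb5":{"msg_type":"KRB_AS_REQ","cname":"a.kartunchikov","realm":"CORP.LOCAL","sname":"kadmin/changepw"}}
{"timestamp":"2024-01-01T10:00:03.000000+0000","flow_id":4,"event_type":"krb5","src_ip":"10.0.0.5","dest_ip":"10.0.0.1","krb5":{"msg_type":"KRB_AS_REQ","cname":"j.doe","realm":"CORP.LOCAL","sname":"MSSQLSvc/db01.corp.local:1433"}}
{"timestamp":"2024-01-01T10:00:03.100000+0000","flow_id":4,"event_type":"krb5","src_ip":"10.0.0.1","dest_ip":"10.0.0.5","krb5":{"msg_type":"KRB_ERROR","cname":"j.doe","realm":"CORP.LOCAL","sname":"MSSQLSvc/db01.corp.local:1433","error_code":"KDC_ERR_PREAUTH_REQUIRED"}}
{"timestamp":"2024-01-01T10:00:04.000000+0000","flow_id":5,"event_type":"krb5","src_ip":"10.0.0.5","dest_ip":"10.0.0.1","krb5":{"msg_type":"KRB_TGS_REQ","cname":"a.kartunchikov","realm":"CORP.LOCAL","sname":"MSSQLSvc/db01.corp.local:1433"}}
{"timestamp":"2024-01-01T10:00:05.000000+0000","flow_id":6,"event_type":"alert","alert":{"signature":"something else"}}
this line is not json and must be skipped
"""

# The rule used negated content matches, i.e. substring tests, so mirror that
# rather than comparing for equality against a fixed principal name.
EXCLUDED_SNAME_SUBSTRINGS = ("krbtgt", "changepw")


def parse_eve(text):
    """Yield parsed eve records, silently skipping lines that are not JSON."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue


def count_event_types(text):
    """Same summary as `jq -r .event_type | sort | uniq -c`."""
    return Counter(rec.get("event_type") for rec in parse_eve(text))


def is_roastable_as_req(rec, excluded=EXCLUDED_SNAME_SUBSTRINGS):
    """True for an AS-REQ (msg_type 10) whose sname is neither the TGT service
    nor the password-change service: the condition the original rule meant."""
    if rec.get("event_type") != "krb5":
        return False
    k = rec.get("krb5") or {}
    sname = k.get("sname")
    if k.get("msg_type") != "KRB_AS_REQ" or not sname:
        return False
    return not any(x in sname for x in excluded)


def query_krb5(text, msg_type=None, sname_contains=None, cname_contains=None):
    """SIEM-style AND query over krb5 records; every argument is optional."""
    out = []
    for rec in parse_eve(text):
        if rec.get("event_type") != "krb5":
            continue
        k = rec.get("krb5") or {}
        if msg_type and k.get("msg_type") != msg_type:
            continue
        if sname_contains and sname_contains not in (k.get("sname") or ""):
            continue
        if cname_contains and cname_contains not in (k.get("cname") or ""):
            continue
        out.append(rec)
    return out


def find_as_req_roasting(text):
    """One finding per flow that carries a roastable AS-REQ. The KDC reply in
    the same flow (matched on flow_id) says whether a service ticket was
    issued (KRB_AS_REP) or pre-authentication was demanded (KRB_ERROR)."""
    flows = defaultdict(list)
    for rec in parse_eve(text):
        if rec.get("event_type") == "krb5":
            flows[rec.get("flow_id")].append(rec)
    findings = []
    for flow_id, recs in flows.items():
        reqs = [r for r in recs if is_roastable_as_req(r)]
        if not reqs:
            continue
        req = reqs[0]
        reply = next((r["krb5"] for r in recs
                      if r["krb5"].get("msg_type") in ("KRB_AS_REP", "KRB_ERROR")), None)
        findings.append({
            "flow_id": flow_id,
            "src_ip": req.get("src_ip"),
            "cname": req["krb5"].get("cname"),
            "sname": req["krb5"].get("sname"),
            "ticket_issued": reply is not None and reply.get("msg_type") == "KRB_AS_REP",
            "encryption": reply.get("encryption") if reply else None,
            "error_code": reply.get("error_code") if reply else None,
        })
    return findings


if __name__ == "__main__":
    for etype, n in count_event_types(SAMPLE_EVE).most_common():
        print(f"{n:>4} {etype}")
    for f in find_as_req_roasting(SAMPLE_EVE):
        print(f)
```

The flowbits form of the same suggestion would be a pair of rules, one matching `krb5_msg_type:10` with `flowbits:set,...; flowbits:noalert;` and a second matching `flowbits:isset,...; krb5.sname; content:!"krbtgt"; content:!"changepw";`; whether that actually sidesteps the keyword-combination problem reproduced above is not established in the thread, so treat it as an untested workaround. The correlation step matters in practice: a bare AS-REQ for a non-krbtgt sname only shows intent, while an AS-REP in the same flow (especially with `weak_encryption` set) shows the KDC handed over a crackable ticket.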