Suricata Havex rule is not working

Hello, I am trying to get these rules to trigger:

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Havex RAT CnC Server Response"; flow:established,from_server; file_data; content:"|3c 21 2d 2d|havexhavex|2d 2d 3e|"; metadata: former_category MALWARE; reference:md5,6557d6518c3f6bcb8b1b2de77165c962; classtype:trojan-activity; sid:2018243; rev:2; metadata:created_at 2014_03_11, updated_at 2014_03_11;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Havex RAT CnC Server Response HTML Tag"; flow:established,from_server; file_data; content:"|3c|mega http|2d|equiv|3d|"; metadata: former_category MALWARE; reference:md5,6557d6518c3f6bcb8b1b2de77165c962; classtype:trojan-activity; sid:2018244; rev:2; metadata:created_at 2014_03_11, updated_at 2014_03_11;)

You can find these rules in the emerging-trojan.rules file, if you have the emerging rules installed.

My definition for External and Home Net is as follows:
HOME_NET: "[169.254.208.208/16,192.168.0.11/24]"
EXTERNAL_NET: "!$HOME_NET"

I then sent and recorded these packets:

dump.pcap (275.2 KB)

I don’t understand why I don’t get an output to fast.log. For example, I believe packet number 193 should trigger the rule.

Any help appreciated.

The pcap is very strange. For the TCP “session” that packet 193 is supposed to be part of, we see that both the request and the response have the same src_ip and dest_ip. So it’s like the client sent a request to the server and then also sent the response to the server, while the server didn’t respond. How did you generate the pcap?

I sent it using a Scapy script which replaces ALL the packets’ source addresses with my sending device’s source address, and likewise the destination addresses with the receiving device’s address.

I don’t completely understand, but I can see that the pcap is invalid. In the real traffic you’re sending, do the SYN and SYN/ACK have the same src ip? Do they have the same dst ip? If so I think your script needs some work to create a proper TCP and HTTP session.

Here is the original script: havex.pcap (269.1 KB)

Here is the python code I used to modify and send the packets:

from scapy.all import *
# This code reads packet data from the pcap file supplied, rewrites the Ethernet
# and IP addresses and replays the packets. Every packet gets the same src/dst,
# whichever direction it travelled in the original capture.
pkts = rdpcap("havex.pcap")
for pkt in pkts:
    pkt.show()
    pkt[Ether].src = "00:E0:4C:00:02:42"
    pkt[Ether].dst = "00:E0:4C:01:08:99"
    pkt[IP].src = "169.254.162.71"
    pkt[IP].dst = "169.254.208.208"
    # Drop the stored checksums so Scapy recomputes them for the new addresses
    pkt[IP].chksum = None
    pkt[IP].payload.chksum = None
    wrpcap('dump.pcap', pkt, append=True)
    sendp(pkt, iface="Ethernet 4")  # sending packet at layer 2
    print("Sent!")

Yeah, so this breaks the TCP/HTTP, as it removes the directionality from the pcap.

Will try again with an updated script, but could you go into more detail about how, in its current form, the TCP/HTTP is broken? I would like to know more.

Can confirm, I see 100 hits on the havex pcap with ETOPEN and 0 hits on the dump pcap.

In the original you can see there is a client IP and a server IP and they talk back and forth. This is normal TCP/HTTP.

The script you use rewrites it to have just the (new) client IP talk to the (new) server IP. So there is no conversation anymore. The client IP now also pretends to be the server when it replies to its own request which it also sends to the new server IP.

I have made adjustments to my code, see below:

from scapy.all import *
# This code reads packet data from the pcap file supplied and rewrites each
# direction separately: packets from the original attacker become
# 169.254.162.71 -> 169.254.208.208, packets from the original victim become
# 169.254.208.208 -> 169.254.162.71.
pkts = rdpcap("havex.pcap")
ORIGINAL_VICTIM_ADDRESS = "10.0.2.15"
ORIGINAL_ATTACKER_ADDRESS = "68.183.138.51"
for pkt in pkts:
    if IP not in pkt:
        continue  # skip non-IP frames (e.g. ARP) instead of failing on pkt[IP]
    # Attacker -> victim direction
    if pkt[IP].src == ORIGINAL_ATTACKER_ADDRESS:
        pkt[Ether].src = "00:E0:4C:00:02:42"
        pkt[Ether].dst = "00:E0:4C:01:08:99"
        pkt[IP].src = "169.254.162.71"
        pkt[IP].dst = "169.254.208.208"
    # Victim -> attacker direction
    elif pkt[IP].src == ORIGINAL_VICTIM_ADDRESS:
        pkt[Ether].src = "00:E0:4C:01:08:99"
        pkt[Ether].dst = "00:E0:4C:00:02:42"
        pkt[IP].src = "169.254.208.208"
        pkt[IP].dst = "169.254.162.71"
    # Drop the stored checksums so Scapy recomputes them for the new addresses
    pkt[IP].chksum = None
    pkt[IP].payload.chksum = None
    #wrpcap('dump.pcap', pkt, append=True)
    sendp(pkt, iface="Ethernet 4")  # sending packet at layer 2
    print("Sent!")

This code produces this pcap file: dump.pcap (269.1 KB)

When Suricata read this file, no rule violation occurred (nothing was written to fast.log). When the packets were sent live, no rule violation occurred either (nothing was written to fast.log). I’m confused. I have noticed that not all the packets were changed to the updated IP addresses, but still, I don’t think that would have prevented a rule from triggering. Any help appreciated.

Both src and dst are part of the HOME_NET due to using a /16 instead of a /24.

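The two problems raised in this thread (the first script collapsing both directions onto one src/dst pair, and the /16 HOME_NET swallowing the rewritten attacker address) can be checked without Scapy or a capture. The example below is added here and is not code from the thread or from Suricata; it models the havex.pcap conversation as a constructed list of packets using the addresses named above, applies both rewrite strategies, and evaluates the rule header `$EXTERNAL_NET any -> $HOME_NET any` against the HOME_NET definitions from the thread. The packet list and the helper names are assumptions made for this example; the address-group parser only handles the plain `[cidr,cidr]` form used here.

```python
import ipaddress
from collections import namedtuple

# Minimal packet model: only the fields the direction/address checks need.
Packet = namedtuple("Packet", "src dst flags")

# Constructed stand-in for the havex.pcap conversation (handshake plus one
# HTTP request/response). Addresses are the ones named in the thread; the
# packet list itself is made up for this example, not read from the capture.
ORIGINAL_VICTIM = "10.0.2.15"
ORIGINAL_ATTACKER = "68.183.138.51"
ORIGINAL = [
    Packet(ORIGINAL_VICTIM, ORIGINAL_ATTACKER, "S"),    # SYN
    Packet(ORIGINAL_ATTACKER, ORIGINAL_VICTIM, "SA"),   # SYN/ACK
    Packet(ORIGINAL_VICTIM, ORIGINAL_ATTACKER, "A"),    # ACK
    Packet(ORIGINAL_VICTIM, ORIGINAL_ATTACKER, "PA"),   # HTTP request
    Packet(ORIGINAL_ATTACKER, ORIGINAL_VICTIM, "PA"),   # HTTP response (CnC body)
]

# Mapping used by the second script in the thread: attacker -> .162.71, victim -> .208.208
ADDR_MAP = {ORIGINAL_ATTACKER: "169.254.162.71", ORIGINAL_VICTIM: "169.254.208.208"}


def rewrite_uniform(pkts, new_src, new_dst):
    """What the first script does: every packet gets the same src and dst,
    so the server's replies now appear to come from the client."""
    return [Packet(new_src, new_dst, p.flags) for p in pkts]


def rewrite_mapped(pkts, addr_map):
    """What the second script does, generalised to any number of endpoints:
    map each address independently so the two directions stay distinct."""
    return [Packet(addr_map.get(p.src, p.src), addr_map.get(p.dst, p.dst), p.flags)
            for p in pkts]


def handshake_is_bidirectional(pkts):
    """True when the SYN and the SYN/ACK travel in opposite directions, which
    is the minimum Suricata needs to track a TCP session at all."""
    syn = next(p for p in pkts if p.flags == "S")
    synack = next(p for p in pkts if p.flags == "SA")
    return (syn.src, syn.dst) == (synack.dst, synack.src)


def parse_address_group(value):
    """Parse a suricata.yaml address group such as "[a/16,b/24]" into networks.
    strict=False accepts host bits set below the mask, as Suricata does, so
    169.254.208.208/16 becomes 169.254.0.0/16."""
    inner = value.strip().strip("[]")
    return [ipaddress.ip_network(tok.strip(), strict=False)
            for tok in inner.split(",") if tok.strip()]


def in_home_net(ip, home_net):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in home_net)


def external_to_home(pkt, home_net):
    """Evaluate the rule header '$EXTERNAL_NET any -> $HOME_NET any' with
    EXTERNAL_NET defined as !$HOME_NET (ports are 'any', so ignored)."""
    return (not in_home_net(pkt.src, home_net)) and in_home_net(pkt.dst, home_net)


def count_rule_candidates(pkts, home_net):
    """Packets that pass the header's address/direction check. Payload matching
    (flow:established, file_data, content) is deliberately out of scope here."""
    return sum(1 for p in pkts if external_to_home(p, home_net))


if __name__ == "__main__":
    uniform = rewrite_uniform(ORIGINAL, "169.254.162.71", "169.254.208.208")
    mapped = rewrite_mapped(ORIGINAL, ADDR_MAP)
    print("uniform rewrite keeps handshake:", handshake_is_bidirectional(uniform))  # False
    print("mapped rewrite keeps handshake: ", handshake_is_bidirectional(mapped))   # True
    for cfg in ("[169.254.208.208/16,192.168.0.11/24]",
                "[169.254.208.208/24,192.168.0.11/24]"):
        home = parse_address_group(cfg)
        print(cfg, "->", count_rule_candidates(mapped, home), "packets pass the header")
```

With the /16 definition, 169.254.162.71 is inside HOME_NET, so no packet can ever satisfy `$EXTERNAL_NET -> $HOME_NET`, regardless of how the pcap was rewritten. With a /24 the two server-to-client packets of the mapped rewrite pass the header check. The uniform rewrite is the mirror image of the problem: every packet passes the header check under the /24, but the handshake no longer has two directions, so `flow:established,from_server` can never be satisfied and the HTTP parser has no session to attach `file_data` to.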