Suricata IDs with CVSS vectors

I need to associate CVSS v3/v4 vectors to use as vulnerability and threat metrics in Suricata alert events, and I usually find associations with application in CVE IDs. How can I associate the composition of CVSS vectors to Suricata IDs in the 3 metric bases that CVSS uses? Could I use Suricata ID + severity as a strong key for clustering and apply CVSS vectors? Thank you.

Many – not all – Suricata rules include CVE references with the rule – in the reference and metadata section.

Here’s an example from the Proofpoint/ET Open (free) Suricata ruleset that shows the CVE reference in the reference and metadata sections.

alert udp any any -> $HOME_NET 139 (msg:"ET NETBIOS Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (7)"; content:"|20 00|"; content:"|C8 4F 32 4B 70 16 D3 01 12 78 5A 47 BF 6E E1 88|"; content:"..|5C|..|5C|"; reference:url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx; reference:cve,2008-4250; reference:url,www.kb.cert.org/vuls/id/827267; classtype:attempted-admin; sid:2008696; rev:6; metadata:created_at 2010_07_30, cve CVE_2008_4250, updated_at 2019_07_26;)

Here’s another rule that also includes the CVE reference in the rule msg:

alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Geoserver Unsafe jxpath Evaluation RCE Attempt M5 (CVE-2024-36401)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/geoserver/w"; fast_pattern; startswith; content:"s?"; distance:1; within:2; content:"valuereference"; nocase; distance:0; content:"exec|28|java.lang.Runtime.getRuntime|28 29 2c|"; nocase; within:40; reference:cve,2024-36401; reference:url,github.com/Mr-xn/CVE-2024-36401?tab=readme-ov-file; classtype:attempted-admin; sid:2055811; rev:1; metadata:affected_product Geoserver, attack_target Server, tls_state plaintext, created_at 2024_09_09, cve CVE_2024_36401, deployment Perimeter, deployment Internal, performance_impact Low, confidence High, signature_severity Major, updated_at 2024_09_09; target:dest_ip;)

Is this what you’re looking for?

Thank you for your attention! It was very useful. However, when analyzing a log file of events with a minimal, basic configuration in suricata.yaml, without the possibility of changing the rules, I do not have the metadata information. As a use case, I would like to try to apply CVSS and, by analogy, make some association with CVEs. I would like to adapt CVSS metrics to evaluate these logs. And I am thinking about accommodating indexing by Suricata ID (SID) + severity, perhaps? More protocol information? And associating it with a grouping to identify summarized sets of alerts by priority, vulnerabilities?

The default/minimal Suricata configuration doesn’t include the rule metadata in the alert.

Add this snippet to the alert section within outputs:

      # suricata.yaml: under outputs, in the eve-log output's types list
      types:
        - alert:
            metadata:
              rule:
                metadata: true

You can also make the association with the CVE-related rules by processing the alerts, as they contain the signature id, and you have access to the rules file.
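As an added example (not code from this thread or from the Suricata project), the script below does what the answer describes: it reads the rules file to map each sid to the CVE ids found in the rule's reference, metadata and msg fields, then clusters EVE alerts by (sid, severity) and attaches those CVEs, which are the key you would then use to look up a CVSS vector per CVE. The rule and EVE lines are constructed, abridged samples based on the two rules quoted above.

```python
import json
import re
from collections import defaultdict

# Constructed, abridged forms of the two ET Open rules quoted above (not the full rules).
RULES_TEXT = (
    'alert udp any any -> $HOME_NET 139 (msg:"ET NETBIOS MS08-067 (7)"; reference:cve,2008-4250; '
    'classtype:attempted-admin; sid:2008696; rev:6; metadata:created_at 2010_07_30, cve CVE_2008_4250;)\n'
    'alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Geoserver RCE (CVE-2024-36401)"; '
    'reference:cve,2024-36401; sid:2055811; rev:1; metadata:cve CVE_2024_36401, signature_severity Major;)\n'
)
# Constructed EVE JSON lines carrying only the fields this example reads.
EVE_LINES = [
    '{"event_type":"alert","alert":{"signature_id":2055811,"severity":1}}',
    '{"event_type":"alert","alert":{"signature_id":2055811,"severity":1}}',
    '{"event_type":"alert","alert":{"signature_id":2008696,"severity":1}}',
    '{"event_type":"flow"}',  # non-alert events are skipped
]
SID_RE = re.compile(r";\s*sid:(\d+)\s*;")
# The three places a CVE id appears in a rule: reference:, metadata:, and the msg text.
CVE_RES = [
    re.compile(r"reference:cve,(\d{4})-(\d{4,})"),
    re.compile(r"\bcve CVE_(\d{4})_(\d{4,})"),
    re.compile(r"\bCVE-(\d{4})-(\d{4,})"),
]

def sid_to_cves(rules_text):
    """Map each rule's sid to the set of normalised CVE ids found anywhere in that rule."""
    mapping = defaultdict(set)
    for line in rules_text.splitlines():
        sid = SID_RE.search(line)
        if line.startswith("#") or not sid:  # skip commented-out rules and lines without a sid
            continue
        for rx in CVE_RES:
            for m in rx.finditer(line):
                mapping[int(sid.group(1))].add("CVE-%s-%s" % m.groups())
    return mapping

def cluster_alerts(eve_lines, mapping):
    """Group alerts by (sid, severity) and attach the CVEs the rules file links to that sid."""
    clusters = {}
    for line in eve_lines:
        ev = json.loads(line)
        if ev.get("event_type") != "alert":
            continue
        key = (ev["alert"]["signature_id"], ev["alert"]["severity"])
        c = clusters.setdefault(key, {"count": 0, "cves": sorted(mapping.get(key[0], ()))})
        c["count"] += 1
    return clusters
```

On a real deployment, replace RULES_TEXT with the contents of the loaded .rules files and EVE_LINES with eve.json; sids that map to no CVE are the ones CVSS cannot be applied to by this route.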