Hello Sir!
I am currently working on analyzing PCAP files focusing on rule-triggering behavior. I have encountered an interesting situation.
I have attached two PCAP files with my yaml file and rule for your review:
alert http any any → any any (msg:“testing SHA256 key word”; filesha256:sha256_iocs.list; sid:04;)
The first file, PDF.pcap, was downloaded from the internet(File store of suricata ). After extracting the SHA256 hash from Suricata’s EVE JSON output and adding it to my IOC.list file, I tested the above rule that successfully triggered an alert.
However, when I performed the same process with the Cerber.pcap file, I encountered a different result. Despite extracting a different SHA256 hash from the Cerber.pcap file’s EVE JSON output and adding it to my IOC.list file, the same rule did not trigger an alert.
I conducted additional tests on two more files, extracting their SHA256 hashes using the ‘sha256sum’ command for both ‘.exe’ and ‘.pdf’ files. I added these SHA256 hashes to my IOC.list and tested the rule again.
However, I encountered an issue where the rule did not trigger any alerts. Upon reviewing the EVE JSON output, I noticed that it generated different SHA256 hashes compared to the ones I had extracted using the ‘sha256sum’ command.
In an attempt to resolve this inconsistency, I copied both sets of SHA256 hashes from the EVE JSON output and pasted them into my IOC list. Unfortunately, even after this adjustment, the rule still did not trigger any alerts.
I am currently uncertain about the reason behind this discrepancy. The EVE JSON output shows different hashes from what I extracted externally using ‘sha256sum,’ yet the rule fails to alert as expected. Any insights or guidance on this matter would be greatly appreciated.
(the version of suricata is 7.0.0)
Regards,
suricata.yaml (69.5 KB)
pdf_http_467659.pcap (12.3 KB)
cerberTest12.pcap (698.5 KB)