Add Suricata package for installation into the FLARE-VM #1314
Comments
|
Flare-VM is mainly made for reverse engineering malware and for simulating malware activity already package fakenet-ng is added. Suricata is tool more on the detection side of the work to check whether network behaviour of the malware is detected using the rule or not. |
|
yes, similar to how we use Yara and its rules to help detect capabilities, families, properties of different static artifacts, Suricata can apply rules to match in network traffic. The primary goal would be that those detections help an analyst more quickly identify malware family/capabilities, or add additional confidence to the static/dynamic analysis they are already doing. It does not need to run as a service (and therefore not become a resource concern), offline mode can be invoked on-demand and even a large rule set is relatively small in size (i.e. what it would consume on disk). Most major sandboxes include network detections (and many use Suricata), so I think it is a long overdue capability to have in the flare-vm :) |
Details
I'd like to propose the inclusion of Suricata, primariy for the FLARE-VM. Suricata can run in offline mode, allowing for the consumption of PCAP to generate alerts or other network data (i.e. JA3/JA4,etc). This can be used in conjunction with tools like Fakenet, allowing for offline network generation and analysis.
Suricata provides an MSI installer: https://www.openinfosecfoundation.org/download/windows/Suricata-7.0.8-1-64bit.msi.
Rule sets will need to be added to the default rule path, which will be under C:\ProgramFiles\Suricata\rules. There are a few options for open-source/open license rule sets. ET Open is the largest and most popular: https://rules.emergingthreats.net/open/suricata-7.0.3/. AttackDetection is another: https://github.com/ptresearch/AttackDetection. And there are several options from AbuseCH: https://sslbl.abuse.ch/blacklist/.
To get an idea of how Suricata could be used in the FLARE-VM, I have a short video series on YouTube: https://www.youtube.com/playlist?list=PLHJns8WZXCdthheGdEpV4D_NdKTwcd_Xg. This would not only allow for increased detection opportunities, but the foundation of a custom rule writing workflow for those interested in creating their own rules. I hope this request found the right location and appreciate the consideration. Please let me know if you have any questions.
Thanks,
Josh
The text was updated successfully, but these errors were encountered: