Add Suricata package for installation into the FLARE-VM

[jstrosch]

Details

I'd like to propose the inclusion of Suricata, primariy for the FLARE-VM. Suricata can run in offline mode, allowing for the consumption of PCAP to generate alerts or other network data (i.e. JA3/JA4,etc). This can be used in conjunction with tools like Fakenet, allowing for offline network generation and analysis.

Suricata provides an MSI installer: https://www.openinfosecfoundation.org/download/windows/Suricata-7.0.8-1-64bit.msi.

Rule sets will need to be added to the default rule path, which will be under C:\ProgramFiles\Suricata\rules. There are a few options for open-source/open license rule sets. ET Open is the largest and most popular: https://rules.emergingthreats.net/open/suricata-7.0.3/. AttackDetection is another: https://github.com/ptresearch/AttackDetection. And there are several options from AbuseCH: https://sslbl.abuse.ch/blacklist/.

To get an idea of how Suricata could be used in the FLARE-VM, I have a short video series on YouTube: https://www.youtube.com/playlist?list=PLHJns8WZXCdthheGdEpV4D_NdKTwcd_Xg. This would not only allow for increased detection opportunities, but the foundation of a custom rule writing workflow for those interested in creating their own rules. I hope this request found the right location and appreciate the consideration. Please let me know if you have any questions.

Thanks,
Josh

[PrajeetGuha]

Flare-VM is mainly made for reverse engineering malware and for simulating malware activity already package fakenet-ng is added. Suricata is tool more on the detection side of the work to check whether network behaviour of the malware is detected using the rule or not.
It will require some discussion. Thanks for idea.
@Ana06 will it be useful to add suricata to the package set?

[jstrosch]

yes, similar to how we use Yara and its rules to help detect capabilities, families, properties of different static artifacts, Suricata can apply rules to match in network traffic. The primary goal would be that those detections help an analyst more quickly identify malware family/capabilities, or add additional confidence to the static/dynamic analysis they are already doing. It does not need to run as a service (and therefore not become a resource concern), offline mode can be invoked on-demand and even a large rule set is relatively small in size (i.e. what it would consume on disk). Most major sandboxes include network detections (and many use Suricata), so I think it is a long overdue capability to have in the flare-vm :)

[Ana06]

Thanks for all the details @jstrosch! I have no experience with Suricata, but @jstrosch is an experienced reverse engineer and if he finds the tool useful, I see no issue in adding a package in VM-Packages for it. If the increase in size is not significant (not sure if the rules are too big), we should also be able to add this package to FLARE-VM default configuration.

[Ana06]

Because of the rules requirement, we need to create this package manually.

[PrajeetGuha]

👍👍working on it

[PrajeetGuha]

I am categorizing this package as Networking.

[jstrosch]

There are a few options for public rule sets, Emerging Threats Open is the largest. This would be my recommendation for the rule file to download: https://rules.emergingthreats.net/open/suricata-7.0.3/emerging-all.rules. One problem with this approach is that the Suricata configuration through the MSI needs tweaking. Particularly, the file needs to be downloaded to the default rule location, which is C:\Program Files\Suricata\rules and the name of the file added under the rules-files section. We could additionally comment out the rest of the *.rules entries, as those files will only be present if added by the user but will only generate warnings during runtime. It's possible that we work with the Suri team to see if we can get the default configuration in the MSI build changed.

I also have a script that facilitates processing pcaps in offline mode: https://gist.github.com/jstrosch/0001299e348d18fbff51bfa3837125b0. This would be helpful to automate alert generating/development. Sharing in case there is a convenient way to add to the package.

Let me know how I can help!

[PrajeetGuha]

@Ana06 observed a minor issue with the icon functionality

VM-Packages/packages/common.vm/tools/vm.common/vm.common.psm1

Line 1757 in 54f0d4f

$installedProducts = Get-CimInstance -Class Win32_Product | Where-Object { $_.Name -like $ProductName }

It takes the ProductName from toolName variable and in this case the toolName is Suricata but in CimInstance list of installed products the tool is registered with name Suricata IDS/IPS 7.0.8-1-64bit as a result unable to get icon.

[Ana06]

@PrajeetGuha what about relaxing the way we are looking for installed products to ensure it finds it? I think this code is only used in BinDiff, so as long as both keep working is ok. I recommend you send a PR, it is easier to discuss with the code. 😉