How to detect DDoS Attack by Suricata (or Snort) rules?

Chen-Hua Wang
4 min read · Oct 12, 2024


Conclusion

Recently, I found that some malware targets IoT and network devices using botnets. If you are not yet familiar with the attack actions at the CVE injection points, you can instead flag abnormal behavior on specific protocols in Suricata (or Snort) rules, as shown in the rules below.

  1. alert tcp any any -> any [22] (msg:"Excessive SSH connections detected"; flow:to_server,established; threshold: type threshold, track by_src, count 5, seconds 10; classtype:attempted-admin; sid:1000001;)
     This alert fires when there are 5 SSH connections from one source in 10 seconds. Usually, a real user would not log in over SSH that quickly.
  2. alert tcp any any -> any [23] (msg:"Excessive TELNET connections detected"; flow:to_server,established; threshold: type threshold, track by_src, count 5, seconds 10; classtype:attempted-admin; sid:1000002;)
     This alert fires when there are 5 TELNET connections from one source in 10 seconds. Usually, a real user would not log in over Telnet that quickly.
This case uses Suricata rules as a demo for detecting a DDoS attack.

Question

How to detect DDoS Attack by Suricata (or Snort) rules?

Explanation

Install Suricata in Kali with root privileges
alert tcp any any -> any [22] (msg:"Excessive SSH connections detected"; flow:to_server,established; threshold: type threshold, track by_src, count 5, seconds 10; classtype:attempted-admin; sid:1000001;)

alert tcp any any -> any [23] (msg:"Excessive TELNET connections detected"; flow:to_server,established; threshold: type threshold, track by_src, count 5, seconds 10; classtype:attempted-admin; sid:1000002;)

These two alerts are triggered when there are 5 SSH or TELNET connections from one source in 10 seconds. Usually, a real user would not log in over SSH or Telnet that quickly; this pattern shows up when a botnet attacks your device.
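To make the threshold semantics concrete, here is an added example (my own Python, not code from the article or from the Suricata project) that models how `threshold: type ..., track by_src, count 5, seconds 10` turns matching packets into alerts. "Alert when there are 5 connections in 10 seconds" corresponds to `type threshold`, which fires on the 5th match inside the window; `type limit` instead caps alerts at 5 per window and so fires on every match up to that cap, and `type both` fires once per window. The event list is constructed. One caveat a practitioner should keep in mind: a rule with no content or flag condition matches every to_server packet of an established flow, so the engine is really counting matching packets rather than connections.

```python
"""Simplified model of Suricata's threshold keyword, run over constructed events.

Added example; not code from the original article. It reproduces how the
`threshold: type <limit|threshold|both>, track by_src, count N, seconds S`
option used in the SSH and TELNET rules decides whether a matching packet
produces an alert. The event list is constructed for the demo: timestamps are
seconds, source addresses are RFC 5737 documentation addresses.
"""
from collections import defaultdict

# Constructed sample: (timestamp_seconds, src_ip) of packets matching the rule.
# 198.51.100.7 hits port 22 eight times in 3.5 seconds (botnet-like);
# 203.0.113.5 connects once, then again a minute later (a real user).
EVENTS = [
    (0.0, "198.51.100.7"), (0.5, "198.51.100.7"), (1.0, "198.51.100.7"),
    (1.5, "198.51.100.7"), (2.0, "198.51.100.7"), (2.5, "198.51.100.7"),
    (3.0, "198.51.100.7"), (3.5, "198.51.100.7"),
    (4.0, "203.0.113.5"), (64.0, "203.0.113.5"),
]


def apply_threshold(events, type_, count, seconds):
    """Return the (timestamp, src_ip) events that would generate an alert.

    Per-source semantics modelled on the Suricata rule documentation:
      limit     - alert on the first `count` matches in each `seconds` window,
                  then suppress until the window expires (anti-flood cap).
      threshold - alert only on every `count`-th match inside the window,
                  i.e. "alert when there are N matches in S seconds".
      both      - alert once per window, when the `count`-th match arrives.
    A source's window opens at its first match and is reset once `seconds`
    have passed; this is a simplification of the engine's bookkeeping.
    """
    if type_ not in ("limit", "threshold", "both"):
        raise ValueError(f"unknown threshold type: {type_}")
    window_start = {}
    matches = defaultdict(int)
    alerts = []
    for ts, src in sorted(events):
        # Open a new window for this source if none exists or the old one expired.
        if src not in window_start or ts - window_start[src] >= seconds:
            window_start[src] = ts
            matches[src] = 0
        matches[src] += 1
        n = matches[src]
        if type_ == "limit" and n <= count:
            alerts.append((ts, src))
        elif type_ == "threshold" and n % count == 0:
            alerts.append((ts, src))
        elif type_ == "both" and n == count:
            alerts.append((ts, src))
    return alerts


def alerts_per_source(events, type_, count, seconds):
    """Count alerts per source address for a given threshold configuration."""
    per_src = defaultdict(int)
    for _, src in apply_threshold(events, type_, count, seconds):
        per_src[src] += 1
    return dict(per_src)


if __name__ == "__main__":
    for kind in ("limit", "threshold", "both"):
        print(f"{kind:>9}: {alerts_per_source(EVENTS, kind, 5, 10)}")
```

With count 5 and seconds 10, `limit` produces five alerts for the noisy source and two for the real user (one per window), while `threshold` and `both` alert only once, on the noisy source's fifth packet, and never on the real user.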

Customize your detection rules
Copy your rules to the right location
Get the default suricata.rules after running suricata-update

Add customize.rules to the suricata.yaml config file

Check that the custom rule follows the Suricata rule format
Run Suricata to check 1.pcapng with the specified customize.rules

Run with more rules

suricata -c suricata.yaml -r /home/kali/Downloads/suricata/1.pcapng

Then it runs the whole rule set (the default rules plus your custom rules) against 1.pcapng.

The fast.log content shows which rules fired. fast.log is the first file to check after you run Suricata against your pcap or pcapng files.

fast.log shows that both rules were triggered

eve.json shows the packet details so you can see exactly where the detection point is.

eve.json shows the port 22 connection that matched the rule I set

eve.json shows the port 23 connection that matched the rule I set

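Reading eve.json by eye works for a small pcap, but a summary per rule and source address is what you actually want to check. The following is an added example (my own Python, not code from the article or from the Suricata project) that parses EVE output, keeps only `event_type` "alert" records and counts them per (signature_id, src_ip). The EVE lines embedded in it are constructed to mirror the alert schema, using documentation addresses and the article's sids 1000001 and 1000002; one deliberately malformed line shows the parser skipping bad input, which matters because eve.json can be truncated mid-write.

```python
"""Summarise Suricata eve.json alerts per rule and source address.

Added example; not code from the original article. After `suricata -r
file.pcapng`, eve.json holds one JSON object per line across several event
types (alert, flow, stats, ...). This keeps only event_type "alert" records
and counts them per (signature_id, src_ip), answering the question the
fast.log/eve.json screenshots are used for: did the SSH and TELNET rules
fire, and against which source? SAMPLE_EVE is constructed for the demo.
"""
import json
from collections import Counter

# Constructed EVE lines (documentation addresses; sids from the article's rules).
SAMPLE_EVE = r"""
{"timestamp":"2024-10-12T10:00:01.000001+0800","flow_id":1,"event_type":"alert","src_ip":"198.51.100.7","src_port":51001,"dest_ip":"192.0.2.10","dest_port":22,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":1000001,"rev":0,"signature":"Excessive SSH connections detected","category":"Attempted Administrator Privilege Gain","severity":1}}
{"timestamp":"2024-10-12T10:00:01.300000+0800","flow_id":2,"event_type":"flow","src_ip":"198.51.100.7","src_port":51001,"dest_ip":"192.0.2.10","dest_port":22,"proto":"TCP"}
{"timestamp":"2024-10-12T10:00:02.000000+0800","flow_id":3,"event_type":"alert","src_ip":"198.51.100.7","src_port":51002,"dest_ip":"192.0.2.10","dest_port":22,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":1000001,"rev":0,"signature":"Excessive SSH connections detected","category":"Attempted Administrator Privilege Gain","severity":1}}
{"timestamp":"2024-10-12T10:00:03.000000+0800","flow_id":4,"event_type":"alert","src_ip":"198.51.100.7","src_port":51003,"dest_ip":"192.0.2.10","dest_port":22,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":1000001,"rev":0,"signature":"Excessive SSH connections detected","category":"Attempted Administrator Privilege Gain","severity":1}}
{"timestamp":"2024-10-12T10:00:04.000000+0800","flow_id":5,"event_type":"alert","src_ip":"198.51.100.7","src_port":51004,"dest_ip":"192.0.2.10","dest_port":23,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":1000002,"rev":0,"signature":"Excessive TELNET connections detected","category":"Attempted Administrator Privilege Gain","severity":1}}
{"timestamp":"2024-10-12T10:00:05.000000+0800","flow_id":6,"event_type":"alert","src_ip":"198.51.100.7","src_port":51005,"dest_ip":"192.0.2.10","dest_port":23,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":1000002,"rev":0,"signature":"Excessive TELNET connections detected","category":"Attempted Administrator Privilege Gain","severity":1}}
{"timestamp":"2024-10-12T10:00:09.000000+0800","flow_id":7,"event_type":"alert","src_ip":"203.0.113.5","src_port":40000,"dest_ip":"192.0.2.10","dest_port":22,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":1000001,"rev":0,"signature":"Excessive SSH connections detected","category":"Attempted Administrator Privilege Gain","severity":1}}
{"timestamp":"2024-10-12T10:00:10.000000+0800","event_type":"stats","stats":{"uptime":10}}
this line is not JSON and must be skipped
"""


def iter_alerts(lines):
    """Yield parsed alert records, skipping other event types and bad lines."""
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # a truncated or corrupt line must not abort the review
        if rec.get("event_type") == "alert" and "alert" in rec:
            yield rec


def count_by_sid_and_src(lines):
    """Counter keyed by (signature_id, src_ip) over all alert records."""
    return Counter(
        (rec["alert"]["signature_id"], rec["src_ip"]) for rec in iter_alerts(lines)
    )


def sources_over(counts, sid, minimum):
    """Source addresses that triggered signature `sid` at least `minimum` times."""
    return sorted(src for (s, src), n in counts.items() if s == sid and n >= minimum)


def signature_names(lines):
    """Map signature_id -> msg text, so the summary is readable without the rules file."""
    return {rec["alert"]["signature_id"]: rec["alert"]["signature"]
            for rec in iter_alerts(lines)}


if __name__ == "__main__":
    lines = SAMPLE_EVE.splitlines()  # replace with open("eve.json") for real output
    counts = count_by_sid_and_src(lines)
    names = signature_names(lines)
    for (sid, src), n in sorted(counts.items()):
        print(f"sid {sid} ({names[sid]}): {src} -> {n} alert(s)")
    print("noisy SSH sources:", sources_over(counts, 1000001, 2))
```

On the constructed sample this reports three SSH alerts and two TELNET alerts from 198.51.100.7 and a single SSH alert from 203.0.113.5; the flow and stats records and the malformed line are ignored.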

If you have reviewed many references about malware IoCs or reports, you may also find rules provided by others. However, those rules usually trigger an alert only in a very narrow situation. From my experience, I would recommend writing a looser Suricata (or Snort) rule that keys on abnormal behavior (or a string) instead.


If there are any inaccuracies in my understanding, I welcome a discussion to correct them. Thank you.


Note: This article and the content within this blog are for educational reference purposes only. Please refrain from infringing upon copyrights and avoid using them for illegal intentions or means.

Written by Chen-Hua Wang

Senior Investigator Who Catches Hackers and Internal Corporate Leakers | 7 years' experience
