The Alertflex project can integrate the Suricata NIDS with several types of malware analysis sandboxes (Cuckoo, Falcon, VMRay) in one solution, so that files extracted by Suricata IDS are automatically checked in a sandbox. Alertflex periodically fetches the extracted files over SFTP and submits them to the sandbox according to predefined parameters/filters. If the sandbox determines that a file is suspicious, Alertflex raises an alert.
This page describes the process of configuring and testing an Alertflex automation playbook that analyzes a file extracted by Suricata IDS in the Cuckoo sandbox.
Note: the Alertflex solution is provided under the Apache-2.0 License and the Server Side Public License.
You need computers/VMs with Suricata IDS, Cuckoo sandbox, and the Alertflex Central Node installed; the ability to mirror network traffic to Suricata via a switch or another network device; and a file with the extension .sample for testing in the sandbox. A network diagram of the use case is shown below:
1) Create a file local.rules with a Suricata IDS rule that extracts files with the extension .sample from network traffic (see the example rule below):
alert http any any -> any any (msg:"FILE Sample file claimed"; fileext:"sample"; filestore; sid:11; rev:1;)
2) Set the parameters in the Suricata config file /etc/suricata/suricata.yaml to the values listed below:
outputs:
  - files:
      force-magic: no   # force logging magic on all logged files
      # force logging of checksums, available hash functions are md5,
      # sha1 and sha256
      force-hash: [md5,sha256]
  - file-store:
      version: 2
      enabled: yes
      dir: files
      write-fileinfo: yes
      stream-depth: 0
      max-open-files: 1000

default-rule-path: /var/lib/suricata/rules
rule-files:
  - suricata.rules
  - local.rules
1) Open the web form Settings > Integrations of the Alertflex management console and configure the Cuckoo sandbox.
2) Open the web form Infrastructure > Credentials > Add of the Alertflex management console and configure a credential account for SSH access to the Suricata IDS host.
3) Open the web form Infrastructure > Hosts > Add of the Alertflex management console and configure a host account for SSH access to the Suricata IDS host.
4) Create an automation playbook and set the time interval parameter (in minutes) at which the scan of files extracted by Suricata is periodically invoked in the sandbox.
5) Open the playbook workflow and create a sandbox job.
6) Edit the sandbox job parameters.
7) In the web form Automation > Playbook > Edit, set the enable checkbox.
1) Transmit a file over HTTP inside the network segment monitored by Suricata. Check that Suricata extracts the file to the folder /var/log/suricata/files. There should be two files: the extracted file itself and a Suricata fileinfo notification file with information about the transmitted file.
cd /var/log/suricata/files
find ./ -name "*"
./files/de
./files/de/de97dd35bf54bfff10def7d7e3c0d4fbdcc3146e73ee9499f280d77e42d1acc1.1635527482.1.json
./files/de/de97dd35bf54bfff10def7d7e3c0d4fbdcc3146e73ee9499f280d77e42d1acc1
./files/37
cat ./41/4156606e2e003b2a3b3a4998b26c218af8ef30731ee4f5390419bc5b3b0e8acf.1596924012.1.json
{
  "timestamp":"2021-10-29T20:11:22.730664+0300",
  "flow_id":1729163148563100,
  "in_iface":"enp0s3",
  "event_type":"fileinfo",
  "src_ip":"192.168.1.20",
  "src_port":80,
  "dest_ip":"192.168.1.2",
  "dest_port":21251,
  "proto":"TCP",
  "http":{
    "hostname":"192.168.1.20",
    "url":"/sample/xml-bad.sample",
    "http_user_agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.54 Safari/537.36",
    "http_content_type":"application/octet-stream",
    "http_refer":"http://192.168.1.20/",
    "http_method":"GET",
    "protocol":"HTTP/1.1",
    "status":200,
    "length":848260
  },
  "app_proto":"http",
  "fileinfo":{
    "filename":"/sample/xml-bad.sample",
    "sid":[
      11
    ],
    "magic":"Microsoft Excel 2007+",
    "gaps":false,
    "state":"TRUNCATED",
    "sha256":"de97dd35bf54bfff10def7d7e3c0d4fbdcc3146e73ee9499f280d77e42d1acc1",
    "stored":true,
    "file_id":1,
    "size":848260,
    "tx_id":0
  }
}
2) Wait until the playbook's time interval elapses. As a result of executing the playbook, you should see the status of the file analysis in the web form Tools > Sandbox > View Tasks.
3) Check the status of the analysis of the file in the Cuckoo Web UI.
4) If the task status is "reported", check the alert with the result of the file analysis in the Alertflex management console.
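The file-store v2 layout shown in the listing above (a directory named after the first two hex digits of the SHA-256, the extracted file named by its full SHA-256, and a <sha256>.<timestamp>.<tx_id>.json fileinfo sidecar next to it) is what a submission filter like the playbook's "predefined parameters/filters" has to walk. The following added example (not Alertflex's or Suricata's own code) selects files for sandbox submission by rule sid and extension, skips files whose state is not CLOSED, and re-hashes the stored file to confirm it still matches the sha256 Suricata recorded; the toy store it builds is constructed sample data, and the sid 11 and "sample" extension are taken from the rule above.

```python
import hashlib
import json
import tempfile
from pathlib import Path

def select_candidates(store_dir, ext="sample", rule_sids=(11,)):
    """Walk a file-store v2 tree and return (selected, skipped): complete files
    (state CLOSED) matched by rule_sids, with ext, whose on-disk hash is intact."""
    selected, skipped = [], []
    for meta_path in sorted(Path(store_dir).glob("*/*.json")):
        info = json.loads(meta_path.read_text()).get("fileinfo", {})
        data_path = meta_path.parent / info.get("sha256", "")  # <xx>/<sha256>
        if not info.get("stored") or not data_path.is_file():
            reason = "not stored on disk"
        elif info.get("state") != "CLOSED":          # TRUNCATED/ERROR: incomplete
            reason = "state " + str(info.get("state"))
        elif not set(info.get("sid", [])) & set(rule_sids):
            reason = "no matching sid"
        elif not info.get("filename", "").lower().endswith("." + ext):
            reason = "extension mismatch"
        elif hashlib.sha256(data_path.read_bytes()).hexdigest() != data_path.name:
            reason = "sha256 mismatch"               # file altered after extraction
        else:
            selected.append((str(data_path), info["filename"], data_path.name))
            continue
        skipped.append((info.get("filename"), reason))
    return selected, skipped

def build_demo_store(root):
    """Write a constructed file-store v2 tree (toy blobs, not real captures)."""
    entries = [  # (bytes, filename, state, sids, tamper the stored copy?)
        (b"PK\x03\x04complete", "/sample/good.sample", "CLOSED", [11], False),
        (b"PK\x03\x04cut", "/sample/xml-bad.sample", "TRUNCATED", [11], False),
        (b"%PDF-1.4 other", "/docs/report.pdf", "CLOSED", [12], False),
        (b"PK\x03\x04orig", "/sample/swapped.sample", "CLOSED", [11], True),
    ]
    for i, (blob, name, state, sids, tamper) in enumerate(entries):
        digest = hashlib.sha256(blob).hexdigest()
        d = Path(root) / digest[:2]
        d.mkdir(parents=True, exist_ok=True)
        (d / digest).write_bytes(b"changed" if tamper else blob)
        meta = {"event_type": "fileinfo", "fileinfo": {"filename": name, "sid": sids,
                "state": state, "sha256": digest, "stored": True, "size": len(blob)}}
        (d / f"{digest}.1635527482.{i}.json").write_text(json.dumps(meta))

def demo():
    with tempfile.TemporaryDirectory() as tmp:
        build_demo_store(tmp)
        return select_candidates(tmp)
```

Note that the fileinfo record in the listing above has "state":"TRUNCATED", which this filter would hold back: a truncated sample does not behave like the original in the sandbox, so either tune stream-depth/file limits until the state is CLOSED or submit truncated files knowingly.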