Emerging Threats: Announcing Support for Suricata 5.0

October 15, 2019
Emerging Threats Research Team

Overview

Recently, Proofpoint announced its upcoming support for a Suricata 5.0 ruleset for both ETPRO and OPEN. With this rule fork, we are also announcing several other updates and changes that coincide with the 5.0 fork. The details of these changes were announced via a webinar hosted by members of the Emerging Threats team. This post details the content of the webinar. A recording is available here:

Where we've been

It has been over four and a half years since Proofpoint acquired the Emerging Threats team. Since then, we have observed an ever-changing landscape -- one in which we saw the decline of widespread exploit kit activity, the ebb and flow of ransomware, and the omnipresent threats of phishing and malicious documents. As the landscape changes, the team continues to change and innovate to keep up with what we are seeing. Since the acquisition, our threat data has been enhanced: we can tap into the global network of Proofpoint customers as well as an expert threat research team, both of which help us gain visibility into new and ongoing threats.

While this has allowed us to create more high-fidelity signatures, we know there are some long-overdue updates that we have wanted to make to the ruleset. Forking to 4.0 was important, but it didn't solve some of the more significant concerns we had. We have been aware of various items within the rulesets that needed to change -- including the confusing category names "TROJAN" and "MALWARE", the category "CURRENT_EVENTS" becoming a dumpsite for various sigs that didn't have a better home, and a known lack of documentation.

Unfortunately, with any change comes the necessary time, energy, and effort from a small team to pull it off well. Aspects like new category names and new classtype values were of the utmost priority in this release.

Where we are 

In the Suricata 5.0 rule fork, here are some of the changes made:

Engine information

  • There is now support for Suricata 5.0
  • Current supported engines are: Snort 2.9.x, Suricata 2, Suricata 4, and Suricata 5
  • Suricata 2 will be end-of-life at the end of Q1 2020
    • No new rules will be created for Suricata 2 after that date
       

Ruleset information (for Suricata 5 ruleset ONLY)

  • MALWARE category has been renamed to ADWARE_PUP
  • TROJAN category has been renamed to MALWARE
  • New categories
    • PHISHING (phishing.rules)
    • COINMINER (coinminer.rules)
    • JA3 (ja3.rules)
    • EXPLOIT_KIT (exploit_kit.rules)
    • HUNTING (hunting.rules)
  • New classtypes
    • classtype:credential-theft; (phishing)
    • classtype:social-engineering;
    • classtype:command-and-control; (replacing lots of trojan-activity)
    • classtype:coin-mining;
    • classtype:external-ip-lookup;
    • classtype:domain-c2; (good for DNS and TLS/SSL sigs)
    • classtype:exploit-kit;
    • classtype:pup-activity; (possibly unwanted program)
    • classtype:targeted-activity; (APT)

From a rule-writing syntax perspective, we will now have the full capabilities of Suricata 5 available to us, which will provide some performance improvement. The biggest change we will use is the new sticky buffer keywords, but this should be considered a work in progress and under active development.

content:".php"; http_uri; isdataat:!1,relative; (old)

http.uri; content:".php"; endswith; (new)

Additionally, we will be able to support JA3 and JA3S hash based rules, new transforms, and XBits. Here are some examples of new rules available in the Suricata 5 ruleset:

alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 Observed Malicious Hash (Trickbot CnC)"; flow:established,to_server; ja3_hash; content:"6734f37431670b3ab4292b8f60f29984"; classtype:command-and-control; sid:1; rev:1;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Spelevo EK Landing"; flow:established,to_client; file_data; compress_whitespace; content:"function CheckVersionFlash("; classtype:exploit-kit; sid:2; rev:1;)

alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed Glupteba CnC Domain in DNS Query"; dns_query; content:"postnews.club"; bsize:13; nocase; classtype:domain-c2; sid:3; rev:1;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Cobalt Strike User-Agent"; flow:established,to_server; http.user_agent; content:"Mozilla/5.0 (compatible|3b 20|MSIE 9.0|3b 20|Windows NT 6.1|3b 20|WOW64|3b 20|Trident/5.0|3b 20|BOIE9|3b|ENGB)"; bsize:82; classtype:command-and-control; sid:4; rev:1;)

How to migrate to Suricata 5

"I am on a version of Suricata older than 2."

You have not been getting updated rules and need to upgrade your engine.

"I am on Suricata 2."

You need to upgrade your Suricata engine by the end of Q1 2020 to Suricata 4 or 5 to continue getting rule updates.

"I am on Suricata 3."

Support for the Suricata 3 engine is being handled by the Suricata 2 ruleset, which is being deprecated at the end of Q1 2020. You need to upgrade your engine before that time.

"I am on Suricata 4."

If you're on Suricata 4 and you can't upgrade yet, upgrade when you can. The Suricata 4 ruleset continues to get new rules, but you will be missing out on bug fixes, new rule detection logic, and various new features such as JA3 detections.

"I want to upgrade to Suricata 5."

Upgrade Suricata on your sensors and be sure to change your ruleset download links to point to the Suricata 5 download location:

  • OPEN: hxxps://rules.emergingthreats[.]net/open/suricata-5.0/
  • PRO: hxxps://rules.emergingthreatspro[.]com/[LICENSE_CODE]/suricata-5.0/

If you are only utilizing specific rulesets, you should re-evaluate which ones you are grabbing. For example, a rule which used to live in CURRENT_EVENTS might not still exist there as it may have been moved to the new categories like EXPLOIT_KIT. Rules that have migrated to other categories will retain the same Signature ID.
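
As an added example (not code from Proofpoint or the Emerging Threats project), the following Python script indexes two rule files by SID and reports which signatures changed category or classtype between forks, which is what you need to update enable/disable lists and SIEM mappings keyed on those fields. The sample rules and SIDs are constructed placeholders, and the script assumes the category is the first word after ET/ETPRO in msg, as in the rule examples above.

```python
import re
from typing import Dict, NamedTuple, Tuple

class RuleMeta(NamedTuple):
    category: str   # first word after ET/ETPRO in msg, e.g. MALWARE (assumed convention)
    classtype: str

MSG = re.compile(r'msg:\s*"ET(?:PRO)?\s+(\S+)\s')
CLASSTYPE = re.compile(r'classtype:\s*([\w-]+)\s*;')
SID = re.compile(r'\bsid:\s*(\d+)\s*;')

def index_rules(text: str) -> Dict[int, RuleMeta]:
    """Map sid -> (category, classtype) for each enabled rule line."""
    index = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):  # skip blanks and disabled rules
            continue
        msg, ct, sid = MSG.search(line), CLASSTYPE.search(line), SID.search(line)
        if msg and sid:
            index[int(sid.group(1))] = RuleMeta(msg.group(1), ct.group(1) if ct else "")
    return index

def migrations(old: str, new: str) -> Dict[int, Tuple[RuleMeta, RuleMeta]]:
    """SIDs present in both rulesets whose category or classtype changed."""
    a, b = index_rules(old), index_rules(new)
    return {s: (a[s], b[s]) for s in sorted(a.keys() & b.keys()) if a[s] != b[s]}

# Constructed sample rules: not real ET signatures, SIDs are placeholders.
HDR = "alert http $HOME_NET any -> $EXTERNAL_NET any "
OLD_RULES = "\n".join([
    HDR + '(msg:"ET TROJAN Example CnC Checkin"; classtype:trojan-activity; sid:9000001; rev:1;)',
    HDR + '(msg:"ET MALWARE Example Toolbar Install"; classtype:trojan-activity; sid:9000002; rev:1;)',
    HDR + '(msg:"ET CURRENT_EVENTS Example EK Landing"; classtype:trojan-activity; sid:9000003; rev:1;)',
    HDR + '(msg:"ET POLICY Example Unchanged Rule"; classtype:policy-violation; sid:9000004; rev:1;)',
])
NEW_RULES = "\n".join([
    HDR + '(msg:"ET MALWARE Example CnC Checkin"; classtype:command-and-control; sid:9000001; rev:2;)',
    HDR + '(msg:"ET ADWARE_PUP Example Toolbar Install"; classtype:pup-activity; sid:9000002; rev:2;)',
    HDR + '(msg:"ET EXPLOIT_KIT Example EK Landing"; classtype:exploit-kit; sid:9000003; rev:2;)',
    HDR + '(msg:"ET POLICY Example Unchanged Rule"; classtype:policy-violation; sid:9000004; rev:1;)',
])

if __name__ == "__main__":
    for sid, (was, now) in migrations(OLD_RULES, NEW_RULES).items():
        print(f"sid {sid}: {was.category}/{was.classtype} -> {now.category}/{now.classtype}")
```

Because the renamed MALWARE category now holds what used to be TROJAN, a filter that matched on the category name alone would silently change meaning after the switch; matching on SID avoids that.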

Moving forward

Our main intention with these updates is to provide more depth to the signatures we produce. As Suricata has evolved from an IDS/IPS into a robust Network Security Monitoring (NSM) tool, the team wants to change the way we have been doing things, in the hope of empowering analysts and security teams to do more with what they see on their network. One goal was to make updates that take some of the "guesswork" out of our signatures so analysts can spend more time remediating and hunting. The community matters to our team, and we hope these changes reflect that. As always, we will continue to support the ET OPEN and PRO rulesets, including the ETPRO Telemetry edition within OPNsense [1].

Ultimately, to build a better ruleset, we need continued participation and feedback from the Emerging Threats community. So far, reports of false positives, new rules, and updates to current rules have kept us honest and moving forward with this project. We encourage everyone to reach out with any feedback, questions, or concerns, and we are happy to help. Here are some of the ways to get in touch with the team:

[1] https://docs.opnsense.org/manual/etpro_telemetry.html