KringleCon is a Christmas CTF (Capture the Flag) game, and one of this year's tasks was to write Suricata rules. Suricata is an open source intrusion detection and intrusion prevention system (IDS/IPS). In this assignment we were tasked with writing custom rules to stop a previously unknown threat in our system. In this walkthrough I give the answer to each question of the task together with an explanation.
Suricata rules are made up of three parts. The first part is the action, which is a keyword such as "drop" or "alert". The second part is the header, which specifies the protocol, the source and destination networks and ports, and the direction of traffic between them. The third part is the options, enclosed in parentheses, which contain keywords such as msg and sid plus protocol-specific keywords that select what is inspected.
Question 1
Create a rule to catch DNS lookups for adv.epostoday.uk. Whenever there is a match, the alert message should read "Known bad DNS lookup, possible Dridex infection".
Answer 1
alert dns any any -> any any (msg:"Known bad DNS lookup, possible Dridex infection"; dns.query; content:"adv.epostoday.uk"; nocase; sid:6767;)
Explanation:
The options dns.query, content and nocase work together: dns.query selects the DNS query name as the buffer to inspect, content specifies the string that must appear in that buffer, and nocase makes the comparison case-insensitive, so the rule matches the domain in upper or lower case.
Question 2
Develop a Suricata rule that alerts whenever the infected IP address 192.185.57.242 communicates with internal systems over HTTP. When there's a match, the message should read "Investigate suspicious connections, possible Dridex infection".
Answer 2
alert http 192.185.57.242 any <> $HOME_NET any (msg:"Investigate suspicious connections, possible Dridex infection"; sid:43434;)
Question 3
Develop a Suricata rule to match and alert on an SSL certificate for heardbellith.Icanwepeh.nagoya. When your rule matches, the message should read: "Investigate bad certificates, possible Dridex infection".
Answer 3
alert tls any any -> any any (msg:"Investigate bad certificates, possible Dridex infection"; tls.subject:"CN=heardbellith.Icanwepeh.nagoya"; sid:43435;)
Question 4
Ok, one more to rule them all and in the darkness find them. Let's watch for one line from Javascript: let byteCharacters = atob. Oh, and that string might be GZip compressed - I hope that is OK! Just in case they try this again, alert on the HTTP data with message "Suspicious Javascript function, possible Dridex infection".
Answer 4
alert http any any -> any any (msg:"Suspicious JavaScript function, possible Dridex infection"; http.response_body; content:"let byteCharacters = atob"; sid:32343;)
Explanation:
The options http.response_body and content work together to match the string "let byteCharacters = atob" in the HTTP response body. GZip compression is not a problem because Suricata's HTTP parser decompresses gzip-encoded bodies before the http.response_body buffer is inspected, so the rule matches compressed and uncompressed responses alike.
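To make the three-part rule layout and the content/nocase behaviour concrete, here is a small rule parser and validator written as an added example for this walkthrough; it is not part of the challenge or of Suricata itself. It splits each rule into action, header and options, checks a rule set for a missing msg or sid and for duplicate sids, and applies a rule's content keywords to a string the way Suricata would (case-sensitive unless nocase follows the content). The sample rule set is constructed from the four answers above plus one deliberately malformed rule, and the matcher is a simplified model that ignores which buffer the content applies to.

```python
"""Toy parser for the Suricata rule layout: action, header, options.

Added example for the walkthrough; not Suricata's own parser.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample rule set: the four answers from the walkthrough plus one
# deliberately malformed rule (no msg, and a sid that repeats rule 0's).
SAMPLE_RULES = [
    'alert dns any any -> any any (msg:"Known bad DNS lookup, possible Dridex infection"; '
    'dns.query; content:"adv.epostoday.uk"; nocase; sid:6767;)',
    'alert http 192.185.57.242 any <> $HOME_NET any '
    '(msg:"Investigate suspicious connections, possible Dridex infection"; sid:43434;)',
    'alert tls any any -> any any (msg:"Investigate bad certificates, possible Dridex infection"; '
    'tls.subject:"CN=heardbellith.Icanwepeh.nagoya"; sid:43435;)',
    'alert http any any -> any any (msg:"Suspicious JavaScript function, possible Dridex infection"; '
    'http.response_body; content:"let byteCharacters = atob"; sid:32343;)',
    'alert http any any -> any any (content:"x"; sid:6767;)',
]

# action, protocol, src, src_port, direction, dst, dst_port, then "(options)"
HEADER_RE = re.compile(
    r'^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<src_port>\S+)\s+'
    r'(?P<direction>->|<>)\s+(?P<dst>\S+)\s+(?P<dst_port>\S+)\s*\((?P<options>.*)\)\s*$'
)


def split_options(body: str) -> List[Tuple[str, Optional[str]]]:
    """Split the options body on ';' while respecting quoted values.

    Returns ordered (keyword, value) pairs; bare keywords such as dns.query
    or nocase get a value of None.
    """
    pairs: List[Tuple[str, Optional[str]]] = []
    buf: List[str] = []
    in_quote = False
    prev = ''
    for ch in body:
        if ch == '"' and prev != '\\':
            in_quote = not in_quote
        if ch == ';' and not in_quote:
            token = ''.join(buf).strip()
            buf = []
            if token:
                key, sep, value = token.partition(':')
                pairs.append((key.strip(), value.strip().strip('"') if sep else None))
        else:
            buf.append(ch)
        prev = ch
    if ''.join(buf).strip():
        raise ValueError('every option must be terminated by ";"')
    return pairs


def parse_rule(text: str) -> Dict:
    """Parse one rule line into its action, header fields and ordered options."""
    m = HEADER_RE.match(text.strip())
    if not m:
        raise ValueError(f'not a Suricata rule: {text!r}')
    rule = m.groupdict()
    rule['options'] = split_options(rule.pop('options'))
    return rule


def validate(rules: List[Dict]) -> List[str]:
    """Report rules with an unknown action, no msg, no sid, or a duplicate sid."""
    problems: List[str] = []
    seen: Dict[str, int] = {}
    for idx, r in enumerate(rules):
        keys = dict(r['options'])
        if r['action'] not in {'alert', 'drop', 'pass', 'reject'}:
            problems.append(f'rule {idx}: unknown action {r["action"]}')
        if 'msg' not in keys:
            problems.append(f'rule {idx}: missing msg')
        sid = keys.get('sid')
        if sid is None:
            problems.append(f'rule {idx}: missing sid')
        elif sid in seen:
            problems.append(f'rule {idx}: sid {sid} duplicates rule {seen[sid]}')
        else:
            seen[sid] = idx
    return problems


def content_matches(rule: Dict, buffer: str) -> bool:
    """Apply every content keyword to the buffer; nocase modifies the content before it."""
    opts = rule['options']
    for i, (key, value) in enumerate(opts):
        if key != 'content' or value is None:
            continue
        nocase = i + 1 < len(opts) and opts[i + 1][0] == 'nocase'
        hay, needle = (buffer.lower(), value.lower()) if nocase else (buffer, value)
        if needle not in hay:
            return False
    return True


if __name__ == '__main__':
    parsed = [parse_rule(r) for r in SAMPLE_RULES]
    for line in validate(parsed):
        print(line)
```

Running the file reports the two defects in the malformed fifth rule (missing msg, duplicate sid 6767), which is the kind of check worth running before loading a hand-written rule file into a sensor.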
Answering the fourth question correctly will complete the challenge.