
Suricata Regatta

Tolkien Ring

Fitzy Shortstack

Help detect this kind of malicious activity in the future by writing some Suricata rules. Work with Dusty Giftwrap in the Tolkien Ring to get some hints.


Hint from Dusty Giftwrap
https://suricata.readthedocs.io/en/suricata-6.0.0/rules/intro.html

Q1. First, please create a Suricata rule to catch DNS lookups for adv.epostoday.uk.

Whenever there's a match, the alert message (msg) should read Known bad DNS lookup, possible Dridex infection

Answer:

  alert dns any any -> any any (msg:"Known bad DNS lookup, possible Dridex infection";\
  dns_query; content:"adv.epostoday.uk"; depth:20; fast_pattern; endswith; nocase; classtype:pup-activity; sid:200; rev:2;)

Q2. Develop a Suricata rule that alerts whenever the infected IP address 192.185.57.242 communicates with internal systems over HTTP. When there's a match, the message (msg) should read Investigate suspicious connections, possible Dridex infection

Answer:

  alert http 192.185.57.242 any <> any any (msg:"Investigate suspicious connections, possible Dridex infection"; sid:300; rev:1;)

Q3. We heard that some naughty actors are using TLS certificates with a specific CN.

Develop a Suricata rule to match and alert on an SSL certificate for heardbellith.Icanwepeh.nagoya.

When your rule matches, the message (msg) should read Investigate bad certificates, possible Dridex infection

Answer:

  alert tls any any -> any any (msg:"Investigate bad certificates, possible Dridex infection";\
  tls.subject:"CN=heardbellith.Icanwepeh.nagoya"; sid:400; rev:2;)

Q4. Let's watch for one line from the JavaScript: let byteCharacters = atob

Oh, and that string might be GZip compressed - I hope that's OK!

Just in case they try this again, please alert on that HTTP data with message Suspicious JavaScript function, possible Dridex infection

Answer:

  alert http any any -> any any (msg:"Suspicious JavaScript function, possible Dridex infection";\
  file_data; content:"let byteCharacters = atob"; sid:500; rev:2;)
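The answers above are written with backslash line continuation, and the mistakes that creep in when such rules are pasted from a writeup (a space after the backslash, a missing closing parenthesis, an option without its terminating semicolon, a reused sid) only show up when Suricata refuses to load the file. As an added example, not part of the original writeup and not Suricata's own code, here is a small Python linter that joins continued lines, splits each rule into header and options, and reports those slips. The sample rule text is constructed for the example: it contains the four answer rules (sid 300 on the Q2 rule is an assumption following the page's numbering) followed by two deliberately broken rules.

```python
"""Lint a Suricata rules file (added example, not part of the writeup).

Joins backslash-continued lines, splits each rule into header and
options, and reports: whitespace after a continuation backslash, a rule
with no closing ')', an option not terminated by ';', a missing msg or
sid, and a sid used twice."""
import re

# header: action proto src src_port direction dst dst_port ( options )
HEADER_RE = re.compile(
    r"^(?P<action>alert|drop|pass|reject)\s+(?P<proto>\S+)\s+"
    r"(?P<src>\S+)\s+(?P<sport>\S+)\s+(?P<dir>->|<>)\s+"
    r"(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$",
    re.DOTALL,
)


def join_continuations(text):
    """Return (rules, problems): rules as (last_lineno, rule_text) with
    continued lines joined; problems as (lineno, message)."""
    lines = text.splitlines()
    rules, problems, buf = [], [], ""
    for lineno, line in enumerate(lines, 1):
        if line != line.rstrip() and line.rstrip().endswith("\\"):
            # Whitespace after the backslash is easy to miss and not
            # every rule loader treats it as a continuation: flag it.
            problems.append((lineno, "whitespace after continuation backslash"))
            line = line.rstrip()
        if line.endswith("\\"):
            buf += line[:-1]
            continue
        joined = (buf + line).strip()
        buf = ""
        if joined and not joined.startswith("#"):
            rules.append((lineno, joined))
    if buf.strip():
        problems.append((len(lines), "file ends inside a continued rule"))
    return rules, problems


def split_options(opts):
    """Split the option string on ';' outside double quotes into
    (key, value) pairs; whatever follows the last ';' is returned as
    'trailing' because Suricata requires every option to end with ';'."""
    items, cur, in_quotes, prev = [], "", False, ""
    for ch in opts:
        if ch == '"' and prev != "\\":
            in_quotes = not in_quotes
        if ch == ";" and not in_quotes:
            items.append(cur.strip())
            cur = ""
        else:
            cur += ch
        prev = ch
    pairs = []
    for item in filter(None, items):
        key, _, value = item.partition(":")
        pairs.append((key.strip(), value.strip().strip('"')))
    return pairs, cur.strip()


def lint(text):
    """Return (parsed, findings). parsed maps sid -> header fields plus
    the option pairs; findings is a list of human-readable problems."""
    rules, problems = join_continuations(text)
    findings = [f"line {n}: {msg}" for n, msg in problems]
    parsed, seen = {}, {}
    for lineno, rule in rules:
        m = HEADER_RE.match(rule)
        if not m:
            findings.append(f"line {lineno}: cannot parse rule, is the closing ')' missing? {rule[:40]}...")
            continue
        pairs, trailing = split_options(m.group("opts"))
        if trailing:
            findings.append(f"line {lineno}: option {trailing!r} not terminated by ';'")
        opts = dict(pairs)
        for required in ("msg", "sid"):
            if required not in opts:
                findings.append(f"line {lineno}: missing {required}")
        sid = opts.get("sid")
        if sid in seen:
            findings.append(f"line {lineno}: sid {sid} already used on line {seen[sid]}")
        elif sid is not None:
            seen[sid] = lineno
            fields = ("action", "proto", "src", "sport", "dir", "dst", "dport")
            parsed[sid] = {k: m.group(k) for k in fields}
            parsed[sid]["options"] = pairs
    return parsed, findings


# Constructed sample: the four answer rules (sid 300 is assumed), then two
# deliberately broken rules of the kind a copy-paste from a writeup produces.
SAMPLE_RULES = (
    '# Suricata Regatta answers\n'
    'alert dns any any -> any any (msg:"Known bad DNS lookup, possible Dridex infection";\\\n'
    'dns_query; content:"adv.epostoday.uk"; depth:20; fast_pattern; endswith; nocase; classtype:pup-activity; sid:200; rev:2;)\n'
    'alert http 192.185.57.242 any <> any any (msg:"Investigate suspicious connections, possible Dridex infection"; sid:300; rev:1;)\n'
    'alert tls any any -> any any (msg:"Investigate bad certificates, possible Dridex infection";\\\n'
    'tls.subject:"CN=heardbellith.Icanwepeh.nagoya"; sid:400; rev:2;)\n'
    'alert http any any -> any any (msg:"Suspicious JavaScript function, possible Dridex infection";\\\n'
    'file_data; content:"let byteCharacters = atob"; sid:500; rev:2;)\n'
    '# broken: closing parenthesis missing\n'
    'alert tls any any -> any any (msg:"missing paren"; tls.subject:"CN=example.invalid"; sid:600; rev:1;\n'
    '# broken: space after the backslash, rev not terminated, sid reused\n'
    'alert tls any any -> any any (msg:"copy-paste slip";\\ \n'
    'tls.subject:"CN=example.invalid"; sid:400; rev:1)\n'
)

if __name__ == "__main__":
    parsed, findings = lint(SAMPLE_RULES)
    for sid, r in parsed.items():
        print(f"sid {sid}: {r['action']} {r['proto']} {r['src']} {r['dir']} {r['dst']}")
    for f in findings:
        print("FINDING", f)
```

Run as a script it prints the four parsed headers and four findings for the constructed input; pointing `lint()` at a rules file read from disk is a cheap check before handing the file to `suricata -T`, which performs the authoritative parse.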

The objective is now complete, and we also get 25 coins.

At this point we have recovered the Tolkien ring.