SuriCon 2017 - Malware Analysis: Suricata & Splunk for Better Rule Writing

Anthony G. Tellez

The workflow starts with malware PCAPs from malware-traffic-analysis.net. Run Suricata against them, see which Emerging Threats rules fire, then load everything into Splunk.

The reason to look at all of eve.json rather than just the alert records is that the alerts tell you what Suricata already knows. What's more useful for writing better rules is everything Suricata logged around the alert — the flows, the DNS queries, the HTTP metadata, the connection timing. A signature fires on a specific indicator, but the surrounding context shows you the behavior that indicator is embedded in. That's what a better rule captures.
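
An added example (my code, not the talk's or Suricata's) of pulling that context out of eve.json: it joins each alert to the flow and HTTP records that share its flow_id and to the DNS queries the same source host issued in the minute before the alert fired. The eve.json lines are constructed, and the signature name and hostnames are placeholders.

```python
import json
from datetime import datetime

# Constructed eve.json lines for illustration (not from a real capture). Field
# names follow Suricata's eve.json layout: event_type, flow_id, src_ip, timestamp.
SAMPLE_EVE = """\
{"timestamp":"2017-11-15T10:00:00.000000+0000","event_type":"dns","flow_id":11,"src_ip":"10.0.0.5","dest_ip":"10.0.0.1","dns":{"type":"query","rrname":"cdn-update.example"}}
{"timestamp":"2017-11-15T10:00:01.000000+0000","event_type":"http","flow_id":12,"src_ip":"10.0.0.5","dest_ip":"203.0.113.9","http":{"hostname":"cdn-update.example","url":"/constructed/sample.bin","http_user_agent":"Wget"}}
{"timestamp":"2017-11-15T10:00:01.100000+0000","event_type":"alert","flow_id":12,"src_ip":"10.0.0.5","dest_ip":"203.0.113.9","alert":{"signature":"CONSTRUCTED ET-style executable download","signature_id":9000001}}
{"timestamp":"2017-11-15T10:00:05.000000+0000","event_type":"flow","flow_id":12,"src_ip":"10.0.0.5","dest_ip":"203.0.113.9","flow":{"pkts_toserver":4,"pkts_toclient":6,"bytes_toclient":70000}}
{"timestamp":"2017-11-15T10:30:00.000000+0000","event_type":"dns","flow_id":13,"src_ip":"10.0.0.7","dest_ip":"10.0.0.1","dns":{"type":"query","rrname":"example.org"}}
"""


def parse_eve(text):
    """eve.json is one JSON object per line; blank lines are skipped."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def ts(record):
    # Suricata writes timestamps like 2017-11-15T10:00:01.100000+0000
    return datetime.strptime(record["timestamp"], "%Y-%m-%dT%H:%M:%S.%f%z")


def alert_context(records, window_s=60):
    """For every alert, collect the non-alert records on the same flow plus the
    DNS queries the same source host made in the window_s seconds before it."""
    out = []
    for alert in (r for r in records if r["event_type"] == "alert"):
        t_alert = ts(alert)
        same_flow = [r for r in records
                     if r["flow_id"] == alert["flow_id"] and r["event_type"] != "alert"]
        prior_dns = [r["dns"]["rrname"] for r in records
                     if r["event_type"] == "dns" and r["src_ip"] == alert["src_ip"]
                     and 0 <= (t_alert - ts(r)).total_seconds() <= window_s]
        out.append({
            "signature": alert["alert"]["signature"],
            "src_ip": alert["src_ip"],
            "same_flow_types": sorted(r["event_type"] for r in same_flow),
            "http_hosts": sorted({r["http"]["hostname"] for r in same_flow if "http" in r}),
            "bytes_toclient": sum(r["flow"].get("bytes_toclient", 0)
                                  for r in same_flow if "flow" in r),
            "prior_dns": prior_dns,
        })
    return out


if __name__ == "__main__":
    for c in alert_context(parse_eve(SAMPLE_EVE)):
        print(json.dumps(c, indent=2))
```

The same join is what a Splunk search over eve.json does with flow_id and src_ip as the keys; the resulting hostname, URL path, user agent and byte counts are the candidates for a rule that matches the behaviour rather than the single indicator.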

The same setup works as a training environment. One of the harder parts of starting in network security is that bad traffic doesn't announce itself. It looks like traffic. Using Suricata and Splunk together against known-malicious PCAPs gives newer analysts a way to see what bad data actually looks like — what the alert event_type shows, what the surrounding flow records look like, how an infected host's behavior differs from a clean one — before they're looking for it in a live environment where nothing is labeled.

Presented at SuriCon 2017