Support #2182

closed

Rootkit assessment with Suricata

Added by Jessy L almost 7 years ago. Updated about 5 years ago.

Status:
Closed
Priority:
Normal
Assignee:
-
Affected Versions:
Label:

Description

I wanted to do a rootkit assessment with Suricata on Windows.

The command used:
suricata -c suricata.yaml -i WIFI IP4 ADDRESS

The next day, I inspected the eve.json file contents and found no suspicious DNS or IP addresses.

Is that enough to know there is no hardware or OS rootkit or malware?

Do you recommend any other commands?

Thanks

Actions #1

Updated by Andreas Herz almost 7 years ago

  • Assignee set to Anonymous
  • Target version set to Support

We need more information, like suricata version and so on.

Also I doubt that you want to add the IP address with -i, you need to add the device you want to listen at.

Actions #2

Updated by Jessy L almost 7 years ago

Andreas Herz wrote:

We need more information, like suricata version and so on.

Also I doubt that you want to add the IP address with -i, you need to add the device you want to listen at.

It's the latest Windows version on this page https://suricata-ids.org/download/

Could you please explain how to add the device I want to listen at? And is there any other command to make sure there are no hardware or OS rootkits or malware?

Thanks

Actions #3

Updated by Robbie Tem over 6 years ago

I believe Andreas meant the following: in the configuration file, the operating systems are listed. You can add your IP address behind the name of the operating system you make use of.

host-os-policy:
  windows: [0.0.0.0/0]
  bsd: []
  bsd_right: []
  old_linux: []
  linux: [10.0.0.0/8, 192.168.1.100, "8762:2352:6241:7245:E000:0000:0000:0000"]
  old_solaris: []
  solaris: ["::1"]
  hpux10: []
  hpux11: []
  irix: []
  macos: []
  vista: []
  windows2k3: []

Wait for her to answer your questions.

Actions #4

Updated by Andreas Herz over 6 years ago

Jessy L wrote:

It's the latest Windows version on this page https://suricata-ids.org/download/

Could you please explain how to add the device I want to listen at? And is there any other command to make sure there are no hardware or OS rootkits or malware?

Ok, with Windows it's totally different, thus you added the IP instead of the device. You might want to show us your config, and you might want to look into the log files to see if you see any traffic at all within Suricata.

There is no command to make sure there is no rootkit or malware. You can just use rules to look into network traffic, and if they don't trigger (assuming Suricata runs correctly) the chances are not that high. But that sounds like you want to use Suricata as a HIDS, although it's primarily a NIDS.

Robbie Tem wrote:

Wait for her to answer your questions.

His :)

Actions #5

Updated by Jessy L over 6 years ago

Andreas Herz wrote:

Jessy L wrote:

It's the latest Windows version on this page https://suricata-ids.org/download/

Could you please explain how to add the device I want to listen at? And is there any other command to make sure there are no hardware or OS rootkits or malware?

Ok, with Windows it's totally different, thus you added the IP instead of the device. You might want to show us your config, and you might want to look into the log files to see if you see any traffic at all within Suricata.

There is no command to make sure there is no rootkit or malware. You can just use rules to look into network traffic, and if they don't trigger (assuming Suricata runs correctly) the chances are not that high. But that sounds like you want to use Suricata as a HIDS, although it's primarily a NIDS.

Robbie Tem wrote:

Wait for her to answer your questions.

His :)

Is it right to use the suricata -c suricata.yaml -i WIFI IP4 ADDRESS command with Windows then?

There are about 20 connections listed for every 3 hours in the eve.json file, if that's what you meant by "you might want to look into the log files to see if you see any traffic at all within Suricata"?

I copied and pasted the suricata.yaml config file to https://pastebin.com/DJPpPfdh Are the rules good and settings good?

Thanks

Actions #6

Updated by Peter Manev over 6 years ago

Can you try -
suricata -c suricata.yaml -i ip_address_here

and attach the last update in the stats.log after a few hrs run? (Maybe you don't see that much traffic on the interface?)
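An added example, not code from this thread or from the Suricata project, that does the two checks Andreas (#4) and Peter (#6) ask for in one pass: did the sensor see any traffic at all, is it dropping packets, and did any rule fire. It reads eve.json rather than stats.log, using the stats record that Suricata writes into eve.json when the stats output type is enabled. The sample lines are constructed for the example; the counter names (capture.kernel_packets, capture.kernel_drops, decoder.pkts, detect.alert) are assumed to follow the Suricata 4.x eve layout and vary by version and capture method, so missing counters are tolerated rather than treated as errors.

```python
"""
Triage a Suricata eve.json: is the sensor seeing traffic, is it dropping
packets, and did any rule fire?  Added example, not from the thread or the
Suricata project. Pass a path to a real eve.json as the first argument, or
run without arguments to use the constructed sample below.
"""
import json
import sys
from collections import Counter

# Constructed sample records (not a real capture). A real eve.json has one
# JSON object per line; the layout below is assumed to match Suricata 4.x.
SAMPLE_EVE = """\
{"timestamp":"2018-01-10T09:00:00.000000+0000","event_type":"dns","src_ip":"192.168.1.20","dest_ip":"192.168.1.1","proto":"UDP","dns":{"type":"query","id":1,"rrname":"example.com","rrtype":"A"}}
{"timestamp":"2018-01-10T09:00:01.000000+0000","event_type":"flow","src_ip":"192.168.1.20","dest_ip":"93.184.216.34","proto":"TCP","flow":{"pkts_toserver":6,"pkts_toclient":5,"bytes_toserver":640,"bytes_toclient":3120}}
{"timestamp":"2018-01-10T09:00:02.000000+0000","event_type":"alert","src_ip":"93.184.216.34","dest_ip":"192.168.1.20","proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2100498,"rev":7,"signature":"GPL ATTACK_RESPONSE id check returned root","category":"Potentially Bad Traffic","severity":2}}
{"timestamp":"2018-01-10T09:00:08.000000+0000","event_type":"stats","stats":{"uptime":28800,"capture":{"kernel_packets":120000,"kernel_drops":600},"decoder":{"pkts":119400,"bytes":90000000,"invalid":0},"detect":{"alert":1}}}
"""


def parse_eve(text):
    """Return one dict per well-formed JSON line. Blank or truncated lines
    (a sensor stopped mid-write leaves one) are skipped, not fatal."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return records


def last_stats(records):
    """The most recent stats record is the 'last update' worth looking at."""
    for rec in reversed(records):
        if rec.get("event_type") == "stats":
            return rec.get("stats", {})
    return {}


def triage(records):
    """Summarise event counts, capture health and alerts into one verdict."""
    by_type = Counter(r.get("event_type", "?") for r in records)
    stats = last_stats(records)
    capture = stats.get("capture", {})
    decoded = stats.get("decoder", {}).get("pkts", 0)
    # Not every capture method exposes kernel counters; fall back to decoded.
    kernel_pkts = capture.get("kernel_packets", decoded)
    drops = capture.get("kernel_drops", 0)
    drop_pct = 100.0 * drops / kernel_pkts if kernel_pkts else 0.0
    alerts = [
        {
            "sid": r["alert"].get("signature_id"),
            "signature": r["alert"].get("signature"),
            "severity": r["alert"].get("severity"),
            "src": r.get("src_ip"),
            "dest": r.get("dest_ip"),
        }
        for r in records
        if r.get("event_type") == "alert" and isinstance(r.get("alert"), dict)
    ]
    return {
        "events_by_type": dict(by_type),
        "traffic_seen": decoded > 0 or kernel_pkts > 0,
        "uptime_s": stats.get("uptime", 0),
        "packets": kernel_pkts,
        "drop_pct": round(drop_pct, 2),
        "alerts": alerts,
    }


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            text = fh.read()
    else:
        text = SAMPLE_EVE
    verdict = triage(parse_eve(text))
    print(json.dumps(verdict, indent=2))
    if not verdict["traffic_seen"]:
        print("No packets decoded: wrong -i value or capture driver problem; "
              "fix that before reading anything into an empty eve.json.")
    elif verdict["drop_pct"] > 1.0:
        print("Sensor is dropping packets; a quiet log may be a blind sensor.")
    if not verdict["alerts"]:
        print("No alerts: only means no loaded rule matched the traffic "
              "this interface saw, nothing more.")
```

A zero packet count, or a high drop percentage, means the log cannot support any conclusion about the host, which is the first thing to rule out when eve.json looks suspiciously quiet. Even with healthy counters, an alert-free log only says that the loaded rules did not match what crossed the monitored interface; a sensor running on the same host it is meant to judge also depends on that host's network stack to hand it honest packets, so for a rootkit question a capture taken from a separate machine on a tap or mirror port is the stronger evidence.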

Actions #7

Updated by Jessy L over 6 years ago

Peter Manev wrote:

Can you try -
suricata -c suricata.yaml -i ip_address_here

and attach the last update in the stats.log after a few hrs run? (Maybe you don't see that much traffic on the interface?)

https://pastebin.com/QjeQKZzQ

Actions #8

Updated by Jessy L over 6 years ago

Andreas Herz wrote:

Jessy L wrote:

It's the latest Windows version on this page https://suricata-ids.org/download/

Could you please explain how to add the device I want to listen at? And is there any other command to make sure there are no hardware or OS rootkits or malware?

Ok, with Windows it's totally different, thus you added the IP instead of the device. You might want to show us your config, and you might want to look into the log files to see if you see any traffic at all within Suricata.

There is no command to make sure there is no rootkit or malware. You can just use rules to look into network traffic, and if they don't trigger (assuming Suricata runs correctly) the chances are not that high. But that sounds like you want to use Suricata as a HIDS, although it's primarily a NIDS.

https://pastebin.com/QeaLMv8q is what Peter asked for.

Is it right to use the suricata -c suricata.yaml -i WIFI IP4 ADDRESS command with Windows then?

I copied and pasted the suricata.yaml config file to https://pastebin.com/jF7CU9XM Are the rules good and settings good?

There is no command to make sure there is no rootkit or malware. You can just use rules to look into network traffic, and if they don't trigger (assuming Suricata runs correctly) the chances are not that high. But that sounds like you want to use Suricata as a HIDS, although it's primarily a NIDS.

When I inspect the eve.json file contents I find no suspicious DNS or IP addresses, is that enough to know the chances are not that high?

Actions #9

Updated by Peter Manev over 6 years ago

@Jessy L - could you please attach the requested outputs as files, as the pastebin links shared previously are no longer available (expired)?

Actions #10

Updated by Victor Julien about 5 years ago

  • Status changed from New to Closed
  • Assignee deleted (Anonymous)
  • Target version deleted (Support)