Feature #7372

open

Datajson: a dataset evolution

Added by Eric Leblond about 1 month ago.

Status: In Review
Priority: Normal
Assignee:
Target version:
Effort:
Difficulty:
Label:

Description

Indicators of Compromise (IOCs) are a key element in a Security Operations Center. Datasets
have been a huge step in getting alerts on IOCs from Suricata, but the produced alerts are
lacking contextualization. For example, if an IOC management software has a list of host
names, they will be linked to different threat actors, but at ingestion in Suricata they will be
a simple list of strings. This list will be used via a rule like

alert tls any any -> any any (msg:"IOC hostname on TLS"; tls.sni; dataset:isset,hostname.lst,...; sid:1664;)

With this, an alert will have a subject without information, and a mapping will have to be done
a posteriori to see which IOC has hit. The pseudo algorithm to run is:
- Intercept the signature 1664
- Extract the tls.sni
- Check the tls.sni value in the IOC management software

This works, but it is a bit like correlating a Suricata alert that carries stripped-down application
layer metadata with Zeek logs to get enough context to understand the alert. It works, but
you better walk than crawl.

To fix this issue, we need to be able to ingest the IOCs without losing the contextual
information contained in the IOC management software.

Datajson is a proposed implementation that addresses this issue. Instead of injecting into
Suricata the value list alone, we can attach to each value a JSON object that will end up in
the alert output.

The following example alerts on source and destination IP found in a dataset:

alert tls $HOME_NET any -> any any (msg:"Test dataset";
ip.src; datajson:isset,ip4list,type ipv6,load ip4-json.lst,key inventory; \
ip.dst; datajson:isset,actors_ip,type ipv6, load bad-json.lst, key bad_actors; sid:1;)

In ip4-json.lst, we have data from inventory:
10.7.5.5,{"user":"vjulien","rank": 1}

In bad-json.lst, we have data from the IOC management software:
185.117.73.76,["Bad Panda"]
144.217.50.240,["killer bear","LSD kitten"]

The result is an alert section that looks like:

"alert": {
    "action": "allowed",
    "gid": 1,
    "signature_id": 1,
    "rev": 0,
    "signature": "Test dataset",
    "category": "",
    "severity": 3,
    "extra": {
        "inventory": {
            "user": "vjulien",
            "rank": 1
        },
        "bad_actors": [
            "Killer Bear",
            "LSD kitten"
        ]
    }
},
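To make the proposed "value,JSON" list format and the resulting "extra" section concrete, here is an added Python model of the ingestion and enrichment step (example code written for this note, not Suricata's implementation): it parses the two list files quoted above, embedded inline as constructed samples, and builds the "extra" object for an alert whose ip.src and ip.dst values hit the lists. The split on the first comma only is the point to note, since the JSON part may itself contain commas; the function names parse_datajson and enrich_alert are this example's own.

```python
import json

# Constructed inline copies of the issue's two list files, so the example runs offline.
IP4_JSON_LST = '10.7.5.5,{"user":"vjulien","rank": 1}\n'
BAD_JSON_LST = ('185.117.73.76,["Bad Panda"]\n'
                '144.217.50.240,["killer bear","LSD kitten"]\n')


def parse_datajson(text):
    """Parse 'value,<json>' lines into {value: decoded JSON object}.

    Only the first comma separates the value from its JSON, since the JSON part
    may itself contain commas. Blank lines and '#' comments are skipped; a line
    with undecodable JSON raises, so a broken feed fails at load time rather
    than silently at match time.
    """
    table = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        value, sep, payload = line.partition(",")
        if not sep or not payload.strip():
            raise ValueError(f"line {lineno}: expected 'value,<json>', got {line!r}")
        try:
            table[value] = json.loads(payload)
        except json.JSONDecodeError as exc:
            raise ValueError(f"line {lineno}: bad JSON for {value!r}: {exc}") from exc
    return table


def enrich_alert(alert, lookups):
    """Return a copy of `alert` with an 'extra' section built from
    (key, table, value) triples, one per 'datajson:isset,...,key <key>' match.
    Triples whose value is not in their table contribute nothing."""
    extra = {key: table[value] for key, table, value in lookups if value in table}
    out = dict(alert)
    if extra:
        out["extra"] = extra
    return out


def demo():
    """Replay the issue's example: ip.src hits the inventory list, ip.dst the IOC list."""
    inventory = parse_datajson(IP4_JSON_LST)
    bad_actors = parse_datajson(BAD_JSON_LST)
    alert = {"action": "allowed", "gid": 1, "signature_id": 1, "rev": 0,
             "signature": "Test dataset", "category": "", "severity": 3}
    return enrich_alert(alert, [("inventory", inventory, "10.7.5.5"),
                                ("bad_actors", bad_actors, "144.217.50.240")])
```

The values are carried through exactly as written in the list file, so the JSON attached at ingestion is what reaches the alert output.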
