Feature #7882
openicmp malware channel activity events in one sided flows
Effort:
Difficulty:
Label: Needs Suricata-Verify test
Description
We have a one-way malware communication channel in the attached "single channel" pcap.
The responses are coming via another channel, not ICMP.
The full pcap is located here: https://www.activecountermeasures.com/malware-of-the-day-c2-over-icmp-icmp-gosh/
I notified PFPT a while back about that malware and they developed rules that alert on that.
However, Suricata does not seem to generate ICMP event logs (alerts are generated fine) even with midstream enabled, but this is just one side anyway.
Both Suri 8 and 7 master have the same behavior. Using async-oneside does not make any difference either.
So I am wondering if we can do something about that type of communication.
sudo rm logs/* -rf ;  sudo  suricata  -S /dev/null  -l logs/ -k none -r ICMP-DestUnreachable.pcapng -v --set "stream.midstream=true" ; jq -r .event_type logs/eve.json | sort | uniq -c |sort -rn ; grep '"event_type":"alert"' logs/eve.json | jq .alert.signature | sort -rn | uniq -c | sort -rn
Notice: suricata: This is Suricata version 8.0.1-dev (49629f7cb 2025-08-22) running in USER mode [LogVersion:suricata.c:1208]
Info: cpu: CPUs/cores online: 16 [UtilCpuPrintSummary:util-cpu.c:149]
Info: suricata: Setting engine mode to IDS mode by default [PostConfLoadedSetup:suricata.c:2795]
Info: exception-policy: master exception-policy set to: auto [ExceptionPolicyMasterParse:util-exception-policy.c:269]
Info: logopenfile: fast output device (regular) initialized: fast.log [SCConfLogOpenGeneric:util-logopenfile.c:648]
Info: logopenfile: eve-log output device (regular) initialized: eve.json [SCConfLogOpenGeneric:util-logopenfile.c:648]
Info: logopenfile: stats output device (regular) initialized: stats.log [SCConfLogOpenGeneric:util-logopenfile.c:648]
Info: detect: No signatures supplied. [SigLoadSignatures:detect-engine-loader.c:461]
Info: pcap: Starting file run for ICMP-DestUnreachable.pcapng [ReceivePcapFileLoop:source-pcap-file.c:206]
Notice: threads: Threads created -> RX: 1 W: 16 FM: 1 FR: 1   Engine started. [TmThreadWaitOnThreadRunning:tm-threads.c:1982]
Info: pcap: pcap file ICMP-DestUnreachable.pcapng end of file reached (pcap err code 0) [PcapFileDispatch:source-pcap-file-helper.c:163]
Notice: suricata: Signal Received.  Stopping engine. [SuricataMainLoop:suricata.c:2931]
Info: suricata: time elapsed 0.097s [SCPrintElapsedTime:suricata.c:1228]
Notice: pcap: read 1 file, 364 packets, 62431 bytes [ReceivePcapFileThreadExitStats:source-pcap-file.c:414]
Info: counters: Alerts: 0 [StatsLogSummary:counters.c:869]
      1 stats
sudo rm logs/* -rf ;  sudo  suricata  -S "rules/*.rules"  -l logs/ -k none -r ICMP-DestUnreachable.pcapng -v --set "stream.midstream=true" ; jq -r .event_type logs/eve.json | sort | uniq -c |sort -rn ; grep '"event_type":"alert"' logs/eve.json | jq .alert.signature | sort -rn | uniq -c | sort -rn
Notice: suricata: This is Suricata version 8.0.1-dev (49629f7cb 2025-08-22) running in USER mode [LogVersion:suricata.c:1208]
Info: cpu: CPUs/cores online: 16 [UtilCpuPrintSummary:util-cpu.c:149]
Info: suricata: Setting engine mode to IDS mode by default [PostConfLoadedSetup:suricata.c:2795]
Info: exception-policy: master exception-policy set to: auto [ExceptionPolicyMasterParse:util-exception-policy.c:269]
Info: logopenfile: fast output device (regular) initialized: fast.log [SCConfLogOpenGeneric:util-logopenfile.c:648]
Info: logopenfile: eve-log output device (regular) initialized: eve.json [SCConfLogOpenGeneric:util-logopenfile.c:648]
Info: logopenfile: stats output device (regular) initialized: stats.log [SCConfLogOpenGeneric:util-logopenfile.c:648]
Info: detect: 55 rule files processed. 84234 rules successfully loaded, 0 rules failed, 0 rules skipped [SigLoadSignatures:detect-engine-loader.c:473]
Info: threshold-config: Threshold config parsed: 0 rule(s) found [SCThresholdConfParseFile:util-threshold-config.c:1015]
Info: detect: 84237 signatures processed. 950 are IP-only rules, 13447 are inspecting packet payload, 69792 inspect application layer, 0 are decoder event only [SigPrepareStage1:detect-engine-build.c:1810]
Notice: mpm-hs: Rule group caching - loaded: 0 newly cached: 73 total cacheable: 73 [SCHSCacheRuleset:util-mpm-hs.c:852]
Info: pcap: Starting file run for ICMP-DestUnreachable.pcapng [ReceivePcapFileLoop:source-pcap-file.c:206]
Notice: threads: Threads created -> RX: 1 W: 16 FM: 1 FR: 1   Engine started. [TmThreadWaitOnThreadRunning:tm-threads.c:1982]
Info: pcap: pcap file ICMP-DestUnreachable.pcapng end of file reached (pcap err code 0) [PcapFileDispatch:source-pcap-file-helper.c:163]
Notice: suricata: Signal Received.  Stopping engine. [SuricataMainLoop:suricata.c:2931]
Info: suricata: time elapsed 0.184s [SCPrintElapsedTime:suricata.c:1228]
Notice: pcap: read 1 file, 364 packets, 62431 bytes [ReceivePcapFileThreadExitStats:source-pcap-file.c:414]
Info: counters: Alerts: 371 [StatsLogSummary:counters.c:869]
    371 alert
      1 stats
    326 "ET MALWARE ICMP-GOSH Magic Bytes via ICMP Error" 
      9 "ET INFO Observed tasklist Command via Inbound ICMP" 
      9 "ET INFO Observed powershell Command via Inbound ICMP" 
      9 "ET INFO Observed netstat Command via Inbound ICMP" 
      9 "ET INFO Observed ipconfig Command via Inbound ICMP" 
      9 "ET INFO Observed dir Command via Inbound ICMP" 
sudo rm logs/* -rf ;  sudo  suricata  -S /dev/null  -l logs/ -k none -r ICMP-DestUnreachable.pcapng -v --set "stream.midstream=true" --runmode=single ; jq -r .event_type logs/eve.json | sort | uniq -c |sort -rn ; grep '"event_type":"alert"' logs/eve.json | jq .alert.signature | sort -rn | uniq -c | sort -rn
Notice: suricata: This is Suricata version 8.0.1-dev (49629f7cb 2025-08-22) running in USER mode [LogVersion:suricata.c:1208]
Info: cpu: CPUs/cores online: 16 [UtilCpuPrintSummary:util-cpu.c:149]
Info: suricata: Setting engine mode to IDS mode by default [PostConfLoadedSetup:suricata.c:2795]
Info: exception-policy: master exception-policy set to: auto [ExceptionPolicyMasterParse:util-exception-policy.c:269]
Info: logopenfile: fast output device (regular) initialized: fast.log [SCConfLogOpenGeneric:util-logopenfile.c:648]
Info: logopenfile: eve-log output device (regular) initialized: eve.json [SCConfLogOpenGeneric:util-logopenfile.c:648]
Info: logopenfile: stats output device (regular) initialized: stats.log [SCConfLogOpenGeneric:util-logopenfile.c:648]
Info: detect: No signatures supplied. [SigLoadSignatures:detect-engine-loader.c:461]
Info: pcap: Starting file run for ICMP-DestUnreachable.pcapng [ReceivePcapFileLoop:source-pcap-file.c:206]
Notice: threads: Threads created -> W: 1 FM: 1 FR: 1   Engine started. [TmThreadWaitOnThreadRunning:tm-threads.c:1982]
Info: pcap: pcap file ICMP-DestUnreachable.pcapng end of file reached (pcap err code 0) [PcapFileDispatch:source-pcap-file-helper.c:163]
Notice: suricata: Signal Received.  Stopping engine. [SuricataMainLoop:suricata.c:2931]
Info: suricata: time elapsed 0.019s [SCPrintElapsedTime:suricata.c:1228]
Notice: pcap: read 1 file, 364 packets, 62431 bytes [ReceivePcapFileThreadExitStats:source-pcap-file.c:414]
Info: counters: Alerts: 0 [StatsLogSummary:counters.c:869]
      1 stats
suricata --build-info
This is Suricata version 8.0.1-dev (49629f7cb 2025-08-22)
Features: PCAP_SET_BUFF AF_PACKET HAVE_PACKET_FANOUT LIBCAP_NG LIBNET1.1 HAVE_HTP_URI_NORMALIZE_HOOK PCRE_JIT HAVE_NSS HTTP2_DECOMPRESSION HAVE_LUA HAVE_JA3 HAVE_JA4 HAVE_LIBJANSSON TLS TLS_C11 MAGIC RUST POPCNT64 
SIMD support: SSE_4_2 SSE_4_1 SSE_3 SSE_2 
Atomic intrinsics: 1 2 4 8 16 byte(s)
64-bits, Little-endian architecture
GCC version 14.3.0, C version 201112
compiled with _FORTIFY_SOURCE=0
L1 cache line size (CLS)=64
thread local storage method: _Thread_local
compiled with LibHTP v8.0.1-dev
Suricata Configuration:
  AF_PACKET support:                       yes
  AF_XDP support:                          no
  DPDK support:                            no
  eBPF support:                            no
  XDP support:                             no
  PF_RING support:                         no
  NFQueue support:                         no
  NFLOG support:                           no
  IPFW support:                            no
  Netmap support:                          no 
  DAG enabled:                             no
  Napatech enabled:                        no
  WinDivert enabled:                       no
  Npcap support:                           
  Unix socket enabled:                     yes
  Detection enabled:                       yes
  Libmagic support:                        yes
  libjansson support:                      yes
  hiredis support:                         no
  hiredis async with libevent:             no
  PCRE jit:                                yes
  GeoIP2 support:                          yes
  JA3 support:                             yes
  JA4 support:                             yes
  Hyperscan support:                       yes
  Hwloc support:                           no
  Libnet support:                          yes
  liblz4 support:                          yes
  Landlock support:                        yes
  Systemd support:                         yes
  Rust strict mode:                        no
  Rust compiler path:                      /home/pevma/.cargo/bin/rustc
  Rust compiler version:                   rustc 1.85.1 (4eb161250 2025-03-15)
  Cargo path:                              /home/pevma/.cargo/bin/cargo
  Cargo version:                           cargo 1.85.1 (d73d2caf9 2024-12-31)
  Python support:                          yes
  Python path:                             /home/pevma/.pyenv/shims/python3
  Install suricatactl:                     yes
  Install suricatasc:                      yes
  Install suricata-update:                 no, not bundled
  Profiling enabled:                       no
  Profiling locks enabled:                 no
  Profiling rules enabled:                 no
  Plugin support (experimental):           yes
  DPDK Bond PMD:                           no
Plugins:
  nDPI:                                    no
Development settings:
  Coccinelle / spatch:                     yes
  Unit tests enabled:                      no
  Debug output enabled:                    no
  Debug validation enabled:                no
  Fuzz targets enabled:                    no
Generic build parameters:
  Installation prefix:                     /opt/suritest-master
  Configuration directory:                 /opt/suritest-master/etc/suricata/
  Log directory:                           /opt/suritest-master/var/log/suricata/
  --prefix                                 /opt/suritest-master
  --sysconfdir                             /opt/suritest-master/etc
  --localstatedir                          /opt/suritest-master/var
  --datarootdir                            /opt/suritest-master/share
  Host:                                    x86_64-pc-linux-gnu
  Compiler:                                gcc (exec name) / g++ (real)
  GCC Protect enabled:                     no
  GCC march native enabled:                yes
  GCC Profile enabled:                     no
  Position Independent Executable enabled: no
  CFLAGS                                   -g -O2 -fPIC -DOS_LINUX -std=c11 -march=native
  PCAP_CFLAGS                              -I/usr/include/dbus-1.0 -I/usr/lib/x86_64-linux-gnu/dbus-1.0/include 
  SECCFLAGS           
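The jq pipelines above only count event types; the gap the report describes (alerts fire on the ICMP channel, yet no flow record is ever written for it) is easier to see when alerts are cross-referenced against flow records per conversation. The following is an added example, not code from the issue or from Suricata: it reads eve.json-style lines (a constructed sample is embedded; the field names follow Suricata's EVE alert and flow records) and returns the alerted conversations that never got a flow event.

```python
"""Cross-check eve.json: which alerted conversations never produced a flow record?"""
import json
from collections import Counter

# Constructed sample eve.json lines (not taken from the attached pcap). The ICMP
# alerts mimic the one-sided ICMP-GOSH traffic from the report; the TCP pair
# shows what a conversation with a matching flow record looks like.
SAMPLE_EVE = """\
{"event_type":"alert","proto":"ICMP","src_ip":"10.0.0.5","dest_ip":"10.0.0.9","icmp_type":3,"icmp_code":3,"alert":{"signature":"ET MALWARE ICMP-GOSH Magic Bytes via ICMP Error"}}
{"event_type":"alert","proto":"ICMP","src_ip":"10.0.0.5","dest_ip":"10.0.0.9","icmp_type":3,"icmp_code":3,"alert":{"signature":"ET INFO Observed tasklist Command via Inbound ICMP"}}
{"event_type":"alert","proto":"TCP","src_ip":"10.0.0.9","dest_ip":"10.0.0.7","src_port":4444,"dest_port":80,"alert":{"signature":"constructed TCP alert"}}
{"event_type":"flow","proto":"TCP","src_ip":"10.0.0.9","dest_ip":"10.0.0.7","src_port":4444,"dest_port":80,"flow":{"pkts_toserver":3,"pkts_toclient":0}}
{"event_type":"stats","stats":{}}
"""


def conversation_key(rec):
    """Direction-agnostic key: a flow logged client->server must match alerts
    raised on packets travelling either way."""
    ends = sorted([rec.get("src_ip", ""), rec.get("dest_ip", "")])
    return (rec.get("proto", ""), ends[0], ends[1])


def summarize(eve_text):
    """Return (event_type counts, signature counts, alerted conversations
    without any flow record -> number of alerts on that conversation)."""
    counts, signatures, alerted, flows = Counter(), Counter(), Counter(), set()
    for line in eve_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        etype = rec.get("event_type")
        counts[etype] += 1
        if etype == "alert":
            signatures[rec["alert"]["signature"]] += 1
            alerted[conversation_key(rec)] += 1
        elif etype == "flow":
            flows.add(conversation_key(rec))
    missing = {key: n for key, n in alerted.items() if key not in flows}
    return counts, signatures, missing


if __name__ == "__main__":
    counts, signatures, missing = summarize(SAMPLE_EVE)
    for etype, n in counts.most_common():
        print(f"{n:7d} {etype}")
    for sig, n in signatures.most_common():
        print(f"{n:7d} {sig}")
    for (proto, a, b), n in missing.items():
        print(f"no flow record for {proto} {a} <-> {b} ({n} alerts)")
```

Run it against a real file with `summarize(open("logs/eve.json").read())`; any ICMP conversation listed at the end is exactly the one-sided case the report is about.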
Updated by Victor Julien 10 days ago
- Status changed from New to Assigned
- Assignee changed from OISF Dev to Peter Manev
- Label Needs Suricata-Verify test added
Can you create an SV test out of this?