Cobalt Strike Alert on Suricata
-
Found that alert in my Suricata logs and don't know how to analyze it properly. I am new to log analysis and don't know if this is an indication of activity that was blocked or an active indicator of compromise. Any insight would be greatly appreciated.
alert-pf -> module initialized, pf-table=snort2c block-ip=both kill-state=on block-drops-only=off
25/1/2023 -- 08:30:28 - <Info> -- fast output device (regular) initialized: alerts.log
25/1/2023 -- 08:30:28 - <Info> -- http-log output device (regular) initialized: http.log
alert-pf -> Firewall Interface IP Address Change monitoring thread has successfully started.
25/1/2023 -- 08:30:28 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
25/1/2023 -- 08:30:28 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Trojan.Zeus Spam 2013 dated zip/exe HTTP Response - potential malware download"; flow:to_client,established; content:"-2013.zip|0D 0A|"; fast_pattern:only; content:"-2013.zip|0D 0A|"; http_header; content:"-"; within:1; distance:-14; http_header; file_data; content:"-2013.exe"; content:"-"; within:1; distance:-14; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/2eff3ee6ac7f5bf85e4ebcbe51974d0708cef666581ef1385c628233614b22c0/analysis/; classtype:trojan-activity; sid:26470; rev:2;)" from file /usr/local/etc/suricata/suricata_15693_mvneta0.4092/rules/suricata.rules at line 163
25/1/2023 -- 08:30:33 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 Hash - Suspected Cobalt Strike Malleable C2 M1 (set)"; flow:established,to_server; ja3.hash; content:"eb88d0b3e1961a0562f006e5ce2a0b87"; ja3.string; content:"771,49192-49191-49172-49171"; flowbits:set,ET.cobaltstrike.ja3; flowbits:noalert; classtype:command-and-control; sid:2028831; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_10_15, deployment Perimeter, former_category JA3, malware_family Cobalt_Strike, signature_severity Major, updated_at 2019_10_15, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)" from file /usr/local/etc/suricata/suricata_15693_mvneta0.4092/rules/suricata.rules at line 10121
-
These are neither blocks nor alerts. Those are rule parsing errors from the Suricata startup process. Those are expected when you use the Snort rules in Suricata. Snort has some rule syntax that Suricata does not support (nor understand). The reverse is also true.
These errors are normal. They occur during Suricata startup when it is loading and parsing the rules. In this case, those rules throwing the errors are ignored and discarded by Suricata.
Alerts and Blocks are viewed on the ALERTS and BLOCKS tabs in the Suricata GUI.
-
@bmeeks whew! Thank you for clarifying this
-
@cybersec_s said in Cobalt Strike Alert on Suricata:
@bmeeks whew! Thank you for clarifying this
The suricata.log file is where Suricata writes its startup messages, and any pertinent errors that occur. That log file is recreated each time Suricata is started. That is not where alerts and blocks are logged, though. Those are written to individual files located in subdirectories under /var/log/suricata/ for each configured interface. But it is far easier to view the alerts and blocks using the GUI tools available on the ALERTS and BLOCKS tabs in Suricata.
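To make the distinction between startup diagnostics and real detections concrete, here is an added Python example (not from this thread or the pfSense Suricata package) that parses suricata.log lines in the format quoted above next to a fast.log alert line and reports which sids were discarded at startup versus which actually fired. The fast.log line, its sid 9000001 and its addresses are constructed placeholders; the rule text in the startup lines is shortened.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Diagnostic line as Suricata writes it to suricata.log at startup (same format as the lines in the post).
STARTUP_RE = re.compile(r"^\d{1,2}/\d{1,2}/\d{4} -- \d{2}:\d{2}:\d{2} - <(?P<level>\w+)> -- (?P<body>.*)$")
SID_RE = re.compile(r"\bsid:(?P<sid>\d+);")
RULEFILE_RE = re.compile(r"from file (?P<file>\S+) at line (?P<line>\d+)$")
# Detection line in Suricata's fast.log format, i.e. the kind of record the ALERTS tab is built from.
FAST_RE = re.compile(
    r"^\d{2}/\d{2}/\d{4}-\d{2}:\d{2}:\d{2}\.\d+\s+\[\*\*\] \[\d+:(?P<sid>\d+):\d+\] (?P<msg>.*?) \[\*\*\]"
    r"(?: \[Classification: [^\]]*\])? \[Priority: \d+\] \{\w+\} (?P<src>\S+) -> (?P<dst>\S+)$")

@dataclass
class Event:
    kind: str                        # "startup": diagnostic only; "alert": a rule actually fired on traffic
    level: str                       # Info/Error for startup lines, "Alert" for fast.log lines
    message: str
    sid: Optional[int] = None        # discarded rule (parse error) or firing rule (alert)
    rule_file: Optional[str] = None  # set only for rule parse errors
    rule_line: Optional[int] = None

def parse_line(line: str) -> Optional[Event]:
    """Classify one line; returns None for lines in neither format (e.g. alert-pf module chatter)."""
    m = STARTUP_RE.match(line)
    if m:
        body, sid, loc = m["body"], SID_RE.search(m["body"]), RULEFILE_RE.search(m["body"])
        return Event("startup", m["level"], body, int(sid["sid"]) if sid else None,
                     loc["file"] if loc else None, int(loc["line"]) if loc else None)
    m = FAST_RE.match(line)
    if m:
        return Event("alert", "Alert", f"{m['msg']} {m['src']} -> {m['dst']}", int(m["sid"]))
    return None

def triage(lines):
    """Count startup diagnostics vs real alerts, and list which sids were discarded vs which fired."""
    events = [e for e in map(parse_line, lines) if e]
    discarded = sorted({e.sid for e in events if e.kind == "startup" and e.level == "Error" and e.sid})
    fired = sorted({e.sid for e in events if e.kind == "alert"})
    return {"startup": sum(e.kind == "startup" for e in events), "alerts": sum(e.kind == "alert" for e in events),
            "discarded_sids": discarded, "fired_sids": fired}

# Constructed sample: lines from the post (rule text shortened) plus one made-up fast.log alert (sid 9000001 is a placeholder).
SAMPLE = [
    "alert-pf -> module initialized, pf-table=snort2c block-ip=both kill-state=on block-drops-only=off",
    "25/1/2023 -- 08:30:28 - <Info> -- fast output device (regular) initialized: alerts.log",
    '25/1/2023 -- 08:30:28 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp ... sid:26470; rev:2;)" from file /usr/local/etc/suricata/suricata_15693_mvneta0.4092/rules/suricata.rules at line 163',
    '25/1/2023 -- 08:30:33 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tls ... sid:2028831; rev:1;)" from file /usr/local/etc/suricata/suricata_15693_mvneta0.4092/rules/suricata.rules at line 10121',
    "01/25/2023-08:31:02.123456  [**] [1:9000001:1] EXAMPLE constructed alert [**] [Classification: Misc Attack] [Priority: 2] {TCP} 10.0.0.5:51234 -> 203.0.113.7:443",
]
```

Running `triage(SAMPLE)` reports three startup lines, two discarded sids (26470 and 2028831) and exactly one real alert, which is the triage a newcomer wants before deciding whether anything actually fired.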