## https://sploitus.com/exploit?id=CFAE4595-1820-519E-8268-CF021790D959
# suricata-detections
Network IDS signature development grounded in packet-level traffic analysis.
This repo contains Suricata detection rules for CVE exploitation traffic, written by working from the pcap up โ observing actual network behavior first, then translating indicators into precise signatures with documented trade-off rationale.
**Current coverage:** CVE-2021-44228 (Log4Shell)
---
## Methodology
Each rule in this repo follows the same development process:
1. **Pcap analysis first.** Read captures of real or lab-reproduced exploitation traffic in Wireshark. Understand what the attack looks like at the packet level before writing a single line of rule syntax.
2. **Identify the reliable indicator.** What is present in malicious traffic that is absent (or rare enough) in benign traffic? What is the minimum specificity needed to catch the behavior without generating noise?
3. **Write the signature.** Ground the `content` match in observed byte patterns. Use PCRE only when content matching cannot handle the variant space. Set `fast_pattern` to keep MPM performance overhead low.
4. **Document the trade-offs.** What does the rule intentionally not catch? Where can it FP? What suppression approach is recommended? These decisions are as important as the rule itself.
5. **Test against positive and negative cases.** Every rule has a corresponding pcap that should fire it, and at least one that should not.
---
## Repository Structure
```
suricata-detections/
โโโ rules/
โ โโโ log4shell.rules # Suricata rules for CVE-2021-44228
โโโ analysis/
โ โโโ log4shell_analysis.md # Traffic analysis & detection rationale
โโโ tests/
โ โโโ generate_test_pcaps.py # Generates synthetic test pcaps (zero deps)
โ โโโ test_rules.py # Validates rules against pcaps via Suricata
โโโ pcaps/ # Generated by generate_test_pcaps.py
โ โโโ positive_01_*.pcap # Should trigger specific SIDs
โ โโโ negative_01_*.pcap # Should trigger nothing
โโโ README.md
```
---
## CVE-2021-44228 โ Log4Shell
**CVSS:** 10.0 Critical | **MITRE:** T1190 (Exploit Public-Facing Application)
Log4Shell exploits Log4j2's JNDI message lookup substitution. Any user-controlled string that gets logged can trigger a remote JNDI lookup, resulting in remote code execution.
### Rules
| SID | Description | FP Risk |
|-----|-------------|---------|
| 9100001 | JNDI lookup string in HTTP headers | Very Low |
| 9100002 | JNDI lookup string in HTTP URI | Very Low |
| 9100003 | Obfuscated nested expression bypass | Low |
| 9100004 | JNDI protocol callback string (ldap/rmi/dns) | Low |
| 9100005 | Outbound LDAP callback (post-exploitation) | Medium |
Rules 1โ4 cover inbound exploitation attempts including obfuscated WAF-bypass variants. Rule 5 provides independent post-exploitation confirmation via network flow telemetry โ a different detection layer that doesn't depend on seeing the inbound payload.
### Test Coverage
```
Positive cases (should fire):
โ Basic JNDI in User-Agent header โ sid:9100001
โ JNDI in X-Forwarded-For header โ sid:9100001
โ JNDI in URI path โ sid:9100002
โ Obfuscated: ${${lower:j}ndi:...} โ sid:9100003
โ Obfuscated: character substitution chain โ sid:9100003
โ RMI protocol variant โ sid:9100001, 9100004
โ Outbound LDAP callback โ sid:9100005
Negative cases (should NOT fire):
โ Benign HTTP request
โ JNDI string in server response (wrong direction)
โ Dollar-brace in URL parameter (not JNDI)
โ Legitimate internal LDAP connection
```
---
## Running the Tests
**Requirements:** Python 3.10+, Suricata (for live validation)
```bash
# 1. Generate test pcaps
python tests/generate_test_pcaps.py
# 2. Run validation (requires Suricata)
python tests/test_rules.py
# 3. CI mode โ exits 1 on any failure
python tests/test_rules.py --ci
```
If Suricata is not installed, the test harness runs in simulation mode and
validates that pcaps were generated correctly without live rule evaluation.
**Install Suricata:**
```bash
# Ubuntu/Debian
sudo apt install suricata
# macOS
brew install suricata
```
---
## Design Decisions
**Zero third-party Python dependencies.** The pcap generator writes raw binary
using only Python's `struct` and `socket` standard library modules. This is a
deliberate supply chain security decision โ no pip installs required to generate
test cases.
**`fast_pattern` on primary content.** Every rule with a `content` match
specifies `fast_pattern` to instruct Suricata's multi-pattern matcher to use
that string as the primary pre-filter. This keeps CPU overhead low at scale
even when many rules are loaded.
**`threshold` on high-volume rules.** Rules 1 and 2 include
`threshold:type limit, track by_src, count 1, seconds 60` to suppress alert
storms from mass-scanning sources. The detection still fires; it just doesn't
generate thousands of duplicate alerts for the same source IP.
**Benign classifier over rule suppression.** False positives from known security
scanners (Shodan, Censys, etc.) are noted in trade-off documentation but not
suppressed in the rules themselves. At sensor scale, this is better handled by
a known-scanner classification layer (e.g., GreyNoise tags) than by baking IP
allowlists into rule logic, which doesn't scale and creates maintenance debt.
---
## References
- [NVD CVE-2021-44228](https://nvd.nist.gov/vuln/detail/CVE-2021-44228)
- [LunaSec original disclosure](https://www.lunasec.io/docs/blog/log4j-zero-day/)
- [Log4Shell evasion patterns](https://github.com/back2root/log4shell-rex)
- [Malware Traffic Analysis (public pcap samples)](https://www.malware-traffic-analysis.net)
- [MITRE ATT&CK T1190](https://attack.mitre.org/techniques/T1190/)
- [Suricata rule documentation](https://docs.suricata.io/en/latest/rules/)