Share
## https://sploitus.com/exploit?id=CFAE4595-1820-519E-8268-CF021790D959
# suricata-detections

Network IDS signature development grounded in packet-level traffic analysis.

This repo contains Suricata detection rules for CVE exploitation traffic, written by working from the pcap up โ€” observing actual network behavior first, then translating indicators into precise signatures with documented trade-off rationale.

**Current coverage:** CVE-2021-44228 (Log4Shell)

---

## Methodology

Each rule in this repo follows the same development process:

1. **Pcap analysis first.** Read captures of real or lab-reproduced exploitation traffic in Wireshark. Understand what the attack looks like at the packet level before writing a single line of rule syntax.
2. **Identify the reliable indicator.** What is present in malicious traffic that is absent (or rare enough) in benign traffic? What is the minimum specificity needed to catch the behavior without generating noise?
3. **Write the signature.** Ground the `content` match in observed byte patterns. Use PCRE only when content matching cannot handle the variant space. Set `fast_pattern` to keep MPM performance overhead low.
4. **Document the trade-offs.** What does the rule intentionally not catch? Where can it FP? What suppression approach is recommended? These decisions are as important as the rule itself.
5. **Test against positive and negative cases.** Every rule has a corresponding pcap that should fire it, and at least one that should not.

---

## Repository Structure

```
suricata-detections/
โ”œโ”€โ”€ rules/
โ”‚   โ””โ”€โ”€ log4shell.rules          # Suricata rules for CVE-2021-44228
โ”œโ”€โ”€ analysis/
โ”‚   โ””โ”€โ”€ log4shell_analysis.md    # Traffic analysis & detection rationale
โ”œโ”€โ”€ tests/
โ”‚   โ”œโ”€โ”€ generate_test_pcaps.py   # Generates synthetic test pcaps (zero deps)
โ”‚   โ””โ”€โ”€ test_rules.py            # Validates rules against pcaps via Suricata
โ”œโ”€โ”€ pcaps/                       # Generated by generate_test_pcaps.py
โ”‚   โ”œโ”€โ”€ positive_01_*.pcap       # Should trigger specific SIDs
โ”‚   โ””โ”€โ”€ negative_01_*.pcap       # Should trigger nothing
โ””โ”€โ”€ README.md
```

---

## CVE-2021-44228 โ€” Log4Shell

**CVSS:** 10.0 Critical | **MITRE:** T1190 (Exploit Public-Facing Application)

Log4Shell exploits Log4j2's JNDI message lookup substitution. Any user-controlled string that gets logged can trigger a remote JNDI lookup, resulting in remote code execution.

### Rules

| SID | Description | FP Risk |
|-----|-------------|---------|
| 9100001 | JNDI lookup string in HTTP headers | Very Low |
| 9100002 | JNDI lookup string in HTTP URI | Very Low |
| 9100003 | Obfuscated nested expression bypass | Low |
| 9100004 | JNDI protocol callback string (ldap/rmi/dns) | Low |
| 9100005 | Outbound LDAP callback (post-exploitation) | Medium |

Rules 1โ€“4 cover inbound exploitation attempts including obfuscated WAF-bypass variants. Rule 5 provides independent post-exploitation confirmation via network flow telemetry โ€” a different detection layer that doesn't depend on seeing the inbound payload.

### Test Coverage

```
Positive cases (should fire):
  โœ“ Basic JNDI in User-Agent header              โ†’ sid:9100001
  โœ“ JNDI in X-Forwarded-For header              โ†’ sid:9100001
  โœ“ JNDI in URI path                            โ†’ sid:9100002
  โœ“ Obfuscated: ${${lower:j}ndi:...}            โ†’ sid:9100003
  โœ“ Obfuscated: character substitution chain    โ†’ sid:9100003
  โœ“ RMI protocol variant                        โ†’ sid:9100001, 9100004
  โœ“ Outbound LDAP callback                      โ†’ sid:9100005

Negative cases (should NOT fire):
  โœ“ Benign HTTP request
  โœ“ JNDI string in server response (wrong direction)
  โœ“ Dollar-brace in URL parameter (not JNDI)
  โœ“ Legitimate internal LDAP connection
```

---

## Running the Tests

**Requirements:** Python 3.10+, Suricata (for live validation)

```bash
# 1. Generate test pcaps
python tests/generate_test_pcaps.py

# 2. Run validation (requires Suricata)
python tests/test_rules.py

# 3. CI mode โ€” exits 1 on any failure
python tests/test_rules.py --ci
```

If Suricata is not installed, the test harness runs in simulation mode and
validates that pcaps were generated correctly without live rule evaluation.

**Install Suricata:**
```bash
# Ubuntu/Debian
sudo apt install suricata

# macOS
brew install suricata
```

---

## Design Decisions

**Zero third-party Python dependencies.** The pcap generator writes raw binary
using only Python's `struct` and `socket` standard library modules. This is a
deliberate supply chain security decision โ€” no pip installs required to generate
test cases.

**`fast_pattern` on primary content.** Every rule with a `content` match
specifies `fast_pattern` to instruct Suricata's multi-pattern matcher to use
that string as the primary pre-filter. This keeps CPU overhead low at scale
even when many rules are loaded.

**`threshold` on high-volume rules.** Rules 1 and 2 include
`threshold:type limit, track by_src, count 1, seconds 60` to suppress alert
storms from mass-scanning sources. The detection still fires; it just doesn't
generate thousands of duplicate alerts for the same source IP.

**Benign classifier over rule suppression.** False positives from known security
scanners (Shodan, Censys, etc.) are noted in trade-off documentation but not
suppressed in the rules themselves. At sensor scale, this is better handled by
a known-scanner classification layer (e.g., GreyNoise tags) than by baking IP
allowlists into rule logic, which doesn't scale and creates maintenance debt.

---

## References

- [NVD CVE-2021-44228](https://nvd.nist.gov/vuln/detail/CVE-2021-44228)
- [LunaSec original disclosure](https://www.lunasec.io/docs/blog/log4j-zero-day/)
- [Log4Shell evasion patterns](https://github.com/back2root/log4shell-rex)
- [Malware Traffic Analysis (public pcap samples)](https://www.malware-traffic-analysis.net)
- [MITRE ATT&CK T1190](https://attack.mitre.org/techniques/T1190/)
- [Suricata rule documentation](https://docs.suricata.io/en/latest/rules/)