
I have Suricata 7.0.2 IDS installed on a Linux Ubuntu 20.04 virtual machine. In my virtual environment, I have two virtual networks. In the first network, I have a mail user agent (Attacker) that sends an email to a local Postfix mail server (attacker-mailServer, IP address 10.0.3.17) which then relays the sent mail to a receiver SMTP server (Target Mail Server, IP address 10.0.2.1) using SMTP protocol over port 25. This email system model is displayed below: SMTP-Email System

I wish to configure Suricata to monitor the SMTP traffic relayed from the attacker-mailServer to Target Mail Server over port 25. I performed packet capture using WireShark to monitor the SMTP traffic which is displayed below: SMTP Packet Capture with WireShark

The SMTP traffic, as well as the source and destination IP addresses are visible showing that the SMTP traffic is flowing in the expected direction.

I wish to use Suricata IDS to detect the SMTP traffic as alerts for the protocol and log the resulting alerts to the Suricata output log file /var/log/suricata/eve.json as outlined in the Suricata documentation. I have written my own custom rules for my Suricata IDS below:

  • alert tcp any any -> [10.0.2.0/24] 25 (msg:"SMTP Relay Connection"; flow:to_server,established; sid: 9998088; rev:8;)
  • alert smtp any any -> [10.0.2.0/24] any (msg:"SMTP Protocol Activity"; flow:to_server,established; sid: 9900066; rev:2;)

I have added these rules to a new file and edited the Suricata configuration file to include this file under the "rule-files:" section. To support SMTP application layer detection and output logging to the eve-output file, I also edited the config file as follows under the sections "app_layer" and "outputs:eve-log:types". The configuration is as shown in the two screenshots: SMTP Traffic Detection, SMTP Log Output

After editing the configuration file /etc/suricata/suricata.yaml, I ran the following commands:

sudo suricata -T -c /etc/suricata/suricata.yaml -v
sudo systemctl restart suricata

These commands produced no errors, which means there were no syntax errors in my custom Suricata rules and they loaded, so there are no configuration errors.

Finally, to test the Suricata rule detection, I sent an email to a local user account in the target network; this email is relayed from the attacker mail server to the target mail server over port 25. With the current Suricata configuration, this should log an alert in the output log file /var/log/suricata/eve.json with the labelling signatures "SMTP Relay Connection" or "SMTP Protocol Activity" from my custom Suricata rules. But it does not. Any help as to why this is would be very much appreciated.

1 Answer


Suricata already contains smtp rules by default https://github.com/OISF/suricata/blob/master/rules/smtp-events.rules

But if you enable more sources and fetch/update those rules you get more smtp rules. For those sources and updates you need suricata-update https://suricata-update.readthedocs.io/en/latest/quickstart.html#list-enabled-sources

If you for example enable the source et/open (et = Emerging Threats) you get all these smtp rules https://rules.emergingthreats.net/open/suricata-5.0/rules/emerging-smtp.rules

Regarding your rule not loading what does your suricata.log say?

Have you also enabled the following in the suricata.yaml?

Also try to enable this in your suricata.yaml

- smtp:
    #extended: yes
    # enable this for extended logging information
    # this includes: bcc, message-id, subject, x_mailer, user-agent
    # custom fields logging from the list:
    #  reply-to, bcc, message-id, subject, x-mailer, user-agent, received,
    #  x-originating-ip, in-reply-to, references, importance, priority,
    #  sensitivity, organization, content-md5, date
    #custom: [received, x-mailer, x-originating-ip, relays, reply-to, bcc]
    custom: [received, x-mailer, x-originating-ip, relays, reply-to, bcc,
             reply-to, bcc, message-id, subject, x-mailer, user-agent, received,
             x-originating-ip, in-reply-to, references, importance, priority,
             sensitivity, organization, content-md5, date]
    # output md5 of fields: body, subject
    # for the body you need to set app-layer.protocols.smtp.mime.body-md5
    # to yes
    md5: [body, subject]

Also check out SELKS; it has a solution of a Suricata with the ELK stack pre-configured https://github.com/StamusNetworks/SELKS

Turdie
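As an added diagnostic (not code from either post), this script reads eve.json lines and tallies the records for the relay flow described in the question, so you can tell whether Suricata never saw the 10.0.3.17 -> 10.0.2.1:25 traffic at all (capture interface or HOME_NET problem) or saw it but the two custom sids did not fire (rule or direction problem). The eve records below are constructed samples; the IPs, port and sids are taken from the question.

```python
import json
from collections import Counter

# Constructed sample eve.json records (not a real capture): a flow, an smtp
# record and one alert for the relay flow from the question, plus an unrelated
# alert from another host that the filter must ignore, and one garbage line.
SAMPLE_EVE = "\n".join([
    '{"event_type":"flow","src_ip":"10.0.3.17","src_port":41000,"dest_ip":"10.0.2.1","dest_port":25,"proto":"TCP","app_proto":"smtp"}',
    '{"event_type":"smtp","src_ip":"10.0.3.17","src_port":41000,"dest_ip":"10.0.2.1","dest_port":25,"proto":"TCP","smtp":{"helo":"attacker-mailServer","mail_from":"<a@example.test>","rcpt_to":["<b@example.test>"]}}',
    '{"event_type":"alert","src_ip":"10.0.3.17","src_port":41000,"dest_ip":"10.0.2.1","dest_port":25,"proto":"TCP","alert":{"signature_id":9998088,"rev":8,"signature":"SMTP Relay Connection","action":"allowed"}}',
    '{"event_type":"alert","src_ip":"10.0.3.5","src_port":51000,"dest_ip":"10.0.2.9","dest_port":80,"proto":"TCP","alert":{"signature_id":1000001,"rev":1,"signature":"constructed unrelated alert","action":"allowed"}}',
    'this line is not JSON and must be skipped',
])

# The sids of the question's two custom rules.
EXPECTED_SIDS = {9998088, 9900066}


def triage_relay_flow(eve_text, src_ip, dst_ip, dst_port, sids=EXPECTED_SIDS):
    """Tally eve.json records for one client->server flow and report which sids fired.

    Verdicts separate the failure modes: no records at all (Suricata is not
    seeing the traffic), records but no expected alerts (rule direction,
    HOME_NET or app-layer issue), or some/all expected alerts present.
    """
    by_type = Counter()
    fired = set()
    for line in eve_text.splitlines():
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # tolerate partial or garbage lines from a live-rotated log
        if (ev.get("src_ip"), ev.get("dest_ip"), ev.get("dest_port")) != (src_ip, dst_ip, dst_port):
            continue
        by_type[ev.get("event_type", "unknown")] += 1
        if ev.get("event_type") == "alert":
            sid = ev.get("alert", {}).get("signature_id")
            if sid in sids:
                fired.add(sid)
    if not by_type:
        verdict = "no-traffic-seen"
    elif not fired:
        verdict = "traffic-seen-no-expected-alerts"
    elif fired == set(sids):
        verdict = "all-expected-alerts"
    else:
        verdict = "some-expected-alerts"
    return {"events": dict(by_type), "fired": sorted(fired),
            "missing": sorted(set(sids) - fired), "verdict": verdict}


if __name__ == "__main__":
    # On a live sensor, pass open("/var/log/suricata/eve.json").read() instead of SAMPLE_EVE.
    print(json.dumps(triage_relay_flow(SAMPLE_EVE, "10.0.3.17", "10.0.2.1", 25), indent=2))
```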