Friday, October 09, 2015

HOWTO : ClamAV For Suricata

Suricata is an Intrusion Detection and Prevention System, and it can work with ClamAV too. One of the features of Suricata is matching the MD5 hash of the files it extracts from traffic. We can use ClamAV's MD5 signatures to inspect every file download, and we can also save the malicious file for further analysis.

Install and Configure ClamAV

sudo apt-get update
sudo apt-get install clamav
sudo update-rc.d clamav-freshclam disable

We will not use the ClamAV engine with Suricata; we use the ClamAV MD5 signatures instead.

Prepare ClamAV MD5 Signature for Suricata

sudo nano /usr/bin/nsm_clamav_md5

sudo chmod +x /usr/bin/nsm_clamav_md5

Create a cron job :

sudo crontab -e

0 03 * * * /usr/bin/nsm_clamav_md5

* The cron job runs the script (nsm_clamav_md5) at 0300 hours every day; it should run earlier than the Suricata rules update script/procedure.
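The post does not show the body of nsm_clamav_md5, so here is an added example of what such a script has to do: it is not the author's script. ClamAV .hdb signatures have the form MD5:FileSize:MalwareName, and Suricata's filemd5 keyword wants one bare hash per line. The database location (/var/lib/clamav), the sigtool unpack step and the output path (blacklist_md5 under /etc/suricata/rules, matching the rule below) are assumptions.

```sh
#!/bin/sh
# Added example (not the original post's nsm_clamav_md5 script): convert ClamAV
# .hdb hash signatures into the plain one-hash-per-line list that Suricata's
# filemd5 keyword expects. A .hdb line has the form  MD5:FileSize:MalwareName.
# The database paths, the sigtool unpack step and the output path are assumptions.

# Constructed sample .hdb content: fake digests, not real ClamAV signatures.
SAMPLE_HDB='0123456789abcdef0123456789abcdef:1234:Example.Trojan-1
# comment lines, malformed entries and duplicates must all be skipped
FEDCBA9876543210FEDCBA9876543210:99:Example.Trojan-2
notahash:1:Broken.Entry
00112233445566778899aabbccddeeff:5:Example.Dup
00112233445566778899aabbccddeeff:5:Example.Dup'

# hdb_to_md5: read .hdb lines on stdin, print one lowercase 32-hex MD5 per line,
# dropping comments, malformed entries and duplicates (lowercasing makes the
# duplicate check case-insensitive).
hdb_to_md5() {
    awk -F: '
        /^#/ || NF < 3 { next }
        length($1) == 32 && $1 ~ /^[0-9A-Fa-f]+$/ {
            h = tolower($1)
            if (!(h in seen)) { seen[h] = 1; print h }
        }'
}

# Named results for the constructed sample, so the filter can be checked.
sample_md5_list() { printf '%s\n' "$SAMPLE_HDB" | hdb_to_md5; }
sample_md5_count() { sample_md5_list | wc -l | tr -d ' '; }

# build_blacklist: the daily job. Unpack the ClamAV databases (assumed to sit
# under /var/lib/clamav after freshclam), filter every .hdb they contain, and
# replace the list atomically so Suricata never reads a half-written file.
build_blacklist() {
    db_dir=${1:-/var/lib/clamav}
    out=${2:-/etc/suricata/rules/blacklist_md5}   # name used by filemd5:blacklist_md5
    work=$(mktemp -d) || return 1
    ( cd "$work" && for db in "$db_dir"/*.cvd "$db_dir"/*.cld; do
          [ -f "$db" ] && sigtool --unpack="$db"
      done )
    cat "$work"/*.hdb 2>/dev/null | hdb_to_md5 > "$out.tmp" \
        && mv "$out.tmp" "$out"
    rm -rf "$work"
}

# Demonstration on the constructed sample only (no system paths are touched).
echo "sample produced $(sample_md5_count) unique hashes:"
sample_md5_list
```

Running build_blacklist as root, followed by a Suricata rule reload or restart, is the part the cron job would do; the sample run above only exercises the filter.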

Create your Suricata Local Rule

sudo nano /etc/suricata/rules/local.rules

Append the following to the file :

# rules for file extraction
# this rule drops every file whose MD5 hash matches the ClamAV hash list (blacklist_md5)
drop http any any -> any any (msg:"LOCAL Malicious file - Clamav MD5 Hash"; flow:established; filestore; filemd5:blacklist_md5; classtype:suspicious-filename-detect; sid:1000000; rev:1;)

Configure suricata.yaml

sudo nano /etc/suricata/suricata.yaml

Apply the following settings :

* If you do not want to save the malicious files for further analysis, disable the "file-store" setting in suricata.yaml and remove the "filestore" keyword from local.rules.

Make It Work Together

sudo nsm_clamav_md5

Restart Suricata or reboot the box. For Croissants, you can restart Suricata by issuing the following command :

sudo restart suricata

Suricata will block the malicious file from downloading when its MD5 hash matches (the drop action only takes effect when Suricata runs inline in IPS mode; in IDS mode the match is only logged), and the malicious files will be saved at /var/log/suricata/files for further inspection.

Known Issue

libhtp 0.5.x cannot handle a browser's retry of a file download at the moment. It is recommended that users do not retry downloading a file that could not be downloaded the first time. According to the developer of libhtp, 0.6.x can handle this problem.

Another limitation is that Suricata can only detect malicious files whose MD5 hash is known to ClamAV.


Filemd5 and white or black listing with MD5 hashes

That's all! See you.