Suricata Alerts and PCAP

Investigate IDS alerts and analyze packet captures to validate threats and extract indicators.

Last updated: February 2026

Purpose and Scope

Intrusion detection systems like Suricata generate alerts based on signature matches against network traffic. Understanding how to investigate these alerts, validate findings, and extract additional indicators from packet captures is essential for network defense.

Prerequisites

  • Suricata or Snort deployment: IDS sensors with alerts flowing to SIEM
  • PCAP access: Full packet capture for detailed analysis
  • Analysis tools: Wireshark, tcpdump, tshark, or similar
  • Rule understanding: Familiarity with Suricata/Snort rule syntax

Suricata Alert Structure

Key fields in a Suricata EVE JSON alert record (event_type "alert"):

  • timestamp: Alert time, ISO 8601 with a timezone offset
  • src_ip, dest_ip: Source and destination addresses of the packet that matched
  • src_port, dest_port: Ports involved
  • proto: Transport protocol (TCP, UDP, ICMP); app_proto carries the detected application protocol (http, tls, dns) when Suricata identified one
  • alert.signature: The rule's msg text
  • alert.signature_id, alert.gid, alert.rev: Rule SID, generator ID and revision; a SID is only unique within its generator ID
  • alert.category: Classification description taken from classification.config via the rule's classtype
  • alert.severity: Priority from the same classification, 1 is the highest
  • alert.action: "allowed" or "blocked", i.e. whether Suricata dropped the packet (only meaningful in IPS mode)
  • alert.metadata: Key/value tags from the rule's metadata keyword (ET rules use it for signature_severity, attack_target, deployment and similar)
  • flow_id: Shared by the flow, http, dns, tls and fileinfo records of the same flow, so it is the join key for pivoting from an alert to protocol logs
  • payload: Base64 encoded packet payload (only when payload logging is enabled for alerts in the eve-log output)
  • payload_printable: ASCII rendering of the same payload with non-printable bytes replaced
  • packet: Base64 encoded raw packet, when packet logging is enabled

Alert Categories

Common Suricata alert categories. The alert.category string is the description from classification.config; the rule carries the short classtype key in parentheses, and the priority number becomes alert.severity:

  • Attempted Administrator Privilege Gain (attempted-admin, priority 1): attempts to gain root or administrator access
  • A Network Trojan was detected (trojan-activity, priority 1): known malware communication
  • Malware Command and Control Activity Detected (command-and-control, priority 1): command and control traffic
  • Exploit Kit Activity Detected (exploit-kit, priority 1): drive-by download infrastructure
  • Detection of a Network Scan (network-scan, priority 3): port scanning or reconnaissance
  • Potential Corporate Privacy Violation (policy-violation, priority 1): traffic violating security policy
  • Potentially Bad Traffic (bad-unknown, priority 2): suspicious but not confirmed
  • Not Suspicious Traffic (not-suspicious, priority 3): informational or low severity

Alert Investigation Workflow

1. Triage the Alert

  • Review alert signature and category
  • Check signature severity and confidence
  • Identify source and destination hosts
  • Look up hosts in asset inventory

2. Understand the Rule

Read the rule that triggered:

  • What pattern is it matching?
  • What behavior is it designed to detect?
  • Is this rule known for false positives?
  • Check rule references for context

3. Review Related Alerts

  • Search for other alerts involving same hosts
  • Look for related SIDs in the same timeframe
  • Check for escalation pattern (recon to exploit to C2)

4. Extract and Analyze PCAP

  • Pull packet capture for the alert timeframe
  • Filter to the specific conversation
  • Examine the full session context
  • Extract files or artifacts

5. Validate or Dismiss

  • Confirm malicious activity or identify false positive
  • Document findings and reasoning
  • Update tuning rules if needed
  • Escalate confirmed incidents
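Steps 1 and 3 of the workflow as working code, added here as an example (it is not tooling from the page or from Suricata). It reads eve.json lines, summarises alerts per source/destination pair with the worst severity, pulls every alert that involves a host, and checks whether the host's alerts form the recon, exploit, C2 escalation pattern in time order. The EVE lines are constructed: local-range SIDs (9000001 and up), RFC 5737 documentation addresses and made-up signature names, not real rules or sensor output. The category-to-stage mapping is an assumption for this example; a real deployment would tune it to its own rule set.

```python
"""Triage helpers for Suricata EVE alerts (added example)."""
import json
from datetime import datetime

# Constructed eve.json content: one JSON record per line, including one
# non-alert "flow" record to show that only alerts are kept.
SAMPLE_EVE = """\
{"timestamp":"2026-02-10T09:10:00.000000+0000","event_type":"alert","flow_id":100,"src_ip":"10.1.1.55","src_port":40000,"dest_ip":"192.0.2.20","dest_port":8080,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":9000004,"rev":1,"signature":"LOCAL INFO Unusual proxy port","category":"Potentially Bad Traffic","severity":2}}
{"timestamp":"2026-02-10T09:14:02.100000+0000","event_type":"alert","flow_id":101,"src_ip":"203.0.113.7","src_port":51000,"dest_ip":"10.1.1.100","dest_port":80,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":9000001,"rev":2,"signature":"LOCAL SCAN Web scanner user agent","category":"Detection of a Network Scan","severity":3}}
{"timestamp":"2026-02-10T09:14:02.100000+0000","event_type":"flow","flow_id":101,"src_ip":"203.0.113.7","src_port":51000,"dest_ip":"10.1.1.100","dest_port":80,"proto":"TCP"}
{"timestamp":"2026-02-10T09:15:30.500000+0000","event_type":"alert","flow_id":102,"src_ip":"203.0.113.7","src_port":51122,"dest_ip":"10.1.1.100","dest_port":80,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":9000002,"rev":1,"signature":"LOCAL EXPLOIT Command injection attempt in form field","category":"Web Application Attack","severity":1}}
{"timestamp":"2026-02-10T09:20:05.000000+0000","event_type":"alert","flow_id":103,"src_ip":"10.1.1.100","src_port":49712,"dest_ip":"198.51.100.9","dest_port":443,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":9000003,"rev":1,"signature":"LOCAL MALWARE Beacon to known C2","category":"Malware Command and Control Activity Detected","severity":1}}
"""

# classification.config descriptions mapped to a coarse kill-chain stage
# (assumed mapping for this example).
STAGE_BY_CATEGORY = {
    "Detection of a Network Scan": "recon",
    "Web Application Attack": "exploit",
    "Attempted Administrator Privilege Gain": "exploit",
    "Malware Command and Control Activity Detected": "c2",
    "A Network Trojan was detected": "c2",
}
STAGE_ORDER = ("recon", "exploit", "c2")


def parse_ts(ts):
    """EVE timestamps look like 2026-02-10T09:14:02.100000+0000."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%f%z")


def load_alerts(eve_text):
    """Keep only event_type 'alert' records, oldest first."""
    alerts = []
    for line in eve_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        if rec.get("event_type") == "alert":
            alerts.append(rec)
    return sorted(alerts, key=lambda r: parse_ts(r["timestamp"]))


def alerts_for_host(alerts, ip):
    """Step 3: every alert in which the host is source or destination."""
    return [a for a in alerts if ip in (a["src_ip"], a["dest_ip"])]


def host_pair_summary(alerts):
    """Step 1: per (src, dest) pair, the distinct SIDs and the worst severity seen (1 = highest)."""
    summary = {}
    for a in alerts:
        key = (a["src_ip"], a["dest_ip"])
        sids, worst = summary.get(key, (set(), 4))
        sids.add(a["alert"]["signature_id"])
        summary[key] = (sids, min(worst, a["alert"]["severity"]))
    return summary


def escalation_chain(alerts, host):
    """Step 3: map the host's alerts to stages in time order and report whether
    recon, exploit and C2 all occur in that order (the pattern worth escalating)."""
    chain = []
    for a in alerts_for_host(alerts, host):
        stage = STAGE_BY_CATEGORY.get(a["alert"]["category"])
        if stage:
            chain.append((stage, a["alert"]["signature_id"], a["timestamp"]))
    # Walk the chain looking for the ordered subsequence recon -> exploit -> c2.
    want = 0
    for stage, _, _ in chain:
        if want < len(STAGE_ORDER) and stage == STAGE_ORDER[want]:
            want += 1
    return {"host": host, "chain": chain, "escalated": want == len(STAGE_ORDER)}


if __name__ == "__main__":
    alerts = load_alerts(SAMPLE_EVE)
    for (src, dst), (sids, worst) in host_pair_summary(alerts).items():
        print(f"{src} -> {dst}: {len(sids)} signature(s), worst severity {worst}")
    print(escalation_chain(alerts, "10.1.1.100"))
```

Run it against a real eve.json by replacing SAMPLE_EVE with the file contents; the interesting output is the escalated flag for the internal host, which is true here because the scan, the web attack and the outbound C2 beacon involving 10.1.1.100 occur in that order within ten minutes, while 10.1.1.55 only has an unrelated priority-2 alert.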

Reading Suricata Rules

Example rule structure:

alert http $HOME_NET any -> $EXTERNAL_NET any (
  msg:"ET MALWARE Suspicious User Agent";
  flow:established,to_server;
  http.user_agent; content:"Mozilla/4.0";
  classtype:trojan-activity;
  sid:2001234; rev:3;
)
  • Action: alert, drop, pass or reject (drop and reject only take effect in IPS mode; pass stops further rule matching for the packet)
  • Protocol: an application layer such as http, dns or tls, or tcp, udp, icmp, ip
  • Header: source and destination networks and ports; -> is one direction, <> is both; $HOME_NET and $EXTERNAL_NET are address variables defined in suricata.yaml
  • msg: Human readable description, which becomes alert.signature in the EVE record
  • flow: Connection state and direction; established,to_server matches only the client-to-server side of an established session
  • http.user_agent: A sticky buffer; the content matches that follow apply only to the User-Agent header, not the whole packet
  • content: Byte pattern to match; a pattern this short matches plenty of legitimate traffic, which is why reading the rule is part of deciding whether an alert is a false positive
  • classtype: Classification key from classification.config, which sets alert.category and alert.severity
  • sid: Signature ID; by convention local rules use SIDs of 1000000 and above
  • rev: Rule revision, incremented whenever the rule changes
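To check that you read a rule the way the engine does, it helps to split it mechanically. The parser below is added here as an example; it is not Suricata's own parser (which does far more validation) and only covers the single-rule layout shown above. PAGE_RULE is the rule from the text; the second rule in the usage is constructed to show the two cases that trip up naive splitting, a semicolon inside a quoted msg and an escaped quote inside a content value.

```python
"""Split a Suricata rule into header fields and ordered option keywords (added example)."""
import re

# The rule shown on this page, verbatim.
PAGE_RULE = """\
alert http $HOME_NET any -> $EXTERNAL_NET any (
  msg:"ET MALWARE Suspicious User Agent";
  flow:established,to_server;
  http.user_agent; content:"Mozilla/4.0";
  classtype:trojan-activity;
  sid:2001234; rev:3;
)
"""

HEADER_RE = re.compile(
    r"^\s*(?P<action>alert|drop|pass|reject|rejectsrc|rejectdst|rejectboth)\s+"
    r"(?P<proto>\S+)\s+(?P<src>\S+)\s+(?P<src_port>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dst_port>\S+)\s*\((?P<opts>.*)\)\s*$",
    re.S,
)


def split_options(body):
    """Split on ';' outside double quotes. A backslash escapes the next character,
    so an escaped quote inside a content value does not end the quoted region."""
    parts, buf, in_quote, escaped = [], [], False, False
    for ch in body:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            buf.append(ch)
            escaped = True
        elif ch == '"':
            buf.append(ch)
            in_quote = not in_quote
        elif ch == ";" and not in_quote:
            parts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf).strip())
    return [p for p in parts if p]


def parse_rule(text):
    """Return header fields, the ordered (keyword, value) options and the
    keywords an analyst checks first. Sticky buffers and modifiers have value None."""
    m = HEADER_RE.match(text)
    if not m:
        raise ValueError("not a single Suricata rule")
    rule = {k: m.group(k) for k in ("action", "proto", "src", "src_port", "dir", "dst", "dst_port")}
    options = []
    for opt in split_options(m.group("opts")):
        if ":" in opt:
            key, value = opt.split(":", 1)
            value = value.strip()
            if len(value) >= 2 and value[0] == value[-1] == '"':
                value = value[1:-1]
            options.append((key.strip(), value))
        else:
            options.append((opt, None))
    rule["options"] = options
    first = {}
    for key, value in options:
        first.setdefault(key, value)  # first occurrence wins for lookups
    rule["msg"] = first.get("msg")
    rule["classtype"] = first.get("classtype")
    rule["sid"] = int(first["sid"]) if "sid" in first else None
    rule["rev"] = int(first["rev"]) if "rev" in first else None
    rule["contents"] = [v for k, v in options if k == "content"]
    rule["valueless"] = [k for k, v in options if v is None]
    return rule


if __name__ == "__main__":
    r = parse_rule(PAGE_RULE)
    print(r["sid"], r["rev"], r["classtype"], r["contents"], r["valueless"])
    # Constructed rule: ';' inside msg and an escaped quote inside content.
    t = parse_rule('drop tcp any any -> any 80 (msg:"semi; colon"; content:"a\\"b"; nocase; sid:1; rev:1;)')
    print(t["msg"], t["contents"], t["valueless"])
```

The valueless list is where sticky buffers such as http.user_agent and modifiers such as nocase land; seeing http.user_agent directly before content is what tells you the Mozilla/4.0 match is scoped to the User-Agent header rather than to the raw payload.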

PCAP Analysis with Wireshark

Basic Workflow

  1. Open PCAP file in Wireshark
  2. Apply display filter for relevant traffic
  3. Follow TCP or HTTP stream for full conversation
  4. Export objects (files, images, etc.) if present
  5. Note indicators: IPs, domains, URLs, hashes

Useful Wireshark Filters

  • ip.addr == 192.168.1.100: traffic to or from an IP
  • tcp.port == 443: traffic on a port, as source or destination
  • http.request: HTTP requests only
  • dns.qry.name contains "evil": DNS queries whose name contains a string
  • tcp.stream eq 5: a specific TCP stream (the number shown by Follow > TCP Stream)
  • frame contains "malware": raw byte match anywhere in the frame, case-sensitive

Following Streams

  • Right click a packet, Follow > TCP Stream
  • Shows full conversation in order
  • Reveals HTTP headers, request/response bodies
  • Export as text or raw data

Extracting Files

  • File > Export Objects > HTTP (or DICOM, SMB, etc.)
  • Lists all transferred files
  • Save for malware analysis
  • Calculate hashes for threat intel lookup

PCAP Analysis with tshark

Command line analysis for automation and large files:

# Extract HTTP hosts
tshark -r capture.pcap -Y http.request -T fields -e http.host | sort -u

# Extract DNS queries
tshark -r capture.pcap -Y dns.qry.name -T fields -e dns.qry.name | sort -u

# Extract TLS SNI
tshark -r capture.pcap -Y tls.handshake.extensions_server_name -T fields -e tls.handshake.extensions_server_name

# Filter and save subset
tshark -r capture.pcap -Y "ip.addr == 10.1.1.100" -w filtered.pcap

Common False Positive Patterns

  • Generic signatures: Rules matching common strings
  • Outdated rules: Signatures for old threats matching new benign software
  • Protocol anomalies: Legitimate but unusual implementations
  • Security tools: Vulnerability scanners and penetration testing
  • Development traffic: Testing and debugging activity

Rule Tuning

  • Suppress a signature for specific sources or destinations (threshold.config suppress entries) for known scanners, instead of disabling the rule for everyone
  • Threshold or rate-limit chatty signatures (threshold.config, or the threshold keyword inside the rule) so one noisy host yields one alert per interval rather than thousands
  • Disable rules with unacceptable false positive rates (suricata-update disable.conf) and record why
  • Create exceptions for authorized activity, for example pass rules for an approved vulnerability scanner
  • Document every tuning decision with the SID, its scope, who approved it and a review date
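The tuning options above as concrete entries for Suricata's threshold.config and suricata-update's disable.conf, added here as an example (these are not sample files from the page or from the Suricata project). SID 2001234 is the rule shown earlier and 10.1.1.50/32 stands in for an authorized vulnerability scanner; both are placeholders.

```text
# --- disable.conf (read by suricata-update) ---
# Too blunt: this removes the rule entirely, so real hits from every other
# source are lost as well. Use it only when the signature itself is broken.
2001234

# --- threshold.config ---
# Narrower: keep the rule, but never alert on it for the authorized scanner.
suppress gen_id 1, sig_id 2001234, track by_src, ip 10.1.1.50/32

# Rate-limit a chatty signature: at most one alert per source per 60 seconds.
threshold gen_id 1, sig_id 2001234, type limit, track by_src, count 1, seconds 60

# Escalate rather than silence: after 10 hits from one source within 60 s,
# switch the rule's action to drop for 300 s (only effective in IPS mode).
rate_filter gen_id 1, sig_id 2001234, track by_src, count 10, seconds 60, new_action drop, timeout 300
```

gen_id 1 is the generator ID of ordinary signature rules. The suppress line is what "suppress alerts by source IP" means in practice: the alert still fires for any other source, which is the behaviour you want for a scanner exception.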

Indicator Extraction

From validated alerts and PCAP, extract:

  • IP addresses (C2 servers, scanners, malware hosts)
  • Domain names (phishing, malware distribution)
  • URLs (exploit kit landing, payload delivery)
  • File hashes (malware samples, dropped files)
  • User agents (malware signatures)
  • JA3 fingerprints (malicious TLS clients)
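Extracting the indicator types listed above directly from EVE JSON, added here as an example (not tooling from the page or from Suricata). It takes a validated SID, collects the flow_id of every alert carrying it, joins the http, tls, dns and fileinfo records that share those flow_ids, and then pivots on the resolved domain to find other internal hosts that looked it up, which is the "multiple hosts show related malicious activity" check from the escalation guidance. The records are constructed: RFC 5737 addresses, a .example domain, a placeholder SHA-256 and JA3 hash. It assumes HOME_NET is 10.0.0.0/8, that fileinfo hashing (sha256) and JA3 fingerprinting are enabled in the eve-log configuration, and that http records come from cleartext HTTP so the URL scheme is http.

```python
"""Indicator extraction from Suricata EVE JSON by pivoting on flow_id (added example)."""
import ipaddress
import json

HOME_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # assumed HOME_NET for this example

# Constructed eve.json records: two alerts for the same SID, each joined to
# its protocol record by flow_id, plus DNS queries from two internal hosts.
SAMPLE_EVE = """\
{"timestamp":"2026-02-10T09:20:05.000000+0000","event_type":"alert","flow_id":201,"src_ip":"10.1.1.100","src_port":49712,"dest_ip":"198.51.100.9","dest_port":80,"proto":"TCP","app_proto":"http","alert":{"action":"allowed","gid":1,"signature_id":9000003,"rev":1,"signature":"LOCAL MALWARE Beacon to known C2","category":"Malware Command and Control Activity Detected","severity":1}}
{"timestamp":"2026-02-10T09:20:05.100000+0000","event_type":"http","flow_id":201,"src_ip":"10.1.1.100","src_port":49712,"dest_ip":"198.51.100.9","dest_port":80,"proto":"TCP","http":{"hostname":"update-check.example","url":"/gate.php","http_user_agent":"Mozilla/4.0 (compatible; MSIE 6.0)","http_method":"POST","status":200}}
{"timestamp":"2026-02-10T09:20:05.200000+0000","event_type":"fileinfo","flow_id":201,"src_ip":"198.51.100.9","src_port":80,"dest_ip":"10.1.1.100","dest_port":49712,"proto":"TCP","fileinfo":{"filename":"/gate.php","sha256":"0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef","size":1024,"stored":false}}
{"timestamp":"2026-02-10T09:21:00.000000+0000","event_type":"alert","flow_id":202,"src_ip":"10.1.1.100","src_port":49800,"dest_ip":"198.51.100.9","dest_port":443,"proto":"TCP","app_proto":"tls","alert":{"action":"allowed","gid":1,"signature_id":9000003,"rev":1,"signature":"LOCAL MALWARE Beacon to known C2","category":"Malware Command and Control Activity Detected","severity":1}}
{"timestamp":"2026-02-10T09:21:00.050000+0000","event_type":"tls","flow_id":202,"src_ip":"10.1.1.100","src_port":49800,"dest_ip":"198.51.100.9","dest_port":443,"proto":"TCP","tls":{"sni":"update-check.example","version":"TLS 1.2","ja3":{"hash":"00112233445566778899aabbccddeeff","string":"771,49195-49199,0-10-11,23-24,0"}}}
{"timestamp":"2026-02-10T09:19:59.000000+0000","event_type":"dns","flow_id":203,"src_ip":"10.1.1.100","src_port":53011,"dest_ip":"10.1.1.1","dest_port":53,"proto":"UDP","dns":{"type":"query","id":4321,"rrname":"update-check.example","rrtype":"A"}}
{"timestamp":"2026-02-10T09:33:10.000000+0000","event_type":"dns","flow_id":204,"src_ip":"10.1.1.57","src_port":53120,"dest_ip":"10.1.1.1","dest_port":53,"proto":"UDP","dns":{"type":"query","id":771,"rrname":"update-check.example","rrtype":"A"}}
"""


def load_eve(text):
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def is_home(ip):
    return any(ipaddress.ip_address(ip) in net for net in HOME_NETS)


def extract_indicators(records, flow_ids):
    """Collect indicators from every record that shares one of the flow_ids."""
    ind = {"ips": set(), "domains": set(), "urls": set(),
           "sha256": set(), "user_agents": set(), "ja3": set()}
    for r in records:
        if r.get("flow_id") not in flow_ids:
            continue
        for ip in (r["src_ip"], r["dest_ip"]):
            if not is_home(ip):            # only the external side is an indicator
                ind["ips"].add(ip)
        kind = r.get("event_type")
        if kind == "http":
            h = r["http"]
            if h.get("hostname"):
                ind["domains"].add(h["hostname"])
                if h.get("url"):
                    ind["urls"].add("http://" + h["hostname"] + h["url"])
            if h.get("http_user_agent"):
                ind["user_agents"].add(h["http_user_agent"])
        elif kind == "tls":
            t = r["tls"]
            if t.get("sni"):
                ind["domains"].add(t["sni"])
            if t.get("ja3", {}).get("hash"):
                ind["ja3"].add(t["ja3"]["hash"])
        elif kind == "dns" and r["dns"].get("rrname"):
            ind["domains"].add(r["dns"]["rrname"])
        elif kind == "fileinfo" and r["fileinfo"].get("sha256"):
            ind["sha256"].add(r["fileinfo"]["sha256"])
    return ind


def indicators_for_sid(records, sid):
    """Start from a validated signature and pivot through flow_id."""
    flows = {r["flow_id"] for r in records
             if r.get("event_type") == "alert" and r["alert"]["signature_id"] == sid}
    return extract_indicators(records, flows)


def hosts_querying(records, domain):
    """Scope the incident: internal hosts that resolved the same domain."""
    return {r["src_ip"] for r in records
            if r.get("event_type") == "dns" and r["dns"].get("type") == "query"
            and r["dns"].get("rrname") == domain}


if __name__ == "__main__":
    recs = load_eve(SAMPLE_EVE)
    ind = indicators_for_sid(recs, 9000003)
    for key, values in ind.items():
        print(f"{key}: {sorted(values)}")
    for domain in ind["domains"]:
        print(f"hosts querying {domain}: {sorted(hosts_querying(recs, domain))}")
```

The DNS pivot is deliberately not keyed on flow_id: the lookup happens on a different flow from the beacon, so the join is on the domain name, and it is what surfaces 10.1.1.57 as a second host to look at even though no alert fired for it.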

Escalation Guidance

Escalate to incident response when:

  • Alert confirms known malware C2 communication
  • PCAP reveals successful exploitation
  • Data exfiltration is observed
  • Multiple hosts show related malicious activity
  • Lateral movement indicators are present


Built by RedPhish LLC. All Rights Reserved. Copyright 2025.
