HOWTO: ClamAV For Suricata

Suricata is an intrusion detection and prevention system, and it can work together with ClamAV. One of Suricata's features is matching extracted files by their MD5 hash. We can use the MD5 hashes from the ClamAV signature database to inspect every file download, and we can also store the matched malicious files for further analysis.



Install and Configure ClamAV



sudo apt-get update

sudo apt-get install clamav

sudo update-rc.d clamav-freshclam disable




We will not use the ClamAV scanning engine with Suricata; we only use the MD5 hashes from the ClamAV signature database.



Prepare ClamAV MD5 Signature for Suricata



sudo nano /usr/bin/nsm_clamav_md5







sudo chmod +x /usr/bin/nsm_clamav_md5
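The body of nsm_clamav_md5 is not shown above. As an added example (not the page's own script), the following shell script shows one way such a script can build the blacklist_md5 file that the filemd5 keyword reads. It assumes the Debian/Ubuntu layout: ClamAV databases in /var/lib/clamav, Suricata rules (and the hash list, next to local.rules) in /etc/suricata/rules, and sigtool and freshclam from the clamav package on the PATH. ClamAV .hdb lines have the form MD5:FileSize:MalwareName, which is the field layout the parser relies on.

```shell
#!/bin/sh
# Added example of a hash-extraction script; this is not the page's own nsm_clamav_md5
# (its body is not shown on the page). Assumed paths: ClamAV databases in /var/lib/clamav,
# Suricata rules (and the blacklist_md5 list) in /etc/suricata/rules. Assumes sigtool and
# freshclam from the clamav package are installed.
set -u

# A ClamAV .hdb line is "MD5:FileSize:MalwareName". Read such lines from stdin and emit
# one lowercase 32-hex-digit hash per line, deduplicated; skip comments, blank lines and
# anything whose first field is not a well-formed MD5 so a corrupt line cannot poison the list.
hdb_to_md5() {
    awk -F: '
        /^#/ || NF < 3 { next }
        length($1) == 32 && $1 ~ /^[0-9a-fA-F]+$/ { print tolower($1) }
    ' | sort -u
}

# Build the list that the filemd5 keyword reads.
#   $1 = directory holding main.cvd / daily.cvd / *.hdb
#   $2 = output path of the hash list (e.g. /etc/suricata/rules/blacklist_md5)
# Prints the number of hashes written; returns 1 (and leaves $2 untouched) if none were found.
build_blacklist() {
    dbdir=$1
    out=$2
    work=$(mktemp -d) || return 1
    # Compressed .cvd/.cld archives must be unpacked with sigtool before their .hdb can be read.
    if command -v sigtool >/dev/null 2>&1; then
        for db in "$dbdir"/main.cvd "$dbdir"/main.cld "$dbdir"/daily.cvd "$dbdir"/daily.cld; do
            [ -f "$db" ] && (cd "$work" && sigtool --unpack="$db" >/dev/null 2>&1) || true
        done
    else
        echo "warning: sigtool not found, reading only plain .hdb files in $dbdir" >&2
    fi
    cat "$work"/*.hdb "$dbdir"/*.hdb 2>/dev/null | hdb_to_md5 > "$out.tmp"
    count=$(wc -l < "$out.tmp" | tr -d ' ')
    rm -rf "$work"
    # Never replace a working list with an empty one (e.g. after a failed signature update).
    if [ "$count" -eq 0 ]; then
        echo "error: no hashes extracted from $dbdir, keeping existing $out" >&2
        rm -f "$out.tmp"
        return 1
    fi
    # Rename into place so Suricata never reads a half-written list.
    mv "$out.tmp" "$out"
    echo "$count"
}

# Stand-alone use from cron, e.g.:
#   /usr/bin/nsm_clamav_md5 /var/lib/clamav /etc/suricata/rules/blacklist_md5
# Refresh the signature databases first; fall back to the cached copies if the update fails.
if [ "$#" -eq 2 ]; then
    freshclam --quiet >/dev/null 2>&1 || echo "warning: freshclam update failed, using cached databases" >&2
    build_blacklist "$1" "$2"
fi
```

The two guards matter operationally: a malformed line is dropped rather than written into the list, and an empty result keeps the previous list in place, so a failed freshclam run at 03:00 does not silently leave Suricata with nothing to match against.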



Create a cron job:



sudo crontab -e



0 03 * * * /usr/bin/nsm_clamav_md5




* The cron job runs the script (nsm_clamav_md5) at 03:00 every day. Schedule it earlier than your Suricata rules update script/procedure, so the refreshed hash list is already in place when the rules are reloaded.



Create your Suricata Local Rule



sudo nano /etc/suricata/rules/local.rules



Append the following to the file:



# rules for file extraction
# this rule drops every file whose MD5 hash matches the ClamAV list
drop http any any -> any any (msg:"LOCAL Malicious file - Clamav MD5 Hash"; flow:established; filestore; filemd5:blacklist_md5; classtype: suspicious-filename-detect; sid:1000000; rev:1;)




Configure suricata.yaml



sudo nano /etc/suricata/suricata.yaml



Make the following settings:







* If you do not want to save the malicious files for further analysis, disable the "file-store" section in suricata.yaml and remove the "filestore" keyword from local.rules.



Make It Work Together



sudo nsm_clamav_md5



Restart Suricata or reboot the box. On Croissants, you can restart Suricata with the following command:



sudo restart suricata



Suricata will block the download when a file's MD5 hash matches the list, and the matched files will be saved under /var/log/suricata/files for further inspection.



Known Issue



libhtp 0.5.x cannot currently handle a browser's retry of a blocked file download. Users are advised not to retry downloading a file that could not be downloaded the first time. According to the libhtp developer, 0.6.x handles this problem.



Another limitation is that Suricata can only detect malicious files whose MD5 hash is already known to ClamAV; a file that is not in the ClamAV database passes through unmatched.



Reference



Filemd5 and white or black listing with MD5 hashes



That's all! See you.