SuriCon 2017 - Malware Analysis: Suricata & Splunk for Better Rule Writing

Using malware pcaps from: I can run Suricata to see which Emerging Threats rules fire and analyze the results in Splunk. In Splunk, I can determine whether Suricata alerted on a specific indicator of compromise by looking not just at the alert signature but at everything logged in eve.json, and use that to iteratively develop better indicators of compromise.

This framework can also serve as a training tool for newer network and malware analysts. It is often difficult for a new security analyst to easily “see” bad data and learn from it. With Suricata and Splunk you can visualize the data easily and review the alerts in the alert event_type to start understanding how Suricata works and what types of data an IPS/IDS is capable of logging.
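As an added illustration of pivoting from the alert signature to the rest of eve.json (this is example code written for this page, not the talk's Splunk searches), the script below joins each alert to the http and fileinfo events of the same flow_id and to the DNS query for the hostname that flow requested. The eve.json records, the signature, the IPs and the hostname are all constructed sample data.

```python
import json
from collections import defaultdict

# Constructed eve.json records (not from the talk): one alert plus the dns, http
# and fileinfo events Suricata logged around it. Suricata shares flow_id across
# events of one TCP/UDP flow; the DNS lookup is its own flow, so it is linked
# by hostname instead.
SAMPLE_EVE = """
{"timestamp":"2017-11-15T10:00:01.000000+0000","flow_id":1001,"event_type":"dns","src_ip":"10.0.0.5","dest_ip":"10.0.0.1","dns":{"type":"query","rrname":"example-bad.test","rrtype":"A"}}
{"timestamp":"2017-11-15T10:00:02.000000+0000","flow_id":2002,"event_type":"http","src_ip":"10.0.0.5","dest_ip":"192.0.2.10","http":{"hostname":"example-bad.test","url":"/dl/payload.exe","http_user_agent":"Mozilla/4.0"}}
{"timestamp":"2017-11-15T10:00:02.100000+0000","flow_id":2002,"event_type":"alert","src_ip":"10.0.0.5","dest_ip":"192.0.2.10","alert":{"signature_id":2000000,"signature":"SAMPLE executable download","category":"A Network Trojan was detected"}}
{"timestamp":"2017-11-15T10:00:03.000000+0000","flow_id":2002,"event_type":"fileinfo","src_ip":"10.0.0.5","dest_ip":"192.0.2.10","fileinfo":{"filename":"/dl/payload.exe","magic":"PE32 executable","size":51200}}
{"timestamp":"2017-11-15T10:00:05.000000+0000","flow_id":3003,"event_type":"http","src_ip":"10.0.0.6","dest_ip":"198.51.100.7","http":{"hostname":"www.example.org","url":"/index.html"}}
"""

def parse_eve(text):
    """Parse newline-delimited eve.json into a list of dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def enrich_alerts(events):
    """Return one context dict per alert: the other event_types seen in the same
    flow, the HTTP hostname/url and file magic from that flow, and which clients
    issued a DNS query for that hostname (the candidate indicators to refine)."""
    by_flow = defaultdict(list)
    for ev in events:
        by_flow[ev["flow_id"]].append(ev)
    dns_clients = defaultdict(list)  # rrname -> src_ips that queried it
    for ev in events:
        if ev["event_type"] == "dns" and ev["dns"].get("type") == "query":
            dns_clients[ev["dns"]["rrname"]].append(ev["src_ip"])
    contexts = []
    for ev in events:
        if ev["event_type"] != "alert":
            continue
        flow = by_flow[ev["flow_id"]]
        ctx = {"signature": ev["alert"]["signature"], "src_ip": ev["src_ip"],
               "dest_ip": ev["dest_ip"], "hostname": None, "url": None,
               "file_magic": None, "dns_clients": [],
               "event_types": sorted({e["event_type"] for e in flow})}
        for e in flow:
            if e["event_type"] == "http":
                ctx["hostname"] = e["http"].get("hostname")
                ctx["url"] = e["http"].get("url")
            elif e["event_type"] == "fileinfo":
                ctx["file_magic"] = e["fileinfo"].get("magic")
        if ctx["hostname"]:
            ctx["dns_clients"] = dns_clients.get(ctx["hostname"], [])
        contexts.append(ctx)
    return contexts

if __name__ == "__main__":
    print(json.dumps(enrich_alerts(parse_eve(SAMPLE_EVE)), indent=2))
```

The same join is what a Splunk search over eve.json does with flow_id and http.hostname as the pivot fields; the unrelated flow 3003 correctly contributes nothing.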