Analytics

Beacons and Sightings detection require a NDR license.

Beaconing

Beacons are recurring communications that are often used by Malware to exfiltrate data or check back with a Command and Control server if new instructions await.

Beaconing

Hint

Beacons detection difficulties come from detecting very slow beacons such as one connection every few days as most detection systems aren’t designed to deal with such low frequency.

Stamus Central Server is capable of detecting slow beacons using Machine Learning, including very slow beacons. Our algorithms don’t have time boundaries.

In practice, we have commonly observed malware sending few beacons per day or per week which our system is capable of detecting easily.

Beaconing - Serving IPs

Beacon Metric

Stamus Central Server computes a Beacon Metric which is a weighted score prioritizing TLS servers exhibiting behavior patterns typically associated with beaconing traffic. In other words, communications with clear periodicity or flat byte and specific packet profiles are highlighted by this mechanism.

For example, a command and control (C2) callback beacons are periodic outbound connections for maintaining persistence. They call home at specific intervals, though they can also be configured to vary that callback with predefined jitter. Most callbacks also deliver the same amount of data per request and response.

Our system first performs frequent item detection to profile the TLS traffic for your organization and exclude them from the beacon analysis.

Remaining connections are therefore infrequent, and have heightened risk of being a beacon. From these remaining connections, statistical measurements are collected for each potential beacon.

Stamus Central Server performs many statistical measurements, which taken individually, are not enough to characterize a beacon. However, the combination of these statistical measurements result in a beacon metric, a single unique value to sort the tracking table.

The beacon metric can range from 0 to 100. Entries at the top exhibit beaconing patterns more strongly than entries at the bottom.

Note that many legitimate communications often also exhibit beaconing patterns. For example, software updates, API calls, telemetry services, etc. Our system tries to deprioritize these entries by analyzing Server Name Indicators (SNI) to identify known services. Nevertheless, it is normal to see these in the beaconing tab because they may indicate policy violations or abnormal findings in the network.

This beacon metric being an indicator of likelihood, the best approach is to use it as a starting point for investigation (and then look at the SNI(s) for example in the details page).

The beacon metric is not a percentage that a particular entry is a beacon. It simply prioritizes more relevant entries for investigation.

For a potential beaconing entry:

  • Investigate TLS SNI values to identify if this is a malicious domain or a known service (for example, Microsoft update services vs a randomly generated domain)

  • Investigate TLS issuer, self-signed certificates or Let’s Encrypt are often used by malicious servers;

  • Investigate the traffic profile to see if connections occur at specific intervals or if the data profile is flat;

Important

In no way this beacon metric should be interpreted as a “percentage of chances” as this metric is a relative statistical measurement.

Sightings

Sightings detects new communication artifacts, never observed before in your environment, such as a HTTP User-Agent, a domain name, a JA3 hash, and so on.

The details page for each Sighting event will display:

  • The indicator observed (key/value pair)

  • The patient zero information (who generated this Sighting first)

  • The patient zero metadata (technical information related to this Sighting from patient zero)

  • The network metadata graph (a timeline of when this Sighting was observed)

  • The flow chart metadata visualization (all metadata from all hosts having contacted/used the same Sighting)

Sightings

Sightings are really handy and powerful when performing combined analysis. For example, one could cross check Sightings with potential beacons, hence discovering beacons to a never observed before TLS SNI (domain) for example. Similarly, we could hunt downloaded executables from never seen before domain names. We can also utilise Sightings to show if there are any new internal or external HTTP servers in the environment, new TLS issuers seen on the production network or new executable transferred or accessed via SMB.

The currently observed artifacts are:

  • dns.query.rrname

  • http.hostname

  • tls.ja3s.hash

  • tls.ja4.hash

  • tls.sni

  • tls.subject

  • tls.serial

  • tls.issuerdn

  • http.http_user_agent

  • ssh.client.software_version

  • ssh.server.software_version

  • smb.filename (samba protocol, transferred or accessed)

  • http.server (newly discovered internal or external HTTP servers)

Another effective way to review Sightings is by using the Sightings switcher in the Filters menu within the Hunting interface. This feature allows you to specifically filter and focus on Sightings data.

Sightings

For additional insights, you can utilize the Sightings Information cards available on the Dashboards page. These cards enable you to filter by Asset, Asset Net, Key, or Value, and provide options to explore related results or download the relevant information.

Sightings

To enable Sightings, simply go under Probe Management, edit a Network Probe or a Template, and check the option Logging of newly discovered values under the tab Filters.

Important

Advanced users might want to enable/disable Sightings at the fields level, or add new fields to be monitored. This is technically possible, please contact support@stamus-networks.com for scoping and guidance.

Hint

Sightings can be used by Policies. One can create a suppression or an escalation policy.

For example, the usage of a new HTTP User-Agent on a Domain Controller is something that shouldn’t be often observed in an environment, except after system upgrades.

This example can be achieved using a Sighting event (a newly observed HTTP User-Agent) and a Network Definition (Domain Controller) for example.

Another example would be the presence of new HTTP internal or external servers. In general internal HTTP servers should not be expected to be seen in regular clients areas. To list any such occurrences simply switch off Event type Detection Methods in the Dashboards view under the Hunting menu. Then observe for Newly discovered HTTP server Signature events. It can be even more powerful when combined with a Network Definition and set up as an automated escalation.

Sightings and multiple probes

As of U38, the current Sightings logic is on a per probe basis. This means, if an artifact such as a domain name like microsoft.com is first observed by one probe, a second probe will not have this knowledge. As a consequence, the first time the very same domain will be observed by the second probe, a new Sighting event will be generated, resulting in a total of 2 Sightings events in the summary table, one per probe.

Training period

When enabled, Sightings may generate some noise depending on your environment. This is why it is recommended to wait a week or so before drilling down into Sightings events, the time for actual traffic artifacts to be observed and added to the Sighting cache.

Buffer size

Each field monitored, such as dns.query, http.host, ja3s.hash, etc, have a dedicated cache. This cache, to simplify, is of 1 million entries (some specific fields have a smaller cache size).

There is no notion of time or expiration in this cache. Once an entry is added to the cache, it is there forever. Entries don’t expire.

If you absolutely need to make expire an entry, please contact support@stamus-networks.com

Rebooting a Network Probes, or pushing a new ruleset, doesn’t flush the cache. The cache is reboot persistent. In the worst case, if a Network Probe is dysfunctional, one may lose a few hundreds of entries (but you probably will have other issues first!)

To see the current number of entries in your cache, simply go to the Hunting / Dashboard page, and only select Sightings (discard Events). The first card should show you the number of entries per field.

Hint

Stamus Central Server whitelists the most common domains such as windowsupdate.com and alike. Cloud providers, despite being common, are not whitelisted as they can also be used by adversaries.

Note

To tweak this cache size if your environment requires it, contact support@stamus-networks.com

Detection and automation

An actual example of hands on hunting, detection and automation process can be reviewed in detail here on our blog - Hunting for Lateral Executable Transfers

Detection Methods

In any default installation on top of other built-in detection mechanisms (like ML beacon detection, SIGHTINGS, Homoglyphs and other) any Stamus Networks Probe comes with over 100k+ detection methods in addition to about 2-5 million IoCs that match on DNS domains, TLS certificates and HTTP hosts that can be enabled with the simple click of a button.

Variables

SCANNERS Variable

Different signature detection sets may require the admin to configure certain variables in the Stamus Network Probe Appliance settings.

This will depend upon the specific infrastructure of your organization.

One such configuration variable is SCANNERS. It should include IPs or networks of Vulnerability scanners, Infrastructure management servers (like SCCM), MS Terminal Servers and monitoring servers.

Note

It is highly recommended to use a correctly defined SCANNERS variable with the signature sets below.

To populate the variable, in the Administration menu, got to Appliances, select View on the respective appliance, click on Edit settings on the left hand side panel under Actions. Select the Settings tab, fill in the SCANNERS variable under neat the Address groups section.

Scanners Variable

Stamus signatures

This ruleset is enabled by default. This ruleset is specifically crafted by Stamus Networks to be used with Stamus appliances only and can not be utilised otherwise. Detection Methods: 25k+

Note

This is only available with Stamus NDR Licensing.

Proofpoint

This ruleset is enabled by default. Stamus Networks comes by default with Emerging threats PRO / PFPT Pro rulesest. Detection Methods: 65k+

Note

This is only available with Stamus NDR Licensing.

Lateral

This ruleset is not enabled by default. This ruleset is developed by Stamus Networks specifically to highlight lateral movement in Windows environments. The purpose of this detection set is to audit, highlight and make possible escalation of unexpected or unwanted activity. The events produced have two distinctive metadata information additions in the log events themselves.

signature_severity Informational providing useful information in Incident response and audit analysis:

"metadata": {
    "stamus_classification": [
    "lateral"
    ],
    "lateral_function": [
    "LsarEnumerateTrustedDomains"
    ],
    "source": [
    "smb_lateral"
    ],
    "updated_at": [
    "2023_01_26"
    ],
    "provider": [
    "Stamus"
    ],
    "created_at": [
    "2022_04_02"
    ],
    "signature_severity": [
    "Informational"
    ],
    "lateral_asset": [
    "src_ip"
    ],
    "lateral_key": [
    "dcerpc.iface"
    ]
}

and signature_severity Critical that highlights an active configurational or service - change, create, edit, addition, removal etc.

"metadata": {
    "stamus_classification": [
    "lateral"
    ],
    "lateral_function": [
    "RCreateServiceW"
    ],
    "source": [
    "smb_lateral"
    ],
    "updated_at": [
    "2023_01_26"
    ],
    "provider": [
    "Stamus"
    ],
    "created_at": [
    "2022_03_23"
    ],
    "signature_severity": [
    "Critical"
    ],
    "lateral_asset": [
    "src_ip"
    ],
    "lateral_key": [
    "dcerpc.iface"
    ]
}

This ruleset requires the SCANNERS variable to be properly defined.

This ruleset is specifically crafted by Stamus Networks to be used with Stamus appliances only and can not be utilised otherwise.

Additional information about the open-source (non-commercial) version of this ruleset can be found in this blog post: Open Ruleset for Detecting Lateral Movement in Windows Environments with Suricata

To enable the Lateral signature detection set: from the Stamus Administration menu, click on the sources Sources tab, Add Public Source, choose the stamus/ssp-lateral set and enable it. Make sure you also select the current and/or desired ruleset for adding it in.

Lateral scan

This ruleset is not enabled by default. This ruleset is developed by Stamus Networks specifically to highlight lateral movement via way of detecting lateral scanning. The purpose of this detection set is to highlight scanning activity not coming from the organization’s vulnerability scanners. This ruleset requires the SCANNERS variable to be properly defined.

This ruleset is specifically crafted by Stamus Networks to be used with Stamus appliances only and can not be utilised otherwise.

To enable the Lateral scan signature detection set: from the Stamus Administration menu, click on the sources Sources tab, Add Public Source, choose the stamus/lateral-scan set and enable it. Make sure you also select the current and/or desired ruleset for adding it in.

Performance rulesest

This ruleset is not enabled by default. This is a specific and curated ruleset designed to operate in ultra-hight performance, environments with minimal sacrifice to the breadth of threat detection. The ruleset is ideal for use in end user uncontrolled environments such as Internet service provider (ISP), university networks, hosting providers, etc. Please contact Stamus Networks support before adopting it.

To enable the Performance signature detection set: from the Stamus Administration menu, click on the sources Sources tab, Add Public Source, choose the stamus/performance set and enable it. Make sure you also select the current and/or desired ruleset for adding it in.

Newly Registered Domains (NRD)

With the introduction of Update 39 (U39), Stamus Networks began delivering six threat intelligence feeds focused on newly-registered domains to all Stamus Security Platform (SSP) users.

  • All NRD - A complete list of newly-registered domains. This set has between 5-12 million IoCs for a period of 30 days.

  • High Entropy NRDs - Newly-registered domains exhibiting high entropy, including those created by domain generation algorithms (DGAs). This set has between 3-8 million IoCs for a period of 30 days.

  • Phishing NRDs - Newly-registered domains that mimic popular domains, highly likely to be used in phishing campaigns. This set has between 5-200 thousand IoCs for a period of 30 days.

Those 3 main sources each have 2 time range variations (6 lists in total) - 14 and 30 days. For example, domains with high entropy are organized into 2 lists: a list that contains domains registered in the past 14 days and a list that contains domains registered in the last 30 days.

If your SSP detects DNS, TLS or HTTP communications containing a domain on the High Entropy NRDs or Phishing NRDs list, you would want to immediately investigate and check it out.

SSP detects communications with all variations of the NRD, including subdomain variations using the following protocol communication fields: dns.rrname, http.hostname and tls.sni

The All NRD list provides event logs that may be interesting to threat hunters due to the novelty of the domain - if, for example, we have a download from a NRD.

To enable the desired NRD list detection: from the Stamus Administration menu, click on the sources Sources tab, Add Public Source, choose which NRD list you would like, and enable it. Make sure you also select the current ruleset that would incorporate the NRDs.

Enable Newly Registered Domains

Hint

Consider enabling High Entropy NRD and Phishing NRDs 30 days list with any deployment that is also monitoring internet (North-South) traffic.

Attention

On the smallest Stamus Networks HW probe models - SN-VA-100M (100 mbps virtual model) only the Phishing NRDs list should be enabled. For the rest of the High Entropy NRDs or All NRD there must be minimum of 2.4Gb or 3.6GB additional RAM respectively available.

Detection and automation examples

An actual example of hands on hunting, detection and automation process can be reviewed in detail here on our blog - Threat Hunting for Unknown Actors & Threats using NRD and Sightings

A detailed hands on example of incorporating NRD into Stamus Security Platform can be reviewed in the blog article - Incorporating Newly-Registered Domains into Stamus Security Platform Workflow

Anatomy of a detection event

Stamus Security Platform produces many different types of events based on the different types and algorithms of detection.

Application layer

Besides other information, any alert or network protocol event would have its own application layer section as part of the JSON log. A few examples shown below are based on HTTP, TLS, File transactions and SMB.

The example below provides application layer information on HTTP based alert ("event_type":"alert") or http event ("event_type":"http"):

"http": {
    "protocol": "HTTP/1.1",
    "server": "nginx",
    "http_request_body_printable": "t_9Ezrf_RP62sviiKMicKRZ7gOrMXCShom_Z6FaemXlQ2VslAC0KzRRJA-E1NHf8UbTBhgkPNkw",
    "url": "http://dfnzp2l2nmjrm.cloudfront.net/jquery-3.3.2.min.js?__cfduid=ZItYSly-bXtSvGt6",
    "http_method": "POST",
    "user_agent": {
        "os_major": "10",
        "device": "Other",
        "patch": "3987",
        "os_version": "10",
        "os_name": "Windows",
        "os": "Windows",
        "os_full": "Windows 10",
        "minor": "0",
        "name": "Chrome",
        "version": "80.0.3987.87",
        "major": "80"
    },
    "http_refer": "http://code.jquery.com/",
    "length": 5543,
    "http_refer_info": {
        "subdomain": "code",
        "scheme": "http",
        "tld": "com",
        "resource_path": "/",
        "url": "http://code.jquery.com/",
        "domain": "jquery.com",
        "host": "code.jquery.com",
        "domain_without_tld": "jquery"
    },
    "http_content_type": "application/javascript",
    "hostname": "dfnzp2l2nmjrm.cloudfront.net",
    "status": 200,
    "http_user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.87 Safari/537.36",
    "http_response_body_printable": "obfuscated",
    "http_request_body": "obfuscated",
    "http_response_body": "obfuscated"
}

The example below provides application layer information on a file transaction based alert ("event_type":"alert") or a file transaction event ("event_type":"fileinfo") based on SMB(1/2/3), HTTP(2), FTP, SMTP, NFS protocols:

"files": [
    {
    "filename": "/",
    "magic": "ASCII text, with very long lines (956), with no line terminators",
    "gaps": false,
    "state": "CLOSED",
    "md5": "26b8bdfdd284aaf232837f7060ec30c1",
    "sha1": "03f74c435981774c779f8ec2edd7032b6d4bb391",
    "sha256": "2552a4f715eb93fcd38167428bc032e016084c8f23360532ab394c9d914b5010",
    "stored": false,
    "size": 5362,
    "tx_id": 1
    }
]

The example below provides application layer information on SMB based alert ("event_type":"alert") or SMB event ("event_type":"smb"), in this case - remotely scheduled task(tsch):

"smb": {
    "tree_id": 1,
    "command": "SMB2_COMMAND_IOCTL",
    "dcerpc": {
        "request": "REQUEST",
    "req": {
        "stub_data_size": 264,
        "frag_cnt": 1
    },
    "response": "UNREPLIED",
    "call_id": 2,
    "endpoint": "SASetAccountInformation",
    "opnum": 0,
    "interface": {
        "version": "1.0",
        "name": "sasec",
        "uuid": "378e52b0-c0a9-11cf-822d-00aa0051e40f"
    }
    },
    "ext_status": {
        "text": "STATUS_PENDING",
        "severity": "SUCCESS",
        "short_code": "0x103",
        "customer": 0,
        "facility": "UNDEFINED"
    },
    "id": 10,
    "session_id": 17607151321153,
    "status": "STATUS_PENDING",
    "status_code": "0x103",
    "dialect": "3.11"
}

The example below provides application layer information on TLS based alert ("event_type":"alert") or tls event ("event_type":"tls"):

"tls": {
    "cipher_security": "recommended",
    "ja3s": {
    "hash": "3653a20186a5b490426131a611e01992",
    "string": "771,52392,65281-0-11-35-16-23"
    },
    "cipher_suite": "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
    "issuerdn": "C=US, O=Let's Encrypt, CN=R3",
    "ja3": {
    "hash": "079a675ceca1f8734937943fd4dd2caa",
    "string": "771,4867-4865-4866-52393-52392-49195-49199-49196-49200-49171-49172-156-157-47-53,0-16-27-13-5-23-17513-10-65281-45-11-18-51-35-43,29-23-24,0"
    },
    "notbefore": "2023-08-28T13:48:43",
    "notafter": "2023-11-26T13:48:42",
    "version": "TLS 1.2",
    "subject": "CN=02cscosgbuzl.top",
    "fingerprint": "3f:ac:d7:68:0c:b8:6d:db:b1:67:7f:90:a7:ee:6c:b0:1d:de:0a:11",
    "sni": "confirm.02cscosgbuzl.top",
    "serial": "03:5F:7E:0E:0D:03:EB:EE:9C:45:EB:F1:41:4A:1F:B3:D5:EB"
}

Flow_id

In each JSON event log produced by the detection engine, there will be a key present called flow_id. It has per flow unique value that allows to correlate the network protocol data and evidence logs of that flow - to an alert event and that alert’s metadata. flow_id is also present in non alerting flows/sessions and their respective logs.

"flow_id":1150967870383777

Flow section

Each alert event ("event_type":"alert") has a flow: section. In this section there is typical flow information at the time that the alert triggered. In that specific section there is also src_ip and dest_ip. Those represent what IP source started talking first on the network medium towards what destination IP. This can be different than the alerts source or destination IP which is relevant to the actual signature that triggered the alert. This flow section is also valid for the SIGHTINGS and Stamus events.

"flow":{
    "pkts_toclient":3
    "start":"2023-11-01T14:53:33.654215+0100"
    "src_ip":"10.7.1.101"
    "dest_ip":"72.21.91.29"
    "dest_port":80
    "bytes_toserver":734
    "pkts_toserver":4
    "bytes_toclient":815
    "src_port":49614
}

In the example above, the IP that initiated the connection is 10.7.1.101.

Note

This is different and not to be confused with ("event_type":"flow")

Metadata section (flowbits)

Each event type produced by the detection engine has a metadata section. This section represents the different markings/labels of a flow or record based on flowbits usage in the different detection methods. One of the real benefits is, that it allows for streaming and continuous matching with flow labeling. This provides more context than simply correlating events to flows and protocol logs. These labels can be inserted into different flows and protocol transaction logs when producing the logs. This allows for much more elaborate detection logic based on queries in SIEMs.

"metadata":{
    "flowbits":[
        0:"smb.sambaclient"
        1:"ET.smb.binary"
        2:"ET.smbdcerpc.endians"
        3:"stamus.scmr.service.ROpenSCManagerW"
        4:"stamus.scmr.service.ROpenServiceW"
        5:"smb.servicecreate"
        6:"stamus.scmr.service.RCreateServiceW"
        7:"smb.servicestart"
        8:"stamus.scmr.service.RStartServiceW"
    ]
}

The example above is from a SMB based alert. The metadata fowbits will be present in every log produced from that flow - "event_type":"flow", "event_type":"alert" (if present), "event_type":"smb", "event_type":"fileinfo" or "event_type":"anomaly" (if present).

FQDN breakdown for HTTP, TLS and DNS

Every event based on application layer transactions from the following protocols: HTTP, TLS, DNS will also have the following (breakdown) enrichment added to its JSON log based on http hostname, tls sni and the dns query respectively - subdomain, tld, domain, host and domain_without_tld. Example:

"hostname_info":{
    "subdomain":"tss-geotrust-crl"
    "tld":"com"
    "url":"tss-geotrust-crl.thawte.com"
    "domain":"thawte.com"
    "host":"tss-geotrust-crl.thawte.com"
    "domain_without_tld":"thawte"
}

This enrichment will be present in the following event types: "event_type":"http", "event_type":"alert" (if present), "event_type":"http", "event_type":"tls".

Tagging and Classification

Any classified/tagged alert event ("event_type":"alert") will have its corresponding tag inserted in its JSON log. The tag values can be informational and relevant.

"tag":"relevant"

SMTP Enrichment

SMTP enrichment provides for embedded url/link analysis.

{
"has_exe_url": false,
"url": [
    "https://outlook.com/",
    "https://linkedin.com/",
    "https://facebook.com/",
    "https://amazon.com/"
],
"to": [
    "info@ledcenter.by"
],
"status": "PARSE_DONE",
"has_ipv4_url": false,
"has_ipv6_url": false,
"from": "oppong@expertsconsultgh.co"
}

The example enrichment above will be present where relevant in any SMTP based alert event ("event_type":"alert") or SMTP event ("event_type":"smtp").

Source and Target

The source and target information present in alert events ("event_type":"alert") can be used to tell which side of a flow triggering a signature is the target. If this key is present then related events are enhanced to contain the source and target of the attack. Example:

"source":{
    "net_info":[
        0:"Internet"
    ]
    "port":80
    "net_info_agg":"internet"
    "ip":"52.239.193.100"
}
"target":{
    "net_info":[
        0:"Private class A"
        1:"Internet"
    ]
    "port":49733
    "net_info_agg":"hq.2ndfloor.Site.Amsterdam"
    "ip":"10.5.7.101"
}

Organisational Context

If Network Definitions are configured, every event will have additional enrichment based on those definitions/organizational context. Example:

"net_info":{
    "src_agg":"hq-2ndfloor.clients.intranet"
        "dest":[
            0:"US"
            1:"PROD"
            2:"DC"
            3:"Intranet"
    ]
        "src":[
            0:"HQ-2ndfloor"
            1:"CLIENTS"
            2:"Intranet"
    ]
    "dest_agg":"us.prod.dc.intranet"
}

MAC address

Ethernet / MAC (Media Access Control) address enrichment is available as part of the standard JSON log of every event where available. Example:

"ether":{
    "src_mac":"58:97:bd:7a:71:40"
    "dest_mac":"70:ea:1a:28:fe:2d"
}

FQDN additions

If enabled, FQDN enrichment is available as part of the standard JSON log of every event. Example:

"fqdn": {
    "src": "fn-lmservice-63a.corp.com",
    "dest": "jksas1077.corp.com"
}

This allows to insert the FQDN resolved to its corresponding IP.

Discovery info

Every SIGHTINGS event from "event_type":"alert" will have a discovery subsection as part of the standard JSON log which shows the asset, asset’s role and the specific discovery key/value:

"discovery":{
"asset":"10.5.27.184"
    "asset_role":[]
"asset_net":"user.vyhar.org.affected-users"
"key":"smb.filename"
"value":"k.exe"
}

In the example above, the executable named k.exe was first seen transferred over SMB to 10.5.27.184.

GeoIP

Each event, wherever possible will have GeoIP enrichment subsection as part of the standard JSON log. Example:

"geoip": {
  "location": {
    "lon": 24.4167,
    "lat": 43.0167
  },
  "country": {
    "geoname_id": 732800,
    "name": "Bulgaria",
    "is_in_european_union": true,
    "iso_code": "BG"
  },
  "subdivisions": [
    {
      "geoname_id": 729560,
      "name": "Lovech",
      "iso_code": "11"
    }
  ],
  "provider": {
    "autonomous_system_number": 50360,
    "autonomous_system_organization": "Tamatiya EOOD"
  },
  "coordinate": [
    24.4167,
    43.0167
  ],
  "latitude": 43.0167,
  "continent": {
    "code": "EU",
    "geoname_id": 6255148,
    "name": "Europe"
  },
  "country_code3": "BG",
  "timezone": "Europe/Sofia",
  "city_name": "Sopot",
  "city": {
    "geoname_id": 726975,
    "name": "Sopot"
  },
  "postal": {
    "code": "5571"
  },
  "ip": "91.191.220.104",
  "country_code2": "BG",
  "continent_code": "EU",
  "country_name": "Bulgaria",
  "longitude": 24.4167,
  "registered_country": {
    "geoname_id": 732800,
    "name": "Bulgaria",
    "is_in_european_union": true,
    "iso_code": "BG"
  }
}

TLS Cipher analytics

Any TLS based alert or TLS protocol event (even TLS 1.3 with full encryption) will have Cipher analytics subsection as part of the standard JSON log. The following fields would be added cipher_security, cipher_suite Example:

{
"ja3": {
    "hash": "2201d8e006f8f005a6b415f61e677532",
    "string": "769,47-53-5-10-49171-49172-49161-49162-50-56-19-4,65281-0-5-10-11,23-24,0",
    "agent": [
    "MSIE 10.0 Trident/6.0, Malware Test FP: blackhole-ek-traffic, sweet-orange-ek-post-infection-traffic, sweet-orange-ek-traffic, styx-ek-traffic"
    ]
},
"sni": "1jskidelt2pg0238du.ohtheigh.cc",
"notbefore": "2013-05-14T19:32:22",
"cipher_suite": "TLS_RSA_WITH_AES_256_CBC_SHA",
"issuerdn": "C=GB, ST=Yorks, L=York, O=MyCompany Ltd., OU=IT, CN=localhost",
"notafter": "2014-05-14T19:32:22",
"cipher_security": "insecure",
"version": "TLSv1",
"serial": "00:C5:A4:39:20:05:58:D6:82",
"subject": "C=GB, ST=Yorks, L=York, O=MyCompany Ltd., OU=IT, CN=localhost",
"ja3s": {
    "hash": "91589ea825a2ee41810c85fab06d2ef6",
    "string": "769,53,65281"
},
"fingerprint": "90:5e:f2:18:82:ba:67:b4:44:5a:3c:c2:51:3c:6c:36:66:40:b1:23"
}

This enrichment will be present in the following event types: SIGHTINGS, "event_type":"alert" if TLS based and "event_type":"tls".

TLS JA4

Any TLS based alert or TLS protocol event (even TLS 1.3 with full encryption) will have TLS JA4 subsection as part of the standard JSON log. The following fields would be added ja4.hash, ja4.agent Example:

"tls": {
  "subject": "C=US, ST=California, L=Mountain View, O=Google LLC, CN=*.googleapis.com",
  "issuerdn": "C=US, O=Google Trust Services, CN=Google Internet Authority G3",
  "serial": "17:E1:46:B0:38:54:10:79:F3:BB:60:C1:C3:B7:9A:C7",
  "fingerprint": "c6:3e:93:ab:25:2b:06:11:2f:f9:d3:61:fb:2e:89:28:91:2c:27:46",
  "sni": "www.googleapis.com",
  "version": "TLS 1.2",
  "notbefore": "2019-06-11T12:22:17",
  "notafter": "2019-09-03T12:20:00",
  "ja3": {
    "hash": "bc6c386f480ee97b9d9e52d472b772d8",
    "string": "771,49195-49199-49196-49200-52393-52392-49171-49172-156-157-47-53-10,65281-0-23-35-13-5-18-16-11-10,29-23-24,0",
    "agent": [
      "Chrome Version 60/61.0.3163, Google Chrome"
    ]
  },
  "ja4": {
    "hash": "t12d1310h2_8b80da21ef18_e69ac49eb88f",
    "agent": [
      "Chrome Version 60/61.0.3163, Google Chrome"
    ]
  },
  "ja3s": {
    "hash": "06dc1d6aa358d0a305c7d6ce6b132be5",
    "string": "771,49195,23-65281-11-35-16-18"
  },
  "alpn_ts": [
    "h2",
    "http/1.1"
  ],
  "alpn_tc": "h2",
  "cipher_suite": "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
  "cipher_security": "recommended"
}

This enrichment will be present in the following event types: SIGHTINGS, "event_type":"alert" if TLS based, "event_type":"flow" if TLS based and "event_type":"tls".

TLS ALPN

The TLS Application-Layer Protocol Negotiation (ALPN) is an extension of the TLS protocol that allows the client and server to negotiate which application protocol to use during the TLS handshake. This negotiation happens early in the connection process, allowing for a more efficient setup by avoiding additional round trips to determine the protocol after the connection is established.

It can be useful in identifying and monitoring the specific application protocols (such as HTTP/2, HTTP/1.1) being used in encrypted traffic. This helps in quickly recognizing protocol usage patterns, detecting potential policy violations, and ensuring that only approved protocols are in use.

Any TLS based alert or TLS protocol event (even TLS 1.3 with full encryption) will have TLS JA4 subsection as part of the standard JSON log. The following fields would be added tls.alpn_tc, tls.alpn_ts

Example:

"tls": {
  "subject": "C=US, ST=California, L=Mountain View, O=Google LLC, CN=*.googleapis.com",
  "issuerdn": "C=US, O=Google Trust Services, CN=Google Internet Authority G3",
  "serial": "17:E1:46:B0:38:54:10:79:F3:BB:60:C1:C3:B7:9A:C7",
  "fingerprint": "c6:3e:93:ab:25:2b:06:11:2f:f9:d3:61:fb:2e:89:28:91:2c:27:46",
  "sni": "www.googleapis.com",
  "version": "TLS 1.2",
  "notbefore": "2019-06-11T12:22:17",
  "notafter": "2019-09-03T12:20:00",
  "ja3": {
    "hash": "bc6c386f480ee97b9d9e52d472b772d8",
    "string": "771,49195-49199-49196-49200-52393-52392-49171-49172-156-157-47-53-10,65281-0-23-35-13-5-18-16-11-10,29-23-24,0",
    "agent": [
      "Chrome Version 60/61.0.3163, Google Chrome"
    ]
  },
  "ja4": {
    "hash": "t12d1310h2_8b80da21ef18_e69ac49eb88f",
    "agent": [
      "Chrome Version 60/61.0.3163, Google Chrome"
    ]
  },
  "ja3s": {
    "hash": "06dc1d6aa358d0a305c7d6ce6b132be5",
    "string": "771,49195,23-65281-11-35-16-18"
  },
  "alpn_ts": [
    "h2",
    "http/1.1"
  ],
  "alpn_tc": "h2",
  "cipher_suite": "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
  "cipher_security": "recommended"
}

Another Example:

"tls": {
  "alpn_ts": [
    "http/0.9",
    "http/1.0",
    "http/1.1",
    "spdy/1",
    "spdy/2",
    "spdy/3",
    "h2",
    "h2c",
    "hq"
  ],
  "ja3": {
    "hash": "03a3ad27040f733ee5c9915e0903d028",
    "string": "771,49170-49159-52244-4865-4866-52393-49267-49266-49196-49327-49325-49188-49162-49195-49326-49324-49187-49161-49160-154-196-136-190-69-159-49315-49311-107-57-158-49314-49310-103-51-22,0-23-1-65281-10-11-35-16-13-51-45,29-23-24-25,0"
  },
  "alpn_tc": "h2",
  "ja3s": {
    "hash": "a583e1ea2d5d7a4ac06aa7bfe8140364",
    "string": "771,158,65281-0-1-35-16-23"
  },
  "sni": "zahtmyhyoi.duckdns.org",
  "session_resumed": true,
  "ja4": {
    "hash": "t12d3511h9_66c735deec94_52c4d8bb91c9"
  },
  "version": "TLS 1.2",
  "cipher_suite": "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
  "cipher_security": "degraded"
}

This enrichment will be present in the following event types: SIGHTINGS, "event_type":"alert" if TLS based, "event_type":"flow" if TLS based and "event_type":"tls".

DCERPC function name mappings

Any DCERPC event will have enrichment in the form of a name mapping subsection as part of the standard JSON log. In the example below the uuid is translated to name: sasec which is translating Microsoft’s uuid to its name. Example:

"smb": {
  "command": "SMB2_COMMAND_WRITE",
  "status_code": "0x0",
  "id": 8,
  "tree_id": 1,
  "dcerpc": {
    "request": "BIND",
    "response": "BINDACK",
    "call_id": 2,
    "interfaces": [
      {
        "version": "1.0",
        "ack_result": 2,
        "ack_reason": 0,
        "name": "sasec",
        "uuid": "378e52b0-c0a9-11cf-822d-00aa0051e40f"
      },
      {
        "version": "1.0",
        "ack_result": 0,
        "ack_reason": 0,
        "name": "sasec",
        "uuid": "378e52b0-c0a9-11cf-822d-00aa0051e40f"
      },
      {
        "version": "1.0",
        "ack_result": 3,
        "ack_reason": 0,
        "name": "sasec",
        "uuid": "378e52b0-c0a9-11cf-822d-00aa0051e40f"
      }
    ]
  }

The following event types will have that enrichment "event_type":"alert" (where relevant), "event_type":"smb" and "event_type":"dcerpc".

Number of transactions in a flow

Any protocol event will have enrichment in the form tx_id as part of the standard JSON log. This allows to tell how many transactions are there in that specific session. In turn it allows for query based searches covering use cases such as too many ACCESS DENIED transactions in the same SMB flow/session which is an indicator for brute forcing. Example:

"tx_id": 650,
"smb": {
  "share_type": "UNKNOWN",
  "command": "SMB2_COMMAND_TREE_CONNECT",
  "status_code": "0xc0000022",
  "id": 66,
  "tree_id": 0,
  "share": "\\\\share.network\\candy$",
  "ext_status": {
    "text": "STATUS_ACCESS_DENIED",
    "facility": "UNDEFINED",
    "customer": 0,
    "short_code": "0x22",
    "severity": "ERROR"
  },
  "status": "STATUS_ACCESS_DENIED",
  "dialect": "3.11",
  "session_id": 1703757132
}

Any event type would have that field.

SSH hassh, client and server software

Any SSH protocol event will have by default the ssh client and server software and version as part of its log. Further more the event will contain a unique hash of both the client and server side hassh allowing for further analytics and uniquely identifying ssh communications and flows. Example:

"ssh": {
  "client": {
    "software_version": "libssh_0.7.4",
    "proto_version": "2.0",
    "hassh": {
      "string": "curve25519-sha256@libssh.org,ecdh-sha2-nistp256,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1;aes256-ctr,aes192-ctr,aes128-ctr,aes256-cbc,aes192-cbc,aes128-cbc,3des-cbc;hmac-sha2-256,hmac-sha2-512,hmac-sha1;none",
      "hash": "e37f354a101aff5871ba233aa82b84ec"
    }
  },
  "server": {
    "software_version": "OpenSSH_7.4",
    "proto_version": "2.0",
    "hassh": {
      "string": "curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1;chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc,aes192-cbc,aes256-cbc,blowfish-cbc,cast128-cbc,3des-cbc;umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1;none,zlib@openssh.com",
      "hash": "6832f1ce43d4397c2c0a3e2f8c94334e"
    }
  }
}

The following event types will have that enrichment "event_type":"ssh".

Additional resources

Further reading and ideas around the data analytics topic can be found in our free book, Suricata for Analysts the world’s first practical guide to threat detection and hunting using Suricata.