Suricata 7 Keyword Updates from Suricata 5

Emerging Threats will be adding a Suricata 7 fork which will allow us to make more efficient rules using the latest available keywords and keyword options. We wanted to pass along some of the changes between versions so others are aware of the new options as well.

Suricata 5 to Suricata 6

The RFB (Remote Frame Buffer) protocol parser was added, with support for the following keywords:

  • rfb.name - Match on the value of the RFB desktop name field
  • rfb.secresult - Match on the value of the RFB security result
  • rfb.sectype - Match on the value of the RFB security type field

reference: 7.26. RFB Keywords — Suricata 6.0.14 documentation

The MQTT (historically MQ Telemetry Transport) protocol parser was added, with support for the following keywords:

  • mqtt.protocol_version - Match on the value of the MQTT protocol version field in the fixed header.
  • mqtt.type - Match on the MQTT message type
  • mqtt.flags - Match on a combination of MQTT header flags, separated by commas
  • mqtt.qos - Match on the Quality of Service request code in the MQTT fixed header
  • mqtt.reason_code - Match on the numeric value of the reason code
  • mqtt.connack.session_present - Match on the MQTT CONNACK session_present flag
  • mqtt.connect.clientid - Match on the self-assigned client ID in the MQTT CONNECT message
  • mqtt.connect.flags - Match on a combination of MQTT CONNECT flags, separated by commas
  • mqtt.connect.password - Match on the password credential in the MQTT CONNECT message
  • mqtt.connect.username - Match on the username credential in the MQTT CONNECT message
  • mqtt.connect.willmessage - Match on the will message in the MQTT CONNECT message
  • mqtt.connect.willtopic - Match on the will topic in the MQTT CONNECT message
  • mqtt.publish.message - Match on the payload to be published in the MQTT PUBLISH message
  • mqtt.publish.topic - Match on the topic to be published to in the MQTT PUBLISH message
  • mqtt.subscribe.topic - Match on any of the topics subscribed to in an MQTT SUBSCRIBE message
  • mqtt.unsubscribe.topic - Match on any of the topics unsubscribed from in a MQTT UNSUBSCRIBE message

reference: 7.27. MQTT Keywords — Suricata 6.0.14 documentation
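The rules below are an added example (they are not from the original post and not Emerging Threats rules) showing how the Suricata 6 RFB and MQTT keywords above are written in practice: numeric keywords take comparison values or named flags, while the string keywords are sticky buffers that are followed by content matching. Message text, thresholds, client-id prefixes and SIDs are constructed for illustration.

```suricata
# Added example rules for the Suricata 6 RFB and MQTT keywords (constructed; not from the original post).
# SIDs in the 1000000+ range are the conventional local-rule space.

# RFB: a failed VNC authentication, reported in the server's SecurityResult message.
alert rfb any any -> any any (msg:"LOCAL RFB authentication failed"; flow:established; rfb.secresult:fail; classtype:attempted-user; sid:1000001; rev:1;)

# RFB: the session settled on security type 1 ("None"), i.e. no authentication at all.
alert rfb any any -> any any (msg:"LOCAL RFB session with security type None"; flow:established; rfb.sectype:1; classtype:policy-violation; sid:1000002; rev:1;)

# RFB: desktop name is a sticky buffer, so ordinary content modifiers apply (constructed name).
alert rfb any any -> any any (msg:"LOCAL RFB desktop name contains lab"; flow:established; rfb.name; content:"lab"; nocase; sid:1000003; rev:1;)

# MQTT: CONNECT that sets the username flag but not the password flag.
alert mqtt any any -> any any (msg:"LOCAL MQTT CONNECT with username but no password"; flow:to_server; mqtt.type:CONNECT; mqtt.connect.flags:username,!password; classtype:policy-violation; sid:1000004; rev:1;)

# MQTT: CONNECT whose client ID follows a constructed "lab-" naming convention, matched as a sticky buffer.
alert mqtt any any -> any any (msg:"LOCAL MQTT CONNECT from lab- client id"; flow:to_server; mqtt.type:CONNECT; mqtt.connect.clientid; content:"lab-"; startswith; sid:1000005; rev:1;)

# MQTT: broker refused the connection (any non-zero CONNACK return/reason code).
alert mqtt any any -> any any (msg:"LOCAL MQTT CONNACK refused"; flow:to_client; mqtt.type:CONNACK; mqtt.reason_code:>0; sid:1000006; rev:1;)

# MQTT: SUBSCRIBE to the multi-level wildcard "#" on its own, i.e. every topic on the broker.
alert mqtt any any -> any any (msg:"LOCAL MQTT subscription to all topics"; flow:to_server; mqtt.type:SUBSCRIBE; mqtt.subscribe.topic; content:"#"; bsize:1; sid:1000007; rev:1;)

# MQTT: QoS 2 PUBLISH with the retain flag set, into a constructed "config/" topic tree.
alert mqtt any any -> any any (msg:"LOCAL MQTT retained QoS2 publish to config topic"; flow:to_server; mqtt.type:PUBLISH; mqtt.qos:2; mqtt.flags:retain; mqtt.publish.topic; content:"config/"; startswith; sid:1000008; rev:1;)
```

The `flow:` direction keywords are deliberate: CONNECT, SUBSCRIBE and PUBLISH rules are scoped to_server and the CONNACK rule to_client, which keeps the sticky-buffer matches from being evaluated against traffic in the other direction.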

Transformations Added

Existing Keyword Updates

Misc Updates

Suricata 6 to Suricata 7

The Suricata 7 series introduced the following parsers and keywords:

The DHCP parser and keyword functionality were updated with the keywords below:

  • dhcp.rebinding_time - Matches on the DHCP rebinding time

  • dhcp.renewal_time - Matches on the DHCP renewal time

  • dhcp.leasetime - Matches on the DHCP lease time

reference: 8.21. DHCP keywords — Suricata 7.0.1 documentation

The flow keyword functionality was updated with the keyword below:

  • flow.age - Match on flow age in seconds

reference: 8.11. Flow Keywords — Suricata 7.0.1 documentation

The QUIC protocol parser was added, with the following keywords:

  • quic.cyu.hash - Matches on the CYU hash

  • quic.cyu.string - Matches on the CYU string

  • quic.version - Matches on the header version

reference: 8.34. Quic Keywords — Suricata 7.0.1 documentation

The Kerberos parser and keyword functionality were updated with the keyword below:

  • krb5.ticket_encryption - Matches on Kerberos 5 encryption types

reference: Kerberos Keywords — Suricata 7.0.1 documentation

The TLS parser and keyword functionality were updated with the keywords below:

  • tls.random - Matches on the 32 bytes of the TLS random field

  • tls.random_time - Matches on the first 4 bytes of the TLS random field

  • tls.random_bytes - Matches on the last 28 bytes of the TLS random field

  • tls.cert_chain_len - Matches on the TLS certificate chain length

reference: 8.16. SSL/TLS Keywords — Suricata 7.0.1 documentation
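As an added example (not from the original post, and not Emerging Threats rules), the rules below exercise the DHCP, flow.age, QUIC, Kerberos and TLS keywords listed above. The thresholds (one-day lease, five-minute renewal, one-hour flow age, chain length five), the QUIC hash and the SIDs are constructed placeholders; the RC4-HMAC and all-zero-random checks are the kind of policy detections a defender would actually deploy.

```suricata
# Added example rules for the DHCP, flow, QUIC, Kerberos and TLS keywords (constructed; not from the original post).

# DHCP: lease and renewal timers outside a constructed site policy (max one-day lease, min five-minute renewal).
alert dhcp any any -> any any (msg:"LOCAL DHCP lease time longer than one day"; dhcp.leasetime:>86400; sid:1000010; rev:1;)
alert dhcp any any -> any any (msg:"LOCAL DHCP renewal time shorter than five minutes"; dhcp.renewal_time:<300; sid:1000011; rev:1;)

# flow.age: TCP flow older than one hour. The threshold makes it fire once per source per hour instead of on every packet.
alert tcp any any -> any any (msg:"LOCAL TCP flow open for more than one hour"; flow:established; flow.age:>3600; threshold:type limit,track by_src,count 1,seconds 3600; sid:1000012; rev:1;)

# QUIC: match a CYU (client hello fingerprint) hash as a sticky buffer. The value is a constructed placeholder, not a real fingerprint.
alert quic any any -> any any (msg:"LOCAL QUIC client with watched CYU hash"; quic.cyu.hash; content:"0123456789abcdef0123456789abcdef"; sid:1000013; rev:1;)

# Kerberos: a ticket issued with RC4-HMAC rather than an AES type; worth an alert in a domain that is supposed to be AES-only.
alert krb5 any any -> any any (msg:"LOCAL Kerberos ticket encrypted with RC4-HMAC"; krb5.ticket_encryption:rc4-hmac; sid:1000014; rev:1;)

# TLS: server presented a certificate chain of more than five certificates.
alert tls any any -> any any (msg:"LOCAL TLS certificate chain longer than five"; flow:established,to_client; tls.cert_chain_len:>5; sid:1000015; rev:1;)

# TLS: ClientHello whose 28 random bytes are all zero (a broken or non-standard client).
alert tls any any -> any any (msg:"LOCAL TLS ClientHello with all-zero random bytes"; flow:established,to_server; tls.random_bytes; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; sid:1000016; rev:1;)

# TLS: the 4-byte time prefix of the random field is zero; tls.random would cover all 32 bytes at once.
alert tls any any -> any any (msg:"LOCAL TLS hello with zero random_time"; flow:established,to_server; tls.random_time; content:"|00 00 00 00|"; sid:1000017; rev:1;)
```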

The IKE (Internet Key Exchange) protocol parser was added, with support for the following keywords:

  • ike.init_spi - Match on an exact value of the Security Parameter Index (SPI) for the initiator

  • ike.resp_spi - Match on an exact value of the Security Parameter Index (SPI) for the responder

  • ike.chosen_sa_attribute - Match on an attribute value of the chosen Security Association (SA) by the Responder

  • ike.exchtype - Match on the value of the Exchange Type

  • ike.vendor - Match a vendor ID against the list of collected vendor IDs

  • ike.key_exchange_payload - Match against the public key exchange payload (e.g. Diffie-Hellman) of the server or client

  • ike.key_exchange_payload_length - Match against the length of the public key exchange payload (e.g. Diffie-Hellman) of the server or client

  • ike.nonce_payload - Match against the nonce of the server or client

  • ike.nonce_payload_length - Match against the length of the nonce of the server or client

reference: 8.32. IKE Keywords — Suricata 7.0.1 documentation

The SMB (Server Message Block) protocol parser was updated with the keywords below:

  • smb.named_pipe - Match on SMB named pipe in tree connect

  • smb.share - Match on SMB share name in tree connect

  • smb.ntlmssp_user - Match on SMB ntlmssp user in session setup

  • smb.ntlmssp_domain - Match on SMB ntlmssp domain in session setup

reference: 8.26. SMB Keywords — Suricata 7.0.1 documentation

The SNMP (Simple Network Management Protocol) parser was updated with the following keyword:

  • snmp.usm - Matches on the User-based Security Model (USM) user name used in SNMP version 3

reference: SNMP keywords — Suricata 7.0.1 documentation
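The rules below are an added example (not from the original post, and not Emerging Threats rules) for the IKE, SMB and SNMP keywords above. The IKE rules show the three keyword shapes in that section (a numeric match, an attribute=value match and a hex-string sticky buffer); the SMB and SNMP rules show the new sticky buffers combined with `endswith`, `nocase` and `bsize`. The SPI value, the "breakglass"/"CORP" account names and the SIDs are constructed placeholders.

```suricata
# Added example rules for the IKE, SMB and SNMP keywords (constructed; not from the original post).

# IKE: exchange type 4 is IKEv1 Aggressive Mode, which hardening guides recommend disabling.
alert ike any any -> any any (msg:"LOCAL IKEv1 Aggressive Mode exchange"; ike.exchtype:4; sid:1000020; rev:1;)

# IKE: the responder accepted an SA whose encryption algorithm attribute is 1 (DES-CBC).
alert ike any any -> any any (msg:"LOCAL IKE SA negotiated with DES"; ike.chosen_sa_attribute:alg_enc=1; sid:1000021; rev:1;)

# IKE: key exchange payload shorter than 128 bytes, i.e. a DH group smaller than 1024-bit MODP.
alert ike any any -> any any (msg:"LOCAL IKE key exchange payload under 128 bytes"; ike.key_exchange_payload_length:<128; sid:1000022; rev:1;)

# IKE: the initiator SPI is matched as a hex string in a sticky buffer; this SPI is a constructed placeholder.
alert ike any any -> any any (msg:"LOCAL IKE watched initiator SPI"; ike.init_spi; content:"0011223344556677"; sid:1000023; rev:1;)

# SMB: tree connect to the ADMIN$ administrative share; the buffer holds the full UNC path, so anchor on its end.
alert smb any any -> any any (msg:"LOCAL SMB tree connect to ADMIN$"; flow:established,to_server; smb.share; content:"ADMIN$"; endswith; nocase; sid:1000024; rev:1;)

# SMB: the svcctl named pipe (remote service control interface) requested in a tree connect.
alert smb any any -> any any (msg:"LOCAL SMB named pipe svcctl"; flow:established,to_server; smb.named_pipe; content:"svcctl"; nocase; sid:1000025; rev:1;)

# SMB: NTLMSSP session setup as a constructed break-glass account in a constructed domain.
alert smb any any -> any any (msg:"LOCAL SMB session setup as breakglass account"; flow:established,to_server; smb.ntlmssp_user; content:"breakglass"; nocase; smb.ntlmssp_domain; content:"CORP"; nocase; sid:1000026; rev:1;)

# SNMP: SNMPv3 message whose USM user name is exactly "admin" (constructed; bsize pins the exact length).
alert snmp any any -> any any (msg:"LOCAL SNMPv3 USM user admin"; snmp.version:3; snmp.usm; content:"admin"; nocase; bsize:5; sid:1000027; rev:1;)
```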

Transformations Added

  • xor - Takes the content of a buffer and applies XOR decoding with the given key

reference: 8.9. Transformations — Suricata 7.0.1 documentation
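As an added example (not from the original post), the rules below show what the xor transformation buys you. The scenario is constructed: a client uploads a Windows executable whose bytes have been XORed with a one-byte key 0x55. With the transformation Suricata decodes the buffer before content matching, so the rule can match the plain "MZ" header; the second rule shows the equivalent match you would otherwise have to precompute by hand, and the third shows a multi-byte key. The key values and SIDs are constructed.

```suricata
# Added example for the xor transformation (constructed scenario; not from the original post).

# Decode the request body with the one-byte key 0x55, then match the plain PE header at the start of the buffer.
alert http any any -> any any (msg:"LOCAL HTTP POST body is a PE file XOR-encoded with key 0x55"; flow:established,to_server; http.method; content:"POST"; http.request_body; xor:"55"; content:"MZ"; startswith; sid:1000030; rev:1;)

# Without the transformation you precompute the encoded bytes yourself: 'M' (0x4d) ^ 0x55 = 0x18, 'Z' (0x5a) ^ 0x55 = 0x0f.
alert http any any -> any any (msg:"LOCAL HTTP POST body is a PE file XOR-encoded with key 0x55 (manual)"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"|18 0f|"; startswith; sid:1000031; rev:1;)

# Multi-byte keys repeat across the buffer: the two-byte key 0x55 0xaa is written as xor:"55aa".
alert http any any -> any any (msg:"LOCAL HTTP POST body is a PE file XOR-encoded with key 0x55aa"; flow:established,to_server; http.method; content:"POST"; http.request_body; xor:"55aa"; content:"MZ"; startswith; sid:1000032; rev:1;)
```

The transformation only helps when the key is known and fixed; a per-session key still needs a different approach (for example a byte_test on structure rather than content).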

Misc Updates

  • The JA3 functionality was updated to calculate and log JA3 values for QUIC connections

  • The stream_size keyword can now be used with the prefilter keyword

  • The bsize keyword was updated to allow a zero value for empty buffers

  • The byte_jump keyword was updated to allow variables to be used for nbytes values

  • The byte_test keyword was updated to allow variables to be used for nbytes values

  • The byte_math keyword was updated to allow variables to be used for nbytes values

  • The http2.header keyword was renamed to http.request_header and http.response_header

  • Multiple buffer matching for supported keywords (reference: 8.44. Multiple Buffer Matching — Suricata 7.0.1 documentation)

  • The file keywords were updated to sticky buffers with dot notation, e.g. file.data (reference: 8.14. File Keywords — Suricata 7.0.1 documentation)

  • The file.data keyword was updated to support NFS and the HTTP PUT and POST methods
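The rules below are an added example (not from the original post, and not Emerging Threats rules) covering the miscellaneous updates above: bsize:0 on an empty buffer, a byte_extract variable used as the nbytes argument of byte_test and byte_jump, http.request_header as a per-header multi-buffer, multiple buffer matching on mqtt.subscribe.topic, the dot-notation file keywords including file.data on an HTTP POST and file.name over NFS, and stream_size as a prefilter. The TLV layout on port 7777, the X-Debug header, the "admin/" topic tree and the SIDs are constructed for illustration.

```suricata
# Added example rules for the Suricata 7 miscellaneous updates (constructed; not from the original post).

# bsize:0 now matches an empty buffer: a User-Agent header that is present but has an empty value.
alert http any any -> any any (msg:"LOCAL HTTP request with empty User-Agent"; flow:established,to_server; http.user_agent; bsize:0; sid:1000040; rev:1;)

# Variable nbytes. Constructed TLV layout on port 7777:
#   byte 0   : message type (0x01)
#   byte 1   : width of the length field in bytes (1, 2 or 4)
#   byte 2.. : length field, big-endian, <width> bytes wide, followed by <length> bytes of value
# byte_extract reads the width into "lenwidth"; byte_test then uses that variable as its nbytes argument.
alert tcp any any -> any 7777 (msg:"LOCAL TLV length field claims more than 64 KiB"; flow:established,to_server; content:"|01|"; depth:1; byte_extract:1,0,lenwidth,relative; byte_test:lenwidth,>,65535,0,relative,big; sid:1000041; rev:1;)

# The same variable drives byte_jump: read the length field, skip over the value, and check for a constructed "END" trailer.
alert tcp any any -> any 7777 (msg:"LOCAL TLV message with END trailer"; flow:established,to_server; content:"|01|"; depth:1; byte_extract:1,0,lenwidth,relative; byte_jump:lenwidth,0,relative,big; content:"END"; distance:0; within:3; sid:1000042; rev:1;)

# http.request_header (the renamed http2.header) is a multi-buffer: each header is its own buffer,
# so startswith anchors to the start of one header rather than to the start of the whole header block.
alert http any any -> any any (msg:"LOCAL HTTP request carrying an X-Debug header"; flow:established,to_server; http.request_header; content:"X-Debug"; startswith; nocase; sid:1000043; rev:1;)

# Multiple buffer matching: each mqtt.subscribe.topic instance is checked against every topic in the SUBSCRIBE
# independently, so this matches a request that asks for a constructed "admin/" tree and for a wildcard topic.
alert mqtt any any -> any any (msg:"LOCAL MQTT subscribe to admin/ tree and a wildcard"; flow:to_server; mqtt.type:SUBSCRIBE; mqtt.subscribe.topic; content:"admin/"; startswith; mqtt.subscribe.topic; content:"#"; endswith; sid:1000044; rev:1;)

# file.data with dot notation on an HTTP POST upload; the same rule form works for PUT and, with alert nfs, for NFS.
alert http any any -> any any (msg:"LOCAL HTTP POST uploading a PE file"; flow:established,to_server; http.method; content:"POST"; file.data; content:"MZ"; startswith; sid:1000045; rev:1;)

# file.name as a sticky buffer over NFS.
alert nfs any any -> any any (msg:"LOCAL NFS transfer of a .ps1 file"; file.name; content:".ps1"; endswith; nocase; sid:1000046; rev:1;)

# stream_size as the prefilter engine: the client has pushed more than 1 MiB into a single TCP stream.
alert tcp any any -> any any (msg:"LOCAL TCP stream with more than 1 MiB from client"; flow:established,to_server; stream_size:client,>,1048576; prefilter; threshold:type limit,track by_src,count 1,seconds 600; sid:1000047; rev:1;)
```

Load any of these with `suricata -T -S local.rules` before deploying them; the `-T` test mode reports a keyword or option that your build does not accept without starting packet processing.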
