Understanding the `virustota-ioc.rules`
The `virustota-ioc.rules` file is a core component of your network's defense, allowing you to actively detect known threats. It is a practical application of Cyber Threat Intelligence (CTI): gathering and analyzing information about potential or current threats to improve an organization's security posture. The complete ruleset is available on GitHub.
What Are the Rules and What Do They Achieve?
Each rule in the file encodes an Indicator of Compromise (IoC), a forensic artifact (here, a domain name) whose appearance in traffic indicates that a network intrusion may have occurred. By loading these rules into Suricata, your system can automatically detect and alert on DNS queries for known malicious domains.
Examples from the ruleset:

- Rule for '303.consent-pref.trustarc.com': alerts on a DNS query for a domain that has been flagged as suspicious on VirusTotal. The goal is to detect potentially malicious traffic from a host on your network to this specific domain.
- Rule for 'storage.googleapis.com': flags a query for a Google-owned domain that is often abused for malware hosting. This helps identify a host that may be attempting to download malicious content from a compromised legitimate service.
- Rule for 'botnet-control-3.org': a direct IoC for a known botnet C&C (Command & Control) server. The objective is to detect a compromised machine on your network attempting to contact its botmaster for instructions.
- Rule for 'malware-cdn.xyz': targets a domain used for distributing malware. Detecting this DNS query helps identify a host attempting to download malicious files and helps prevent the download from happening in the first place.
- Rule for 'ransomware-server.ru': alerts on a DNS query for a server associated with ransomware. The goal is to detect a machine that may be trying to connect to a C&C server to either obtain a decryption key or upload encrypted files.
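As an added example (not the repository's own code), the following script generates DNS-query rules of the kind listed above from a domain feed. It assumes Suricata 5.0+ syntax (the `dns.query` sticky buffer with `bsize` and `endswith`), a sid range starting at 9000001, and a per-domain match policy chosen here for illustration; the policy for 'storage.googleapis.com' is deliberately apex-only because that host carries a large volume of legitimate traffic.

```python
"""Turn IoC domains into Suricata DNS-query rules (Suricata 5.0+ dns.query
buffer). 'exact' matches only the apex name; 'subdomains' adds a second rule
for names under it, anchored so 'notevil.org' never hits the 'evil.org' rule."""
import re

# Constructed input: the five domains named on this page, with a match policy
# picked here for illustration; these are not the repository's own rules.
IOC_DOMAINS = {
    "303.consent-pref.trustarc.com": "exact",
    "storage.googleapis.com": "exact",  # busy legitimate service: apex only
    "botnet-control-3.org": "subdomains",
    "malware-cdn.xyz": "subdomains",
    "ransomware-server.ru": "subdomains",
}
_LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
_DOMAIN_RE = re.compile(rf"^(?:{_LABEL}\.)+{_LABEL}$")


def validate_domain(domain: str) -> str:
    """Normalise a feed entry and reject anything that would break the rule
    syntax (quotes, semicolons) or could never match (spaces, junk)."""
    d = domain.strip().lower().rstrip(".")
    if len(d) > 253 or not _DOMAIN_RE.match(d):
        raise ValueError(f"not a valid IoC domain: {domain!r}")
    return d

def rules_for(domain: str, sid: int, mode: str = "exact") -> list:
    """Rules for one domain; sids are allocated consecutively from `sid`."""
    d = validate_domain(domain)
    head = f'alert dns $HOME_NET any -> any any (msg:"VT IOC DNS query for {d}"; dns.query; '
    tail = " metadata:source virustotal; sid:{}; rev:1;)"
    # bsize pins the query length, so only the apex name itself matches.
    out = [head + f'content:"{d}"; nocase; bsize:{len(d)};' + tail.format(sid)]
    if mode == "subdomains":
        # Leading dot plus endswith: matches cdn.<d> but not not<d>.
        out.append(head + f'content:".{d}"; nocase; endswith;' + tail.format(sid + 1))
    elif mode != "exact":
        raise ValueError(f"unknown match mode: {mode!r}")
    return out

def build_ruleset(domains: dict, first_sid: int = 9000001) -> list:
    """One pass over the feed with unique sids; duplicate hosts are skipped."""
    rules, seen, sid = [], set(), first_sid
    for domain, mode in domains.items():
        d = validate_domain(domain)
        if d in seen:
            continue
        seen.add(d)
        new = rules_for(d, sid, mode)
        rules.extend(new)
        sid += len(new)
    return rules
```

Write the output of `build_ruleset(IOC_DOMAINS)` to a `.rules` file, reference it from `suricata.yaml`, and confirm it loads with `suricata -T` before relying on it.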
My main objective is to use this system to transform a basic home network into a self-defending environment. By leveraging public CTI sources, my project can proactively identify and alert on threats that might otherwise go unnoticed. This not only enhances security but also provides valuable insights into the network's traffic and host behavior.