HomeMalware Analysis
Detection with Suricata IDS
HomeMalware Analysis
Detection with Suricata IDS

Today we face a growing number of cyberattacks. Analysts can use the intrusion detection system to identify, minimize, and stop threats. In this post, we cover one of the industry’s leading IDS, along with a use case, so you can have a full picture of how ANY.RUN identifies malware. 

Intrusion Detection System

IDS is security software that checks the network for suspicious behavior. If something unusual happens, it sends a warning message about it. Moreover, the system allows being aware of possible malicious activities. 

Two popular types of IDS:

1.NIDS – Network Intrusion Detection System;

It includes the analysis of traffic, both in and out of the network. The system monitors if there are any malicious activities. NIDS’s goal is to detect and alert about it.

2.HIDS – Host Intrusion Detection System.

It monitors any differences in the file set in the system. If there are any changes, it gives an alert message. 

We should also mention the subsets of IDS: 

  • Signature-based

This system tries to find instances of familiar threats. Once a verdict of a file is set, then goes the analysis of special characteristics and as a result, appears a signature that belongs to that very attack. These types of systems compare the pattern with an existing database of signatures. This is how the type of threat is detected. Please note that constant updates and expansion of the library are necessary. 

  • Anomaly-based 

This subset monitors the network’s traffic for any suspicious behavior. First of all, it creates a normal model of the system’s activity. Then it compares it with other existing models to find anomalies. That’s the way to identify attacks for this type. 


Now as we know what IDS stands for, let’s talk about ANY.RUN choice of the system. The platform uses Suricata ruleset from different providers such as Proofpoint (Emerging Threats). 

Suricata is NIDS based on the signature and anomaly approaches. It utilizes externally developed rule sets to monitor network traffic in real-time and provides alerts to the system administrator when suspicious events occur. It helps to reveal the known threats, policy violations, and malicious behavior faster by using patterns. One of Suricata’s benefits is that it acquires smart and elaborate processing architecture.

A signature consists of the following:

  • Action
  • Header
  • Rule-options

The IDS collects data at the application layer. Suricata is able to monitor protocol activity at high levels: SMB, FTP, and HTTP and low levels: UDP, TLS, TCP, and ICMP.  Furthermore, with this IDS analysts can extract files and investigate them by themselves.

Determining the type of threat or a malware family using the Suricata rules much simplifies and speeds up the workflow of a cybersecurity professional during file analysis. Signatures from the Open Sandbox’s rulesets are available for the Community plan’s users. And at Searcher and Hunter subscriptions, you get access to more accurate and fresh Pro sets.

Suricata use case

Let’s have a look at one task that shows Suricata rules in action. 

The analyzed sample here establishes the connection. Then it triggers Suricata. The tool checks if there are any similar rules for this kind of traffic. 

For example, in this case, a user agent stands out. We can notice that Charon and Inferno are used. 

Suricata looks for a match in the rules. 

And in no time the IDS detects the LokiBot malware. 


IDS software has many benefits. Real-time detecting of threats, data monitoring within the network packets to identify hosts and devices. Suricata is one of the most popular representatives of this system, And that’s why you can successfully and fast identify malware with it in ANY.RUN. 

What do you think about this post?

2 answers

  • Awful
  • Average
  • Great

No votes so far! Be the first to rate this post.