WS3 – Using Suricata to Track Malware
The objective of this workshop is to demonstrate how Suricata can be used to leverage network information when tracking malware.
By logging protocol transactions (network security monitoring, NSM), Suricata provides an exhaustive view of network activity that can be used when its intrusion detection engine has failed to detect the malware. But did it really fail? In many cases, generic signatures do highlight the malware's activity, but they need to be looked at and understood before the malicious activity can be recognized.
On top of that, other techniques such as learning datasets can also be used to detect malware activity.
Once the network characteristics of the malware have been established, the next step is to determine which IOCs can be used and/or to write signatures that provide detection dedicated to this malware.
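As an added example (not part of the workshop material), the pivot described above in Python: a generic alert in Suricata's eve.json is tied back to the HTTP/TLS transactions of the same flow through flow_id, the host names seen there become IOCs, other servers contacted by the same internal host are listed for review, and the confirmed IOCs are written out as a Suricata string dataset with a rule that loads it. The eve.json records are constructed and the dataset name malware_hosts is an assumption.

```python
import base64
import json
from collections import defaultdict

# Constructed eve.json records (not a real capture): one generic alert on flow 1 plus NSM events.
EVE_LINES = [
    '{"flow_id":1,"event_type":"alert","src_ip":"10.0.0.5","dest_ip":"203.0.113.10","alert":{"signature":"GENERIC EXE download over HTTP","severity":2}}',
    '{"flow_id":1,"event_type":"http","src_ip":"10.0.0.5","dest_ip":"203.0.113.10","http":{"hostname":"cdn.example.test","url":"/update.exe"}}',
    '{"flow_id":2,"event_type":"tls","src_ip":"10.0.0.5","dest_ip":"203.0.113.20","tls":{"sni":"c2.example.test"}}',
    '{"flow_id":3,"event_type":"http","src_ip":"10.0.0.7","dest_ip":"198.51.100.1","http":{"hostname":"www.example.test","url":"/index.html"}}',
]

def load_events(lines):
    return [json.loads(line) for line in lines]

def server_name(ev):
    """Host name Suricata recorded for an HTTP or TLS transaction, else None."""
    if ev["event_type"] == "http":
        return ev["http"].get("hostname")
    return ev["tls"].get("sni") if ev["event_type"] == "tls" else None

def pivot_alerts(events):
    """Map each alerted flow_id to every record Suricata logged for that flow."""
    by_flow = defaultdict(list)
    for ev in events:
        by_flow[ev["flow_id"]].append(ev)
    return {fid: evs for fid, evs in by_flow.items()
            if any(e["event_type"] == "alert" for e in evs)}

def alerted_flow_iocs(events):
    """Host names seen in the very flows the generic signatures fired on."""
    flows = pivot_alerts(events)
    return sorted({server_name(e) for evs in flows.values() for e in evs if server_name(e)})

def same_host_destinations(events):
    """Other servers contacted by internal hosts that raised alerts:
    candidate IOCs an analyst still has to review, not confirmed ones."""
    infected = {e["src_ip"] for e in events if e["event_type"] == "alert"}
    confirmed = set(alerted_flow_iocs(events))
    return sorted({server_name(e) for e in events
                   if e["src_ip"] in infected and server_name(e)} - confirmed)

def dataset_file(hosts):
    """Suricata 'type string' datasets hold one base64-encoded value per line."""
    return "".join(base64.b64encode(h.encode()).decode() + "\n" for h in hosts)

def dataset_rule(sid, name="malware_hosts"):
    """Rule matching any HTTP Host header present in the dataset file (name is assumed)."""
    return (f'alert http any any -> any any (msg:"Host from {name} dataset"; '
            f'http.host; dataset:isset,{name},type string,load {name}.lst; '
            f'sid:{sid}; rev:1;)')
```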