Keypoints
- ANY.RUN integrates Suricata as a network IDS combining signature-based and anomaly-based detection with rulesets from providers like Proofpoint/Emerging Threats (ET Open).
- Suricata inspects both application-layer protocols (SMB, FTP, HTTP) and transport-layer protocols (TCP, UDP, TLS, ICMP), enabling deep packet and protocol analysis.
- Signatures in Suricata consist of Action, Header, and Rule-options; these rules trigger alerts and can be viewed in the platform's signature tab (Hunter/Enterprise).
- Suricata can extract files from network traffic for offline analysis, accelerating malware family identification during sandbox runs.
- ANY.RUN's Threats view lists Suricata detections with short messages, and threat details include source/destination IPs, ports, transport protocol, and links to external references.
- Example case: a sample triggered a Suricata rule identifying Gh0st performing encrypted C2 communication; analysts can inspect packet streams via the Stream data tab.
MITRE Techniques
- None mentioned: the article does not reference specific MITRE ATT&CK technique IDs directly.
Indicators of Compromise
- [Malware] detection context: Gh0st (example malware detected communicating with a C2 server)
- [Protocols] monitored: HTTP, TLS, SMB, FTP, UDP, TCP, ICMP (Suricata inspects and reports activity at these protocol levels)
- [Network IOCs] UI shows IPs and ports: source and destination IP addresses and ports are displayed in threat details (no concrete IPs listed in the article)
- [Rules/Signatures] detection sources: ET Open (Emerging Threats) and Proofpoint rule sets used to generate alerts
- [Extracted files] analysis artifacts: Suricata/file extraction produces files for inspection (no filenames or hashes provided)
Suricata is deployed in ANY.RUN as a network-based IDS that applies both signature and anomaly detection using external rule feeds (Proofpoint / Emerging Threats). Rules are structured with Action, Header, and Rule-options and operate across application-layer protocols (SMB, FTP, HTTP) and transport-layer protocols (TCP, UDP, TLS, ICMP); this allows Suricata to flag known patterns, policy violations, and suspicious protocol behaviors in real time.
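As an added example (not code from the blog post or from ANY.RUN), a small Python parser that splits a Suricata signature into the Action, Header and Rule-options sections described above and renders the kind of short message a Threats-view entry shows. The sample rule, its sid and its reference URL are constructed placeholders, not a real ET Open signature.

```python
import re

# Constructed sample rule for this example (sid in the local-use range, not a real ET Open signature).
SAMPLE_RULE = (
    'alert tcp $HOME_NET any -> $EXTERNAL_NET 443 '
    '(msg:"EXAMPLE constructed rule, outbound connection to port 443"; '
    'flow:established,to_server; content:"EXAMPLE"; depth:7; nocase; '
    'reference:url,example.invalid/constructed-rule; classtype:trojan-activity; sid:1000001; rev:1;)'
)

# Header = action, protocol, source, source port, direction, destination, destination port; the
# trailing parenthesised part is the rule-options section.
HEADER_RE = re.compile(
    r"^(?P<action>alert|drop|pass|reject)\s+(?P<proto>\S+)\s+(?P<src>\S+)\s+(?P<src_port>\S+)\s+"
    r"(?P<direction>->|<>)\s+(?P<dst>\S+)\s+(?P<dst_port>\S+)\s*\((?P<opts>.*)\)\s*$"
)

def split_options(body):
    """Split the options body on ';', ignoring ';' inside double quotes or escaped with a backslash."""
    parts, cur, in_quote, escaped = [], [], False, False
    for ch in body:
        if escaped:
            cur.append(ch); escaped = False
        elif ch == "\\":
            cur.append(ch); escaped = True
        elif ch == ";" and not in_quote:
            parts.append("".join(cur).strip()); cur = []
        else:
            in_quote ^= (ch == '"')
            cur.append(ch)
    parts.append("".join(cur).strip())
    return [p for p in parts if p]

def parse_rule(line):
    """Return a dict with the header fields plus 'options' (keyword -> list of values)."""
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ValueError("not a Suricata rule: %r" % line)
    rule = m.groupdict()
    options = {}
    for opt in split_options(rule.pop("opts")):
        key, sep, val = opt.partition(":")
        # Repeated keywords (e.g. several content: matches) are kept in order; bare keywords map to None.
        options.setdefault(key.strip(), []).append(val.strip().strip('"') if sep else None)
    rule["options"] = options
    return rule

def alert_summary(rule):
    # Short message in the style of a Threats-view entry: msg, sid/rev and the header tuple.
    first = lambda k, d="?": rule["options"].get(k, [d])[0]
    return (f"{first('msg', '<no msg>')} [sid:{first('sid')} rev:{first('rev')}] {rule['proto']} "
            f"{rule['src']}:{rule['src_port']} {rule['direction']} {rule['dst']}:{rule['dst_port']}")
```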
When a rule triggers, ANY.RUN surfaces the alert in the Threats view with a short message and links. Clicking a threat opens details showing the detected malware family (example: Gh0st), source/destination IPs and ports, transport protocol, and references to external resources. Analysts can switch to the Stream data tab to examine captured packets and use file extraction output to retrieve payloads for further static or dynamic analysis.
For users on Hunter and Enterprise plans, ANY.RUN exposes the Suricata rule tab so analysts can see exact signature content and correlate ET Open rules with observed network activity, improving detection validation and tuning during malware investigations.
Read more: https://any.run/cybersecurity-blog/detection-with-suricata-ids/