Introduction

After reading https://www.bleepingcomputer.com/news/security/pytorch-discloses-malicious-dependency-chain-compromise-over-holidays/ and wanting a way for people to quickly check whether a host on their network is compromised, I wrote some Suricata rules to detect it.

Suricata Rules

Here are a few rules covering the network indicators in that report: the h4ck.cfd exfiltration domain and the wheezy.io DNS server. I will be submitting these to ET Labs in the hope of getting them added to the ET Open ruleset.

alert dns any any -> any any (msg:"Pytorch-nightly dependency chain malicious DNS query to h4ck.cfd"; dns.query; dotprefix; content:".h4ck.cfd"; nocase; endswith; classtype:trojan-activity; sid:1000000; rev:2;)

This rule matches any cleartext DNS query (UDP or TCP port 53) whose name is h4ck.cfd or a subdomain of it, which is what the exfiltration queries to *.h4ck.cfd look like. The dns.query sticky buffer holds the queried name; dotprefix and endswith anchor the match so that a lookup for, say, xh4ck.cfd does not fire, and nocase covers mixed-case names. The earlier form of this rule (dns.qry.name contains ..., dns.qry.using_tls) is not Suricata keyword syntax and will not load. One caveat: a Suricata dns rule can only inspect cleartext DNS. If the queries travel over DNS over TLS or DNS over HTTPS, the name is inside the TLS session and this rule cannot see it.

alert dns any any -> any any (msg:"Pytorch-nightly dependency chain malicious DNS query for wheezy.io name server"; dns.query; dotprefix; content:".wheezy.io"; nocase; endswith; classtype:trojan-activity; sid:1000001; rev:2;)

The report names wheezy.io as the DNS server the exfiltration is sent to. Suricata has no keyword that matches the server a query is sent to by hostname, so this rule instead fires on any host looking up wheezy.io (or a name under it), which a client has to do before it can talk to that server directly unless the address is hardcoded. To alert on traffic to the server itself, resolve wheezy.io and put the resulting address(es) in an address variable in suricata.yaml, then use that variable as the destination in place of the second "any".

alert tls any any -> any any (msg:"Pytorch-nightly dependency chain TLS connection to wheezy.io (possible DNS over TLS/HTTPS)"; tls.sni; dotprefix; content:".wheezy.io"; nocase; endswith; classtype:trojan-activity; sid:1000002; rev:2;)

The earlier version of this third rule reused sid:1000001 (every rule needs a unique sid) and tried to match the query name inside DNS over HTTPS, which a Suricata dns rule cannot do: with DoT or DoH the whole DNS message, name included, is inside the TLS session, so the dns.query buffer is never populated. What stays visible is the TLS handshake. If the client talks DoT or DoH directly to wheezy.io and sends that name as the Server Name Indication, this rule catches the connection through the tls.sni buffer. If the queries go to a general-purpose encrypted resolver instead, nothing in the traffic identifies h4ck.cfd, and you are left with host-based checks or the resolver's own logs.
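To check the rule logic without a sensor, here is an added Python example (not part of the original post) that applies the same matching to Suricata eve.json DNS records: the "domain or subdomain of" test that dotprefix plus endswith gives you, next to a plain substring match, run over a handful of constructed log lines. The eve records, IP addresses and query names are made up for the example; the sids are the ones used on this page.

```python
import json

# The rules on this page match with `dns.query; dotprefix; content:".<domain>";
# nocase; endswith;`. This helper is the same test in Python: fold case, put a
# leading dot in front of the name, and require the domain as a dot-delimited
# suffix. A query for the apex domain itself matches too.
def is_domain_or_subdomain(name: str, domain: str) -> bool:
    prefixed = "." + name.rstrip(".").lower()
    return prefixed.endswith("." + domain.lower().strip("."))

# A plain substring match, kept to show what dotprefix + endswith rules out.
def naive_contains(name: str, domain: str) -> bool:
    return domain.lower() in name.lower()

# sid -> domain the two cleartext-DNS rules look for
RULES = {
    1000000: "h4ck.cfd",
    1000001: "wheezy.io",
}

# Constructed eve.json records for illustration, in the 'dns' event_type shape
# Suricata writes. None of these come from a real capture.
SAMPLE_EVE = [
    '{"timestamp":"2023-01-01T00:00:00.000000+0000","event_type":"dns","src_ip":"10.0.0.5","dest_ip":"10.0.0.2","proto":"UDP","dns":{"type":"query","id":1,"rrname":"aGVsbG8.h4ck.cfd","rrtype":"A","tx_id":0}}',
    '{"timestamp":"2023-01-01T00:00:00.000100+0000","event_type":"dns","src_ip":"10.0.0.2","dest_ip":"10.0.0.5","proto":"UDP","dns":{"type":"answer","id":1,"rrname":"aGVsbG8.h4ck.cfd","rcode":"NXDOMAIN","tx_id":0}}',
    '{"timestamp":"2023-01-01T00:00:01.000000+0000","event_type":"dns","src_ip":"10.0.0.5","dest_ip":"10.0.0.2","proto":"UDP","dns":{"type":"query","id":2,"rrname":"wheezy.io","rrtype":"A","tx_id":1}}',
    '{"timestamp":"2023-01-01T00:00:02.000000+0000","event_type":"dns","src_ip":"10.0.0.7","dest_ip":"10.0.0.2","proto":"UDP","dns":{"type":"query","id":3,"rrname":"xh4ck.cfd","rrtype":"A","tx_id":2}}',
    '{"timestamp":"2023-01-01T00:00:03.000000+0000","event_type":"dns","src_ip":"10.0.0.7","dest_ip":"10.0.0.2","proto":"UDP","dns":{"type":"query","id":4,"rrname":"pypi.org","rrtype":"A","tx_id":3}}',
    '{"timestamp":"2023-01-01T00:00:04.000000+0000","event_type":"flow","src_ip":"10.0.0.7","dest_ip":"10.0.0.2","proto":"UDP"}',
]

def match_eve(lines):
    """Return (sid, src_ip, rrname) for every query record a rule would fire on.

    Only 'query' records are inspected, mirroring dns.query matching on the
    request side, so the answer for the same transaction is not counted twice.
    """
    hits = []
    for line in lines:
        event = json.loads(line)
        if event.get("event_type") != "dns":
            continue
        dns = event.get("dns", {})
        if dns.get("type") != "query":
            continue
        rrname = dns.get("rrname", "")
        for sid, domain in RULES.items():
            if is_domain_or_subdomain(rrname, domain):
                hits.append((sid, event["src_ip"], rrname))
    return hits

if __name__ == "__main__":
    for sid, src, name in match_eve(SAMPLE_EVE):
        print(f"sid {sid}: {src} queried {name}")
    # xh4ck.cfd is the case the anchored match ignores and the substring match hits
    print("naive match on xh4ck.cfd:", naive_contains("xh4ck.cfd", "h4ck.cfd"))
```

Run it as a script to print the two hits (the aGVsbG8.h4ck.cfd query and the wheezy.io lookup) and see that xh4ck.cfd only trips the substring match. To exercise the real rules, save them to a file and confirm they load with suricata -T -S rules.rules, then replay a capture with suricata -r capture.pcap -S rules.rules and look for the sids in the resulting eve.json.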