<div dir="ltr">Agree w/ Brad. <div><br></div><div>We try to write (and recommend writing) signatures that can detect various aspects of threats. In the example eternalblue signature that was shared, while that has been used recently by ransomware, it is also used by other threats which are not ransomware such as Adylkuzz.</div></div><div class="gmail_extra"><br><div class="gmail_quote">On Fri, Jun 30, 2017 at 11:34 AM, Brad Woodberg <span dir="ltr"><<a href="mailto:bwoodberg@proofpoint.com" target="_blank">bwoodberg@proofpoint.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div style="word-wrap:break-word;color:rgb(0,0,0);font-size:14px;font-family:Calibri,sans-serif">
<div>
<div>Hi Alexis,</div>
<div><br>
</div>
<div>It is true that changes to the malware *<span style="font-weight:bold">may</span>* impact detection depending on the signature/change, but that’s why we monitor malware continuously and will release new signatures if/when this happens. We also try to
fingerprint many aspects of the malware/network activity. Often you will see many different signatures trigger on a piece of malware so even with some changes you will often still trigger alerts; some malware specific and some more generic detection.</div><span class="">
<div><br>
</div>
<div>Best Regards, </div>
<div>
<div id="m_-8161165776409853227">
<div class="m_-8161165776409853227WordSection1">
<p class="MsoNormal" style="text-autospace:none"><b><span style="font-family:Arial;color:#1d0e00">Brad Woodberg
</span></b><span style="font-family:Arial;color:#1d0e00">l<b> </b>Group Product Manager, ETPro, Security Tools</span><span style="font-size:16.0pt"><u></u><u></u></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-family:Arial">Proofpoint, Inc.</span><span style="font-family:'\00ff2d\00ff33 \00660e\00671d','MS Mincho'">
</span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-family:Arial">E:
<a href="mailto:bwoodberg@proofpoint.com" target="_blank">bwoodberg@proofpoint.com</a><u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-family:Arial;color:#0f6b96">threat protection l compliance l archiving & governance l secure communication</span><u></u><u></u></p>
</div>
</div>
</div>
</span></div>
<div><br>
</div>
<span id="m_-8161165776409853227OLK_SRC_BODY_SECTION">
<div style="font-family:Calibri;font-size:12pt;text-align:left;color:black;BORDER-BOTTOM:medium none;BORDER-LEFT:medium none;PADDING-BOTTOM:0in;PADDING-LEFT:0in;PADDING-RIGHT:0in;BORDER-TOP:#b5c4df 1pt solid;BORDER-RIGHT:medium none;PADDING-TOP:3pt"><span class="">
<span style="font-weight:bold">From: </span>Oisf-users <<a href="mailto:oisf-users-bounces@lists.openinfosecfoundation.org" target="_blank">oisf-users-bounces@lists.openinfosecfoundation.org</a>> on behalf of Alexis Fredes Hadad <<a href="mailto:amfh2408@gmail.com" target="_blank">amfh2408@gmail.com</a>><br>
</span><span style="font-weight:bold">Date: </span>Friday, June 30, 2017 at 11:48 AM<br>
<span style="font-weight:bold">To: </span>"oisf <a href="http://countersnipe.com" target="_blank">countersnipe.com</a>" <<a href="mailto:oisf@countersnipe.com" target="_blank">oisf@countersnipe.com</a>><br>
<span style="font-weight:bold">Cc: </span>"<a href="mailto:oisf-users@lists.openinfosecfoundation.org" target="_blank">oisf-users@lists.openinfosecfoundation.org</a>" <<a href="mailto:oisf-users@lists.openinfosecfoundation.org" target="_blank">oisf-users@lists.openinfosecfoundation.org</a>><br>
<span style="font-weight:bold">Subject: </span>Re: [Oisf-users] Ransomware detection<br>
</div><div><div class="h5">
<div><br>
</div>
<span>
<div>
<div>
<div dir="ltr">
<div>
<div>
<div>
<div>Hello Amar! <br>
<br>
</div>
Thanks for your help! I am new at the rules field. I saw that the rule looks for binary content. I think that this solution is a temporary one because if the ransomware changes, the content changes too, so in that case the IDS will not be able to detect the new
variant. Am I right?<br>
</div>
Besides, I think that using pcre would be a better solution, but for that you need the payload of the ransomware. Please tell me if I am wrong. As I said before, I am new to these concepts. At present I am trying to create a rule for Petrwrap and I only have
the hex content.<br>
<br>
</div>
Thanks,<br>
</div>
Alexis<br>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">2017-06-30 9:03 GMT-03:00 oisf <a href="http://countersnipe.com" target="_blank">countersnipe.com</a> <span dir="ltr"><<a href="mailto:oisf@countersnipe.com" target="_blank">oisf@countersnipe.com</a>></span>:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div>
<p>Hi Alexis<br>
</p>
<p>Suricata is in fact a very appropriate tool for ransomware, and a very effective one too.<br>
</p>
<p>The rule category you need to look in is trojan-activity and there are thousands of rules in there. Please find below details of one such rule to do with the recent wannacry stuff. I have cut and pasted from a rule manager in order to show you all of the
options more clearly.</p>
<p>Hope it helps.<br>
</p>
<p>regards<br>
</p>
<p>Amar.<br>
</p>
<table style="line-height:1em;margin:0.5em auto" class="m_-8161165776409853227m_5902090765713308647mce-item-table" cellspacing="0" cellpadding="0" border="0">
<tbody>
<tr>
<td style="text-align:left;border-bottom:1px solid #555555;padding:0.4em 1em;border-top:1px solid #555555" width="10" valign="top">
</td>
<td style="text-align:left;border-bottom:1px solid #555555;padding:0.4em 1em;border-top:1px solid #555555" valign="top">
<p>Suricata Rule:</p>
<pre>ACTION smb any any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible ETERNALBLUE Exploit M3 MS17-010"; sid:2024430; rev:2; classtype:trojan-activity; flow:to_server,established; content:"|ff|SMB|32 00 00 00 00 18 07 c0|"; offset:4; depth:12; content:"|00 00 00 00 00 00 00 00 00 00 00 08 ff fe 00 08|"; distance:2; within:16; fast_pattern; content:"|0f 0c 00 00 10 01 00 00 00 00 00 00 00 f2 00 00 00 00 00 0c 00 42 00 00 10 4e 00 01 00 0e 00 0d 10 00|"; distance:2; within:34; isdataat:1000,relative; threshold: type both, track by_src, count 10, seconds 1; )</pre>
Name: ET CURRENT_EVENTS Possible ETERNALBLUE Exploit M3 MS17-010 <br>
Sid: 2024430 <br>
Revision: 2 <br>
Classification: trojan-activity (High)<br>
Group: trojan-activity<br>
Protocol: smb <br>
Source: any <br>
Source Port: any <br>
Direction: -> <br>
Destination: $HOME_NET <br>
Destination Port: any</td>
</tr>
</tbody>
</table>
<blockquote type="cite">
<div>
<div class="m_-8161165776409853227h5">On June 29, 2017 at 8:42 PM Alexis Fredes Hadad <<a href="mailto:amfh2408@gmail.com" target="_blank">amfh2408@gmail.com</a>> wrote:<br>
<br>
<div dir="ltr">
<div>
<div>
<div>Hello everyone!<br>
</div>
I want to know if there is any rule for ransomware detection in Suricata. I know that Suricata is not the most appropriate tool for that kind of malware, but I was investigating how to do a rule with pcre. Does anyone know if a rule exists for that? Or a rule set
which contains that? At present I am using the free version of Emerging Threats and it has a file of rules for malware, but I couldn't find anything related to ransomware.<br>
<br>
</div>
Thanks,<br>
</div>
Alexis</div>
</div>
</div>
<span>_______________________________________________<br>
Suricata IDS Users mailing list: <a href="mailto:oisf-users@openinfosecfoundation.org" target="_blank">oisf-users@openinfosecfoundation.org</a><br>
Site: <a href="http://suricata-ids.org" target="_blank">http://suricata-ids.org</a> | Support: <a href="http://suricata-ids.org/support/" target="_blank">http://suricata-ids.org/support/</a><br>
List: <a href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" target="_blank">https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a><br>
</span></blockquote>
</div>
</blockquote>
</div>
<br>
</div>
</div>
</div>
</span></div></div></span>
</div>
<br></blockquote></div><br></div>
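<p>To make the content chain in Amar's rule concrete, here is an added example that is not from this thread, from Emerging Threats, Proofpoint or Suricata itself: a small Python evaluator for the options that rule actually uses (content with offset/depth, distance/within, isdataat with relative), run over a constructed SMB request. The sample packet, the names <code>evaluate</code>, <code>build_chain</code>, <code>matches</code> and <code>sample_smb</code>, and the simplified semantics (one reassembled buffer, depth counted from offset, no flow, fast_pattern or threshold handling) are assumptions of the example, not Suricata's engine.</p>

```python
"""Toy evaluator for the content chain in the ETERNALBLUE rule quoted in
this thread.  Constructed illustration only: it is NOT Suricata's engine and
models nothing beyond content/offset/depth/distance/within/isdataat on one
reassembled buffer (no SMB parser, no flow state, no threshold)."""
import re

# Rule text as pasted from the rule manager above (ACTION placeholder kept;
# only the options between the parentheses are parsed here).
RULE = (
    'ACTION smb any any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible '
    'ETERNALBLUE Exploit M3 MS17-010"; sid:2024430; rev:2; '
    'classtype:trojan-activity; flow:to_server,established; '
    'content:"|ff|SMB|32 00 00 00 00 18 07 c0|"; offset:4; depth:12; '
    'content:"|00 00 00 00 00 00 00 00 00 00 00 08 ff fe 00 08|"; '
    'distance:2; within:16; fast_pattern; '
    'content:"|0f 0c 00 00 10 01 00 00 00 00 00 00 00 f2 00 00 00 00 00 0c '
    '00 42 00 00 10 4e 00 01 00 0e 00 0d 10 00|"; distance:2; within:34; '
    'isdataat:1000,relative; '
    'threshold: type both, track by_src, count 10, seconds 1; )'
)

_HEX = re.compile(r"\|([0-9a-fA-F ]+)\|")


def content_bytes(text):
    """Turn a Suricata content string such as '|ff|SMB|32 00|' into bytes."""
    out, pos = bytearray(), 0
    for m in _HEX.finditer(text):
        out += text[pos:m.start()].encode("latin-1")
        out += bytes.fromhex(m.group(1))
        pos = m.end()
    out += text[pos:].encode("latin-1")
    return bytes(out)


def split_options(rule):
    """Return (keyword, value) pairs from the option list; ';' inside quotes is kept."""
    body = rule[rule.index("(") + 1:rule.rindex(")")]
    pairs, cur, quoted = [], "", False
    for ch in body + ";":
        if ch == '"':
            quoted = not quoted
        if ch == ";" and not quoted:
            key, _, val = cur.strip().partition(":")
            if key:
                pairs.append((key.strip(), val.strip().strip('"')))
            cur = ""
        else:
            cur += ch
    return pairs


def build_chain(rule):
    """Group each content with the modifiers that follow it, in rule order."""
    chain = []
    for key, val in split_options(rule):
        if key == "content":
            chain.append({"content": content_bytes(val)})
        elif key in ("offset", "depth", "distance", "within"):
            chain[-1][key] = int(val)
        elif key == "isdataat":
            count, _, flag = val.partition(",")
            chain[-1]["isdataat"] = (int(count), flag.strip() == "relative")
        # msg/sid/flow/classtype/fast_pattern/threshold do not change which
        # bytes must be present, so this toy matcher ignores them.
    return chain


def matches(payload, chain):
    """True when every content is found where its modifiers allow.

    offset/depth bound an absolute search (depth is read as counting from
    offset: the only reading under which a 12-byte content with offset:4
    depth:12 can ever hit); distance/within are measured from the end of the
    previous match, so the rule walks SMB header -> skip PID high ->
    signature..UID -> skip MID -> Trans2 parameters, then isdataat demands
    1000 more bytes after the last match.
    """
    cursor = 0  # byte just after the previous match
    for step in chain:
        pat = step["content"]
        if "distance" in step or "within" in step:
            start = cursor + step.get("distance", 0)
            end = start + step["within"] if "within" in step else len(payload)
        else:
            start = step.get("offset", 0)
            end = start + step["depth"] if "depth" in step else len(payload)
        idx = payload.find(pat, start, end)  # whole pattern must lie in [start, end)
        if idx < 0:
            return False
        cursor = idx + len(pat)
        if "isdataat" in step:
            need, relative = step["isdataat"]
            if (cursor if relative else 0) + need > len(payload):
                return False
    return True


def evaluate(payload, rule=RULE):
    return matches(payload, build_chain(rule))


# --- constructed sample traffic (not a capture) ----------------------------
TRANS2_PARAMS = bytes.fromhex(
    "0f 0c 00 00 10 01 00 00 00 00 00 00 00 f2 00 00 00 00 00 0c 00 42 00 00 "
    "10 4e 00 01 00 0e 00 0d 10 00"
)


def sample_smb(flags2=b"\x07\xc0", trailer=1100):
    """An SMB_COM_TRANSACTION2 (0x32) request laid out the way the rule expects."""
    smb_header = (
        b"\xffSMB" + b"\x32"      # protocol id, command
        + b"\x00" * 4 + b"\x18"  # NT status, flags
        + flags2                 # flags2 (07 c0 in the rule)
        + b"\x00\x00"            # PID high   -> skipped by distance:2
        + b"\x00" * 8            # security signature
        + b"\x00\x00"            # reserved
        + b"\x00\x08"            # TID
        + b"\xff\xfe"            # PID
        + b"\x00\x08"            # UID
        + b"\x00\x00"            # MID        -> skipped by distance:2
    )
    smb = smb_header + TRANS2_PARAMS + b"\x00" * trailer
    netbios = b"\x00" + len(smb).to_bytes(3, "big")  # session header, hence offset:4
    return netbios + smb


if __name__ == "__main__":
    print("exploit-shaped request  :", evaluate(sample_smb()))
    print("short payload (isdataat):", evaluate(sample_smb(trailer=500)))
    print("flags2 changed          :", evaluate(sample_smb(flags2=b"\x07\x40")))
```

<p>Running it shows the point Alexis raised and Brad answered: the three contents pin one specific SMB header and Trans2 parameter layout, so a request that is a single flags2 byte off, or that does not carry the 1000 bytes the isdataat check demands, is not seen by this rule at all. That is why a ruleset layers several signatures per threat (protocol-level exploit patterns like this one next to malware-specific ones) rather than relying on one byte string, and switching to pcre does not change that: a regex still has to anchor on bytes you know are in the payload.</p>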