<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; color: rgb(0, 0, 0); font-size: 14px; font-family: Calibri, sans-serif;">
<div>
<div>Hi Alexis,</div>
<div><br>
</div>
<div>It is true that changes to the malware *<span style="font-weight: bold;">may</span>* impact detection depending on the signature/change, but that’s why we monitor malware continuously and will release new signatures if/when this happens. We also try to
fingerprint many aspects of the malware/network activity. Often you will see many different signatures trigger on a piece of malware, so even with some changes you will often still trigger alerts; some malware-specific and some more generic detection.</div>
<div><br>
</div>
<div>Best Regards, </div>
<div>
<div id="">
<div class="WordSection1">
<p class="MsoNormal" style="text-autospace:none"><b><span style="font-family:Arial;color:#1D0E00">Brad Woodberg
</span></b><span style="font-family:Arial;color:#1D0E00">l<b> </b>Group Product Manager, ETPro, Security Tools</span><span style="font-size:16.0pt"><o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-family:Arial">Proofpoint, Inc.</span><span style="font-family: 'MS 明朝', 'MS Mincho';">
</span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-family:Arial">E:
<a href="mailto:bwoodberg@proofpoint.com">bwoodberg@proofpoint.com</a><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-family:Arial;color:#0F6B96">threat protection l compliance l archiving & governance l secure communication</span><o:p></o:p></p>
</div>
</div>
</div>
</div>
<div><br>
</div>
<span id="OLK_SRC_BODY_SECTION">
<div style="font-family:Calibri; font-size:12pt; text-align:left; color:black; BORDER-BOTTOM: medium none; BORDER-LEFT: medium none; PADDING-BOTTOM: 0in; PADDING-LEFT: 0in; PADDING-RIGHT: 0in; BORDER-TOP: #b5c4df 1pt solid; BORDER-RIGHT: medium none; PADDING-TOP: 3pt">
<span style="font-weight:bold">From: </span>Oisf-users <<a href="mailto:oisf-users-bounces@lists.openinfosecfoundation.org">oisf-users-bounces@lists.openinfosecfoundation.org</a>> on behalf of Alexis Fredes Hadad <<a href="mailto:amfh2408@gmail.com">amfh2408@gmail.com</a>><br>
<span style="font-weight:bold">Date: </span>Friday, June 30, 2017 at 11:48 AM<br>
<span style="font-weight:bold">To: </span>"oisf countersnipe.com" <<a href="mailto:oisf@countersnipe.com">oisf@countersnipe.com</a>><br>
<span style="font-weight:bold">Cc: </span>"<a href="mailto:oisf-users@lists.openinfosecfoundation.org">oisf-users@lists.openinfosecfoundation.org</a>" <<a href="mailto:oisf-users@lists.openinfosecfoundation.org">oisf-users@lists.openinfosecfoundation.org</a>><br>
<span style="font-weight:bold">Subject: </span>Re: [Oisf-users] Ransomware detection<br>
</div>
<div><br>
</div>
<span style="mso-bookmark:_MailOriginalBody">
<div>
<div>
<div dir="ltr">
<div>
<div>
<div>
<div>Hello Amar! <br>
<br>
</div>
Thanks for your help! I am new to the rules field. I saw that the rule looks for binary content. I think that this solution is a temporary one because if the ransomware changes, the content changes too, so in that case the IDS will not be able to detect the new
variant. Am I right?<br>
</div>
Besides, I think that using pcre would be a better solution, but for that you need the payload of the ransomware. Please tell me if I am wrong. As I said before, I am new to these concepts. At present I am trying to create a rule for Petrwrap and I only have
the hex content.<br>
<br>
</div>
Thanks,<br>
</div>
Alexis<br>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">2017-06-30 9:03 GMT-03:00 oisf <a href="https://urldefense.proofpoint.com/v2/url?u=http-3A__countersnipe.com&d=DwMFaQ&c=Vxt5e0Osvvt2gflwSlsJ5DmPGcPvTRKLJyp031rXjhg&r=rOVyB9ixExmyqAgEyDnrUtIQ2jlUiP4p_9Yb9cbBi4A&m=2kX3ARm7HHksL0bPeFc9sK94sufrhBbo_bciY3xD6lg&s=uNZ4HQOpFF7XsRFK5fNM7Nap5x5IQqbaErLQWUbR87w&e=">
countersnipe.com</a> <span dir="ltr"><<a href="mailto:oisf@countersnipe.com" target="_blank">oisf@countersnipe.com</a>></span>:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<u></u>
<div>
<p>Hi Alexis<br>
</p>
<p>Suricata is in fact a very appropriate tool for ransomware, and a very effective one too.<br>
</p>
<p>The rule category you need to look in is trojan-activity, and there are thousands of rules in there. Please find below details of one such rule to do with the recent wannacry stuff. I have cut and pasted from a rule manager in order to show you all of the
options more clearly.</p>
<p>Hope it helps.<br>
</p>
<p>regards<br>
</p>
<p>Amar.<br>
</p>
<table style="line-height:1em;margin:0.5em auto" class="m_5902090765713308647mce-item-table" cellspacing="0" cellpadding="0" border="0">
<tbody>
<tr>
<td style="text-align:left;border-bottom:1px solid #555555;padding:0.4em 1em;border-top:1px solid #555555" width="10" valign="top">
</td>
<td style="text-align:left;border-bottom:1px solid #555555;padding:0.4em 1em;border-top:1px solid #555555" valign="top">
<p>Suricata Rule: ACTION smb any any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible ETERNALBLUE Exploit M3 MS17-010"; sid:2024430; rev:2; classtype:trojan-activity; flow:to_server,established; content:"|ff|SMB|32 00 00 00 00 18 07 c0|"; offset:4; depth:12;
content:"|00 00 00 00 00 00 00 00 00 00 00 08 ff fe 00 08|"; distance:2; within:16; fast_pattern; content:"|0f 0c 00 00 10 01 00 00 00 00 00 00 00 f2 00 00 00 00 00 0c 00 42 00 00 10 4e 00 01 00 0e 00 0d 10 00|"; distance:2; within:34; isdataat:1000,relative;
threshold: type both, track by_src, count 10, seconds 1; )</p>
Name: ET CURRENT_EVENTS Possible ETERNALBLUE Exploit M3 MS17-010 <br>
Sid: 2024430 <br>
Revision: 2 <br>
Classification: trojan-activity (High)<br>
Group: <a href="https://urldefense.proofpoint.com/v2/url?u=https-3A__demo1.countersnipe.com-3A8443_signature_signature-3Faction-3DList-26signatureGroupID-3D52&d=DwMFaQ&c=Vxt5e0Osvvt2gflwSlsJ5DmPGcPvTRKLJyp031rXjhg&r=rOVyB9ixExmyqAgEyDnrUtIQ2jlUiP4p_9Yb9cbBi4A&m=2kX3ARm7HHksL0bPeFc9sK94sufrhBbo_bciY3xD6lg&s=F6k8ULKgPx6CrHb7vwoaRQoQcE0Eu2_qCmHJB1ym-zY&e=" target="_blank">
trojan-activity</a><br>
Protocol: smb <br>
Source: any <br>
Source Port: any <br>
Direction: -> <br>
Destination: $HOME_NET <br>
Destination Port: any</td>
</tr>
</tbody>
</table>
<blockquote type="cite">
<div>
<div class="h5">On June 29, 2017 at 8:42 PM Alexis Fredes Hadad <<a href="mailto:amfh2408@gmail.com" target="_blank">amfh2408@gmail.com</a>> wrote:<br>
<br>
<div dir="ltr">
<div>
<div>
<div>Hello everyone!<br>
</div>
I want to know if there is any rule for ransomware detection in Suricata. I know that Suricata is not the most appropriate tool for that kind of malware, but I was investigating how to do a rule with pcre. Does anyone know if a rule exists for that? Or a rule set
which contains one? At present I am using the free version of Emerging Threats and it has a file of rules for malware, but I couldn't find anything related to ransomware.<br>
<br>
</div>
Thanks,<br>
</div>
Alexis</div>
</div>
</div>
<span class="">______________________________<wbr>_________________<br>
Suricata IDS Users mailing list: <a href="mailto:oisf-users@openinfosecfoundation.org" target="_blank">
oisf-users@<wbr>openinfosecfoundation.org</a><br>
Site: <a href="https://urldefense.proofpoint.com/v2/url?u=http-3A__suricata-2Dids.org&d=DwMFaQ&c=Vxt5e0Osvvt2gflwSlsJ5DmPGcPvTRKLJyp031rXjhg&r=rOVyB9ixExmyqAgEyDnrUtIQ2jlUiP4p_9Yb9cbBi4A&m=2kX3ARm7HHksL0bPeFc9sK94sufrhBbo_bciY3xD6lg&s=vcnqJ4la2s1BCK7_s3tEJCRZxjhKb2x-1vLpjHkiOq0&e=" target="_blank">
http://suricata-ids.org</a> | Support: <a href="https://urldefense.proofpoint.com/v2/url?u=http-3A__suricata-2Dids.org_support_&d=DwMFaQ&c=Vxt5e0Osvvt2gflwSlsJ5DmPGcPvTRKLJyp031rXjhg&r=rOVyB9ixExmyqAgEyDnrUtIQ2jlUiP4p_9Yb9cbBi4A&m=2kX3ARm7HHksL0bPeFc9sK94sufrhBbo_bciY3xD6lg&s=h7s-3xeBql_0l45G21tFV9L9D855ELVtbehi4XuHU9M&e=" target="_blank">
http://suricata-ids.org/<wbr>support/</a><br>
List: <a href="https://urldefense.proofpoint.com/v2/url?u=https-3A__lists.openinfosecfoundation.org_mailman_listinfo_oisf-2Dusers&d=DwMFaQ&c=Vxt5e0Osvvt2gflwSlsJ5DmPGcPvTRKLJyp031rXjhg&r=rOVyB9ixExmyqAgEyDnrUtIQ2jlUiP4p_9Yb9cbBi4A&m=2kX3ARm7HHksL0bPeFc9sK94sufrhBbo_bciY3xD6lg&s=J_avJXDTByqpIAYjnYQlHISuy6LV59Kk7Xpe4RPpNRU&e=" target="_blank">
https://lists.<wbr>openinfosecfoundation.org/<wbr>mailman/listinfo/oisf-users</a><br>
</span></blockquote>
</div>
</blockquote>
</div>
<br>
</div>
</div>
</div>
</span></span>
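<div><br>
</div>
<div>Added example, not code from any message in this thread and not Suricata's own implementation: a small Python matcher that applies content with offset/depth and distance/within/isdataat the way the posted sid:2024430 rule chains its three content matches, then runs that rule and a constructed generic SMB-header check (assumed here for contrast, it is not an ET rule) against a synthetic buffer and a one-byte variant of it. It puts Alexis's concern and Brad's answer side by side: an exact byte signature stops matching once the bytes change, while a broader signature on the same traffic still fires. The buffer is built only from the rule's own bytes plus zero filler and is not a real SMB message; depth and within are counted from the adjusted start (the Snort-compatible reading the posted rule relies on, since each content is exactly as long as its depth/within), and flow and threshold are not modeled.</div>
<div><br>
</div>

```python
"""Simplified Suricata-style payload matching, written as an illustration for
this thread. It is not Suricata code and ignores flow and threshold handling."""
from dataclasses import dataclass
from typing import List, Optional


def parse_content(spec: str) -> bytes:
    """Turn a Suricata content string into bytes: text between pipes is hex,
    text outside pipes is literal, so "|ff|SMB" becomes b"\\xffSMB"."""
    out = bytearray()
    for i, part in enumerate(spec.split("|")):
        out += bytes.fromhex(part) if i % 2 else part.encode("latin-1")
    return bytes(out)


@dataclass
class Content:
    pattern: bytes
    offset: Optional[int] = None    # absolute: search starts at this byte
    depth: Optional[int] = None     # absolute: window length counted from offset
    distance: Optional[int] = None  # relative: bytes skipped after the previous match
    within: Optional[int] = None    # relative: window length after distance
    isdataat: Optional[int] = None  # relative: at least this many bytes must follow


def match_rule(payload: bytes, contents: List[Content]) -> bool:
    """Apply the content matches in order; each relative match is constrained
    by where the previous one ended, as the chained keywords in the rule are."""
    prev_end = 0
    for c in contents:
        if c.distance is not None or c.within is not None:
            start = prev_end + (c.distance or 0)
            end = start + c.within if c.within is not None else len(payload)
        else:
            start = c.offset or 0
            end = start + c.depth if c.depth is not None else len(payload)
        # find() only reports a hit if the whole pattern lies inside [start, end)
        idx = payload.find(c.pattern, start, min(end, len(payload)))
        if idx == -1:
            return False
        prev_end = idx + len(c.pattern)
        if c.isdataat is not None and c.isdataat > len(payload) - prev_end:
            return False
    return True


# The three content matches transcribed from ET sid:2024430 as posted above.
ETERNALBLUE_M3 = [
    Content(parse_content("|ff|SMB|32 00 00 00 00 18 07 c0|"), offset=4, depth=12),
    Content(parse_content("|00 00 00 00 00 00 00 00 00 00 00 08 ff fe 00 08|"),
            distance=2, within=16),
    Content(parse_content("|0f 0c 00 00 10 01 00 00 00 00 00 00 00 f2 00 00 00 00 "
                          "00 0c 00 42 00 00 10 4e 00 01 00 0e 00 0d 10 00|"),
            distance=2, within=34, isdataat=1000),
]

# Stand-in for the "more generic" detection Brad mentions (assumed here, not an
# ET rule): it only checks for an SMB header after the 4-byte NetBIOS header.
GENERIC_SMB_HEADER = [Content(parse_content("|ff|SMB"), offset=4, depth=4)]


def build_sample(variant: bool = False, trailing: int = 1000) -> bytes:
    """Constructed test buffer: the signature's bytes with zero filler in the
    gaps the rule skips. Not a real SMB message, just enough to exercise the
    matcher. `variant` flips one byte of the long third content, standing in
    for a rebuilt sample whose bytes differ from the signature."""
    c3 = bytearray(ETERNALBLUE_M3[2].pattern)
    if variant:
        c3[21] ^= 0xFF
    return (b"\x00" * 4                                 # NetBIOS session header placeholder
            + ETERNALBLUE_M3[0].pattern
            + b"\x00" * 2 + ETERNALBLUE_M3[1].pattern  # distance:2 gap, then content 2
            + b"\x00" * 2 + bytes(c3)                   # distance:2 gap, then content 3
            + b"\x00" * trailing)                       # data required by isdataat:1000


def evaluate() -> dict:
    """Which signature fires on the original bytes and on the one-byte variant."""
    original, changed = build_sample(), build_sample(variant=True)
    return {
        "specific_on_original": match_rule(original, ETERNALBLUE_M3),
        "specific_on_variant": match_rule(changed, ETERNALBLUE_M3),
        "generic_on_original": match_rule(original, GENERIC_SMB_HEADER),
        "generic_on_variant": match_rule(changed, GENERIC_SMB_HEADER),
    }


if __name__ == "__main__":
    for name, fired in evaluate().items():
        print(f"{name}: {'alert' if fired else 'no alert'}")
```

<div>Running the block prints an alert for the specific rule on the original bytes and none on the variant, while the generic check alerts on both; dropping the trailing data below 1000 bytes also silences the specific rule because of isdataat. The generic check is deliberately crude (it would fire on every SMB1 message), which is the trade-off Brad describes: broad signatures survive changes to the sample but need tuning or thresholds to stay useful.</div>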
</body>
</html>