<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; color: rgb(0, 0, 0); font-size: 14px; font-family: Calibri, sans-serif;">
<div>
<div>Hi Alexis,</div>
<div><br>
</div>
<div>There are probably hundreds of rules in ET Open for ransomware, and probably thousands in ETPro to detect ransomware (and many, many other types of malware / malicious activity). We typically write a rule for each unique fingerprint we can assign to a given malware/campaign/vector. Oftentimes, malware will trigger not only on the specific signatures, but also on other indicators of suspicious activity.</div>
<div><br>
</div>
<div>Currently, we’re releasing about 15:1 ETPro : ET Open signatures. Any signatures submitted by the public, or signatures that we write based upon public research, go into the Open ruleset, which we curate/QA/package as a service to the community. Any signatures that we develop based upon our own research / our own IP would go into ETPro (for both Snort and Suricata).</div>
<div><br>
</div>
<div>If you have a specific question around the rules/ruleset we’ll be happy to address it.</div>
<div><br>
</div>
<div>Best Regards,</div>
<div>
<div id="">
<div class="WordSection1">
<p class="MsoNormal" style="text-autospace:none"><b><span style="font-family:Arial;color:#1D0E00">Brad Woodberg
</span></b><span style="font-family:Arial;color:#1D0E00">l<b> </b>Group Product Manager, ETPro, Security Tools</span><span style="font-size:16.0pt"><o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-family:Arial">Proofpoint, Inc.</span><span style="font-family: 'MS 明朝', 'MS Mincho';">
</span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-family:Arial">E:
<a href="mailto:bwoodberg@proofpoint.com">bwoodberg@proofpoint.com</a><o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><a href="http://www.proofpoint.com/"><span style="font-family:Arial;color:blue;text-decoration:none">www.proofpoint.com</span></a></p>
<p class="MsoNormal"><span style="font-family:Arial;color:#0F6B96">threat protection l compliance l archiving & governance l secure communication</span><o:p></o:p></p>
</div>
</div>
</div>
</div>
<div><br>
</div>
<span id="OLK_SRC_BODY_SECTION">
<div style="font-family:Calibri; font-size:12pt; text-align:left; color:black; BORDER-BOTTOM: medium none; BORDER-LEFT: medium none; PADDING-BOTTOM: 0in; PADDING-LEFT: 0in; PADDING-RIGHT: 0in; BORDER-TOP: #b5c4df 1pt solid; BORDER-RIGHT: medium none; PADDING-TOP: 3pt">
<span style="font-weight:bold">From: </span>Oisf-users <<a href="mailto:oisf-users-bounces@lists.openinfosecfoundation.org">oisf-users-bounces@lists.openinfosecfoundation.org</a>> on behalf of Alexis Fredes Hadad <<a href="mailto:amfh2408@gmail.com">amfh2408@gmail.com</a>><br>
<span style="font-weight:bold">Date: </span>Thursday, June 29, 2017 at 8:42 PM<br>
<span style="font-weight:bold">To: </span>"<a href="mailto:oisf-users@lists.openinfosecfoundation.org">oisf-users@lists.openinfosecfoundation.org</a>" <<a href="mailto:oisf-users@lists.openinfosecfoundation.org">oisf-users@lists.openinfosecfoundation.org</a>><br>
<span style="font-weight:bold">Subject: </span>[Oisf-users] Ransomware detection<br>
</div>
<div><br>
</div>
<span style="mso-bookmark:_MailOriginalBody">
<div>
<div>
<div dir="ltr">
<div>
<div>
<div>Hello everyone!<br>
</div>
I want to know if there is any rule for ransomware detection in Suricata. I know that Suricata is not the most appropriate tool for that kind of malware, but I was investigating how to write a rule with pcre. Does anyone know if a rule exists for that? Or a rule set which contains one? At present I am using the free version of Emerging Threats, and it has a file of rules for malware, but I couldn't find anything related to ransomware.<br>
<br>
</div>
Thanks,<br>
</div>
Alexis</div>
</div>
</div>
</span></span>
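<div>Alexis asked above how to write a Suricata rule with pcre for ransomware, and the reply notes that ET Open already carries many such rules, each keyed to one fingerprint. The following Python script is an added example, not part of either message and not ET's or Proofpoint's own tooling: it parses Suricata rule lines and lists those whose msg is tagged as ransomware, so the question "is there a rule for that?" can be answered by scanning a ruleset structurally instead of by eye. The rule lines embedded in it are constructed samples with local sids, not real ET signatures.</div>

```python
# Added example, not ET's own code: parse Suricata rule lines and list ransomware-tagged rules.
import re

# Constructed sample ruleset (local sids, legacy http_uri/dns_query keywords); not real ET Open content.
SAMPLE_RULES = r"""
# constructed sample, not ET Open content
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"LOCAL MALWARE Ransomware CnC Checkin (constructed)"; flow:established,to_server; content:"/gate.php"; http_uri; pcre:"/^\/gate\.php\?id=[a-f0-9]{32}$/U"; classtype:trojan-activity; sid:1000001; rev:1;)
alert dns $HOME_NET any -> any any (msg:"LOCAL TROJAN Ransomware Payment Domain Lookup (constructed)"; dns_query; content:"example.invalid"; nocase; classtype:trojan-activity; sid:1000002; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"LOCAL SCAN SSH Brute Force (constructed)"; flow:to_server; threshold:type both,track by_src,count 5,seconds 60; classtype:attempted-recon; sid:1000003; rev:1;)
#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"LOCAL MALWARE Disabled Ransomware Rule (constructed)"; content:"x"; sid:1000004; rev:1;)
"""

# Rule header: action proto src sport dir dst dport (options)
HEADER_RE = re.compile(
    r'^(?P<action>alert|drop|pass|reject)\s+(?P<proto>\S+)\s+(?P<src>\S+)\s+(?P<sport>\S+)'
    r'\s+(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s+\((?P<opts>.*)\)\s*$'
)
# Options are ';'-terminated key[:value] pairs; quoted values may contain escaped quotes or ';'.
OPT_RE = re.compile(r'\s*([a-zA-Z0-9_.\-]+)(?::\s*("(?:[^"\\]|\\.)*"|[^;]*))?;')

def parse_rule(line):
    """Parse one active Suricata rule line into a dict; return None for comments and blank lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError("unparseable rule: " + line)
    rule = {k: m.group(k) for k in ("action", "proto", "src", "sport", "dir", "dst", "dport")}
    opts = {}
    for key, val in OPT_RE.findall(m.group("opts")):
        val = val.strip()
        if val.startswith('"') and val.endswith('"'):
            val = val[1:-1]
        opts.setdefault(key, []).append(val)   # a keyword may repeat (e.g. content)
    rule["msg"] = opts.get("msg", [""])[0]
    rule["sid"] = int(opts["sid"][0])
    rule["classtype"] = opts.get("classtype", [""])[0]
    rule["has_pcre"] = "pcre" in opts
    return rule

def ransomware_rules(ruleset_text, keyword="ransomware"):
    """Return parsed active rules whose msg mentions keyword (case-insensitive), ordered by sid."""
    hits = []
    for line in ruleset_text.splitlines():
        rule = parse_rule(line)
        if rule and keyword.lower() in rule["msg"].lower():
            hits.append(rule)
    return sorted(hits, key=lambda r: r["sid"])
```

Calling `ransomware_rules(SAMPLE_RULES)` returns the two active ransomware-tagged rules (sids 1000001 and 1000002), reports which of them uses pcre, and skips the commented-out one; point it at the contents of an ET Open rules file to run the same search for real.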
</body>
</html>