<div dir="ltr"><div><div><div><div>Hello Amar! <br><br></div>Thanks for your help! I am new to the rules field. I saw that the rule looks for binary content. I think that this solution is a temporary one because if the ransomware changes, the content changes too, so in that case the IDS will not be able to detect the new variant. Am I right?<br></div>Besides, I think that using pcre would be a better solution, but for that you need the payload of the ransomware. Please tell me if I am wrong. As I said before, I am new to these concepts. At present I am trying to create a rule for Petrwrap and I only have the hex content.<br><br></div>Thanks,<br></div>Alexis<br></div><div class="gmail_extra"><br><div class="gmail_quote">2017-06-30 9:03 GMT-03:00 oisf <a href="http://countersnipe.com">countersnipe.com</a> <span dir="ltr"><<a href="mailto:oisf@countersnipe.com" target="_blank">oisf@countersnipe.com</a>></span>:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div><p>Hi Alexis<br></p><p>Suricata is in fact a very appropriate tool for ransomware and a very effective one too.<br></p><p>The rule category you need to look in is trojan-activity and there are thousands of rules in there. Please find below details of one such rule to do with the recent wannacry stuff. I have cut and pasted from a rule manager in order to show you all of the options more clearly.</p><p>Hope it helps.<br></p><p>Regards<br></p><p>Amar.<br></p><table style="line-height:1em;margin:0.5em auto" class="m_5902090765713308647mce-item-table" cellspacing="0" cellpadding="0" border="0"><tbody><tr><td style="text-align:left;border-bottom:1px solid #555555;padding:0.4em 1em;border-top:1px solid #555555" width="10" valign="top"> </td><td style="text-align:left;border-bottom:1px solid #555555;padding:0.4em 1em;border-top:1px solid #555555" valign="top"><p>Suricata Rule: ACTION smb any any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible ETERNALBLUE Exploit M3 MS17-010"; sid:2024430; rev:2; classtype:trojan-activity; flow:to_server,established; content:"|ff|SMB|32 00 00 00 00 18 07 c0|"; offset:4; depth:12; content:"|00 00 00 00 00 00 00 00 00 00 00 08 ff fe 00 08|"; distance:2; within:16; fast_pattern; content:"|0f 0c 00 00 10 01 00 00 00 00 00 00 00 f2 00 00 00 00 00 0c 00 42 00 00 10 4e 00 01 00 0e 00 0d 10 00|"; distance:2; within:34; isdataat:1000,relative; threshold: type both, track by_src, count 10, seconds 1; )</p>Name: ET CURRENT_EVENTS Possible ETERNALBLUE Exploit M3 MS17-010 <br> Sid: 2024430 <br> Revision: 2 <br> Classification: trojan-activity (High)<br> Group: <a href="https://demo1.countersnipe.com:8443/signature/signature?action=List&signatureGroupID=52" target="_blank">trojan-activity</a><br> Protocol: smb <br> Source: any <br> Source Port: any <br> Direction: -> <br> Destination: $HOME_NET <br> Destination Port: any</td></tr></tbody></table><blockquote type="cite"><div><div class="h5">On June 29, 2017 at 8:42 PM Alexis Fredes Hadad <<a href="mailto:amfh2408@gmail.com" target="_blank">amfh2408@gmail.com</a>> wrote:<br><br><div dir="ltr"><div><div><div>Hello everyone!<br></div>I want to know if there is any rule for ransomware detection in Suricata. I know that Suricata is not the most appropriate tool for that kind of malware but I was investigating how to do a rule with pcre. Does anyone know if a rule exists for that? Or a rule set which contains that? At present I am using the free version of Emerging Threats and it has a file of rules for malware but I couldn't find anything related to ransomware.<br><br></div>Thanks,<br></div>Alexis</div></div></div><span class="">______________________________<wbr>_________________<br>Suricata IDS Users mailing list: <a href="mailto:oisf-users@openinfosecfoundation.org" target="_blank">oisf-users@<wbr>openinfosecfoundation.org</a><br>Site: <a href="http://suricata-ids.org" target="_blank">http://suricata-ids.org</a> | Support: <a href="http://suricata-ids.org/support/" target="_blank">http://suricata-ids.org/<wbr>support/</a><br>List: <a href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" target="_blank">https://lists.<wbr>openinfosecfoundation.org/<wbr>mailman/listinfo/oisf-users</a><br></span></blockquote></div>
</blockquote></div><br></div>
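The rule Amar pasted matches three fixed byte sequences inside offset/depth and distance/within windows and then requires 1000 further bytes; the following Python is an added example, not part of the thread or of Suricata, that models exactly those content-modifier semantics on a constructed payload and shows why a single changed byte or a one-byte shift defeats the match, which is the variant problem Alexis raises. The flow:, threshold: and fast_pattern keywords and the real SMB parser are not modelled, and the sample payload is constructed for the demonstration.

```python
# Added example, not from the mailing-list thread: a minimal model of the
# content/offset/depth/distance/within/isdataat semantics of the ET rule above.
def parse_content(spec):
    """Turn a Suricata content string such as '|ff|SMB|32 00|' into bytes."""
    out = bytearray()
    for i, part in enumerate(spec.split("|")):
        # parts at odd positions sit between '|' delimiters and are hex bytes
        out += bytes.fromhex(part) if i % 2 else part.encode("latin-1")
    return bytes(out)

# The three content matches of sid:2024430, in order, with their modifiers.
RULE_CONTENTS = [
    ("|ff|SMB|32 00 00 00 00 18 07 c0|", {"offset": 4, "depth": 12}),
    ("|00 00 00 00 00 00 00 00 00 00 00 08 ff fe 00 08|", {"distance": 2, "within": 16}),
    ("|0f 0c 00 00 10 01 00 00 00 00 00 00 00 f2 00 00 00 00 00 0c 00 42 00 00 10 4e 00 01 00 0e 00 0d 10 00|",
     {"distance": 2, "within": 34}),
]
ISDATAAT_RELATIVE = 1000  # isdataat:1000,relative

def rule_matches(payload):
    """True if every content match and the trailing isdataat check succeed."""
    pos = 0  # end of the previous match; relative modifiers count from here
    for spec, mods in RULE_CONTENTS:
        needle = parse_content(spec)
        if "offset" in mods:
            # absolute window: start at offset, look depth bytes from there
            start = mods["offset"]
            end = start + mods["depth"]
        else:
            # relative window: skip distance bytes, the match must end within
            start = pos + mods["distance"]
            end = start + mods["within"]
        idx = payload.find(needle, start, end)  # needle must fit in [start, end)
        if idx < 0:
            return False
        pos = idx + len(needle)
    # isdataat:1000,relative: at least 1000 bytes must follow the last match
    return len(payload) - pos >= ISDATAAT_RELATIVE

def build_sample(trailer_len=1000):
    """Constructed payload shaped to satisfy the rule: a 4-byte NetBIOS session
    header, the three matched blocks separated by 2-byte gaps, then filler."""
    b1, b2, b3 = (parse_content(s) for s, _ in RULE_CONTENTS)
    return (b"\x00\x00\x04\x00" + b1 + b"\x00\x00" + b2 + b"\x00\x00" + b3
            + b"A" * trailer_len)

if __name__ == "__main__":
    sample = build_sample()
    print("sample matches:", rule_matches(sample))               # True
    print("shifted by one byte:", rule_matches(b"\x00" + sample))  # False
```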