[Oisf-users] Suricata File Carving - Malware Detection

[Victor Julien]

On 04/09/2011 02:51 AM, Kevin Ross wrote:
> Stick with me with this. This is pescanner from the malware cookbook. I have
> modified it slightly to have more IAT alerts after reading this
> http://www.sans.org/reading_room/whitepapers/malicious/rss/_33649 as it has
> a big list of IATs at the end and their malware uses so I added them in (in
> this case I would say all those IATs look bad in combination). This was Zeus
> with the file carved out a pcap on openpacket.org. You can see the
> virtustotal report for the MD5 when I searched for it here
> http://www.virustotal.com/file-scan/report.html?id=2f59173cf3842b3a72ac04404ab045c339cbc6f021f24b977a27441ea881e95b-1295056538
> 
> Now what I was thinking is if they file_extract options were put into
> suricata as was mentioned after the last meeting would it be hard to have
> suricata or another tool check IATs, entropy, clamav scan possibly or
> checking the MD5 against virustotal, shadowserver etc to determine if is is
> possibly malicious? Even the IATs for their possible usage and risk and then
> a threshold to then determine if the file is likely bad. If the file was
> possible bad then a preprocessor style alert could be generated by suricata
> with the relevant information about the file and the possibly malicious file
> could be moved to a malicious folder or something to be stored while if the
> user wants executables or other files that are not detected as anything or
> suspicious could be deleted meaning you have a folder of likely samples for
> stuff entering your network. What do people think?

This analysis (mostly) requires the full file, right? In that case I
think it makes more sense for Suricata to drop the file to disk and let
a separate process do post inspection.

Cheers,
Victor


-- 
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------