[Oisf-users] Multiples filemd5 rules
Robin MARSOLLIER
Robin.MARSOLLIER at conix.fr
Tue Feb 14 11:00:08 UTC 2017
Hello,
I'm currently designing a ruleset. To match my requirements, it would be convenient for me to have multiple filemd5 rules like this:
alert [...] (msg:"ransomware md5 detected - 'format c:' needed"; filemagic:"exe"; filemd5:!ransomwares_md5.txt; ....;)
alert [...] (msg:" some trojan md5 detected - investigation needed "; filemagic:"exe"; filemd5:!trojan_md5.txt; ....;)
alert [...] (msg:" some APT not-so-feared md5 detected - investigation needed "; filemagic:"exe"; filemd5:!not-so-apt_md5.txt; ....;)
alert [...] (msg:" some APT highly-feared md5 detected - escalate to crisis center"; filemagic:"exe"; filemd5:!apt_md5.txt; ....;)
The goal is to correlate them differently at the SIEM level and to have multiple possible procedures available for the SOC, according to the threat detected.
My question is simple: does this kind of multiplication of filemd5 rules affect performance? (For, let's say, 30 such rules with over 30k md5s in total.)
Regards.
Robin Marsollier
CONIX | BU Sécurité des SI | Consultant Sécurité
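A small checker for the kind of per-category hash lists the rules above reference, added here as an example and not taken from the post or from Suricata itself. It assumes constructed list contents under placeholder file names (apt_md5.txt, ransomwares_md5.txt, trojan_md5.txt), validates the one-md5-per-line format, flags hashes that appear in more than one list (each of which would fire several rules and complicate the per-category SIEM procedures), and resolves a hash to its highest-priority category with one set lookup per list, which is why lookup cost does not grow with list size.

```python
import re
from collections import defaultdict

# Constructed sample lists in the one-hash-per-line layout used by filemd5 files.
# File names are placeholders, not the poster's real lists.
SAMPLE_LISTS = {
    "apt_md5.txt": "0123456789abcdef0123456789abcdef\nAAAABBBBCCCCDDDDEEEEFFFF00001111\n",
    "ransomwares_md5.txt": "0123456789abcdef0123456789abcdef\nfedcba9876543210fedcba9876543210\n",
    "trojan_md5.txt": "not-a-hash\n11112222333344445555666677778888\n",
}
# Highest-priority category first, mirroring the escalation levels in the rules.
PRIORITY = ["apt_md5.txt", "ransomwares_md5.txt", "trojan_md5.txt"]
MD5_RE = re.compile(r"^[0-9a-f]{32}$")


def load_list(text):
    """Return (set of lower-cased md5s, list of rejected raw lines)."""
    good, bad = set(), []
    for line in text.splitlines():
        h = line.strip().lower()
        if not h or h.startswith("#"):
            continue  # blank line or comment
        if MD5_RE.match(h):
            good.add(h)
        else:
            bad.append(line)  # malformed entry: would never match anything
    return good, bad


def load_all(lists):
    """Load every category list; returns ({name: set}, {name: rejected lines})."""
    sets, rejected = {}, {}
    for name, text in lists.items():
        sets[name], rejected[name] = load_list(text)
    return sets, rejected


def overlaps(sets):
    """Hashes present in more than one list: each would trigger several rules at once."""
    seen = defaultdict(set)
    for name, hashes in sets.items():
        for h in hashes:
            seen[h].add(name)
    return {h: sorted(names) for h, names in seen.items() if len(names) > 1}


def classify(md5, sets, priority=PRIORITY):
    """Return the highest-priority list containing md5, or None; one O(1) set lookup per list."""
    h = md5.strip().lower()
    for name in priority:
        if h in sets.get(name, ()):
            return name
    return None
```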