[Oisf-users] Multiples filemd5 rules

Robin MARSOLLIER Robin.MARSOLLIER at conix.fr
Tue Feb 14 11:00:08 UTC 2017


I'm currently designing a ruleset. To match my requirements, it would be convenient for me to have multiple filemd5 rules like this :

alert [...] (msg:" ransomware md5 detected - "format c:" needed "; filemagic:"exe"; filemd5:!ransomwares_md5.txt; ....;)
alert [...] (msg:" some trojan md5 detected - investigation needed "; filemagic:"exe"; filemd5:!trojan_md5.txt; ....;)
alert [...] (msg:" some APT not-so-feared md5 detected - investigation needed "; filemagic:"exe"; filemd5:!not-so-apt_md5.txt; ....;)
alert [...] (msg:" some APT highly-feared md5 detected - escalate to crisis center"; filemagic:"exe"; filemd5:!apt_md5.txt; ....;)

The goal is to correlate them differently at the SIEM level and to have multiple possible procedures available for the SOC, according to the threat detected.

My question is simple : Does this kind of multiplication of filemd5 rules affect performances? (For let's say 30 like rules with over 30k md5 total) 

Robin Marsollier
CONIX | BU Sécurité des SI | Consultant Sécurité

More information about the Oisf-users mailing list