[Oisf-users] Ransomware detection

Brad Woodberg bwoodberg at proofpoint.com
Fri Jun 30 01:33:19 UTC 2017

Hi Alexis,

There is probably hundreds of rules in ET Open for Ransomware, and probably thousands in ETPro to detect ransomware (and many many other types of malware / malicious activity.)  We typically write a rule for each unique fingerprint we can assign to a given malware/campaign/vector.  Often times, malware will trigger not only on the specific signatures, but also on other indicators of suspicious activity.

Currently, we’re releasing about 15:1 ETPro : ET Open signatures.  Any signatures submitted by the public or signatures that we write based upon public research goes into the Open ruleset which we curate/QA/package as a service to the community.  Any signatures that we develop based upon our own research / our own IP would go into ETPro (for both Snort and Suricata.)

If you have a specific question around the rules/ruleset we’ll be happy to address it.

Best Regards,
Brad Woodberg l Group Product Manager, ETPro, Security Tools
Proofpoint, Inc.

E: bwoodberg at proofpoint.com<mailto:bwoodberg at proofpoint.com>
[id:image001.png at 01D285E1.0101B2B0]<http://www.proofpoint.com/>
threat protection l compliance l archiving & governance l secure communication

From: Oisf-users <oisf-users-bounces at lists.openinfosecfoundation.org<mailto:oisf-users-bounces at lists.openinfosecfoundation.org>> on behalf of Alexis Fredes Hadad <amfh2408 at gmail.com<mailto:amfh2408 at gmail.com>>
Date: Thursday, June 29, 2017 at 8:42 PM
To: "oisf-users at lists.openinfosecfoundation.org<mailto:oisf-users at lists.openinfosecfoundation.org>" <oisf-users at lists.openinfosecfoundation.org<mailto:oisf-users at lists.openinfosecfoundation.org>>
Subject: [Oisf-users] Ransomware detection

Hello everyone!
I want to know if there is any rule for ransomware detection in Suricata. I know that Suricata is not the more appropiate tool for that kind of malware but I was investigating how to do a rule with pcre. Anyone knows if exist a rule for that? Or a rule set which contain that? At present I am using the free version of Emerging Threats and it has a file of rules for malware but I couldn't find nothing related to ransomware.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20170630/c3401a70/attachment-0002.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image001[87].png
Type: image/png
Size: 10805 bytes
Desc: image001[87].png
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20170630/c3401a70/attachment-0002.png>

More information about the Oisf-users mailing list