[Oisf-users] Ransomware detection

oisf countersnipe.com oisf at countersnipe.com
Fri Jun 30 12:03:47 UTC 2017


Hi Alexis

Suricata is in fact a very appropriate tool for ransomware, and a very effective one too.

The rule category you need to look in is trojan-activity, and there are thousands of rules in there. Please find below the details of one such rule to do with the recent WannaCry stuff. I have cut and pasted it from a rule manager in order to show you all of the options more clearly.

Hope it helps.

regards

Amar.



Suricata Rule: ACTION smb any any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible ETERNALBLUE Exploit M3 MS17-010"; sid:2024430; rev:2; classtype:trojan-activity; flow:to_server,established; content:"|ff|SMB|32 00 00 00 00 18 07 c0|"; offset:4; depth:12; content:"|00 00 00 00 00 00 00 00 00 00 00 08 ff fe 00 08|"; distance:2; within:16; fast_pattern; content:"|0f 0c 00 00 10 01 00 00 00 00 00 00 00 f2 00 00 00 00 00 0c 00 42 00 00 10 4e 00 01 00 0e 00 0d 10 00|"; distance:2; within:34; isdataat:1000,relative; threshold: type both, track by_src, count 10, seconds 1; )

Name: ET CURRENT_EVENTS Possible ETERNALBLUE Exploit M3 MS17-010
Sid: 2024430
Revision: 2
Classification: trojan-activity (High)
Group: trojan-activity
Protocol: smb
Source: any
Source Port: any
Direction: ->
Destination: $HOME_NET
Destination Port: any

> On June 29, 2017 at 8:42 PM Alexis Fredes Hadad <amfh2408 at gmail.com> wrote:
> 
>     Hello everyone!
>     I want to know if there is any rule for ransomware detection in Suricata. I know that Suricata is not the most appropriate tool for that kind of malware, but I was investigating how to write a rule with pcre. Does anyone know if such a rule exists, or a rule set which contains one? At present I am using the free version of Emerging Threats, and it has a file of rules for malware, but I couldn't find anything related to ransomware.
> 
>     Thanks,
>     Alexis
>     _______________________________________________
>     Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
>     Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
>     List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> 
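The rule above packs most of Suricata's payload-matching keywords into one signature: an absolute match (offset/depth), two relative matches (distance/within), a size check (isdataat) and a rate limit (threshold). The following is an added example, not code from the list or from Suricata, that re-implements just those payload and threshold steps in Python over a constructed SMB-like packet, so the keyword semantics can be seen working. It assumes the usual ET reading of `distance:N; within:M` (the window starts N bytes after the previous match and is M bytes long, which is why a 16-byte content carries `within:16`) and of `isdataat:1000,relative` (at least 1000 bytes remain after the last match); it does not model flow state or the SMB app-layer parser, and the sample packet is constructed, not a capture.

```python
"""Toy matcher for the payload and threshold logic of Suricata sid:2024430.

Added example, not Suricata source. The offset/depth/distance/within,
isdataat and threshold semantics are this example's reading of the
Suricata rule documentation (assumption: 'within' is counted from the end
of the previous match plus 'distance', which is how ET rules use it).
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


def parse_content(spec: str) -> bytes:
    """Turn Suricata content syntax into bytes.

    Text outside |...| is literal ASCII, text inside is space-separated hex,
    so "|ff|SMB|32 00|" becomes b"\\xffSMB\\x32\\x00".
    """
    out = bytearray()
    for i, part in enumerate(spec.split("|")):
        out += part.encode("latin-1") if i % 2 == 0 else bytes.fromhex(part)
    return bytes(out)


@dataclass
class Content:
    pattern: bytes
    offset: int = 0                 # absolute: start searching here
    depth: Optional[int] = None     # absolute: match must end within offset+depth
    distance: Optional[int] = None  # relative: skip N bytes after the previous match
    within: Optional[int] = None    # relative: match must end within M bytes of that point


def match_contents(payload: bytes, steps: List[Content]) -> Optional[int]:
    """Apply the content keywords in order; return the end offset of the
    last match, or None as soon as one step fails."""
    prev_end = 0
    for c in steps:
        if c.distance is not None or c.within is not None:
            start = prev_end + (c.distance or 0)
            end = len(payload) if c.within is None else start + c.within
        else:
            start = c.offset
            end = len(payload) if c.depth is None else start + c.depth
        idx = payload.find(c.pattern, start, end)  # pattern must lie wholly in [start, end)
        if idx == -1:
            return None
        prev_end = idx + len(c.pattern)
    return prev_end


# The three content matches of the rule, in the order Suricata evaluates them.
RULE_CONTENTS = [
    Content(parse_content("|ff|SMB|32 00 00 00 00 18 07 c0|"), offset=4, depth=12),
    Content(parse_content("|00 00 00 00 00 00 00 00 00 00 00 08 ff fe 00 08|"),
            distance=2, within=16),
    Content(parse_content("|0f 0c 00 00 10 01 00 00 00 00 00 00 00 f2 00 00 00 00 00 0c 00 42 "
                          "00 00 10 4e 00 01 00 0e 00 0d 10 00|"), distance=2, within=34),
]
ISDATAAT_RELATIVE = 1000  # isdataat:1000,relative


def rule_matches(payload: bytes) -> bool:
    """Payload-level part of sid:2024430 (flow and app-layer state not modelled)."""
    last_end = match_contents(payload, RULE_CONTENTS)
    if last_end is None:
        return False
    # isdataat:1000,relative -> at least 1000 more bytes after the last match
    return len(payload) >= last_end + ISDATAAT_RELATIVE


class Threshold:
    """threshold: type both, track by_src, count N, seconds S.

    'both' fires once per S-second window, on the N-th match from a source,
    so a single probe stays silent and a burst produces one alert per window.
    """

    def __init__(self, count: int = 10, seconds: float = 1.0) -> None:
        self.count, self.seconds = count, seconds
        self._state: Dict[str, Tuple[float, int]] = {}  # src -> (window start, hits)

    def should_alert(self, src: str, now: float) -> bool:
        entry = self._state.get(src)
        if entry is None or now - entry[0] >= self.seconds:
            entry = (now, 0)                   # open a new window
        start, hits = entry[0], entry[1] + 1
        self._state[src] = (start, hits)
        return hits == self.count              # exactly once per window


def build_probe(trailing: int = ISDATAAT_RELATIVE, shift: int = 0) -> bytes:
    """Constructed sample packet (not a real capture): a NetBIOS session
    header, the three matched regions separated by the 2-byte gaps the rule
    allows, then `trailing` filler bytes. `shift` moves the SMB header so
    that offset:4 no longer holds."""
    a, b, c = (s.pattern for s in RULE_CONTENTS)
    body = a + b"\x00\x00" + b + b"\x00\x00" + c + b"\x41" * trailing
    nbss = b"\x00" + len(body).to_bytes(3, "big")
    return nbss + b"\x00" * shift + body


def simulate(packets: List[Tuple[float, str, bytes]]) -> List[Tuple[float, str]]:
    """Run rule + threshold over (timestamp, src_ip, payload) tuples and
    return the (timestamp, src_ip) pairs that would raise an alert."""
    th = Threshold(count=10, seconds=1.0)
    return [(t, src) for t, src, p in packets if rule_matches(p) and th.should_alert(src, t)]


if __name__ == "__main__":
    probe = build_probe()
    print("single probe passes payload checks:", rule_matches(probe))
    burst = [(i / 10, "10.0.0.5", probe) for i in range(25)]
    print("alerts from 25 probes in 2.5 s:", simulate(burst))  # two: t=0.9 and t=1.9
```

Two things worth noticing when running it: trimming the filler to 999 bytes makes `isdataat` fail even though all three contents match, and nine matching packets from one source produce no alert at all because of `threshold: type both`, which is exactly what a practitioner hunting a single, slow exploit attempt needs to know before relying on this signature alone.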