[Oisf-users] Ransomware detection

Alexis Fredes Hadad amfh2408 at gmail.com
Fri Jun 30 15:48:46 UTC 2017


Hello Amar!

Thanks for your help! I am new to the rules field. I saw that the rule
looks for binary content. I think that this solution is a temporary one
because if the ransomware changes, the content changes too, so in that case
the IDS will not be able to detect the new variant. Am I right?
Besides, I think that using pcre would be a better solution, but for that you
need the payload of the ransomware. Please tell me if I am wrong. As I said
before, I am new to these concepts. At present I am trying to create a
rule for Petrwrap and I only have the hex content.

Thanks,
Alexis

2017-06-30 9:03 GMT-03:00 oisf countersnipe.com <oisf at countersnipe.com>:

> Hi Alexis
>
> Suricata is in fact a very appropriate tool for ransomware and a very
> effective one too.
>
> The rule category you need to look in is trojan-activity and there are
> thousands of rules in there. Please find below details of one such rule to
> do with the recent wannacry stuff. I have cut and pasted from a rule
> manager in order to show you all of the options more clearly.
>
> Hope it helps.
>
> regards
>
> Amar.
>
>
> Suricata Rule:
> ACTION smb any any -> $HOME_NET any ( \
>   msg:"ET CURRENT_EVENTS Possible ETERNALBLUE Exploit M3 MS17-010"; \
>   sid:2024430; rev:2; classtype:trojan-activity; \
>   flow:to_server,established; \
>   content:"|ff|SMB|32 00 00 00 00 18 07 c0|"; offset:4; depth:12; \
>   content:"|00 00 00 00 00 00 00 00 00 00 00 08 ff fe 00 08|"; distance:2; within:16; fast_pattern; \
>   content:"|0f 0c 00 00 10 01 00 00 00 00 00 00 00 f2 00 00 00 00 00 0c 00 42 00 00 10 4e 00 01 00 0e 00 0d 10 00|"; distance:2; within:34; \
>   isdataat:1000,relative; \
>   threshold: type both, track by_src, count 10, seconds 1; )
> Name: ET CURRENT_EVENTS Possible ETERNALBLUE Exploit M3 MS17-010
> Sid: 2024430
> Revision: 2
> Classification: trojan-activity (High)
> Group: trojan-activity
> Protocol: smb
> Source: any
> Source Port: any
> Direction: ->
> Destination: $HOME_NET
> Destination Port: any
>
> On June 29, 2017 at 8:42 PM Alexis Fredes Hadad <amfh2408 at gmail.com>
> wrote:
>
> Hello everyone!
> I want to know if there is any rule for ransomware detection in Suricata.
> I know that Suricata is not the most appropriate tool for that kind of
> malware but I was investigating how to do a rule with pcre. Does anyone know
> if a rule exists for that? Or a rule set which contains that? At present I am
> using the free version of Emerging Threats and it has a file of rules for
> malware but I couldn't find anything related to ransomware.
>
> Thanks,
> Alexis
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>
>
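To make the point about byte-exact matching concrete, here is an added example (not code from this thread, from Emerging Threats or from Suricata) that re-implements in plain Python the content chain of the ETERNALBLUE rule quoted above: content with offset/depth (absolute), then distance/within (relative to the previous match end), then isdataat:1000,relative. The sample payload is constructed to satisfy the chain; flipping a single byte inside the third content shows why a variant with different bytes slips past such a rule. The window semantics and the isdataat boundary are my reading of the modifiers, stated as assumptions in the comments; the threshold keyword is alert rate control and is not modelled.

```python
"""Toy evaluator for the content/offset/depth/distance/within chain of
ET sid:2024430 as quoted in the thread. Added example, not Suricata code."""

# Content strings exactly as they appear in the rule, with their modifiers.
CONTENTS = [
    ("|ff|SMB|32 00 00 00 00 18 07 c0|", {"offset": 4, "depth": 12}),
    ("|00 00 00 00 00 00 00 00 00 00 00 08 ff fe 00 08|",
     {"distance": 2, "within": 16}),
    ("|0f 0c 00 00 10 01 00 00 00 00 00 00 00 f2 00 00 00 00 00 0c 00 42 "
     "00 00 10 4e 00 01 00 0e 00 0d 10 00|", {"distance": 2, "within": 34}),
]
ISDATAAT_RELATIVE = 1000  # isdataat:1000,relative


def parse_content(text: str) -> bytes:
    """Turn Suricata content syntax into bytes: text outside |...| is a
    literal string, text inside |...| is space-separated hex."""
    out = bytearray()
    for i, chunk in enumerate(text.split("|")):
        out += bytes.fromhex(chunk) if i % 2 else chunk.encode("latin-1")
    return bytes(out)


def match_chain(payload: bytes) -> tuple[bool, list[int]]:
    """Walk the content chain in order. Assumed semantics: offset/depth
    define an absolute window [offset, offset+depth); distance/within define
    a window starting `distance` bytes after the previous match end and
    `within` bytes long; the content must lie entirely inside the window.
    Returns (chain matched, end offset of each content that matched)."""
    prev_end = 0
    ends: list[int] = []
    for text, mods in CONTENTS:
        needle = parse_content(text)
        if "offset" in mods:
            start = mods["offset"]
            stop = start + mods.get("depth", len(payload))
        else:
            start = prev_end + mods.get("distance", 0)
            stop = start + mods.get("within", len(payload))
        pos = payload.find(needle, start, stop)  # slice semantics: whole needle inside window
        if pos == -1:
            return False, ends
        prev_end = pos + len(needle)
        ends.append(prev_end)
    # isdataat:N,relative (assumed): at least N bytes of payload follow the last match
    if len(payload) - prev_end < ISDATAAT_RELATIVE:
        return False, ends
    return True, ends


def build_sample(mutate: bool = False) -> bytes:
    """Constructed SMB-like payload laid out to satisfy the chain. With
    mutate=True one byte inside the third content is changed, standing in
    for a variant whose bytes differ from the signature."""
    c1, c2, c3 = (parse_content(t) for t, _ in CONTENTS)
    if mutate:
        c3 = c3[:20] + bytes([c3[20] ^ 0x01]) + c3[21:]
    return (b"\x00\x00\x04\x38"          # 4-byte NetBIOS session header (constructed)
            + c1 + b"\x00\x00" + c2     # content 1 at offset 4, 2-byte gap, content 2
            + b"\x00\x00" + c3          # 2-byte gap, content 3
            + b"A" * 1100)              # padding so isdataat:1000,relative holds


if __name__ == "__main__":
    print("signature bytes  :", match_chain(build_sample()))        # (True, [16, 34, 70])
    print("one byte changed :", match_chain(build_sample(mutate=True)))  # (False, [16, 34])
```

The first two contents still match on the mutated payload, but the chain fails at the third, so no alert fires; that is the brittleness Alexis describes, and the reason rules like this one are tied to a specific sample rather than to the ransomware family as a whole.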