[Oisf-users] Ransomware detection

Brad Woodberg bwoodberg at proofpoint.com
Fri Jun 30 16:34:20 UTC 2017


Hi Alexis,

It is true that changes to the malware *may* impact detection depending on the signature/change, but that’s why we monitor malware continuously and will release new signatures if/when this happens.  We also try to fingerprint many aspects of the malware/network activity.  Often you will see many different signatures trigger on a piece of malware so even with some changes you will often still trigger alerts; some malware specific and some more generic detection.

Best Regards,
Brad Woodberg l Group Product Manager, ETPro, Security Tools
Proofpoint, Inc.

E: bwoodberg at proofpoint.com<mailto:bwoodberg at proofpoint.com>
threat protection l compliance l archiving & governance l secure communication

From: Oisf-users <oisf-users-bounces at lists.openinfosecfoundation.org> on behalf of Alexis Fredes Hadad <amfh2408 at gmail.com>
Date: Friday, June 30, 2017 at 11:48 AM
To: "oisf countersnipe.com" <oisf at countersnipe.com>
Cc: "oisf-users at lists.openinfosecfoundation.org" <oisf-users at lists.openinfosecfoundation.org>
Subject: Re: [Oisf-users] Ransomware detection

Hello Amar!

Thanks for your help! I am new to the rules field. I saw that the rule looks for binary content. I think that this solution is a temporary one because if the ransomware changes, the content changes too, so in that case the IDS will not be able to detect the new variant. Am I right?
Besides, I think that using pcre would be a better solution, but for that you need the payload of the ransomware. Please tell me if I am wrong. As I said before, I am new to these concepts. At present I am trying to create a rule for Petrwrap and I only have the hex content.

Thanks,
Alexis

2017-06-30 9:03 GMT-03:00 oisf countersnipe.com <oisf at countersnipe.com>:

Hi Alexis

Suricata is in fact a very appropriate tool for ransomware, and a very effective one too.

The rule category you need to look in is trojan-activity and there are thousands of rules in there. Please find below details of one such rule to do with the recent WannaCry stuff. I have cut and pasted from a rule manager in order to show you all of the options more clearly.

Hope it helps.

regards

Amar.




Suricata Rule: ACTION smb any any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible ETERNALBLUE Exploit M3 MS17-010"; sid:2024430; rev:2; classtype:trojan-activity; flow:to_server,established; content:"|ff|SMB|32 00 00 00 00 18 07 c0|"; offset:4; depth:12; content:"|00 00 00 00 00 00 00 00 00 00 00 08 ff fe 00 08|"; distance:2; within:16; fast_pattern; content:"|0f 0c 00 00 10 01 00 00 00 00 00 00 00 f2 00 00 00 00 00 0c 00 42 00 00 10 4e 00 01 00 0e 00 0d 10 00|"; distance:2; within:34; isdataat:1000,relative; threshold: type both, track by_src, count 10, seconds 1; )

Name: ET CURRENT_EVENTS Possible ETERNALBLUE Exploit M3 MS17-010
Sid: 2024430
Revision: 2
Classification: trojan-activity (High)
Group: trojan-activity
Protocol: smb
Source: any
Source Port: any
Direction: ->
Destination: $HOME_NET
Destination Port: any
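As an added illustration (this is not code from the thread, from Emerging Threats, or from Suricata itself), the Python below walks the three content matches, the isdataat check and the threshold of the rule Amar pasted (sid:2024430) over a constructed SMB-shaped buffer. The matcher is a simplified reading of the documented keyword semantics (offset/depth counted from the payload start, distance/within from the end of the previous match, first occurrence only, no backtracking); the sample bytes, the one-byte "variant", and the ThresholdBoth class are all constructed here to show why a byte-exact signature fires on the original but not on a slightly changed or shifted variant, which is the concern Alexis raises.

```python
import re

# The content matches from the rule above (sid:2024430), transcribed as data
# so a small matcher can step through them in order.
RULE_SID_2024430 = [
    {"content": "|ff|SMB|32 00 00 00 00 18 07 c0|", "offset": 4, "depth": 12},
    {"content": "|00 00 00 00 00 00 00 00 00 00 00 08 ff fe 00 08|",
     "distance": 2, "within": 16},
    {"content": "|0f 0c 00 00 10 01 00 00 00 00 00 00 00 f2 00 00 00 00 00 0c "
                "00 42 00 00 10 4e 00 01 00 0e 00 0d 10 00|",
     "distance": 2, "within": 34},
    {"isdataat": 1000, "relative": True},
]


def parse_content(spec):
    """Turn Suricata content syntax (text with |hex| sections) into bytes."""
    out = bytearray()
    for part in re.split(r"(\|[^|]*\|)", spec):
        if part.startswith("|") and part.endswith("|") and len(part) >= 2:
            out += bytes.fromhex(part[1:-1])
        else:
            out += part.encode("latin-1")
    return bytes(out)


def match_rule(payload, rule):
    """True if every content/isdataat step matches in sequence (simplified)."""
    prev_end = None
    for step in rule:
        if "isdataat" in step:
            base = prev_end if step.get("relative") and prev_end is not None else 0
            if len(payload) - base <= step["isdataat"]:
                return False
            continue
        pat = parse_content(step["content"])
        if "distance" in step or "within" in step:
            # relative modifiers: window starts distance bytes after the
            # previous match end and spans `within` bytes from there
            base = prev_end if prev_end is not None else 0
            start = base + step.get("distance", 0)
            end = start + step["within"] if "within" in step else len(payload)
        else:
            # absolute modifiers: window is [offset, offset + depth)
            start = step.get("offset", 0)
            end = start + step["depth"] if "depth" in step else len(payload)
        idx = payload.find(pat, start, end)   # whole pattern must fit in window
        if idx < 0:
            return False
        prev_end = idx + len(pat)
    return True


class ThresholdBoth:
    """threshold: type both, track by_src, count N, seconds S (simplified):
    one alert per source per window, fired on the N-th hit in that window."""

    def __init__(self, count, seconds):
        self.count, self.seconds = count, seconds
        self.state = {}  # src -> [window_start, hits, already_alerted]

    def hit(self, src, ts):
        st = self.state.get(src)
        if st is None or ts - st[0] >= self.seconds:
            st = self.state[src] = [ts, 0, False]
        st[1] += 1
        if st[1] >= self.count and not st[2]:
            st[2] = True
            return True
        return False


def build_sample(variant=False):
    """Constructed SMB-shaped buffer laid out to satisfy the rule (not a capture)."""
    netbios = b"\x00\x00\x04\x00"  # 4-byte NetBIOS session header, constructed
    p1, p2, p3 = (parse_content(s["content"]) for s in RULE_SID_2024430[:3])
    if variant:
        p3 = p3[:13] + b"\xf3" + p3[14:]  # flip one byte of the third pattern
    body = netbios + p1 + b"\x00\x00" + p2 + b"\x00\x00" + p3
    return body + b"A" * 1100  # padding so isdataat:1000,relative holds


def run_demo():
    """Exercise the matcher and threshold on constructed input; returns results."""
    thr = ThresholdBoth(count=10, seconds=1)
    alerts = [thr.hit("10.0.0.5", 0.08 * i) for i in range(12)]  # 12 hits in <1s
    return {
        "baseline": match_rule(build_sample(), RULE_SID_2024430),
        "one_byte_variant": match_rule(build_sample(variant=True), RULE_SID_2024430),
        "shifted": match_rule(b"\x00" + build_sample(), RULE_SID_2024430),
        "short_payload": match_rule(build_sample()[:500], RULE_SID_2024430),
        "alerts_in_first_second": sum(alerts),
        "alert_fired_on_hit": alerts.index(True) + 1 if True in alerts else None,
    }


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

The baseline buffer matches, while changing a single byte, prepending one byte (which breaks the offset:4/depth:12 window), or truncating the trailing data (which fails isdataat:1000,relative) each defeats the signature; the threshold emits one alert on the tenth hit and stays quiet for the rest of that second. The matcher deliberately ignores Suricata's backtracking over repeated occurrences, so it is a teaching aid for the modifier semantics, not a substitute for testing a rule with the engine.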
On June 29, 2017 at 8:42 PM Alexis Fredes Hadad <amfh2408 at gmail.com> wrote:

Hello everyone!
I want to know if there is any rule for ransomware detection in Suricata. I know that Suricata is not the most appropriate tool for that kind of malware, but I was investigating how to write a rule with pcre. Does anyone know if a rule exists for that, or a rule set which contains one? At present I am using the free version of Emerging Threats and it has a file of rules for malware, but I couldn't find anything related to ransomware.

Thanks,
Alexis
_______________________________________________
Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users


