[Oisf-users] Ransomware detection

Jason Williams jwilliams at emergingthreats.net
Fri Jun 30 17:00:05 UTC 2017 

Agree w/ Brad.

We try to write (and recommend writing) signatures that can detect various
aspects of threats. In the example eternalblue signature that was shared,
while that has been used recently by ransomware, it is also used by other
threats which are not ransomware such as Adylkuzz.

On Fri, Jun 30, 2017 at 11:34 AM, Brad Woodberg <bwoodberg at proofpoint.com>
wrote:

> Hi Alexis,
>
> It is true that changes to the malware *may* impact detection depending
> on the signature/change, but that’s why we monitor malware continuously and
> will release new signatures if/when this happens.  We also try to
> fingerprint many aspects of the malware/network activity.  Often you will
> see many different signatures trigger on a piece of malware so even with
> some changes you will often still trigger alerts; some malware specific and
> some more generic detection.
>
> Best Regards,
>
> *Brad Woodberg *l Group Product Manager, ETPro, Security Tools
>
> Proofpoint, Inc.
>
> E: bwoodberg at proofpoint.com
>
> [image: id:image001.png at 01D285E1.0101B2B0] <http://www.proofpoint.com/>
>
> threat protection l compliance l archiving & governance l secure
> communication
>
> From: Oisf-users <oisf-users-bounces at lists.openinfosecfoundation.org> on
> behalf of Alexis Fredes Hadad <amfh2408 at gmail.com>
> Date: Friday, June 30, 2017 at 11:48 AM
> To: "oisf countersnipe.com" <oisf at countersnipe.com>
> Cc: "oisf-users at lists.openinfosecfoundation.org" <oisf-users at lists.
> openinfosecfoundation.org>
> Subject: Re: [Oisf-users] Ransomware detection
>
> Hello Amar!
>
> Thanks for your help! I am new at the rules field. I saw that the rule
> looks for binary content. I think that this solution is a temporary one
> because if the ransomware changes, the content changes too, so in that case
> the IDS will not able to detect the new variant. Am I right?
> Besides, I think that use pcre would be a better solution, but for that
> you need the payload of the ransomware. Please tell me if I am wrong. As I
> said before, I am new with these concepts. At present I am trying to create
> a rule for Petrwrap and I only have the hex content.
>
> Thanks,
> Alexis
>
> 2017-06-30 9:03 GMT-03:00 oisf countersnipe.com
> <https://urldefense.proofpoint.com/v2/url?u=http-3A__countersnipe.com&d=DwMFaQ&c=Vxt5e0Osvvt2gflwSlsJ5DmPGcPvTRKLJyp031rXjhg&r=rOVyB9ixExmyqAgEyDnrUtIQ2jlUiP4p_9Yb9cbBi4A&m=2kX3ARm7HHksL0bPeFc9sK94sufrhBbo_bciY3xD6lg&s=uNZ4HQOpFF7XsRFK5fNM7Nap5x5IQqbaErLQWUbR87w&e=>
> <oisf at countersnipe.com>:
>
>> Hi Alexis
>>
>> Suricata in fact is very appropriate tool for ransomware and very
>> effective one too.
>>
>> The rule category you need to look in is trojan-activity and there are
>> thousands of rules in there. Please find below details of one such rule to
>> do with the recent wannacry stuff. I have cut and pasted from a rule
>> manager in order to show you all of the options more clearly.
>>
>> Hope it helps.
>>
>> regards
>>
>> Amar.
>>
>> Summary
>> <https://urldefense.proofpoint.com/v2/url?u=https-3A__demo1.countersnipe.com-3A8443_signature_signature-3Fpage-3Dsummary-26signatureID-3D22541&d=DwMFaQ&c=Vxt5e0Osvvt2gflwSlsJ5DmPGcPvTRKLJyp031rXjhg&r=rOVyB9ixExmyqAgEyDnrUtIQ2jlUiP4p_9Yb9cbBi4A&m=2kX3ARm7HHksL0bPeFc9sK94sufrhBbo_bciY3xD6lg&s=oIgdS6YBhnGcVrpHs4DeyokaRFkTxztZrCkX4DqM5Eg&e=>
>> View
>> <https://urldefense.proofpoint.com/v2/url?u=https-3A__demo1.countersnipe.com-3A8443_signature_signature-3Fpage-3Dview-26signatureID-3D22541&d=DwMFaQ&c=Vxt5e0Osvvt2gflwSlsJ5DmPGcPvTRKLJyp031rXjhg&r=rOVyB9ixExmyqAgEyDnrUtIQ2jlUiP4p_9Yb9cbBi4A&m=2kX3ARm7HHksL0bPeFc9sK94sufrhBbo_bciY3xD6lg&s=UeZp5VsDoqOb8pixpfeljatRXUNNaSo6VcVpEartRrE&e=>
>> Action
>> <https://urldefense.proofpoint.com/v2/url?u=https-3A__demo1.countersnipe.com-3A8443_signature_signature-3Fpage-3Daction-26signatureID-3D22541&d=DwMFaQ&c=Vxt5e0Osvvt2gflwSlsJ5DmPGcPvTRKLJyp031rXjhg&r=rOVyB9ixExmyqAgEyDnrUtIQ2jlUiP4p_9Yb9cbBi4A&m=2kX3ARm7HHksL0bPeFc9sK94sufrhBbo_bciY3xD6lg&s=x8cMvBP0ZHTVkoD-lYx6c_V5zLGZeYjcdMSzH1Ojupg&e=>
>>
>> Suricata Rule: ACTION smb any any -> $HOME_NET any (msg:"ET
>> CURRENT_EVENTS Possible ETERNALBLUE Exploit M3 MS17-010"; sid:2024430;
>> rev:2; classtype:trojan-activity; flow:to_server,established;
>> content:"|ff|SMB|32 00 00 00 00 18 07 c0|"; offset:4; depth:12;
>> content:"|00 00 00 00 00 00 00 00 00 00 00 08 ff fe 00 08|"; distance:2;
>> within:16; fast_pattern; content:"|0f 0c 00 00 10 01 00 00 00 00 00 00 00
>> f2 00 00 00 00 00 0c 00 42 00 00 10 4e 00 01 00 0e 00 0d 10 00|";
>> distance:2; within:34; isdataat:1000,relative; threshold: type both, track
>> by_src, count 10, seconds 1; )
>> Name: ET CURRENT_EVENTS Possible ETERNALBLUE Exploit M3 MS17-010
>> Sid: 2024430
>> Revision: 2
>> Classification: trojan-activity (High)
>> Group: trojan-activity
>> <https://urldefense.proofpoint.com/v2/url?u=https-3A__demo1.countersnipe.com-3A8443_signature_signature-3Faction-3DList-26signatureGroupID-3D52&d=DwMFaQ&c=Vxt5e0Osvvt2gflwSlsJ5DmPGcPvTRKLJyp031rXjhg&r=rOVyB9ixExmyqAgEyDnrUtIQ2jlUiP4p_9Yb9cbBi4A&m=2kX3ARm7HHksL0bPeFc9sK94sufrhBbo_bciY3xD6lg&s=F6k8ULKgPx6CrHb7vwoaRQoQcE0Eu2_qCmHJB1ym-zY&e=>
>> Protocol: smb
>> Source: any
>> Source Port: any
>> Direction: ->
>> Destination: $HOME_NET
>> Destination Port: any
>>
>> On June 29, 2017 at 8:42 PM Alexis Fredes Hadad <amfh2408 at gmail.com>
>> wrote:
>>
>> Hello everyone!
>> I want to know if there is any rule for ransomware detection in Suricata.
>> I know that Suricata is not the more appropiate tool for that kind of
>> malware but I was investigating how to do a rule with pcre. Anyone knows if
>> exist a rule for that? Or a rule set which contain that? At present I am
>> using the free version of Emerging Threats and it has a file of rules for
>> malware but I couldn't find nothing related to ransomware.
>>
>> Thanks,
>> Alexis
>> _______________________________________________
>> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
>> Site: http://suricata-ids.org
>> <https://urldefense.proofpoint.com/v2/url?u=http-3A__suricata-2Dids.org&d=DwMFaQ&c=Vxt5e0Osvvt2gflwSlsJ5DmPGcPvTRKLJyp031rXjhg&r=rOVyB9ixExmyqAgEyDnrUtIQ2jlUiP4p_9Yb9cbBi4A&m=2kX3ARm7HHksL0bPeFc9sK94sufrhBbo_bciY3xD6lg&s=vcnqJ4la2s1BCK7_s3tEJCRZxjhKb2x-1vLpjHkiOq0&e=>
>> | Support: http://suricata-ids.org/support/
>> <https://urldefense.proofpoint.com/v2/url?u=http-3A__suricata-2Dids.org_support_&d=DwMFaQ&c=Vxt5e0Osvvt2gflwSlsJ5DmPGcPvTRKLJyp031rXjhg&r=rOVyB9ixExmyqAgEyDnrUtIQ2jlUiP4p_9Yb9cbBi4A&m=2kX3ARm7HHksL0bPeFc9sK94sufrhBbo_bciY3xD6lg&s=h7s-3xeBql_0l45G21tFV9L9D855ELVtbehi4XuHU9M&e=>
>> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>> <https://urldefense.proofpoint.com/v2/url?u=https-3A__lists.openinfosecfoundation.org_mailman_listinfo_oisf-2Dusers&d=DwMFaQ&c=Vxt5e0Osvvt2gflwSlsJ5DmPGcPvTRKLJyp031rXjhg&r=rOVyB9ixExmyqAgEyDnrUtIQ2jlUiP4p_9Yb9cbBi4A&m=2kX3ARm7HHksL0bPeFc9sK94sufrhBbo_bciY3xD6lg&s=J_avJXDTByqpIAYjnYQlHISuy6LV59Kk7Xpe4RPpNRU&e=>
>>
>>
>
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20170630/4285aa45/attachment-0002.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image001[3].png
Type: image/png
Size: 10805 bytes
Desc: not available
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20170630/4285aa45/attachment-0002.png>

More information about the Oisf-users mailing list