[Oisf-users] Ransomware detection

amar countersnipe.com amar at countersnipe.com
Fri Jun 30 18:17:23 UTC 2017


Hi Alexis

It's all about keeping ahead, in fact keeping up, with the game really.

You are right about the temporary point. In the commercial world what really happens is that businesses will have some sort of regular feed of rules and a mechanism for managing and enabling them. With that in place they can rely on the provider to push new rules out in line with the content changes you refer to. You will often find many rules for exactly the same problem with very slight variants. Therefore, in most cases, that maintains the security or protection from a changing attack. Of course awareness of such change is the key to getting new signatures out.

I am not an expert at writing rules, but I would agree with your point about the payload too. Here are a couple of links for you to get some more info from:

http://doc.emergingthreats.net/bin/view/Main/SuricataSnortSigs101

http://manual-snort-org.s3-website-us-east-1.amazonaws.com/node32.html

You may already have come across them.

Since you say you are new with these concepts, I am assuming you really do want to learn to "make the bread rather than someone else making it for you", so good luck with your rule writing and do please share your creations.

regards

Amar

> On June 30, 2017 at 11:48 AM Alexis Fredes Hadad <amfh2408 at gmail.com> wrote:
> 
>     Hello Amar!
> 
>     Thanks for your help! I am new at the rules field. I saw that the rule looks for binary content. I think that this solution is a temporary one because if the ransomware changes, the content changes too, so in that case the IDS will not be able to detect the new variant. Am I right?
>     Besides, I think that using pcre would be a better solution, but for that you need the payload of the ransomware. Please tell me if I am wrong. As I said before, I am new with these concepts. At present I am trying to create a rule for Petrwrap and I only have the hex content.
> 
>     Thanks,
>     Alexis
> 
>     2017-06-30 9:03 GMT-03:00 oisf at countersnipe.com <oisf at countersnipe.com>:
> 
> >         Hi Alexis
> > 
> >         Suricata is in fact a very appropriate tool for ransomware, and a very effective one too.
> > 
> >         The rule category you need to look in is trojan-activity and there are thousands of rules in there. Please find below details of one such rule to do with the recent wannacry stuff. I have cut and pasted from a rule manager in order to show you all of the options more clearly.
> > 
> >         Hope it helps.
> > 
> >         regards
> > 
> >         Amar.
> > 
> > 
> > 
> >         Suricata Rule: ACTION smb any any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible ETERNALBLUE Exploit M3 MS17-010"; sid:2024430; rev:2; classtype:trojan-activity; flow:to_server,established; content:"|ff|SMB|32 00 00 00 00 18 07 c0|"; offset:4; depth:12; content:"|00 00 00 00 00 00 00 00 00 00 00 08 ff fe 00 08|"; distance:2; within:16; fast_pattern; content:"|0f 0c 00 00 10 01 00 00 00 00 00 00 00 f2 00 00 00 00 00 0c 00 42 00 00 10 4e 00 01 00 0e 00 0d 10 00|"; distance:2; within:34; isdataat:1000,relative; threshold: type both, track by_src, count 10, seconds 1; )
> > 
> >         Name: ET CURRENT_EVENTS Possible ETERNALBLUE Exploit M3 MS17-010
> >         Sid: 2024430
> >         Revision: 2
> >         Classification: trojan-activity (High)
> >         Group: trojan-activity
> >         Protocol: smb
> >         Source: any
> >         Source Port: any
> >         Direction: ->
> >         Destination: $HOME_NET
> >         Destination Port: any
> > 
> > >             On June 29, 2017 at 8:42 PM Alexis Fredes Hadad <amfh2408 at gmail.com> wrote:
> > > 
> > >             Hello everyone!
> > >             I want to know if there is any rule for ransomware detection in Suricata. I know that Suricata is not the most appropriate tool for that kind of malware, but I was investigating how to do a rule with pcre. Does anyone know if a rule exists for that? Or a rule set which contains that? At present I am using the free version of Emerging Threats and it has a file of rules for malware, but I couldn't find anything related to ransomware.
> > > 
> > >             Thanks,
> > >             Alexis
> > >             _______________________________________________
> > >             Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> > >             Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> > >             List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> > > 
> 


Kind regards

Amar Rathore

CounterSnipe Systems LLC
Tel: +1 617 701 7213
Mobile: +44 (0) 7876 233333
Skype ID: amarrathore
Web: www.countersnipe.com <http://www.countersnipe.com/>


This message contains confidential information and is intended only for the individual named. If you are not the named addressee you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system.

E-mail transmission cannot be guaranteed to be secure or error-free as information could be intercepted, corrupted, lost, destroyed, arrive late or incomplete, or contain viruses. The sender therefore does not accept liability for any errors or omissions.
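A small evaluator of the content / offset / depth / distance / within / isdataat chain used by the ET rule quoted in this thread, run over a constructed SMB-like buffer, to show how the relative modifiers chain and why a single changed byte in a variant defeats a content-only signature (the "temporary" point raised above). This is an added example, not code from the thread or from Suricata; the window semantics and the isdataat boundary are written as assumptions, and flow, fast_pattern and threshold are not modelled.

```python
# The three content matches of the quoted ET rule (sid 2024430), as raw bytes.
C1 = bytes.fromhex("ff") + b"SMB" + bytes.fromhex("32 00 00 00 00 18 07 c0")
C2 = bytes.fromhex("00 00 00 00 00 00 00 00 00 00 00 08 ff fe 00 08")
C3 = bytes.fromhex("0f 0c 00 00 10 01 00 00 00 00 00 00 00 f2 00 00 00 00 00 "
                   "0c 00 42 00 00 10 4e 00 01 00 0e 00 0d 10 00")

# The rule's content chain as (content, modifiers); flow, fast_pattern and threshold are not modelled.
RULE = [
    (C1, {"offset": 4, "depth": 12}),
    (C2, {"distance": 2, "within": 16}),
    (C3, {"distance": 2, "within": 34, "isdataat": 1000}),
]

def match_rule(payload: bytes, chain=RULE) -> bool:
    """True when every content in the chain matches, in order, inside its window."""
    prev_end = 0
    for content, mods in chain:
        if "distance" in mods or "within" in mods:
            # Relative modifiers: window starts `distance` bytes after the previous
            # match and spans `within` bytes from there (assumed semantics).
            start = prev_end + mods.get("distance", 0)
            end = start + mods["within"] if "within" in mods else len(payload)
        else:
            # Absolute modifiers: window is [offset, offset + depth).
            start = mods.get("offset", 0)
            end = start + mods["depth"] if "depth" in mods else len(payload)
        pos = payload.find(content, start, end)  # whole content must lie in the window
        if pos < 0:
            return False
        prev_end = pos + len(content)
        # isdataat:N,relative: at least N bytes must follow the match (boundary assumed).
        if "isdataat" in mods and len(payload) < prev_end + mods["isdataat"]:
            return False
    return True

def build_sample(mutate: bool = False) -> bytes:
    """Constructed buffer: 4-byte NetBIOS header, C1 at offset 4, 2 filler bytes,
    C2, 2 filler bytes, C3, then padding so isdataat:1000 holds."""
    buf = b"\x00\x00\x00\x00" + C1 + b"\x11\x22" + C2 + b"\x33\x44" + C3
    if mutate:  # a "variant" that differs in one byte inside the fast_pattern content
        i = 4 + len(C1) + 2 + 11
        buf = buf[:i] + b"\x09" + buf[i + 1:]
    return buf + b"\x00" * 1100

if __name__ == "__main__":
    print("original :", match_rule(build_sample()))             # True
    print("variant  :", match_rule(build_sample(mutate=True)))  # False
    print("truncated:", match_rule(build_sample()[:500]))       # False
```

The truncated case shows isdataat:1000 doing its job: all three contents match but too little data follows, so the rule does not fire.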