[Oisf-users] Record traffic as soon as a threat is detected

Kevin Ross kevross33 at googlemail.com
Fri Sep 29 15:43:16 UTC 2017


Hi, as well as other suggestions like Moloch for packet capture, you can use
Bro IDS, now just called Bro, at bro.org.

It will create logs on various things, and also, if internal, you can enable
SMB logging. A quick search for "Bro IDS ransomware detection" will find
papers and scripts for ransomware share encryption, lateral movement etc. You
can use Elasticsearch Filebeat to fire them off into Elasticsearch.

It provides excellent info and file extraction, and, with a plugin, extraction
of XOR-obfuscated files of even large key lengths etc. It is a great tool to
support Suricata for extra logging and detection, and has the benefit of
smaller logs while still logging plenty of detail.

On 29 Sep 2017 10:21 a.m., "Jean-Michel Pouré" <jm at poure.com> wrote:

On Thursday, 28 September 2017 at 16:18 -0600, Francis Trudeau wrote:
> For the record, that IP is a true positive:
> https://ransomwaretracker.abuse.ch/ip/209.99.40.222/

Thanks.

I noticed that too. It was 2 days ago. Around 3:00 in the morning, I
had Trojan ransomware onion domain lookups. This looks like a series of
DNS lookups.

This is quite surprising, as my local network is mostly composed of
security devices, including OpenBSD, FreeBSD and some Linux. It could
be a downloading of a ban list followed by DNS queries.

Anyway, even if this is a home network, I need to monitor more closely
what is going on. Detecting threats is not enough. You also need to
analyse the traffic and logs ...

Kind regards,
Kellogs
_______________________________________________
Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users

Conference: https://suricon.net
Trainings: https://suricata-ids.org/training/
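Kevin's reply points at Bro's logs and Jean-Michel describes a night-time series of ransomware .onion domain lookups, so here is an added example of the kind of log analysis the thread calls for. It is not code from the thread, from Bro or from the Suricata project: it reads a Bro `dns.log` in Bro's ASCII format (using the `#fields` header so the column layout does not matter), flags queries for `.onion` names, including ones a resolver has padded with a local search suffix, and flags any host that issues an unusually dense burst of queries. The log excerpt is constructed, the addresses and domain names are placeholders, and the 60-second window and threshold of five queries are arbitrary tuning choices.

```python
"""Scan a Bro (now Zeek) dns.log for .onion lookups and DNS query bursts.

Added example for the oisf-users thread; not code from Bro or Suricata.
The sample log below is constructed and uses placeholder hosts/domains.
"""
from collections import defaultdict

# Column layout modelled on Bro 2.5's dns.log (a subset of its fields).
_FIELDS = ["ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p",
           "proto", "trans_id", "query", "qtype_name", "rcode_name", "answers"]

# Constructed records: one internal host (192.168.1.10) makes six queries in
# a few seconds around 03:00 UTC, three of them for .onion names; a second
# host makes a single ordinary query ~50 minutes later.
_ROWS = [
    ("1506654000.100000", "CjhF1", "192.168.1.10", "51234", "192.168.1.1", "53",
     "udp", "1", "updates.example.com", "A", "NOERROR", "203.0.113.5"),
    ("1506654001.200000", "CjhF2", "192.168.1.10", "51235", "192.168.1.1", "53",
     "udp", "2", "abcdefghijklmnop.onion", "A", "NXDOMAIN", "-"),
    ("1506654001.500000", "CjhF3", "192.168.1.10", "51236", "192.168.1.1", "53",
     "udp", "3", "abcdefghijklmnop.onion.home.test", "A", "NXDOMAIN", "-"),
    ("1506654002.000000", "CjhF4", "192.168.1.10", "51237", "192.168.1.1", "53",
     "udp", "4", "qrstuvwxyz234567.onion", "A", "NXDOMAIN", "-"),
    ("1506654002.300000", "CjhF5", "192.168.1.10", "51238", "192.168.1.1", "53",
     "udp", "5", "pay.example.net", "A", "NOERROR", "203.0.113.6"),
    ("1506654003.100000", "CjhF6", "192.168.1.10", "51239", "192.168.1.1", "53",
     "udp", "6", "cdn.example.org", "A", "NOERROR", "203.0.113.7"),
    ("1506657000.000000", "CjhF7", "192.168.1.20", "40001", "192.168.1.1", "53",
     "udp", "7", "www.example.com", "A", "NOERROR", "203.0.113.8"),
]

# Bro's ASCII writer emits a handful of '#' header lines before the records;
# '#separator' is written with the literal text "\x09" for a tab.
SAMPLE_DNS_LOG = "\n".join(
    ["#separator \\x09", "#set_separator\t,", "#empty_field\t(empty)",
     "#unset_field\t-", "#path\tdns", "#fields\t" + "\t".join(_FIELDS),
     "#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tcount\tstring"
     "\tstring\tstring\tvector[string]"]
    + ["\t".join(row) for row in _ROWS]
    + ["#close\t2017-09-29-03-05-00"]
)


def parse_bro_log(text):
    """Parse a Bro ASCII log into dicts keyed by the names in '#fields'."""
    fields, records = None, []
    for line in text.splitlines():
        if line.startswith("#fields\t"):
            fields = line.split("\t")[1:]
            continue
        if not line or line.startswith("#"):
            continue  # other header/footer lines carry no records
        if fields is None:
            raise ValueError("record seen before #fields header")
        values = [None if v == "-" else v for v in line.split("\t")]
        records.append(dict(zip(fields, values)))
    return records


def is_onion_query(query):
    """True when 'onion' appears as a non-leading label, so that names padded
    with a local search suffix (foo.onion.home.test) are still caught."""
    labels = query.lower().rstrip(".").split(".")
    return "onion" in labels[1:]


def onion_lookups(records):
    """Return (ts, client, query) for every .onion lookup in the log."""
    return [{"ts": float(r["ts"]), "orig_h": r["id.orig_h"], "query": r["query"]}
            for r in records if r.get("query") and is_onion_query(r["query"])]


def query_bursts(records, window_s=60.0, threshold=5):
    """Map client -> largest number of queries seen inside any window_s
    interval, keeping only clients at or above threshold (sliding window)."""
    times = defaultdict(list)
    for r in records:
        times[r["id.orig_h"]].append(float(r["ts"]))
    bursts = {}
    for host, ts in times.items():
        ts.sort()
        best, start = 0, 0
        for end in range(len(ts)):
            while ts[end] - ts[start] > window_s:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            bursts[host] = best
    return bursts


if __name__ == "__main__":
    recs = parse_bro_log(SAMPLE_DNS_LOG)
    for hit in onion_lookups(recs):
        print("onion lookup: %(ts).3f %(orig_h)s -> %(query)s" % hit)
    for host, n in query_bursts(recs).items():
        print("burst: %s issued %d DNS queries within 60 s" % (host, n))
```

Pointed at a real `dns.log` (for example `parse_bro_log(open("dns.log").read())`) the same two functions give a first cut at the "analyse the traffic and logs" step: the `.onion` hits are the same kind of event Jean-Michel saw, and the burst report separates a one-off lookup from the series of queries that a blocklist refresh or a malware beacon would produce, which can then be checked against the `conn.log` and `files.log` Bro writes alongside.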