[Oisf-users] Record traffic as soon as a threat is detected

Duane Howard duane.security at gmail.com
Fri Sep 29 16:18:32 UTC 2017


quick hack:
modify all rules with tag:session,x,[seconds,packets] and write to u2.

proper method, fullpcap:
https://github.com/google/stenographer


On Fri, Sep 29, 2017 at 8:43 AM, Kevin Ross <kevross33 at googlemail.com>
wrote:

> Hi, as well as other suggestions like moloch for packet capture you can
> use bro ids now just called bro at bro.org.
>
> It will create logs on various things and also, if internal, you can enable
> smb logging, and a quick search for bro ids ransomware and detection and you
> will find papers and scripts for ransomware share encryption, lateral
> movement etc. You can use elastic search filebeat to fire them off into
> elasticsearch.
>
> It provides excellent info, file extraction and, with a plugin, xor
> obfuscated files too, of even large key lengths etc. It is a great tool to
> support suricata for extra logging and detection but has the benefit of smaller
> logs while logging plenty of detail.
>
> On 29 Sep 2017 10:21 a.m., "Jean-Michel Pouré" <jm at poure.com> wrote:
>
> On Thursday, 28 September 2017 at 16:18 -0600, Francis Trudeau wrote:
> > For the record, that IP is a true positive:
> > https://ransomwaretracker.abuse.ch/ip/209.99.40.222/
>
> Thanks.
>
> I noticed that too. It was 2 days ago. Around 3:00 in the morning, I
> had Trojan ransomware onion domain lookups. This looks like a series of
> DNS lookups.
>
> This is quite surprising, as my local network is mostly composed of
> security devices, including OpenBSD, FreeBSD and some Linux. It could
> be a downloading of a ban list followed by DNS queries.
>
> Anyway, even if this is a home network, I need to monitor more closely
> what is going on. Detecting threats is not enough. You also need to
> analyse the traffic and logs ...
>
> Kind regards,
> Kellogs
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>
> Conference: https://suricon.net
> Trainings: https://suricata-ids.org/training/
>
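The "quick hack" at the top of the thread (append a `tag` option to every rule so a match keeps recording the rest of the session) can be scripted rather than done by hand. The following is an added example, not code from the post or from the Suricata project. It assumes Suricata's documented tag syntax, `tag:session,<count>,<packets|seconds>;`, and that the tagged packets are then emitted by whatever packet-logging output (unified2 or EVE/pcap-log) is configured in `suricata.yaml`; the sample rules are constructed for the demonstration.

```python
"""Append `tag:session,<count>,<metric>;` to every active Suricata rule in a
rules file, so that each alert also records the remainder of that session.

Added example; assumes Suricata's tag keyword syntax (tag:session,N,seconds
or tag:session,N,packets). The rules below are constructed samples.
"""
import re

# An active rule starts with an action keyword; "#alert ..." is disabled.
_ACTIVE_RULE = re.compile(r"^\s*(alert|drop|reject)\s+")
# An existing tag option inside the option block: "tag:" at the start of an
# option (after ';'). A literal "tag:" inside a quoted msg is not matched
# because it is not preceded by ';'.
_HAS_TAG = re.compile(r"(?:^|;)\s*tag\s*:")

# Constructed sample ruleset (sids in the local 9,000,000 range).
SAMPLE_RULES = """\
# constructed sample rules, not from any real ruleset
#alert ip any any -> any any (msg:"disabled rule"; sid:9000000; rev:1;)
alert dns any any -> any any (msg:"constructed onion lookup"; dns.query; content:".onion"; sid:9000001; rev:1;)
alert ip $HOME_NET any -> $EXTERNAL_NET any (msg:"constructed tracker hit"; sid:9000002; rev:1;)
alert http any any -> any any (msg:"already tagged"; tag:host,100,packets,src; sid:9000003; rev:1;)
"""


def add_session_tag(rule: str, count: int = 60, metric: str = "seconds") -> str:
    """Return `rule` with a session tag added before the closing ')'.

    Comments, blank lines, disabled rules, rules without a well-formed option
    block, and rules that already carry a tag are returned unchanged.
    """
    if metric not in ("packets", "seconds"):
        raise ValueError("metric must be 'packets' or 'seconds'")
    if count <= 0:
        raise ValueError("count must be positive")

    body = rule.rstrip("\r\n")
    newline = rule[len(body):]          # preserve the original line ending
    if not _ACTIVE_RULE.match(body):
        return rule
    open_idx, close_idx = body.find("("), body.rfind(")")
    if open_idx == -1 or close_idx == -1 or close_idx < open_idx:
        return rule                     # no option block: leave it alone
    opts = body[open_idx + 1:close_idx]
    if _HAS_TAG.search(opts):
        return rule                     # do not stack a second tag

    tag = f" tag:session,{count},{metric};"
    return body[:close_idx].rstrip() + tag + body[close_idx:] + newline


def tag_rules(text: str, count: int = 60, metric: str = "seconds"):
    """Tag every active rule in `text`; return (new_text, number_of_rules_tagged)."""
    out_lines, changed = [], 0
    for line in text.splitlines(keepends=True):
        new = add_session_tag(line, count, metric)
        changed += new != line
        out_lines.append(new)
    return "".join(out_lines), changed


if __name__ == "__main__":
    tagged, n = tag_rules(SAMPLE_RULES)
    print(f"{n} rules tagged")
    print(tagged)
```

Run it over a real rules file with `tag_rules(open(path).read())` and write the result to a separate file that Suricata loads; keeping the untagged originals makes it easy to back the change out, and the `count` value is the knob for how much post-alert traffic is retained per session.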