[Oisf-users] Record traffic as soon as a thread is detected
Victor Julien
lists at inliniac.net
Fri Sep 29 16:45:08 UTC 2017
On 29-09-17 18:18, Duane Howard wrote:
> quick hack:
> modify all rules with tag:session,x,[seconds,packets] and write to u2.
Eve supports this now (in 4.0) as well btw. IIRC someone had a script to
turn EVE base64 packets into a pcap again.
Cheers,
Victor
> proper method, fullpcap:
> https://github.com/google/stenographer
>
>
> On Fri, Sep 29, 2017 at 8:43 AM, Kevin Ross <kevross33 at googlemail.com> wrote:
>
> Hi, as well as other suggestions like Moloch for packet capture you
> can use Bro IDS, now just called Bro, at bro.org.
>
> It will create logs on various things, and also, if internal, you can
> enable SMB logging; a quick search for "bro ids ransomware and
> detection" will find papers and scripts for ransomware share
> encryption, lateral movement etc. You can use Elasticsearch Filebeat
> to fire them off into Elasticsearch.
>
> It provides excellent info and file extraction, and with a plugin, XOR
> obfuscated files too, even of large key lengths etc. It is a great tool
> to support Suricata for extra logging and detection, with the benefit
> of smaller logs while still logging plenty of detail.
>
> On 29 Sep 2017 10:21 a.m., "Jean-Michel Pouré" <jm at poure.com> wrote:
>
> On Thursday 28 September 2017 at 16:18 -0600, Francis Trudeau wrote:
> > For the record, that IP is a true positive:
> > https://ransomwaretracker.abuse.ch/ip/209.99.40.222/
>
> Thanks.
>
> I noticed that too. It was 2 days ago. Around 3:00 in the morning, I
> had Trojan ransomware onion domain lookups. This looks like a series of
> DNS lookups.
>
> This is quite surprising, as my local network is mostly composed of
> security devices, including OpenBSD, FreeBSD and some Linux. It could
> be a downloading of a ban list followed by DNS queries.
>
> Anyway, even if this is a home network, I need to monitor more closely
> what is going on. Detecting threats is not enough. You also need to
> analyse the traffic and logs ...
>
> Kind regards,
> Kellogs
> _______________________________________________
> Suricata IDS Users mailing list:
> oisf-users at openinfosecfoundation.org
> <mailto:oisf-users at openinfosecfoundation.org>
> Site: http://suricata-ids.org | Support:
> http://suricata-ids.org/support/ <http://suricata-ids.org/support/>
> List:
> https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> <https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users>
>
> Conference: https://suricon.net
> Trainings: https://suricata-ids.org/training/
> <https://suricata-ids.org/training/>
>
--
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
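Victor mentions that EVE (since 4.0) can carry the triggering packet as base64 and that someone had a script to turn those back into a pcap. The converter below is an added example written for this page; it is not that script, nor code from the Suricata project. It assumes the EVE alert fields "timestamp", "packet" (base64 of the captured frame) and "packet_info.linktype", as written when packet logging is enabled for the eve-log alert output, and it embeds a constructed sample (a hand-built Ethernet/IPv4/UDP frame with zeroed checksums) so it runs offline. Records without a "packet" field (dns, flow, http ...) are skipped, and because a pcap file has one link type, packets whose link type differs from the first one are dropped rather than written into a file tools could not parse.

```python
"""Rebuild a pcap from the base64 'packet' field of Suricata EVE alert records.

Added example, not the script referred to on the list. Assumes the EVE alert
fields 'timestamp', 'packet' and 'packet_info.linktype' as produced when
packet logging is enabled in the eve-log alert output.
"""
import base64
import calendar
import json
import struct
from datetime import datetime

PCAP_MAGIC = 0xA1B2C3D4   # classic libpcap file header, microsecond timestamps
PCAP_SNAPLEN = 65535
DLT_EN10MB = 1            # Ethernet link type


def parse_eve_timestamp(ts):
    """EVE timestamps look like 2017-09-29T03:00:12.123456+0200.
    Returns (seconds since the epoch in UTC, microseconds)."""
    dt = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%f%z")
    return calendar.timegm(dt.utctimetuple()), dt.microsecond


def eve_packets(lines):
    """Yield (sec, usec, linktype, frame_bytes) for every EVE record carrying a packet.
    Records without a 'packet' field (flow, dns, http, ...) are skipped."""
    for line in lines:
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        if "packet" not in rec:
            continue
        linktype = rec.get("packet_info", {}).get("linktype", DLT_EN10MB)
        sec, usec = parse_eve_timestamp(rec["timestamp"])
        yield sec, usec, linktype, base64.b64decode(rec["packet"])


def eve_to_pcap(lines):
    """Build pcap file bytes from EVE JSON lines.
    A pcap file has a single link type, so the first packet's link type is used
    and packets of any other link type are dropped.
    Returns (pcap_bytes, packets_written)."""
    records = list(eve_packets(lines))
    if not records:
        return b"", 0
    linktype = records[0][2]
    # global header: magic, major, minor, thiszone, sigfigs, snaplen, linktype
    out = bytearray(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, PCAP_SNAPLEN, linktype))
    written = 0
    for sec, usec, lt, frame in records:
        if lt != linktype:
            continue
        # record header: ts_sec, ts_usec, incl_len, orig_len, then the frame
        out += struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame
        written += 1
    return bytes(out), written


def _constructed_frame():
    """Constructed Ethernet/IPv4/UDP frame (zeroed checksums) standing in for a
    captured DNS query; only used to build the sample input below."""
    eth = bytes.fromhex("0011223344550066778899aa0800")      # dst, src, EtherType IPv4
    payload = b"\x00" * 8
    udp = struct.pack("!HHHH", 40000, 53, 8 + len(payload), 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp) + len(payload),
                     0, 0, 64, 17, 0, bytes([10, 0, 0, 5]), bytes([10, 0, 0, 53]))
    return eth + ip + udp + payload


# Constructed sample EVE lines: one alert with a packet, one dns record without.
SAMPLE_EVE_LINES = [
    json.dumps({"timestamp": "2017-09-29T03:00:12.123456+0200", "event_type": "alert",
                "src_ip": "10.0.0.5", "dest_ip": "10.0.0.53", "proto": "UDP",
                "alert": {"signature": "constructed sample signature", "signature_id": 1},
                "packet": base64.b64encode(_constructed_frame()).decode(),
                "packet_info": {"linktype": DLT_EN10MB}}),
    json.dumps({"timestamp": "2017-09-29T03:00:12.123789+0200", "event_type": "dns",
                "dns": {"type": "query", "rrname": "example.invalid"}}),
]

if __name__ == "__main__":
    pcap, n = eve_to_pcap(SAMPLE_EVE_LINES)
    with open("eve_packets.pcap", "wb") as fh:
        fh.write(pcap)
    print("wrote %d packet(s), %d bytes" % (n, len(pcap)))
```

Run against a real eve.json by replacing SAMPLE_EVE_LINES with the file's lines; the resulting file opens in any pcap reader. Timestamps are converted to UTC before being written, so packets from sensors in different zones line up when merged.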