Re: [ossec-list] Ransomware.
I thought about doing this too. You could look for file extensions as mentioned before. But I struggled on how to make it effective, and then how to test it. To be realistic, I think you'd need a lab with a mirror of your environment (file share, ossec, etc.) and actually run a variant of cryptolocker to see the results. I wasn't convinced that simply alerting on X number of files written within X number of seconds would be effective enough without some tuning and testing. It's a good idea!!! But I think a proper implementation would require lots of time and testing... and I realized it was the last thing on my list to do after employing all the other "best" (good) practices in cryptolocker prevention. In the end, I thought application whitelisting alone would yield a better return. :/

-Brent

On Thursday, June 9, 2016 at 3:27:50 AM UTC-7, Nate wrote:
> Couldn't pass be used to monitor the frequency of files accessed or rewritten on a share via the logs generated from those operations? It might not be foolproof, but if the log shows a single account accessing several files faster than a human might be able to, it could alert, or even block. Maybe I'm missing something.
>
> On Jun 7, 2016 13:58, "Kevin Wilcox" wrote:
>> On 7 June 2016 at 13:29, Eero Volotinen wrote:
>>> Well. This is impossible. There is no way to see difference between normal file access and virus crypting all your files..
>>
>> There are some common extensions for very common ransomware/crypto stuff that you can look for but be prepared for false positives, to add to the extensions list and for the list to change with new iterations of the malware.
>>
>> For example:
>>
>> https://www.reddit.com/r/sysadmin/comments/46361k/list_of_ransomware_extensions_and_known_ransom/
>>
>> You can also do things like script checking the entropy level of files in a directory and generate alerts based on that output. Now, though, we're talking about doing stuff well outside of OSSEC and just having OSSEC send alerts if is or isn't present.
>>
>> One quick-and-easy thing to do is to have a canary directory or file that nobody should ever access. If you see the access time change on the directory, write a file that triggers an alert. If a new file shows in the directory, trigger an alert. If anything in the directory changes, trigger an alert.
>>
>> As you said, the hard part of identifying virus behaviour is that it mimics things we do every day.
>>
>> kmw

--
---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
Re: [ossec-list] Ransomware.
Couldn't pass be used to monitor the frequency of files accessed or rewritten on a share via the logs generated from those operations? It might not be foolproof, but if the log shows a single account accessing several files faster than a human might be able to, it could alert, or even block. Maybe I'm missing something.

On Jun 7, 2016 13:58, "Kevin Wilcox" wrote:
> On 7 June 2016 at 13:29, Eero Volotinen wrote:
>> Well. This is impossible. There is no way to see difference between normal file access and virus crypting all your files..
>
> There are some common extensions for very common ransomware/crypto stuff that you can look for but be prepared for false positives, to add to the extensions list and for the list to change with new iterations of the malware.
>
> For example:
>
> https://www.reddit.com/r/sysadmin/comments/46361k/list_of_ransomware_extensions_and_known_ransom/
>
> You can also do things like script checking the entropy level of files in a directory and generate alerts based on that output. Now, though, we're talking about doing stuff well outside of OSSEC and just having OSSEC send alerts if is or isn't present.
>
> One quick-and-easy thing to do is to have a canary directory or file that nobody should ever access. If you see the access time change on the directory, write a file that triggers an alert. If a new file shows in the directory, trigger an alert. If anything in the directory changes, trigger an alert.
>
> As you said, the hard part of identifying virus behaviour is that it mimics things we do every day.
>
> kmw
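Nate's suggestion above (one account touching files faster than a person would) and Brent's "X files within X seconds" rule both come down to a per-account sliding window over the share's audit log, combined with the extension watch Kevin mentions. The script below is an added example, not code from anyone in this thread. It assumes Samba's vfs_full_audit is writing to syslog with a prefix of user|client ip|client name|share, uses constructed log lines, and uses a placeholder extension (`.example-crypted`) where a real deployment would load a maintained list; the exact operation names (`rename` vs `renameat`) depend on the Samba version, so both are accepted.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Placeholder extension list (constructed for this example). In practice
# populate it from a maintained list and expect to keep updating it as new
# ransomware families appear.
SUSPICIOUS_EXTENSIONS = {".example-crypted"}

# Operations that count as "touching" a file for burst detection. Names vary
# with the Samba version, so both rename spellings are listed.
TOUCH_OPS = {"pwrite", "write", "rename", "renameat"}
RENAME_OPS = {"rename", "renameat"}

# Syslog timestamps carry no year; only time deltas matter here, so assume one.
LOG_YEAR = 2016

# Constructed sample lines in the assumed layout:
#   <syslog header> smbd_audit: user|ip|client|share|op|result|args
SAMPLE_LOG = """\
Jun  7 13:58:01 fs01 smbd_audit: alice|192.0.2.10|WS01|data|pwrite|ok|/srv/data/q1/budget.xlsx
Jun  7 13:58:40 fs01 smbd_audit: alice|192.0.2.10|WS01|data|pwrite|ok|/srv/data/q1/notes.docx
Jun  7 13:59:02 fs01 smbd_audit: bob|192.0.2.11|WS02|data|pwrite|ok|/srv/data/hr/policy.docx
Jun  7 13:59:02 fs01 smbd_audit: bob|192.0.2.11|WS02|data|rename|ok|/srv/data/hr/policy.docx|/srv/data/hr/policy.docx.example-crypted
Jun  7 13:59:03 fs01 smbd_audit: bob|192.0.2.11|WS02|data|pwrite|ok|/srv/data/hr/handbook.pdf
Jun  7 13:59:03 fs01 smbd_audit: bob|192.0.2.11|WS02|data|rename|ok|/srv/data/hr/handbook.pdf|/srv/data/hr/handbook.pdf.example-crypted
Jun  7 13:59:04 fs01 smbd_audit: bob|192.0.2.11|WS02|data|pwrite|ok|/srv/data/hr/org.pptx
Jun  7 13:59:04 fs01 smbd_audit: bob|192.0.2.11|WS02|data|pwrite|ok|/srv/data/hr/salaries.xlsx
Jun  7 13:59:05 fs01 smbd_audit: bob|192.0.2.11|WS02|data|pwrite|ok|/srv/data/hr/README.txt
Jun  7 13:59:05 fs01 smbd_audit: bob|192.0.2.11|WS02|data|pwrite|ok|/srv/data/hr/contracts.docx
Jun  7 14:20:00 fs01 smbd_audit: alice|192.0.2.10|WS01|data|pwrite|ok|/srv/data/q1/budget.xlsx
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ smbd_audit: "
    r"(?P<user>[^|]+)\|(?P<ip>[^|]+)\|(?P<host>[^|]+)\|(?P<share>[^|]+)\|"
    r"(?P<op>[^|]+)\|(?P<result>[^|]+)\|(?P<args>.*)$"
)


def parse_audit_line(line):
    """Parse one audit line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(f"{LOG_YEAR} {ev['ts']}", "%Y %b %d %H:%M:%S")
    ev["paths"] = ev.pop("args").split("|")   # rename carries source|destination
    return ev


def has_suspicious_extension(path, extensions=SUSPICIOUS_EXTENSIONS):
    return path.lower().endswith(tuple(e.lower() for e in extensions))


def detect(lines, window_seconds=60, threshold=5, extensions=SUSPICIOUS_EXTENSIONS):
    """Flag accounts that touch >= threshold distinct files inside the window,
    plus any rename whose destination carries a watched extension."""
    recent = defaultdict(deque)      # (user, ip) -> deque of (ts, path)
    prev_count = defaultdict(int)    # distinct-file count after the previous event
    bursts, renames = [], []
    for line in lines:
        ev = parse_audit_line(line)
        if ev is None or ev["result"] != "ok" or ev["op"] not in TOUCH_OPS:
            continue
        key = (ev["user"], ev["ip"])
        # For a rename the destination is what matters: that is where a
        # re-extensioned copy shows up.
        path = ev["paths"][-1]
        if ev["op"] in RENAME_OPS and has_suspicious_extension(path, extensions):
            renames.append({"user": ev["user"], "ip": ev["ip"], "ts": ev["ts"], "path": path})
        q = recent[key]
        q.append((ev["ts"], path))
        while q and (ev["ts"] - q[0][0]).total_seconds() > window_seconds:
            q.popleft()                          # drop events that aged out of the window
        count = len({p for _, p in q})
        if prev_count[key] < threshold <= count:  # fire once per crossing, not per event
            bursts.append({"user": ev["user"], "ip": ev["ip"], "ts": ev["ts"],
                           "distinct_files": count, "window_seconds": window_seconds})
        prev_count[key] = count
    return {"bursts": bursts, "suspicious_renames": renames}


def scan_sample():
    return detect(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for kind, alerts in scan_sample().items():
        for alert in alerts:
            print(kind, alert)
```

The threshold and window are the knobs Brent says need lab tuning: a build server or a backup job can legitimately touch dozens of files a second, so tune them per share and per account class, and feed the alerts into a log that OSSEC already tails rather than replacing OSSEC's rules.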
Re: [ossec-list] Ransomware.
On 7 June 2016 at 13:29, Eero Volotinen wrote:
> Well. This is impossible. There is no way to see difference between normal file access and virus crypting all your files..

There are some common extensions for very common ransomware/crypto stuff that you can look for but be prepared for false positives, to add to the extensions list and for the list to change with new iterations of the malware.

For example:

https://www.reddit.com/r/sysadmin/comments/46361k/list_of_ransomware_extensions_and_known_ransom/

You can also do things like script checking the entropy level of files in a directory and generate alerts based on that output. Now, though, we're talking about doing stuff well outside of OSSEC and just having OSSEC send alerts if is or isn't present.

One quick-and-easy thing to do is to have a canary directory or file that nobody should ever access. If you see the access time change on the directory, write a file that triggers an alert. If a new file shows in the directory, trigger an alert. If anything in the directory changes, trigger an alert.

As you said, the hard part of identifying virus behaviour is that it mimics things we do every day.

kmw
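Kevin's two out-of-band checks, an entropy scan of a directory and a canary directory that nobody should touch, can both be done in a short script whose output OSSEC then watches. The code below is an added example, not Kevin's or the OSSEC project's. It assumes a threshold of 7.5 bits per byte over the first 64 KiB of a file, a constructed skip list of formats that are compressed anyway (Office documents are zip containers, so an encrypted .docx looks much like a clean one, which is a known blind spot of this check), and a canary directory named `.do-not-touch`. One caveat on Kevin's access-time idea: atime is unreliable on mounts using relatime or noatime, so the canary check here compares directory mtime and per-file content hashes instead.

```python
import hashlib
import math
import os
import tempfile
from collections import Counter

# Formats that are high-entropy by nature; skipped to limit false positives.
# Constructed list for this example; extend it for your own share.
ALREADY_COMPRESSED = {".zip", ".gz", ".7z", ".jpg", ".png", ".mp4",
                      ".docx", ".xlsx", ".pptx", ".pdf"}


def shannon_entropy(data):
    """Bits of entropy per byte, 0.0 for empty input, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def scan_directory(root, threshold=7.5, sample_bytes=65536, min_size=256):
    """Return sorted (path, entropy) pairs for files whose leading bytes look
    like ciphertext. Tiny files are ignored: their entropy estimate is noise."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            if os.path.splitext(name)[1].lower() in ALREADY_COMPRESSED:
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as f:
                data = f.read(sample_bytes)
            e = shannon_entropy(data)
            if len(data) >= min_size and e >= threshold:
                hits.append((path, round(e, 2)))
    return sorted(hits)


def canary_snapshot(canary_dir):
    """Baseline: directory mtime plus a SHA-256 of every file in the canary."""
    files = {}
    for name in sorted(os.listdir(canary_dir)):
        path = os.path.join(canary_dir, name)
        if os.path.isfile(path):
            with open(path, "rb") as f:
                files[name] = hashlib.sha256(f.read()).hexdigest()
    return {"dir_mtime": os.stat(canary_dir).st_mtime_ns, "files": files}


def canary_changed(canary_dir, baseline):
    """Return a list of human-readable reasons; an empty list means untouched."""
    current = canary_snapshot(canary_dir)
    reasons = []
    if current["dir_mtime"] != baseline["dir_mtime"]:
        reasons.append("directory entries changed")
    for name in sorted(set(baseline["files"]) | set(current["files"])):
        if name not in current["files"]:
            reasons.append(f"removed: {name}")
        elif name not in baseline["files"]:
            reasons.append(f"new file: {name}")
        elif current["files"][name] != baseline["files"][name]:
            reasons.append(f"modified: {name}")
    return reasons


def demo():
    """Build a throwaway share in a temp dir, scan it, then tamper with the
    canary and re-check. Everything here is constructed sample data."""
    with tempfile.TemporaryDirectory() as root:
        share = os.path.join(root, "share")
        canary = os.path.join(share, ".do-not-touch")
        os.makedirs(canary)
        with open(os.path.join(share, "memo.txt"), "wb") as f:
            f.write(b"Quarterly memo: nothing unusual to report.\n" * 40)
        with open(os.path.join(share, "notes.txt"), "wb") as f:
            f.write(bytes(range(256)) * 16)        # stands in for ciphertext
        with open(os.path.join(canary, "payroll.txt"), "wb") as f:
            f.write(b"canary\n" * 100)
        hits = [os.path.relpath(p, share) for p, _ in scan_directory(share)]
        baseline = canary_snapshot(canary)
        before = canary_changed(canary, baseline)
        # Simulate what an encryptor does to the canary: overwrite and add a file.
        with open(os.path.join(canary, "payroll.txt"), "wb") as f:
            f.write(bytes(range(256)) * 4)
        with open(os.path.join(canary, "new.tmp"), "wb") as f:
            f.write(b"x")
        after = canary_changed(canary, baseline)
    return {"entropy_hits": hits, "canary_before": before, "canary_after": after}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Run this from cron against the real share with the baseline stored somewhere the share cannot write to, and have it append one line per reason to a log file that OSSEC tails; a simple local rule matching on that line then turns the out-of-band check into a normal OSSEC alert.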
Re: [ossec-list] Ransomware.
Well. This is impossible. There is no way to see difference between normal file access and virus crypting all your files..

Eero

On 7 Jun 2016 at 6:31 PM, "Nate" wrote:
> We currently have samba file servers, which of course log access and whatnot to the samba logs.
>
> I'm curious if I might be able to leverage ossec as a means to detect if a system is attempting to lock up one of our shares due to a ransomware infection.
>
> I could picture a rule that either detected a large amount of access from a single client, or maybe a file name match on different extensions and whatnot. The idea would be to detect this behavior and then block the client before they get a chance to encrypt the share.
>
> Has anyone done something like this? I'm curious if it might be possible.
>
> Thanks!
[ossec-list] Ransomware.
We currently have samba file servers, which of course log access and whatnot to the samba logs.

I'm curious if I might be able to leverage ossec as a means to detect if a system is attempting to lock up one of our shares due to a ransomware infection.

I could picture a rule that either detected a large amount of access from a single client, or maybe a file name match on different extensions and whatnot. The idea would be to detect this behavior and then block the client before they get a chance to encrypt the share.

Has anyone done something like this? I'm curious if it might be possible.

Thanks!