Re: [ossec-list] Ransomware.

2016-06-14 Thread Brent Morris
I thought about doing this too.  You could look for file extensions as 
mentioned before.

But I struggled on how to make it effective, and then how to test it.  To 
be realistic, I think you'd need a lab with a mirror of your environment 
(file share, ossec, etc) and actually run a variant of cryptolocker to see 
the results.  I wasn't convinced that simply alerting on X number of files 
written within X number of seconds would be effective enough without some 
tuning and testing.

It's a good idea!!!  But I think a proper implementation would require lots 
of time and testing... and I realized it was the last thing on my list to 
do after employing all the other "best" (good) practices in cryptolocker 
prevention.

In the end, I thought application whitelisting alone would yield a better 
return. :/

-Brent



On Thursday, June 9, 2016 at 3:27:50 AM UTC-7, Nate wrote:
>
> Couldn't pass be used to monitor the frequency of files accessed or 
> rewritten on a share via the logs generated from those operations?  It 
> might not be foolproof, but if the log shows a single account accessing 
> several files faster than a human might be able to, it could alert, or even 
> block. Maybe I'm missing something.  

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


Re: [ossec-list] Ransomware.

2016-06-09 Thread Nate
Couldn't pass be used to monitor the frequency of files accessed or
rewritten on a share via the logs generated from those operations?  It
might not be foolproof, but if the log shows a single account accessing
several files faster than a human might be able to, it could alert, or even
block. Maybe I'm missing something.
On Jun 7, 2016 13:58, "Kevin Wilcox" wrote:

> On 7 June 2016 at 13:29, Eero Volotinen wrote:
>
> > Well. This is impossible. There is no way to see the difference between
> > normal file access and a virus encrypting all your files.
>
> There are some common extensions for very common ransomware/crypto
> stuff that you can look for, but be prepared for false positives, for
> adding to the extensions list, and for the list to change with new
> iterations of the malware.
>
> For example:
>
>
> https://www.reddit.com/r/sysadmin/comments/46361k/list_of_ransomware_extensions_and_known_ransom/
>
> You can also do things like script checking the entropy level of files
> in a directory and generate alerts based on that output. Now, though,
> we're talking about doing stuff well outside of OSSEC and just having
> OSSEC send alerts if  is or isn't present.
>
> One quick-and-easy thing to do is to have a canary directory or file
> that nobody should ever access. If you see the access time change on
> the directory, write a file that triggers an alert. If a new file
> shows in the directory, trigger an alert. If anything in the directory
> changes, trigger an alert.
>
> As you said, the hard part of identifying virus behaviour is that it
> mimics things we do every day.
>
> kmw
>



Re: [ossec-list] Ransomware.

2016-06-07 Thread Kevin Wilcox
On 7 June 2016 at 13:29, Eero Volotinen wrote:

> Well. This is impossible. There is no way to see the difference between normal
> file access and a virus encrypting all your files.

There are some common extensions for very common ransomware/crypto
stuff that you can look for, but be prepared for false positives, for
adding to the extensions list, and for the list to change with new
iterations of the malware.

For example:

https://www.reddit.com/r/sysadmin/comments/46361k/list_of_ransomware_extensions_and_known_ransom/

You can also do things like script checking the entropy level of files
in a directory and generate alerts based on that output. Now, though,
we're talking about doing stuff well outside of OSSEC and just having
OSSEC send alerts if  is or isn't present.

One quick-and-easy thing to do is to have a canary directory or file
that nobody should ever access. If you see the access time change on
the directory, write a file that triggers an alert. If a new file
shows in the directory, trigger an alert. If anything in the directory
changes, trigger an alert.

As you said, the hard part of identifying virus behaviour is that it
mimics things we do every day.

kmw

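One way to wire up the canary directory Kevin describes, as an added example that is not from the thread and not OSSEC's own sample configuration. It uses OSSEC's built-in syscheck rules 550 (checksum changed), 553 (file deleted) and 554 (file added); the share path /srv/share/.canary, the rule id 100200 and the alert level are assumptions for illustration.

```xml
<!-- ossec.conf fragment (agent on the Samba host): watch the canary tree in real time.
     Path is an assumption; pick a directory nothing legitimate ever touches. -->
<ossec_config>
  <syscheck>
    <directories realtime="yes" report_changes="yes" check_all="yes">/srv/share/.canary</directories>
    <!-- rule 554 only fires when new-file alerting is switched on -->
    <alert_new_files>yes</alert_new_files>
  </syscheck>
</ossec_config>

<!-- local_rules.xml: raise any syscheck event under the canary path to a high level.
     Rule id 100200 is an assumption; local rules live in the 100000+ range. -->
<group name="local,syscheck,">
  <rule id="100200" level="12">
    <if_sid>550,553,554</if_sid>
    <match>/srv/share/.canary</match>
    <description>Canary directory touched: possible ransomware activity on the share</description>
    <options>alert_by_email</options>
  </rule>
</group>
```

Two caveats: realtime syscheck needs inotify support on the agent, otherwise you are limited to the periodic scan interval; and syscheck only sees creates, content changes and deletes, not a plain read, so the "access time changed" variant in the post needs the Samba audit log rather than syscheck.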


Re: [ossec-list] Ransomware.

2016-06-07 Thread Eero Volotinen
Well. This is impossible. There is no way to see the difference between normal
file access and a virus encrypting all your files.

Eero
On 7 Jun 2016 at 6:31 PM, "Nate" wrote:

> We currently have samba file servers, which of course log access and
> whatnot to the samba logs.
>
> I'm curious if I might be able to leverage ossec as a means to detect if a
> system is attempting to lock up one of our shares due to a ransomware
> infection.
>
> I could picture a rule that either detected a large amount of access from
> a single client, or maybe a file name match on different extensions and
> whatnot.  The idea would be to detect this behavior and then block the
> client before they get a chance to encrypt the share.
>
> Has anyone done something like this?  I'm curious if it might be possible.
>
>
> Thanks!
>



[ossec-list] Ransomware.

2016-06-07 Thread Nate
We currently have samba file servers, which of course log access and
whatnot to the samba logs.

I'm curious if I might be able to leverage ossec as a means to detect if a
system is attempting to lock up one of our shares due to a ransomware
infection.

I could picture a rule that either detected a large amount of access from a
single client, or maybe a file name match on different extensions and
whatnot.  The idea would be to detect this behavior and then block the
client before they get a chance to encrypt the share.

Has anyone done something like this?  I'm curious if it might be possible.


Thanks!

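An added example, not code from anyone in the thread or from OSSEC, showing the detection logic the thread circles around run over Samba audit lines: Nate's "large amount of access from a single client" and Brent's "X files in X seconds" as a sliding-window burst count per client, Kevin's extension list as a match on the target of each write-type operation, and Kevin's entropy check as a separate function over file bytes. It assumes smb.conf loads vfs_full_audit with the prefix `%u|%I|%m|%S`, so each syslog line reads `smbd_audit: user|ip|machine|share|op|result|args...`; the sample lines are constructed, and the extension set is an illustrative starter that an operator would have to keep current.

```python
#!/usr/bin/env python3
"""Ransomware heuristics over Samba vfs_full_audit lines plus an entropy check.

Assumptions (not taken from the thread):
  * full_audit:prefix = %u|%I|%m|%S, giving  smbd_audit: user|ip|machine|share|op|result|args...
  * rename args are old|new; pwrite/unlink args start with the path.
  * SAMPLE_LOG below is constructed, not captured from a real server.
"""
import math
import re
from collections import defaultdict, deque
from datetime import datetime

# Illustrative starter list (2016-era families); maintain it yourself.
RANSOM_EXTS = {".locky", ".zepto", ".cerber", ".micro", ".encrypted", ".crypt"}
# Only data-modifying ops count toward a burst: reads look like backups or AV scans.
WRITE_OPS = {"pwrite", "write", "rename", "unlink"}

LINE_RE = re.compile(r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ smbd_audit: (?P<payload>.+)$")


def parse_line(line):
    """Return a dict for a full_audit syslog line, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = m.group("payload").split("|")
    if len(fields) < 6:
        return None
    ts = datetime.strptime(re.sub(r"\s+", " ", m.group("ts")), "%b %d %H:%M:%S")
    user, ip, machine, share, op, result, *args = fields
    return {"ts": ts, "user": user, "ip": ip, "machine": machine,
            "share": share, "op": op, "ok": result == "ok", "args": args}


def target_path(ev):
    """Path a write-type op lands on: the new name for rename, else the first arg."""
    if not ev["args"]:
        return ""
    return ev["args"][-1] if ev["op"] == "rename" else ev["args"][0]


def analyze(lines, window_seconds=60, burst_threshold=20):
    """Single pass over audit lines; returns (kind, user, ip, detail) tuples.

    kind "extension": a successful write-type op produced a known ransomware extension.
    kind "burst": one user+ip did >= burst_threshold write-type ops inside the
    window; reported once per client, when the threshold is first crossed.
    """
    alerts = []
    recent = defaultdict(deque)      # (user, ip) -> timestamps of write ops in window
    burst_reported = set()
    for line in lines:
        ev = parse_line(line)
        if ev is None or not ev["ok"] or ev["op"] not in WRITE_OPS:
            continue
        client = (ev["user"], ev["ip"])
        path = target_path(ev)
        ext = ("." + path.rsplit(".", 1)[-1].lower()) if "." in path else ""
        if ext in RANSOM_EXTS:
            alerts.append(("extension", ev["user"], ev["ip"], path))
        q = recent[client]
        q.append(ev["ts"])
        while (ev["ts"] - q[0]).total_seconds() > window_seconds:
            q.popleft()           # drop events that fell out of the sliding window
        if len(q) >= burst_threshold and client not in burst_reported:
            burst_reported.add(client)
            alerts.append(("burst", ev["user"], ev["ip"],
                           f"{len(q)} write ops in {window_seconds}s"))
    return alerts


def shannon_entropy(data):
    """Bits per byte of data: plain text is roughly 4-5, encrypted output is close to 8."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


# Constructed sample: alice works normally, bob renames 25 files to .locky in 25 seconds.
SAMPLE_LOG = [
    "Jun  7 13:58:00 fs01 smbd_audit: alice|10.0.0.5|ws-alice|docs|open|ok|r|q2/budget.xlsx",
    "Jun  7 13:58:01 fs01 smbd_audit: alice|10.0.0.5|ws-alice|docs|pwrite|ok|q2/budget.xlsx|0|4096",
    "Jun  7 13:59:30 fs01 smbd_audit: alice|10.0.0.5|ws-alice|docs|rename|ok|q2/draft.docx|q2/final.docx",
] + [
    f"Jun  7 14:00:{i:02d} fs01 smbd_audit: bob|10.0.0.9|ws-bob|docs|rename|ok|q2/f{i}.docx|q2/f{i}.docx.locky"
    for i in range(25)
]

if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```

Feeding the real `/var/log/samba/audit.log` to `analyze` gives the tuning loop Brent asks for: run it over a day of normal traffic, look at the burst sizes that legitimate jobs (backups, sync clients, a user copying a tree) produce, and set `burst_threshold` and `window_seconds` above them before turning on any blocking response.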