Can Security Onion (Snort) detect a file based on the MD5 hash?


JoeJustice

Nov 26, 2014, 10:57:43 AM
to securit...@googlegroups.com
I am looking to build a rule to detect the new Regin virus and I don't believe ET has released a rule for it yet. Maybe I am wrong here.

As part of the white paper these MD5s were listed as files associated with the compromise. Could I write a rule to detect these hashes?


David Vasil

Nov 26, 2014, 11:59:35 AM
to securit...@googlegroups.com
The Bro intel framework is a better option for this type of task in my opinion.

-dave

Heine Lysemose

Nov 26, 2014, 12:03:27 PM
to securit...@googlegroups.com

+1 for Bro

--
You received this message because you are subscribed to the Google Groups "security-onion" group.
To unsubscribe from this group and stop receiving emails from it, send an email to security-onio...@googlegroups.com.
To post to this group, send email to securit...@googlegroups.com.
Visit this group at http://groups.google.com/group/security-onion.
For more options, visit https://groups.google.com/d/optout.

Garanews

Nov 26, 2014, 12:08:11 PM
to securit...@googlegroups.com
Hello,
I also suggest Bro.
Have a look here:

https://github.com/sethhall/bro-apt1

You can reuse this module and add the MD5s you need.
Andrea



Doug Burks

Nov 26, 2014, 2:33:02 PM
to securit...@googlegroups.com
Also see:
http://blog.securityonion.net/2014/09/new-securityonion-bro-scripts.html

"securityonion-bro-scripts also creates a new directory called
/opt/bro/share/bro/intel/ that makes it easy for you to add intel to
the Bro Intel framework."



--
Doug Burks
Need Security Onion Training or Commercial Support?
http://securityonionsolutions.com
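Since the thread points at the Bro Intel framework and the /opt/bro/share/bro/intel/ directory rather than a Snort rule, here is an added example (not from the thread, Security Onion or the bro-apt1 module) that renders a list of file hashes as an Intel framework feed and emits the Bro loader that reads it. The sample hashes, the feed file name and the `regin.intel` path are constructed placeholders; the feed uses the `Intel::FILE_HASH` type and the `meta.do_notice` column that the stock `do_notice` policy script keys on.

```python
"""Build a Bro Intel framework feed of file hashes plus a loader script."""
import re

# The Intel framework reads tab-separated files with this exact header line;
# empty metadata is written as "-". meta.do_notice=T is what do_notice.bro
# checks before raising Intel::Notice on a hit.
INTEL_FIELDS = ("indicator", "indicator_type", "meta.source",
                "meta.desc", "meta.url", "meta.do_notice")

# Hex-digest lengths the file_hash event can report (md5, sha1, sha256).
HASH_LENGTHS = {32: "md5", 40: "sha1", 64: "sha256"}

def classify_hash(value: str) -> str:
    """Return the digest kind for a hex hash, raising on anything malformed."""
    h = value.strip().lower()
    if not re.fullmatch(r"[0-9a-f]+", h) or len(h) not in HASH_LENGTHS:
        raise ValueError(f"not an md5/sha1/sha256 hex digest: {value!r}")
    return HASH_LENGTHS[len(h)]

def build_intel_file(hashes, source, desc="-", url="-") -> str:
    """Render the hashes as Intel::FILE_HASH rows in the Intel feed format."""
    rows = ["#fields\t" + "\t".join(INTEL_FIELDS)]
    seen = set()
    for value in hashes:
        classify_hash(value)          # reject bad data before Bro chokes on it
        h = value.strip().lower()     # Bro reports digests as lowercase hex
        if h in seen:                 # a duplicate row adds nothing to the feed
            continue
        seen.add(h)
        # A literal tab inside metadata would shift the columns, so flatten it.
        meta = [m.replace("\t", " ") or "-" for m in (source, desc, url)]
        rows.append("\t".join([h, "Intel::FILE_HASH", *meta, "T"]))
    return "\n".join(rows) + "\n"

def loader_script(intel_path: str) -> str:
    """Bro script that hashes every file, loads the feed and notices on hits
    (intel_path is an assumed location under /opt/bro/share/bro/intel/)."""
    return ("@load frameworks/files/hash-all-files\n"
            "@load frameworks/intel/seen\n"
            "@load frameworks/intel/do_notice\n"
            f'redef Intel::read_files += {{ "{intel_path}" }};\n')

# Constructed sample hashes: placeholders, not indicators from the white paper.
SAMPLE_HASHES = ["0123456789abcdef0123456789abcdef",
                 "0123456789ABCDEF0123456789ABCDEF",   # same digest, other case
                 "89abcdef" * 8]                       # a sha256-length digest

if __name__ == "__main__":
    print(build_intel_file(SAMPLE_HASHES, "regin-whitepaper", "Regin sample"))
    print(loader_script("/opt/bro/share/bro/intel/regin.intel"))
```

Without a file-hashing policy loaded, `Intel::FILE_HASH` indicators never match because the `file_hash` event is not raised, which is why the loader pulls in `hash-all-files` first.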

Jamie Murdock

Aug 27, 2015, 2:19:28 PM
to security-onion
So is that a no to snort signatures detecting MD5's?

Joel Esler

Aug 27, 2015, 2:32:05 PM
to securit...@googlegroups.com
The file preprocessor in Snort can deal with SHA256s, not MD5s. Which for those files (not in order btw —) is —
--



Joel Esler

Open Source Manager / Threat Intelligence Team Lead
Talos
jes...@cisco.com
Phone: +1 610 695 5617
Mobile: 302-544-1531


Snort
ClamAV