I thought about doing this too. You could look for file extensions as
mentioned before.
But I struggled on how to make it effective, and then how to test it. To
be realistic, I think you'd need a lab with a mirror of your environment
(file share, OSSEC, etc.) and actually run a variant of
Couldn't pass be used to monitor the frequency of files accessed or
rewritten on a share via the logs generated from those operations? It
might not be foolproof, but if the log shows a single account accessing
several files faster than a human might be able to, it could alert, or even
block.
On 7 June 2016 at 13:29, Eero Volotinen wrote:
> Well. This is impossible. There is no way to see the difference between normal
> file access and a virus crypting all your files.
There are some common extensions for very common ransomware/crypto
stuff that you can look for but
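The two ideas in this reply (a single account touching files faster than a person could, and known ransomware extensions appearing on a share) can be expressed as a small detector run over Samba audit lines. This is an added illustration, not code from the thread or from OSSEC; the log format is a constructed approximation of Samba's vfs_full_audit output and the extension list is illustrative:

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample lines approximating Samba vfs_full_audit output
# (syslog prefix, then user|client_ip|machine|share|operation|result|path[|newpath]).
# The field layout depends on the module's configured prefix; adjust the regex to match yours.
SAMPLE_LOG = """\
Jun  7 13:20:01 fs1 smbd_audit: alice|10.0.0.5|ws-alice|docs|pwrite|ok|q2/budget.xlsx
Jun  7 13:20:44 fs1 smbd_audit: alice|10.0.0.5|ws-alice|docs|pwrite|ok|q2/notes.docx
Jun  7 13:25:10 fs1 smbd_audit: bob|10.0.0.9|ws-bob|docs|pwrite|ok|hr/a.docx
Jun  7 13:25:10 fs1 smbd_audit: bob|10.0.0.9|ws-bob|docs|pwrite|ok|hr/b.docx
Jun  7 13:25:11 fs1 smbd_audit: bob|10.0.0.9|ws-bob|docs|pwrite|ok|hr/c.xlsx
Jun  7 13:25:11 fs1 smbd_audit: bob|10.0.0.9|ws-bob|docs|rename|ok|hr/c.xlsx|hr/c.xlsx.locky
Jun  7 13:25:12 fs1 smbd_audit: bob|10.0.0.9|ws-bob|docs|pwrite|ok|hr/d.pdf
Jun  7 13:25:12 fs1 smbd_audit: bob|10.0.0.9|ws-bob|docs|pwrite|ok|hr/e.pdf
"""

LINE_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ smbd_audit: (.*)$")
WRITE_OPS = {"pwrite", "write", "rename", "unlink"}
# Illustrative extensions only (assumed list); a real deployment keeps this up to date.
SUSPICIOUS_EXTENSIONS = {".locky", ".crypt", ".encrypted"}

def parse(line):
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime("2016 " + m.group(1), "%Y %b %d %H:%M:%S")  # syslog has no year; assumed
    f = m.group(2).split("|")
    return {"ts": ts, "user": f[0], "op": f[4], "ok": f[5] == "ok", "paths": f[6:]}

def detect(log, threshold=5, window_s=10):
    """Return alerts: one account modifying >= threshold distinct files within window_s
    seconds, or a rename that produces a known ransomware extension."""
    alerts, recent = [], defaultdict(deque)   # user -> deque of (timestamp, path)
    for ev in filter(None, map(parse, log.splitlines())):
        if not ev["ok"] or ev["op"] not in WRITE_OPS:
            continue
        if ev["op"] == "rename" and any(ev["paths"][-1].endswith(e) for e in SUSPICIOUS_EXTENSIONS):
            alerts.append(("extension", ev["user"], ev["paths"][-1]))
        q = recent[ev["user"]]
        q.append((ev["ts"], ev["paths"][0]))
        while (ev["ts"] - q[0][0]).total_seconds() > window_s:   # slide the window
            q.popleft()
        distinct = {p for _, p in q}
        if len(distinct) >= threshold:
            alerts.append(("burst", ev["user"], len(distinct)))
            q.clear()   # reset so one burst yields one alert, not one per line
    return alerts
```

Alice's two writes 43 seconds apart produce nothing, while bob's five files in two seconds trip the burst rule and the rename trips the extension rule; the same frequency/timeframe logic is what an OSSEC rule would express, with the thresholds tuned to the share's normal activity.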
Well. This is impossible. There is no way to see the difference between normal
file access and a virus crypting all your files.
Eero
On 7.6.2016 at 6.31 PM, "Nate" wrote:
> We currently have samba file servers, which of course log access and
> whatnot to the samba logs.
>
> I'm
We currently have samba file servers, which of course log access and
whatnot to the samba logs.
I'm curious if I might be able to leverage ossec as a means to detect if a
system is attempting to lock up one of our shares due to a ransomware
infection.
I could picture a rule that either detected