• Hi Andrey,

    We are facing a problem with the script. The script executes and a "ransomware.txt" is created with the output, but after that the script is creating the files in the location specified in the script, "/dev/${syslog_proto}/${syslog_server}/${syslog_port}". Could you please help me with this?



  • Punith,

    Did you create the (file) connector and point it to the file the script creates?


  • Hi Punith,

    This bash script is used for downloading and sending information about ransomware sites/IPs to your ArcSight ESM.

    You can run it on any Linux host that has access to port 443 and network access to the syslog connector.

    Detailed description:

    1) Make a directory on this Linux server, for example /root/ransomware_script:

    # mkdir /root/ransomware_script

    2) Copy the script to this directory:


    3) Open this script with any text editor, for example vi:

    vi /root/ransomware_script/

    Change the editor mode to INSERT: use the Ins button on your keyboard.

    Make changes to the syslog_server, syslog_port and syslog_proto variables. You need to set the correct values for the syslog destination; for example, your Syslog SmartConnector daemon works on IP and listens on TCP port 514:




    Save changes: press the Esc button on the keyboard, then type :wq! and press Enter.

    Note: /dev/${syslog_proto}/${syslog_server}/${syslog_port} - all messages are sent to the destination using a Linux network socket. More detailed info about using sockets in Linux described .

    4) Schedule the script to run every six minutes. Open the /etc/crontab file on your Linux server (where the script was installed) and add the crontab string:

    vi /etc/crontab

    */6 * * * * root /root/ransomware_script/

    Save your changes.

    Please contact me if you need any help.

    Regards, Alex Verbniak
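
Added example, not part of the thread and not the script attached to the post above: a minimal sender built around the `/dev/${syslog_proto}/${syslog_server}/${syslog_port}` redirection from the note. In bash this path opens a network socket rather than a file, so nothing is created under /dev; shells such as dash treat it as an ordinary file path. The function names, the 127.0.0.1 default and the `<PRI>tag: message` line format are assumptions.

```shell
#!/usr/bin/env bash
# Added example; not the script from the thread. Defaults are constructed.
syslog_proto="${syslog_proto:-tcp}"
syslog_server="${syslog_server:-127.0.0.1}"   # placeholder destination
syslog_port="${syslog_port:-514}"

# /dev/tcp/HOST/PORT and /dev/udp/HOST/PORT are interpreted by bash itself
# when used in a redirection. Succeeds only when the running shell is bash.
shell_has_net_redirect() {
    [ -n "${BASH_VERSION:-}" ]
}

# Usage: syslog_line FACILITY SEVERITY TAG MESSAGE
# Prints "<PRI>TAG: MESSAGE", where PRI = FACILITY * 8 + SEVERITY.
syslog_line() {
    printf '<%d>%s: %s\n' "$(( $1 * 8 + $2 ))" "$3" "$4"
}

# Usage: send_syslog MESSAGE
# Returns 0 sent, 1 connect/write failed, 2 bad settings, 3 shell is not bash.
send_syslog() {
    # The three variables become path components, so validate them first.
    case "$syslog_proto" in
        tcp|udp) ;;
        *) echo "syslog_proto must be tcp or udp" >&2; return 2 ;;
    esac
    case "$syslog_server" in
        ''|*[!A-Za-z0-9.:-]*) echo "bad syslog_server" >&2; return 2 ;;
    esac
    case "$syslog_port" in
        ''|*[!0-9]*) echo "bad syslog_port" >&2; return 2 ;;
    esac
    if ! shell_has_net_redirect; then
        # Shells such as dash would treat this path as an ordinary file.
        echo "run with bash, not sh: /dev/$syslog_proto is a bash feature" >&2
        return 3
    fi
    # facility 16 (local0), severity 5 (notice) -> PRI 133
    syslog_line 16 5 ransomware-feed "$1" \
        > "/dev/${syslog_proto}/${syslog_server}/${syslog_port}" || return 1
}

# Send only when asked, e.g.: bash send_syslog.sh --send "test message"
if [ "${1:-}" = "--send" ]; then
    send_syslog "${2:-test}"
fi
```

Cron starts jobs through /bin/sh, so the script file needs a bash shebang (or an explicit `bash` in the crontab command) for the redirection to reach the network.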

  • Hi Alex,

    Thanks for the detailed update.

    I have done all the above steps as you suggested.

    I am able to execute the script, but the script is not creating the folders in the /dev location as specified in the script.