soc-prime-ransomware-hunter-basic-1.2.zip

  • Hi Andrey,

    we are facing a problem with the script. The script will execute and a "ransomware.txt" will be created with the output, but after that the script is creating the files in the location specified in the script, "/dev/${syslog_proto}/${syslog_server}/${syslog_port}". Could you please help me with this?

    Regards,

    Punith.R

  • Punith,

    Did you create the (file) connector and point it to the file the script creates?

    Mike

  • Hi Punith,

    This bash script is used for downloading and sending information about ransomware sites/IPs to your ArcSight ESM.

    You can run it on any Linux host which has access to https://goo.gl/ on port 443 and network access to the syslog connector.

    Detailed description:

    1) Make a directory on this Linux server, for example /root/ransomware_script:

    # mkdir /root/ransomware_script

    2) Copy the script to this directory:

    /root/ransomware_script/ransomware-basic-to-siem.sh

    3) Open this script with any text editor, for example vi:

    vi /root/ransomware_script/ransomware-basic-to-siem.sh

    Change the editor mode to INSERT: press the Ins key on your keyboard.

    Change the syslog_server, syslog_port and syslog_proto variables. You need to set the correct values of the Syslog Destination; for example, your Syslog SmartConnector daemon works on IP 10.10.10.100 and listens on TCP port 514:

    syslog_server=10.10.10.100

    syslog_port=514

    syslog_proto=tcp

    Save the changes: press the Esc key, type the combination :wq! and press Enter.

    Note: /dev/${syslog_proto}/${syslog_server}/${syslog_port} - all messages are sent to the destination using a Linux network socket. More detailed info about using sockets in Linux is given at http://xmodulo.com/tcp-udp-socket-bash-shell.html .

    4) Schedule the script to run every six minutes. Open the /etc/crontab file on your Linux server (where the script was installed) and add the crontab line:

    vi /etc/crontab

    */6 * * * * /root/ransomware_script/ransomware-basic-to-siem.sh

    Save your changes.

    Please contact me if you need any help.

    Regards, Alex Verbniak
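The /dev/${syslog_proto}/${syslog_server}/${syslog_port} path in step 3 is bash's built-in network redirection: bash opens a socket when it sees /dev/tcp/HOST/PORT or /dev/udp/HOST/PORT in a redirection and creates nothing on disk, while /bin/sh (dash) treats the same string as an ordinary file name. As an added example that is not the SOC Prime script and not from this thread, here is a small sender with a pre-flight check for that mechanism; the variable names mirror the script, the destination values are placeholders, and the RFC 3164 line format and the indicator value are assumptions of the example.

```bash
#!/usr/bin/env bash
# Added example, not the SOC Prime script. Destination values are placeholders
# mirroring the script's variable names.
syslog_server=${syslog_server:-10.10.10.100}
syslog_port=${syslog_port:-514}
syslog_proto=${syslog_proto:-tcp}

# Build the bash pseudo-device path, rejecting anything that is not tcp/udp
# or a port in 1..65535, so a typo cannot turn into an attempt to write a file.
syslog_device() {
  local proto=$1 server=$2 port=$3
  case "$proto" in tcp|udp) ;; *) echo "unsupported proto: $proto" >&2; return 1 ;; esac
  case "$port" in ''|*[!0-9]*) echo "bad port: $port" >&2; return 1 ;; esac
  [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || { echo "bad port: $port" >&2; return 1; }
  printf '/dev/%s/%s/%s\n' "$proto" "$server" "$port"
}

# RFC 3164 style line: <PRI>TIMESTAMP HOST TAG: MSG. PRI 14 = facility user,
# severity info. The timestamp is a parameter so the output is reproducible.
format_syslog() {
  printf '<14>%s %s %s: %s\n' "$1" "$2" "$3" "$4"
}

# Send one line over the pseudo-device. Refuses to run under a shell that is
# not bash (there the path would be created or fail as a regular file) and
# returns the connect/write failure to the caller instead of ignoring it.
send_syslog() {
  local line=$1 dev
  [ -n "${BASH_VERSION:-}" ] || { echo "run this with bash, not sh" >&2; return 2; }
  dev=$(syslog_device "$syslog_proto" "$syslog_server" "$syslog_port") || return 2
  printf '%s' "$line" > "$dev" || { echo "cannot reach $dev" >&2; return 1; }
}

# Stand-alone use: send one constructed indicator line to the configured destination.
# send_syslog "$(format_syslog "$(date '+%b %e %H:%M:%S')" "$(hostname)" ransomware \
#   'indicator=example.invalid')"
```

cron runs entries with /bin/sh unless SHELL is set in the crontab, so the script's shebang (or the crontab's SHELL line) has to select bash for the redirection to work when scheduled as in step 4.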

  • Hi Alex,

    Thanks for the detailed update.

    I have done all the above steps as you suggested.

    I am able to execute the script, but the script is not creating the folders in the /dev location as specified in the script.

    Regards,

    Punith.R