puniraj88

Re: soc-prime-ransomware-hunter-basic-1.2.zip

Hi Andrey,

we are facing a problem with the script. The script executes and a "ransomware.txt" is created with the output, but after that the script is creating the files in the location specified in the script, "/dev/${syslog_proto}/${syslog_server}/${syslog_port}". Could you please help me with this?

Regards,

Punith.R

mike_of_many

Re: soc-prime-ransomware-hunter-basic-1.2.zip

Punith,

Did you create the (file) connector and point it to the file the script creates?

Mike

a_verbnyak1

Re: soc-prime-ransomware-hunter-basic-1.2.zip

Hi Punith,

This bash script is used for downloading and sending information about ransomware sites/IPs to your ArcSight ESM.

You can run it on any Linux host which has access to https://goo.gl/ on port 443 and network access to the syslog connector.

Detailed description:

1) Make directory on this Linux server: for example /root/ransomware_script:

# mkdir /root/ransomware_script

2) Copy script to this directory:

/root/ransomware_script/ransomware-basic-to-siem.sh

3) Open this script with any text editor, for example vi:

vi /root/ransomware_script/ransomware-basic-to-siem.sh

Change the editor mode to INSERT: use the Ins key on your keyboard.

Make changes to the syslog_server, syslog_port and syslog_proto variables. You need to set the correct values for your Syslog Destination. For example, if your Syslog SmartConnector daemon runs on IP 10.10.10.100 and listens on TCP port 514:

syslog_server=10.10.10.100

syslog_port=514

syslog_proto=tcp

Save your changes: press the Esc key, then type the combination :wq! and press Enter.

Note: /dev/${syslog_proto}/${syslog_server}/${syslog_port} means all messages are sent to the destination using a Linux network socket. More detailed information about using sockets in Linux is described at http://xmodulo.com/tcp-udp-socket-bash-shell.html .

4) Schedule the script to run every six minutes. Open the /etc/crontab file on your Linux server (where the script was installed) and add the crontab line:

vi /etc/crontab

*/6 * * * * /root/ransomware_script/ransomware-basic-to-siem.sh

Save your changes.

Please contact me if you need any help.

Regards, Alex Verbniak

puniraj88
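The /dev/tcp and /dev/udp paths in step 3 are not directories on disk: bash intercepts a redirection to /dev/${proto}/${host}/${port} and opens a network socket, so nothing is ever created under /dev, and a script run under /bin/sh (dash) instead of bash cannot use them at all. The added example below is my own code, not the SOC Prime script from the zip; it assumes the destination values from Alex's post (10.10.10.100, 514, tcp), a hypothetical message tag "ransomware-hunter", and a constructed sample message. It validates the variables, refuses to run outside bash, and reports a refused connection instead of silently losing the event.

```bash
#!/usr/bin/env bash
# Added example (not the SOC Prime script): send one syslog line to a
# collector through bash's /dev/tcp or /dev/udp pseudo-files.
# Assumed destination values, taken from the example in the thread.
syslog_server="${syslog_server:-10.10.10.100}"
syslog_port="${syslog_port:-514}"
syslog_proto="${syslog_proto:-tcp}"

# Build a BSD-syslog (RFC 3164 style) line.
# PRI 14 = facility user (1*8) + severity informational (6).
# $1 = timestamp, $2 = originating hostname, $3 = message text
format_syslog_line() {
  printf '<14>%s %s ransomware-hunter: %s' "$1" "$2" "$3"
}

# Check the destination variables before any connection attempt.
# $1 = protocol, $2 = port; returns 1 on an unsupported value.
check_destination() {
  case "$1" in
    tcp|udp) ;;
    *) echo "check_destination: unsupported protocol '$1'" >&2; return 1 ;;
  esac
  case "$2" in
    ''|*[!0-9]*) echo "check_destination: port '$2' is not numeric" >&2; return 1 ;;
  esac
  return 0
}

# Send one line. /dev/${proto}/${host}/${port} is resolved by bash itself,
# not by the filesystem, so no folder appears under /dev. Under dash or any
# non-bash shell the same redirection fails with "No such file or directory".
# Returns 0 on success, 1 on a bad destination or a refused connection,
# 2 when not running under bash.
send_syslog_line() {
  local proto="$1" host="$2" port="$3" line="$4"
  if [ -z "${BASH_VERSION:-}" ]; then
    echo "send_syslog_line: /dev/${proto} redirection needs bash" >&2
    return 2
  fi
  check_destination "$proto" "$port" || return 1
  # The redirection opens the socket; a refused connection makes printf fail.
  if ! printf '%s\n' "$line" > "/dev/${proto}/${host}/${port}"; then
    echo "send_syslog_line: cannot reach ${host}:${port}/${proto}" >&2
    return 1
  fi
  return 0
}

# Only send when invoked explicitly as: ./send_example.sh --send
if [ "${1:-}" = "--send" ]; then
  # Constructed sample message; a real run would carry the downloaded indicators.
  msg=$(format_syslog_line "$(date '+%b %e %H:%M:%S')" "$(hostname)" "indicator 198.51.100.7 (constructed sample)")
  send_syslog_line "$syslog_proto" "$syslog_server" "$syslog_port" "$msg"
fi
```

If the collector's file connector is expected to see the events instead, the same line can be appended to a local file and the /dev/ redirection dropped; the two delivery paths should not be mixed in one run, because an event that fails to reach the socket is otherwise lost without any trace in the file.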

Re: soc-prime-ransomware-hunter-basic-1.2.zip

Hi Alex,

Thanks for the detailed update.

I have done all the above steps as you suggested.

I am able to execute the script, but the script is not creating the folders in the /dev location as specified in the script.

Regards,

Punith.R
