A3sal0n / FalconGate

A smart gateway to stop cyber criminals - Sponsored by Falcon Guard
https://falconguard.cz
GNU General Public License v3.0

alerts #23

Closed jeanlk15 closed 7 years ago

jeanlk15 commented 7 years ago

This ransomware executed first and then, once completed, contacted the internet, so FalconGate rightly reported it but would not be able to stop anything, as it stays quiet until it has done its damage first. I think it was TeslaCrypt or something. What sort of malware or phishing can FalconGate stop then?


A3sal0n commented 7 years ago

Hi, thanks for your feedback on this nice example. Currently FG will block and report only the attacks whose C&C servers are within the list of IP addresses extracted from the public blacklists listed in the file config.ini:

```ini
[blacklists_ip]
Malware = http://malc0de.com/bl/IP_Blacklist.txt,https://sslbl.abuse.ch/blacklist/sslipblacklist.csv,http://rules.emergingthreats.net/blockrules/emerging-dshield.rules,https://ransomwaretracker.abuse.ch/downloads/RW_IPBL.txt
Botnet = http://rules.emergingthreats.net/blockrules/emerging-botcc.rules
Hacking = http://rules.emergingthreats.net/blockrules/compromised-ips.txt,http://rules.emergingthreats.net/blockrules/emerging-ciarmy.rules,https://sslbl.abuse.ch/blacklist/sslipblacklist_aggressive.csv
Tor = https://check.torproject.org/exit-addresses,https://www.dan.me.uk/torlist/,https://torstatus.blutmagie.de/ip_list_all.php/Tor_ip_list_ALL.csv
```

As you can see, we have already included some public trackers for ransomware. This can easily be extended with your own sources as well.

The issue with ransomware is that it's not possible to fight back completely at the network level. Some of the newer variants don't even need to get the encryption keys from the Command & Control server to encrypt the files on the system. This might have happened in your example:

  1. The malware was executed in your VM and generated a local encryption key
  2. Files were encrypted
  3. The malware tried to "call home" to report the newly created key
  4. FalconGate detected the callback traffic to the malware's C&C server

jeanlk15 commented 7 years ago

Thanks for the feedback. I was trying to understand a bit more about configuring FalconGate.

In logs/alerts.sqlite I have this: "tmfilms.net ... detected trying to resolve the IP address ... could be an indicator of the presence of Malware on this host ...", etc.

With the botnet link, Botnet = http://....emerging-botcc.rules, should I change the alert word to drop for it to drop? Or duplicate the entries to be alert & drop? [Like Suricata IPS, or does FalconGate not work that way?]

Also, in the links in the Hacking section, http://rules.emergingthreats.net/blockrules/emerging-ciarmy.rules, should this also be edited? It has alert only in this file.

Do all lists auto-block, or do I determine this?

A3sal0n commented 7 years ago

Hi @jeanlk15

It seems that in your case FalconGate reported the attempts of the malware to resolve the domain "tmfilms.net". This was captured by the VirusTotal rule because you probably configured your own API key for this capability. Currently FalconGate won't block any detection originating from the VirusTotal feed because there's a high probability of false positives. All the detections matching certain criteria will be reported.

FalconGate doesn't work like a conventional IPS such as Suricata or Snort. So far our main goal is to identify obvious malicious indicators in home or SOHO networks by conducting behavioral host analysis, and to trigger a protection action whenever possible, when the probability of disrupting legitimate network traffic is low. Otherwise we will generate just an alert and let the users decide what to do.

Currently our protection mechanism is still quite simple, since it uses only blacklists of known malware and offenders in general. If you add your own sources to config.ini, these will be parsed for all the IP addresses and/or domains listed and added to FalconGate's block list to be blocked automatically. IP addresses and domains are blocked via different mechanisms. FalconGate also has an IP-based custom blacklist you could use to block specific traffic you consider abnormal in your network.

We are planning to enable, in future versions, free access to our own cloud-based API, which will provide the blacklists currently used plus others. This will allow us to provide a cleaner feed, more focused on the protection of the types of networks we're aiming at. This is currently under development.

jeanlk15 commented 7 years ago

Hi A3sal0n,

Thanks for the info. Can you clarify something for me?

Question 1: how can I tell 1) alert or block in this case, and 2) which entry triggered it in config.ini?

From logs/alerts.sqlite I see: "Malware | 192.168.2.240 | tmfilms.net | This host .... according to VirusTotal and/or the local FalconGate blacklist"


Question 2: which of your sections can I use in config.ini that will block if used, regardless of the word alert in my rule? For example, if I make a rule file with this inside...

alert $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"TMFILMS attack";flow:to:....etc..?

Do both [blacklists_domain] for a domain and [blacklists_ip] for an IP block with this sort of line?

Question 3: the Malware word I circled, is this something I determine from the config.ini, or not?

A3sal0n commented 7 years ago

> Question 1: how can I tell 1) alert or block in this case, and 2) which entry triggered it in config.ini?

Currently the traffic towards any IP address or domain retrieved from the URLs in config.ini will be both blocked and alerted on. There's currently no supported way to identify exactly which URL among the Intel sources provided the IP/domain that triggered the alert.

> Question 2: which of your sections can I use in config.ini that will block if used, regardless of the word alert in my rule? For example, if I make a rule file with this inside...
>
> alert $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"TMFILMS attack";flow:to:....etc..?
>
> Do both [blacklists_domain] for a domain and [blacklists_ip] for an IP block with this sort of line?

As I mentioned above, any IP or domain retrieved from the URLs listed under both [blacklists_domain] and [blacklists_ip] will be blocked. FalconGate doesn't support alerting on arbitrary patterns or definitions in the style of an IDS/IPS like Snort. FalconGate is not an IDS. If you're interested in blocking specific IP addresses, we recommend adding them to the blacklist in the user configuration section of our web GUI. To block a whole new feed of IP addresses or domains, it is more convenient to add them to the Intel feeds sections in the config.ini file.

> Question 3: the Malware word I circled, is this something I determine from the config.ini, or not?

Your assumption is correct: this word matches the keywords we're currently using to define the threat categories in config.ini. This also means that you could define your own categories or modify the existing ones.

jeanlk15 commented 7 years ago

The fact that you can 'parse' different file formats listed in the config.ini and sift out domains & IP addresses is clever.

How often do the links inside the config.ini get revisited for changes? How can we delete the logs?

A3sal0n commented 7 years ago

Hi @jeanlk15

We're currently moving away from supporting specific Intel sources/URLs in our config.ini file to a centralized Intel feed based on a public API hosted in our own cloud (see issue #25 for additional information). You can still list your own sources in config.ini and they will be parsed with the generic parser we have built within FG.

Currently the URLs are visited every 4 hours.

Could you explain which logs exactly you're referring to?
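The two earlier replies describe the mechanism behind the questions in this thread: every URL listed under [blacklists_ip] and [blacklists_domain] in config.ini is fetched, a generic parser sifts the IP addresses or domains out of whatever format the feed uses (Emerging Threats rule files, abuse.ch CSV, plain lists), and each indicator is tagged with the category name (Malware, Botnet, ...) that later shows up in the alert. The following is an added example of such a parser, written for this page; it is not FalconGate's own code and does not reproduce its internals. It goes one step beyond what the thread says the project supports by recording the source URL per indicator, which is what would answer the "which entry triggered it" question. The config fragment, feed URLs and feed bodies are constructed samples in the layout of the real sources, and nothing is fetched from the network.

```python
"""Generic blacklist-feed parser in the style described in this thread.

Added example, not FalconGate's own code. All URLs, feed bodies and the
config text below are constructed samples; nothing touches the network.
"""
import configparser
import ipaddress
import re

# Constructed config.ini fragment in the layout quoted in the thread.
SAMPLE_CONFIG = """
[blacklists_ip]
Malware = http://feeds.example.invalid/IP_Blacklist.txt,http://feeds.example.invalid/sslipblacklist.csv
Botnet = http://feeds.example.invalid/emerging-botcc.rules

[blacklists_domain]
Malware = http://feeds.example.invalid/domains.txt
"""

# Constructed feed bodies keyed by URL, each imitating a real source's format.
# A real parser would fetch these (the thread says every 4 hours).
SAMPLE_FEEDS = {
    "http://feeds.example.invalid/IP_Blacklist.txt":
        "// plain IP list, one per line\n203.0.113.10\n203.0.113.11\n",
    "http://feeds.example.invalid/sslipblacklist.csv":
        "# abuse.ch style CSV\n# DstIP,DstPort\n198.51.100.7,443\n198.51.100.8,8443\n",
    "http://feeds.example.invalid/emerging-botcc.rules":
        'alert ip $HOME_NET any -> [192.0.2.1,192.0.2.2,192.0.2.3] any '
        '(msg:"ET CNC Sample CnC IP group 1"; reference:url,doc.example.invalid/BotCC; '
        'classtype:trojan-activity; sid:9000001; rev:1;)\n',
    "http://feeds.example.invalid/domains.txt":
        "# constructed domain list\nbad.example.com\nEvil.Example.net\n",
}

IPV4_RE = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")
DOMAIN_RE = re.compile(
    r"(?<![\w.-])((?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63})(?![\w-])",
    re.IGNORECASE,
)
COMMENT_PREFIXES = ("#", "//", ";")


def _data_lines(text):
    """Yield non-empty feed lines that are not comments (the formats above use # or //)."""
    for line in text.splitlines():
        stripped = line.strip()
        if stripped and not stripped.startswith(COMMENT_PREFIXES):
            yield stripped


def extract_ips(text):
    """Every valid IPv4 address in a feed body, whatever the surrounding layout."""
    found = set()
    for line in _data_lines(text):
        for match in IPV4_RE.finditer(line):
            try:
                addr = ipaddress.IPv4Address(match.group(1))
            except ipaddress.AddressValueError:
                continue  # e.g. a version string such as 10.0.0.300
            # Never let a feed push loopback/multicast/0.0.0.0 into a firewall rule.
            # A production parser should also drop addr.is_private (RFC 1918); that
            # check is omitted here only because the samples use RFC 5737
            # documentation ranges, which Python also classifies as private.
            if addr.is_loopback or addr.is_multicast or addr.is_unspecified:
                continue
            found.add(str(addr))
    return found


def extract_domains(text):
    """Every hostname-shaped token in a feed body, lower-cased."""
    return {m.group(1).lower() for line in _data_lines(text) for m in DOMAIN_RE.finditer(line)}


def build_blocklist(config_text, fetch):
    """Return (ips, domains); each maps indicator -> (category, source_url).

    The section decides what is extracted: a rule file listed under
    [blacklists_ip] contributes only its IPs, so the hostname inside the rule's
    reference: field (doc.example.invalid above) never reaches the domain list.
    """
    cfg = configparser.ConfigParser()
    cfg.optionxform = str  # keep 'Malware'/'Botnet' capitalised, as the alert shows them
    cfg.read_string(config_text)
    ips, domains = {}, {}
    for section, target, extractor in (
        ("blacklists_ip", ips, extract_ips),
        ("blacklists_domain", domains, extract_domains),
    ):
        if not cfg.has_section(section):
            continue
        for category, urls in cfg.items(section):
            for url in (u.strip() for u in urls.split(",") if u.strip()):
                for indicator in extractor(fetch(url)):
                    target.setdefault(indicator, (category, url))  # first feed wins
    return ips, domains


def lookup(indicator, ips, domains):
    """Answer 'blocked or not, which category, which feed?' for one indicator."""
    entry = ips.get(indicator) or domains.get(indicator.lower())
    if entry is None:
        return None
    category, url = entry
    return {"indicator": indicator, "category": category, "source": url, "action": "block"}


if __name__ == "__main__":
    ip_list, domain_list = build_blocklist(SAMPLE_CONFIG, SAMPLE_FEEDS.__getitem__)
    for ind in sorted(ip_list) + sorted(domain_list):
        print(lookup(ind, ip_list, domain_list))
```

The point worth keeping from this layout is that the config section, not the feed's format, decides whether IPs or domains are pulled out of a source: run the domain extractor over an Emerging Threats rule file and it will happily return the hostnames in the rules' reference: fields, which is exactly the kind of feed-derived false positive a blocklist must not contain. Validating each match with ipaddress and rejecting loopback, multicast and (in production) RFC 1918 space guards against the other failure mode, a feed entry that turns into a firewall rule against your own LAN.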