Beginner

Kamasutra Signature

Is the Kamasutra worm signature available? If it is not available yet... is there any workaround to detect and prevent the worm?

Regards

3 REPLIES
Beginner

Re: Kamasutra Signature

Correct me if I am wrong, however this looks to be another alias for the blackworm. There was a custom signature provided under the blackworm thread:

In the meantime you can use the following custom signature to catch WORM_GREW.A also known as W32.Blackmal.E@mm, W32/Kapser.A@mm, W32/MyWife, Win32/Blackmal.F:

Engine: String.TCP

Service Port: 25

Regex String:

\x6d\x41\x70\x4d\x6a\x74\x64\x4e\x45\x51\x78\x4a\x7a\x49\x6a\x53\x79\x46\x49\x4f\x44\x30\x4e\x43\x6b\x31\x4b\x57\x6c\x51\x70\x4e
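
Added example, not part of the original posts and not Cisco's engine code: a Python sketch for checking what the custom signature above matches before it is deployed. It assumes the pattern is applied to the reassembled TCP byte stream sent to port 25; `StreamMatcher`, `scan_flow` and the sample bytes are hypothetical names and constructed data.

```python
import re

# Regex string and service port exactly as given in the reply above.
SIGNATURE = (rb"\x6d\x41\x70\x4d\x6a\x74\x64\x4e\x45\x51\x78\x4a\x7a\x49\x6a\x53"
             rb"\x79\x46\x49\x4f\x44\x30\x4e\x43\x6b\x31\x4b\x57\x6c\x51\x70\x4e")
SERVICE_PORT = 25
PATTERN = re.compile(SIGNATURE)

# Every escape is a printable ASCII byte, so the signature is a fixed 32-byte literal.
LITERAL = re.sub(rb"\\x([0-9a-fA-F]{2})",
                 lambda m: bytes([int(m.group(1), 16)]), SIGNATURE)


class StreamMatcher:
    """Match PATTERN over a byte stream that arrives in arbitrary segments."""

    def __init__(self):
        self.tail = b""   # up to len(LITERAL)-1 trailing bytes already seen
        self.base = 0     # stream offset of tail[0]

    def feed(self, segment):
        buf = self.tail + segment
        hits = [self.base + m.start() for m in PATTERN.finditer(buf)]
        # Keep one byte less than the literal so a split match is still
        # found, and a match already reported is never reported twice.
        self.tail = buf[-(len(LITERAL) - 1):]
        self.base += len(buf) - len(self.tail)
        return hits


def scan_flow(dst_port, segments):
    """Return stream offsets where the signature fires for one TCP flow."""
    if dst_port != SERVICE_PORT:   # signature is scoped to SMTP (port 25)
        return []
    matcher = StreamMatcher()
    return [off for seg in segments for off in matcher.feed(seg)]


# Constructed sample (not captured traffic): filler bytes around the literal,
# split so the pattern straddles two segments.
SAMPLE_STREAM = b"DATA\r\n" + b"A" * 10 + LITERAL + b"\r\n.\r\n"
SAMPLE_SEGMENTS = [SAMPLE_STREAM[:36], SAMPLE_STREAM[36:]]

if __name__ == "__main__":
    print(LITERAL.decode("ascii"))       # the ASCII text the hex escapes spell
    print(scan_flow(25, SAMPLE_SEGMENTS))
```

Because the pattern is one fixed 32-byte string, it only fires on mail carrying that exact encoded fragment; a sample encoded or wrapped differently would not match.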

Beginner

Re: Kamasutra Signature

I'm new to creating rules. Can you give me the steps needed to create this rule using the IDM GUI interface to a 4255 running 5.0? Things like what engine to use and where to put the Regex string.

Cisco Employee

Re: Kamasutra Signature

Go to

Configuration | Signature Definition | Signature Configuration

Click on the "Add" button.

-> New popup with the signature parameters

Select String TCP as an engine

-> New parameters appear

Configure "Regex String" and "Service Ports" as mentioned previously.

Click "OK"

Click "APPLY"