Enthusiast

netsky.p signature

According to signature 3136.3, the regular expression that looks for netsky.p is

\x68\x43\x7a\x65\x31\x57\x6c\x66\x57\x77\x69\x55\x33\x55\x43\x58\x59\x7a\x72\x79\x50\x6e\x4a\x45\x68\x38\x6f\x72\x0d\x0a\x4f\x31

When this is translated to ASCII it is

hCze1WlfWwiU3UCXYzryPnJEh8orO1

Is there an internet reference for the use of this string to capture Netsky.p?

How can I trust that the signature events are not false positive?

Cisco Employee

Re: netsky.p signature

Hi Darin,

I'm afraid I'm not aware of any internet reference for the use of this string.

Our "virus signatures" such as this one are based on virus samples we receive from our partner Trend Micro.

If you feel this signature could trigger false positives, please provide some additional details.

Thanks,

JF

Participant

Re: netsky.p signature

Darin,

Keep in mind that we are evaluating the binary network data, so a binary string is not unreasonable. I don't think you should expect to be able to "parse" the string in every case.

Scott

Enthusiast

Re: netsky.p signature

Hi Scott,

Thank you for your reply.

I know that we are evaluating binary data but I was perhaps just looking for some substantial evidence that would enhance my evaluation of the signature.

When writing about an attack, one of the sections normally requires that you explain the signature. Motivating more stringent security checking in our products and solutions with regard to network security is often a difficult task. This task is made easier by proper explanations of how these checks are made, and I was wondering about the choice of regular expression in this signature.

What makes or excludes the signature from triggering falsely?

Why that choice of string to look for in the network data?

Participant

Re: netsky.p signature

Darin,

In general a 32-byte section of particularly high entropy is looked for. The high entropy reduces (but obviously doesn't eliminate) the chance of a false positive.
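The following is an added example, not code from the thread, from Cisco or from Trend Micro. It takes the `\xNN` pattern quoted in the original question, decodes it back to the literal bytes it matches (note that the hex form contains a CR/LF, `\x0d\x0a`, between the "r" and "O1"), measures the Shannon entropy of those 32 bytes, and contrasts that with a short, repetitive fragment scanned over a constructed MIME-like byte stream. The stream and the comparison fragment are made up for illustration; the point it makes concrete is the one in the answer above: a long, high-entropy literal is far less likely to coincide with benign traffic than a short or repetitive one.

```python
import math
import re
from collections import Counter

# The byte pattern quoted in the thread for signature 3136.3 (Netsky.P), verbatim.
NETSKY_P_PATTERN = (
    r"\x68\x43\x7a\x65\x31\x57\x6c\x66\x57\x77\x69\x55\x33\x55\x43\x58"
    r"\x59\x7a\x72\x79\x50\x6e\x4a\x45\x68\x38\x6f\x72\x0d\x0a\x4f\x31"
)


def decode_hex_escapes(pattern: str) -> bytes:
    """Convert a regex made only of \\xNN escapes into the literal bytes it matches."""
    return bytes(int(h, 16) for h in re.findall(r"\\x([0-9a-fA-F]{2})", pattern))


def printable_preview(data: bytes) -> str:
    """Render the bytes as text, showing CR/LF as \\r\\n so the embedded line break is visible."""
    return data.decode("ascii").replace("\r", "\\r").replace("\n", "\\n")


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for a constant run, at most log2(len(data))."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def count_occurrences(stream: bytes, needle: bytes) -> int:
    """Non-overlapping occurrences of a literal needle in a byte stream."""
    return stream.count(needle)


def expected_random_hits(stream_len: int, pattern_len: int) -> float:
    """Expected matches of one fixed pattern_len-byte literal in stream_len uniformly
    random bytes. Real traffic is not uniform, which is exactly why the chosen bytes
    should themselves be high-entropy rather than structured like benign data."""
    positions = max(stream_len - pattern_len + 1, 0)
    return positions / float(256 ** pattern_len)


NETSKY_P_BYTES = decode_hex_escapes(NETSKY_P_PATTERN)

# Constructed sample traffic (not real malware): a MIME-like message that carries the
# 32-byte signature once among ordinary-looking base64 lines.
SAMPLE_STREAM = (
    b"Content-Transfer-Encoding: base64\r\n\r\n"
    b"TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\n"
    + NETSKY_P_BYTES
    + b"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\n"
)


def compare_patterns(stream: bytes = SAMPLE_STREAM) -> dict:
    """Contrast the 32-byte signature with a bare CRLF: the CRLF is low-entropy and
    recurs throughout benign mail, while the full literal matches exactly once."""
    return {
        "signature_length": len(NETSKY_P_BYTES),
        "signature_entropy": round(shannon_entropy(NETSKY_P_BYTES), 4),
        "crlf_entropy": round(shannon_entropy(b"\r\n" * 16), 4),
        "signature_hits": count_occurrences(stream, NETSKY_P_BYTES),
        "crlf_hits": count_occurrences(stream, b"\r\n"),
        "random_hits_per_gib": expected_random_hits(2 ** 30, len(NETSKY_P_BYTES)),
    }


if __name__ == "__main__":
    print("decoded:", printable_preview(NETSKY_P_BYTES))
    for key, value in compare_patterns().items():
        print(f"{key}: {value}")
```

The decoded literal comes out as 32 bytes with an entropy of about 4.56 bits per byte (the theoretical ceiling for a 32-byte string is 5.0), against 1.0 for a run of CR/LF pairs, and the CR/LF fragment recurs five times in the sample while the full signature matches once. That is the quantitative side of "high entropy reduces but does not eliminate false positives": the entropy figure says nothing about whether some benign file also embeds these exact bytes, which is why a hit should still be confirmed against the captured packet before it is treated as an infection.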
