04-08-2007 04:51 PM - edited 03-10-2019 03:33 AM
Hi!
I want to configure my sensor so that it sends a reset packet if it detects a file "VirtualR3D.exe".
I created a custom signature with STRING.TCP, but it does not work.
Engine: String.TCP
Service Port: 139,445
Regex String: [V][i][r][t][u][a][l][R][a][p][3][D][.][e][x][e]
Also, I cloned a signature with these parameters.
Smb.Advanced
SMB Command: 162
Service Port: 139,445
Regex: [V][i][r][t][u][a][l][R][a][p][3][D][.][e][x][e]
Please, can you help me?
Tks in advance.
04-08-2007 06:31 PM
It is best to capture the traffic on the wire so you can visually see how a file is transmitted through different protocols. I created a dummy file VirtualR3D.exe and shared it between two hosts.
The following string.tcp regexp has fired on this traffic.
[\]\x00V\x00i\x00r\x00t\x00u\x00a\x00l\x00R\x00a\x00p\x003\x00D\x00[.]\x00e\x00x\x00e\x00
I hope that helps.
-jonathan
04-09-2007 04:48 PM
Hi,
I created this custom signature:
signatures 60000 0
alert-severity high
sig-fidelity-rating 75
promisc-delta 10
sig-description
sig-name VirtualRap3D.exe
sig-string-info
sig-comment
exit
engine string-tcp
event-action produce-alert
regex-string [\]\x00V\x00i\x00r\x00t\x00u\x00a\x00l\x00R\x00a\x00p\x003\x00D\x00[.]\x00e\x00x\x00e\x00
service-ports 139-139,445-445
exit
event-counter
event-count 1
event-count-key Axxx
But this doesn't work yet.
I also tried with an Atomic IP, filtering the traffic between two hosts and logging packets.
port: 139
os: idSource=unknown type=unknown relevance=relevant
actions:
ipLoggingActivated: true
logPairPacketsActivated: true
ipLogIds:
ipLogId: 1701868400
triggerPacket:
000000 00 0A F3 57 5E 3C 00 18 FE 63 B1 33 81 00 00 73 ...W^<...c.3...s
000010 08 00 45 00 00 A0 51 88 40 00 80 06 79 DF 8E D2 ..E...Q.@...y...
000020 0F D3 8E D4 01 77 07 CD 00 8B 1F A0 A3 36 70 B5 .....w.......6p.
000030 1D CB 50 18 FC 00 25 84 00 00 00 00 00 74 FF 53 ..P...%......t.S
000040 4D 42 32 00 00 00 00 18 07 C8 00 00 00 00 00 00 MB2.............
000050 00 00 00 00 00 00 02 08 D8 06 00 08 90 3E 0F 30 .............>.0
000060 00 00 00 0A 00 00 40 00 00 00 00 00 00 00 00 00 ......@.........
000070 00 30 00 44 00 00 00 00 00 01 00 01 00 33 00 00 .0.D.........3..
000080 00 00 16 00 56 05 07 00 04 01 00 00 00 00 5C 00 ....V.........\.
000090 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 52 00 V.i.r.t.u.a.l.R.
0000A0 61 00 70 00 33 00 44 00 2E 00 65 00 78 00 65 00 a.p.3.D...e.x.e.
0000B0 00 00 ..
riskRatingValue: 85 targetValueRating=medium attackRelevanceRating=relevant
threatRatingValue: 85
interface: ge0_8
protocol: tcp
Please help, I really need to block this file.
Tks.
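To see why the first regex never fires and the UTF-16 one does, here is an added example (not part of the thread) that replays the trigger packet posted above against both patterns. It reuses the poster's byte-wise regex and Jonathan's regex, re-spelled for Python's re module (the Cisco class `[\]` is written `[\\]`); the hex dump is the one from the post, with the ASCII column dropped.

```python
import re

# Trigger packet hex dump as logged by the sensor in the thread (ASCII column
# dropped). The SMB path starts at offset 0x8E and is UTF-16LE encoded.
TRIGGER_DUMP = """\
000000 00 0A F3 57 5E 3C 00 18 FE 63 B1 33 81 00 00 73
000010 08 00 45 00 00 A0 51 88 40 00 80 06 79 DF 8E D2
000020 0F D3 8E D4 01 77 07 CD 00 8B 1F A0 A3 36 70 B5
000030 1D CB 50 18 FC 00 25 84 00 00 00 00 00 74 FF 53
000040 4D 42 32 00 00 00 00 18 07 C8 00 00 00 00 00 00
000050 00 00 00 00 00 00 02 08 D8 06 00 08 90 3E 0F 30
000060 00 00 00 0A 00 00 40 00 00 00 00 00 00 00 00 00
000070 00 30 00 44 00 00 00 00 00 01 00 01 00 33 00 00
000080 00 00 16 00 56 05 07 00 04 01 00 00 00 00 5C 00
000090 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 52 00
0000A0 61 00 70 00 33 00 44 00 2E 00 65 00 78 00 65 00
0000B0 00 00
"""

def parse_hexdump(dump: str) -> bytes:
    """Convert 'offset b1 b2 ...' lines back into the raw packet bytes."""
    out = bytearray()
    for line in dump.splitlines():
        tokens = line.split()
        if tokens:
            out.extend(int(tok, 16) for tok in tokens[1:])  # tokens[0] is the offset
    return bytes(out)

# The original signature's regex: one byte per character, so it never lines up
# with the 0x00 bytes SMB inserts between the characters of the path.
ASCII_PATTERN = re.compile(rb"[V][i][r][t][u][a][l][R][a][p][3][D][.][e][x][e]")

# Jonathan's regex re-spelled for Python's re: the Cisco class "[\]" becomes "[\\]".
# Every character is followed by \x00 because SMB sends the path as UTF-16LE.
UTF16_PATTERN = re.compile(
    rb"[\\]\x00V\x00i\x00r\x00t\x00u\x00a\x00l\x00R\x00a\x00p\x003\x00D\x00"
    rb"[.]\x00e\x00x\x00e\x00"
)

def match_offset(pattern: re.Pattern, payload: bytes) -> int:
    """Offset of the first match in the packet, or -1 if the regex would not fire."""
    m = pattern.search(payload)
    return m.start() if m else -1

def decoded_filename(payload: bytes) -> str:
    """Decode the matched UTF-16LE bytes to show the path the regex must describe."""
    m = UTF16_PATTERN.search(payload)
    return m.group(0).decode("utf-16-le") if m else ""
```

Running `match_offset` on the parsed packet returns -1 for the byte-wise pattern and 0x8E for the UTF-16 one, and `decoded_filename` yields `\VirtualRap3D.exe`.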
04-10-2007 12:28 AM
The regexp is correct based on the trigger packet information. When I tested this I shared the VirtualRap3D.exe file and accessed that file from another client through SMB. From memory, I set the direction "From service" based on the traffic information.
I could not find the setting in your signature settings, but I would check this setting based on the traffic flow (from or to the service port) to ensure it's correctly set.
04-16-2007 11:48 AM
Yes, but the IPS sends me alerts for all .exe files, not just the file VirtualRap3D.exe.
What's wrong?
tks
04-16-2007 05:44 PM
I need a bit more information to figure out the issue.
Can you please send me your updated signature settings and, if possible, the output of produce-verbose-alert. You can e-mail this output directly if you like.