I'm trying to track down what I believe is a false positive for Rustock Botnet sig 17363-3. This is a "service HTTP" signature and it indicates "yes" on specify URI regex, specify header regex and specify request regex, but the regex field is blank (null?) for all three of these. What does this mean? Does it mean the signature is matched if these three fields are null in the evaluated packet?
SIG 17363.3 is a "protected" signature; as a result, certain parameter values are not visible. Protected signatures may exist for a variety of reasons (e.g. NDA with relevant vendor, situations where detection method disclosure could enable evasion methods to be developed, etc.).
You can confirm this is true for this signature by reviewing it via the sensor CLI (notice the "protected" values):
sensor# conf t
sensor(config)# service signature-definition sig0
sensor(config-sig)# signature 17363 3
sensor(config-sig-sig)# show settings
uri-regex: ********
In this scenario, if you believe the signature is in fact firing falsely, then you will need to open a TAC Service Request and provide copies of relevant Alerts (events), packet captures, etc. that can be analyzed by the IPS Signature Development Team.
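As an added example (not part of the original thread, and not Cisco code), here is a small Python helper that makes the distinction the answer is drawing: a parameter shown blank in the GUI may be protected rather than empty, and the sensor CLI reveals this by printing the value as a run of asterisks. The helper parses a `show settings` dump in the `name: value` form seen above and labels each parameter as protected, empty, or set. The only line taken from the page is `uri-regex: ********`; the other parameter names and values in the sample are constructed for illustration, and the exact layout of a real `show settings` dump is assumed, not verified.

```python
import re
from typing import Dict, List

# Constructed sample of a protected signature's "show settings" output.
# Only the "uri-regex: ********" line is from the original thread; the
# remaining parameter names and values are assumed for illustration.
SAMPLE_SHOW_SETTINGS = """\
sig-name: Rustock Botnet
uri-regex: ********
header-regex: ********
request-regex: ********
max-request-length: 0
"""

# A value made up entirely of asterisks is how the CLI renders a protected parameter.
MASK_RE = re.compile(r"^\*+$")


def classify_settings(output: str) -> Dict[str, str]:
    """Map each 'name: value' line to 'protected', 'empty' or 'set'.

    Lines without a colon (prompts, banners) are ignored.
    """
    result: Dict[str, str] = {}
    for line in output.splitlines():
        if ":" not in line:
            continue
        name, _, value = line.partition(":")
        name, value = name.strip(), value.strip()
        if MASK_RE.match(value):
            result[name] = "protected"   # hidden by the sensor, not blank
        elif value == "":
            result[name] = "empty"       # genuinely unset
        else:
            result[name] = "set"
    return result


def protected_params(output: str) -> List[str]:
    """Return the sorted names of parameters the sensor masks."""
    return sorted(n for n, s in classify_settings(output).items() if s == "protected")


def cli_commands(sig_id: int, subsig_id: int, instance: str = "sig0") -> List[str]:
    """Build the CLI sequence from the answer for a given signature/subsignature."""
    return [
        "conf t",
        f"service signature-definition {instance}",
        f"signature {sig_id} {subsig_id}",
        "show settings",
    ]


if __name__ == "__main__":
    print("\n".join(cli_commands(17363, 3)))
    for name, status in classify_settings(SAMPLE_SHOW_SETTINGS).items():
        print(f"{name}: {status}")
```

If every regex parameter comes back as `protected`, the blank fields in the GUI are a display artifact of the protected signature, not evidence that the signature matches on empty fields; that is the point at which the TAC Service Request with alerts and captures is the right next step.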