Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
335
Views
0
Helpful
1
Replies

Couple of questions:

chrisv
Level 1
Level 1

‎06-06-2002 11:33 AM - edited ‎03-08-2019 10:53 PM

1. Is it my imagination that any informational alerts (green) that I use to receive in CSPM has disappeared since the install of 3.1(2) S24. All alerts I’m getting now are either yellow or red.

2. I'm sure there are many Klez worms going in and out of our network but I'm not getting any alerts on this. Is anyone detecting the Klez worm with the default signature?

Thanks in advance,

Chris

Labels:
0 Helpful
1 Reply 1

marcabal
Cisco Employee
Cisco Employee

‎06-06-2002 02:23 PM

In answer to 1:

It sounds like a configuration change. Did you just upgrade to 3.1 or did you also run sysconfig-sensor or IDM and change the configuration at all?

You need to check the destination file on your sensor. See if CSPM destination is configured for sev 1 or sev 3 alarms. You may want to set this to sev 1.

In answer to2:

The original Klez worm propogated through an email with a audio/x-wav attachment with the name Gn.Exe.

S13 included the 3117 signature to fire on this particular propogation method.

Refer to the NSDB:

http://www.cisco.com/cgi-bin/front.x/csec/getIDSInfo.pl?SIG_ID=3117&SIG_SUB_ID=0

The problem is that the worm can be easily changed to use different file names besides Gn.Exe. The signature will not detect these variations on the filename.

Trying to write signature for all of the possible variations could be impossible.

The best method is to use the good old Virus Scanner software which analyzes the file contents. It would be very difficult to build in this level of analysis into the network IDS system, especially when there already Virus Scanners doing exactly that.

If you have a particular filename variation in your network and want to write a custom signature then you can change the 3117 signature regex to match your paritcular variation.

The 3117 signature regex is: [cC][Oo][Nn][Tt][Ee][Nn][Tt][-][tT][Yy][Pp][Ee][:]

[ \t][Aa][Uu][Dd][Ii][Oo][/\\][Xx][-][Ww][Aa][Vv][;]

[ \t][Nn][Aa][Mm][Ee][=][\x22\x27]*[Gg][Nn][.][Ee][Xx][Ee]

NOTE: The above is wrapped to multiple lines, when putting in a custom signature put this all in one line.

0 Helpful
Customers Also Viewed These Support Documents