11-08-2003 10:44 PM - edited 03-09-2019 05:27 AM
I'm trying to create a custom signature and am having trouble. I've gone through the documentation and thought I was doing it right, but apparently not.
I would like to monitor any time a certain file is copied over the network.
Any time the file "honeypot.xls" is copied across the network, I want it to trigger an alarm.
I tried the following:
TCP and UDP string.
Source ports - 135, 137, 139, 445
From Service and To service
Appreciate any help with this.
biz
11-10-2003 08:51 AM
Files are transferred as unicode strings with SMB. In order to match you need to add nulls between the characters.
Try this as a RegexString:
\x00[Hh]\x00[Oo]\x00[Nn]\x00[Ee]\x00[Yy]\x00[Pp]\x00[Oo]\x00[Tt]\x00
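The encoding point in the answer above, as an added example that is not from the thread or from Cisco: a small Python script that builds the NUL-interleaved byte regex from a plain file name and runs it, beside the original ASCII pattern, over two constructed payloads (a UTF-16LE SMB path behind a minimal SMB1-style header, and the same name on an FTP command line). Neither payload is captured traffic, the header bytes are only for realism, and the function names are mine. It also shows why the posted pattern starts with \x00: that byte is the high half of the character before the name (the backslash in a path), so a bare name with nothing in front of it does not match unless that prefix is dropped.

```python
"""Why an ASCII regex misses an SMB file name, and how the NUL-interleaved one hits."""
import re


def smb_unicode_pattern(name: str, anchor_on_previous_char: bool = True) -> bytes:
    """Build a byte regex for `name` as SMB carries it inside a UTF-16LE path.

    Every ASCII character becomes one byte followed by a NUL high byte, so the
    pattern puts \\x00 after each character and matches letters case-insensitively,
    reproducing the form posted in the thread. The optional leading \\x00 is the
    high byte of the character that precedes the name (the '\\' in a path).
    """
    parts = []
    for ch in name:
        if ch.isalpha():
            parts.append(b"[" + ch.upper().encode("ascii") + ch.lower().encode("ascii") + b"]")
        else:
            parts.append(re.escape(ch.encode("ascii")))  # e.g. '.' -> '\.'
        parts.append(b"\\x00")
    prefix = b"\\x00" if anchor_on_previous_char else b""
    return prefix + b"".join(parts)


def ascii_pattern(name: str) -> bytes:
    """Case-insensitive plain-ASCII pattern, the form the original signature used."""
    return b"(?i)" + re.escape(name.encode("ascii"))


def unicode_match(payload: bytes, name: str, anchor_on_previous_char: bool = True) -> bool:
    """True if the UTF-16LE form of `name` appears in `payload`."""
    return re.search(smb_unicode_pattern(name, anchor_on_previous_char), payload) is not None


def ascii_match(payload: bytes, name: str) -> bool:
    """True if the plain ASCII form of `name` appears in `payload`."""
    return re.search(ascii_pattern(name), payload) is not None


def find_matches(payload: bytes, name: str) -> dict:
    """Run both patterns so the difference between the encodings is visible."""
    return {"ascii": ascii_match(payload, name), "unicode": unicode_match(payload, name)}


# Constructed sample payloads (not captured traffic). The SMB one carries a
# UTF-16LE path the way an SMB client sends it, behind a placeholder header.
SMB_PAYLOAD = (
    b"\xffSMB" + b"\x00" * 28
    + "\\\\fileserver\\share\\Honeypot.xls".encode("utf-16-le")
    + b"\x00\x00"
)
FTP_PAYLOAD = b"RETR honeypot.xls\r\n"
BARE_UNICODE_NAME = "honeypot.xls".encode("utf-16-le")  # nothing precedes the name


if __name__ == "__main__":
    print(smb_unicode_pattern("honeypot").decode("ascii"))
    for label, payload in (("SMB", SMB_PAYLOAD), ("FTP", FTP_PAYLOAD)):
        print(label, find_matches(payload, "honeypot"))
    print("bare name, anchored:", unicode_match(BARE_UNICODE_NAME, "honeypot"))
    print("bare name, unanchored:", unicode_match(BARE_UNICODE_NAME, "honeypot", False))
```

Running it prints the exact pattern from the answer for "honeypot", then shows the ASCII pattern hitting only the FTP line and the NUL-interleaved one hitting only the SMB path. If the same file name can also leave over a protocol that sends it as plain ASCII, the two patterns have to be deployed as separate signatures; one regex does not cover both encodings.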
11-08-2003 11:17 PM
I'm not sure what you have read to date, but take a look at working with signature engines:
Hopefully, this will help in your quest.
11-09-2003 02:46 PM
Thanks for the doc... According to the doc, I'm doing it right - I think.
Here is what I'm doing:
String.TCP
Direction - From Service
RegexString - honeypot
ServicePorts - 135, 137, 139, 445 (although netbios-ssn (139) is all that's really needed)
Since someone would use a workstation to connect to the server on port 139/TCP, the copy of the file would be from service - at least that's how I read it.
I'm using CTR, so I went into events and added the new signature number and ensured that was part of the current policy. Does CTR have the ability to recognize custom sigs?
Any help is appreciated.
11-09-2003 10:03 PM
It should work. Let me know if it doesn't; I can get a little more information to help.
11-10-2003 06:54 AM
It still doesn't work. I've installed IEV on another server to see if it picks it up and it doesn't.
11-13-2003 06:32 AM
I tried, but it still didn't work. Please tell me if my configuration looks correct:
Signature Type: Stream Signature - TCP Stream Signature.
Sig Identification: ID 2001 Sub ID 0 Sig name honeypot.tcp
TCP Stream Signature:
Reg Expression: \x00[Hh]\x00[Oo]\x00[Nn]\x00[Ee]\x00[Yy]\x00[Pp]\x00[Oo]\x00[Tt]\x00
Service Ports: 139,445
Direction: From Port
Sev High
Action: Log
Any help is appreciated.
11-13-2003 06:38 AM
It worked! Bless you! Thank you!...