New Custom Signatures for Goner.A Worm

mcerha
Level 3

The following two custom signatures can be used to detect the presence of the 'Goner.A' worm. These signatures can be added to your sensors using the 'SigWizMenu' tool. Screenshots of how to enter the signatures are provided below. These signatures will be included in the next signature update.

1) To detect the Goner.A Worm being retrieved via POP or IMAP.

Tune Signature Parameters : CSIDS Signature Wizard
___________________________________________________________________________
Current Signature: Engine STRING.TCP SIGID 20001
SigName: Goner.A Worm
___________________________________________________________________________
0 - Edit ALL Parameters
1 - AlarmInterval =
2 - AlarmThrottle = FireOnce
3 - ChokeThreshold =
4 - Direction = FromService
5 - FlipAddr =
6 - MaxInspectLength =
7 - MinHits = 1
8 - MinMatchLength =
9 - MultipleHits =
10 * RegexString = [Ff][Ii][Ll][Ee][Nn][Aa][Mm][Ee][^\r\n]*[Gg][Oo][Nn][Ee][.][Ss][Cc][Rr]
11 - ResetAfterIdle = 15
12 - ServicePorts = 109,110,143,220
13 - SigComment =
14 - SigName = Goner.A Worm
15 - SigStringInfo =
16 - StripTelnetOptions =
17 - ThrottleInterval =
18 - WantFrag =
d - Delete a value
u - UNDO and continue
x - SAVE and continue
___________________________________________________________________________

2) To detect the presence of the Goner.A worm in an SMTP session.

Tune Signature Parameters : CSIDS Signature Wizard
___________________________________________________________________________
Current Signature: Engine STRING.TCP SIGID 20000
SigName: Goner.A Worm
___________________________________________________________________________
0 - Edit ALL Parameters
1 - AlarmInterval =
2 - AlarmThrottle = FireOnce
3 - ChokeThreshold =
4 - Direction = ToService
5 - FlipAddr =
6 - MaxInspectLength =
7 - MinHits = 1
8 - MinMatchLength =
9 - MultipleHits =
10 * RegexString = [Ff][Ii][Ll][Ee][Nn][Aa][Mm][Ee][^\r\n]*[Gg][Oo][Nn][Ee][.][Ss][Cc][Rr]
11 - ResetAfterIdle = 15
12 - ServicePorts = 25
13 - SigComment =
14 - SigName = Goner.A Worm
15 - SigStringInfo =
16 - StripTelnetOptions =
17 - ThrottleInterval =
18 - WantFrag =
d - Delete a value
u - UNDO and continue
x - SAVE and continue
___________________________________________________________________________
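To see what the two signatures above actually catch, here is an added Python example (mine, not part of the original post or of Cisco's tooling) that applies the posted RegexString together with the Direction and ServicePorts settings to constructed SMTP and POP3/IMAP segments. The sample messages, the client port numbers and the folded-header case are my constructions; the code models only the string match and the direction check, not the sensor's TCP stream reassembly.

```python
import re

# RegexString taken verbatim from the two custom signatures (SIGID 20000 and 20001).
GONER_REGEX = rb"[Ff][Ii][Ll][Ee][Nn][Aa][Mm][Ee][^\r\n]*[Gg][Oo][Nn][Ee][.][Ss][Cc][Rr]"
GONER_RE = re.compile(GONER_REGEX)

# The two STRING.TCP signatures as posted: only Direction and ServicePorts differ.
SIGNATURES = [
    {"SIGID": 20000, "Direction": "ToService",   "ServicePorts": {25}},
    {"SIGID": 20001, "Direction": "FromService", "ServicePorts": {109, 110, 143, 220}},
]


def fired_sigids(src_port, dst_port, payload):
    """Return the SIGIDs that would fire on one TCP segment.

    ToService fires when the *destination* port is a ServicePort (client -> server,
    e.g. a client handing mail to an SMTP server); FromService fires when the
    *source* port is a ServicePort (server -> client, e.g. a POP3 server returning
    a message to a mail reader).
    """
    if not GONER_RE.search(payload):
        return []
    fired = []
    for sig in SIGNATURES:
        port = dst_port if sig["Direction"] == "ToService" else src_port
        if port in sig["ServicePorts"]:
            fired.append(sig["SIGID"])
    return fired


# Constructed sample message (not a real capture) carrying a gone.scr attachment.
INFECTED_MSG = (
    b"From: a@example.test\r\n"
    b"To: b@example.test\r\n"
    b"Subject: Hi\r\n"
    b"Content-Type: application/octet-stream; name=\"GONE.SCR\"\r\n"
    b"Content-Disposition: attachment; filename=\"gone.scr\"\r\n"
    b"\r\n"
    b"TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAA\r\n"
)

# Same attachment, but with the header folded (RFC 2822 allows CRLF plus whitespace
# inside a header). "filename" and "gone.scr" now sit on different lines, so the
# [^\r\n]* in the signature cannot bridge them and the string match misses.
FOLDED_MSG = INFECTED_MSG.replace(
    b"filename=\"gone.scr\"", b"filename=\r\n\t\"gone.scr\""
)

# Benign message that merely mentions the worm in its body text.
BENIGN_MSG = (
    b"Content-Disposition: attachment; filename=\"notes.txt\"\r\n"
    b"\r\n"
    b"Do not open gone.scr if you receive it.\r\n"
)


def demo():
    """Run the constructed segments through both signatures; 4000x are client ports."""
    return {
        "smtp_inbound":   fired_sigids(40000, 25, INFECTED_MSG),   # client -> SMTP server
        "smtp_wrong_dir": fired_sigids(25, 40000, INFECTED_MSG),   # SMTP server -> client
        "pop3_retr":      fired_sigids(110, 40001, b"+OK 1234 octets\r\n" + INFECTED_MSG),
        "pop3_wrong_dir": fired_sigids(40001, 110, INFECTED_MSG),  # client -> POP3 server
        "imap_fetch":     fired_sigids(143, 40002, INFECTED_MSG),
        "folded_header":  fired_sigids(40000, 25, FOLDED_MSG),
        "benign_body":    fired_sigids(40000, 25, BENIGN_MSG),
    }


if __name__ == "__main__":
    for name, sigs in demo().items():
        print(f"{name:16s} -> {sigs or 'no alarm'}")
```

The folded-header case is the one to keep in mind: the per-character classes make the match case-insensitive, but `[^\r\n]*` deliberately stops at a line break, so a mailer that folds the Content-Disposition header between `filename=` and the value will slip past both signatures.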

8 Replies

dlac455
Level 1

Just out of curiosity, why are 2 signatures needed? The only difference I can find is the ports. Thanks for the clarification.

Direction is different as well. 25 "To Service" is inbound to your SMTP mail server. 109, 110, etc are outbound from pop2, pop3 etc servers (to clients)

c.ebinger
Level 1

I have added the SMTP custom signature as stated. I set it for a level 4 alarm. I receive an email from netrangr notifying me when it sees a goner.scr email come through. I believe the TCP reset is also working. However, an alarm icon does not appear on my director screen. I have OV set to pass up level 3, 4 and 5 alarms to the screen. I am receiving other level 4 alarms on the screen. Did I miss something?

Charlie

You can look in either SigSettings.conf or SigUser.conf for the SigOfGeneral line for the new signature you've added. Check to see if it has 4's set for all the destinations.

Format:

SigOfGeneral sigid# action# dest1sev# dest2sev# dest3sev# etc...

You will see that there is a separate severity number for each entry in the destinations file.

You can also check the sensor and director log files and see if the alarms are winding up in the log files and have severity of 4.

The alarm icons should be created in OpenView, but will show up with the signature id# you assigned rather than the name of the alarm. This happens because the signature was created on the sensor, and the director does not know about the signature. When the sensor alarms it sends an alarm with the signature number, but the alarm itself does not contain the name. Since the director does not know the name it has to just show the number.

If you are getting icons with numbers, you can correct this by doing the following:

1) Edit the /usr/nr/etc/signatures file on the director and include the new signature id and name.

2) Open nrConfigure and double click on the director; it will prompt asking if it should load the new signature file. You will want to select yes.

3) Close nrConfigure.

4) Close the ovw window.

5) Start back up ovw, and any new alarms should have the name (old alarms will still have the number).

NOTE: This is just a workaround, so when the director is upgraded with a new signature update you will want to edit the signatures file and ensure that your custom sigs were not removed.

jason.fletcher
Level 1

I noticed in the IDS Active Update Bulletin that was sent out it states: "With the 4200 Series Appliance Sensor, running 3.0 code and higher, SigWizMenu may be used to modify the engine named "STRING.TCP" to detect the presence of the 'Goner.A' worm." Is this something that can be done if one is using the IDSM for a 6500? If so can it be configured with CSPM or must one use the Unix Director?

You can take the strings designated and create Custom String Matches rather than Custom Signatures.

Custom String Matches should provide most of the functionality needed to implement the signatures and can be configured through CSPM or the Unix Director, and are available on all versions of the appliance and module.

So far, I think only the wu-ftp signature requires parameters not available through Custom String Matches.

NOTE: There is a known bug with the IDSM that you need to be aware of.

DDTS: CSCds24327 - the IDSM can not monitor for the same string on more than one port.

With the first signature for the Goner.A Worm it is looked for on multiple ports. When configuring a Custom Signature you will need to configure the signature ONLY for the ports for the type of email your company uses. If more than one type is used then you will need to configure a different string for each port to overcome the IDSM bug.

Example:

The string to look for is: [Ff][Ii][Ll][Ee][Nn][Aa][Mm][Ee][^\r\n]*[Gg][Oo][Nn][Ee][.][Ss][Cc][Rr]

If you are running mail programs on both ports 109 and 110, then you can place the full string for searching on port 109, but for port 110 leave off the initial [Ff]; this makes it a different string and should not be affected by the IDSM bug: [Ii][Ll][Ee][Nn][Aa][Mm][Ee][^\r\n]*[Gg][Oo][Nn][Ee][.][Ss][Cc][Rr]

NOTE: I am assuming that this should work, but I have not had a chance to actually try it myself to verify for sure.

All of these signatures will be incorporated in a signature update on the IDSM.

(Though not sure when it would be released)

Thanks. I tried this and the custom string field only supports 63 characters. Now, I can shorten the string by taking off the letters F,I, and L at the beginning and that will fit, but are there any plans to increase the number of characters allowed in this field?

If I remember correctly this is an issue with CSPM; the sensors can actually accept more than that many characters, but I haven't tested it to be sure. I do not know if the CSPM team has scheduled a fix for this or not.

If this is just a CSPM bug, then the workaround for the CSPM bug would be to use the Epilogue feature to add lines to packetd.conf for the full Custom String Matches:

Syntax:

RecordOfStringName stringid port direction numoccurrences string

SigOfStringMatch stringid action dest1sev dest2sev dest3sev etc...

Example:

RecordOfStringName 10901 109 2 1 "[Ff][Ii][Ll][Ee][Nn][Aa][Mm][Ee][^\r\n]*[Gg][Oo][Nn][Ee][.][Ss][Cc][Rr]"

SigOfStringMatch 10901 0 5 5 5 5

Epilogue Directions:

http://www.cisco.com/univercd/cc/td/doc/product/ismg/policy/ver23i/idsguide/ch06.htm#xtocid259544
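As an added example covering the IDSM one-string-per-port limitation (CSCds24327), the 63-character CSPM string field, and the packetd.conf Epilogue lines quoted above: a Python script (mine, not from the thread or from Cisco) that trims the posted RegexString one leading character class at a time to get a distinct string for each port that fits the field, confirms each variant still matches a constructed filename= header, and emits the RecordOfStringName/SigOfStringMatch pairs. The direction, action and severity numbers are copied from the thread's example, and the string-id scheme (10901 for port 109) is my reading of that one example, not a documented rule; check both against your sensor documentation before deploying.

```python
import re

# RegexString from the thread; it is 71 characters long as posted.
FULL_REGEX = r"[Ff][Ii][Ll][Ee][Nn][Aa][Mm][Ee][^\r\n]*[Gg][Oo][Nn][Ee][.][Ss][Cc][Rr]"
CSPM_STRING_LIMIT = 63   # field length reported in the thread

# Constructed sample header used to confirm each trimmed variant still matches.
SAMPLE_HEADER = 'Content-Disposition: attachment; filename="gone.scr"\r\n'


def strip_leading_classes(regex, n):
    """Drop the first n bracketed character classes: n=1 turns '[Ff][Ii]...' into '[Ii]...'."""
    for _ in range(n):
        if not regex.startswith("["):
            raise ValueError("regex does not begin with a character class")
        regex = regex[regex.index("]") + 1:]
    return regex


def per_port_strings(ports, limit=None, regex=FULL_REGEX):
    """Return {port: string} with a distinct string for every port.

    Trimming starts at the shortest prefix that fits `limit` (the CSPM field size,
    or None for no limit) and removes one more leading class per additional port,
    so no two ports share a string (the IDSM bug) and every string fits the field.
    Each variant is checked against SAMPLE_HEADER. Trimming weakens the anchor
    from 'filename' to a suffix of it, so trim no further than the ports require.
    """
    base = 0
    if limit is not None:
        while len(strip_leading_classes(regex, base)) > limit:
            base += 1
    result = {}
    for i, port in enumerate(sorted(ports)):
        variant = strip_leading_classes(regex, base + i)
        if not re.match(r"\[[A-Za-z]", variant):
            raise ValueError("ran out of 'filename' prefix to trim")
        if not re.search(variant, SAMPLE_HEADER):
            raise ValueError(f"variant for port {port} no longer matches the sample")
        result[port] = variant
    if len(set(result.values())) != len(result):
        raise ValueError("variants are not distinct")
    return result


def epilogue_lines(strings, direction=2, occurrences=1, action=0, dest_sevs=(5, 5, 5, 5)):
    """packetd.conf Epilogue lines in the two-record form quoted in the thread.

    direction, action and dest_sevs default to the values in the thread's example
    (2, 0 and 5 for four destinations); they are copied from it, not looked up.
    String ids follow the example's 10901 = port 109, entry 01 pattern, which is an
    assumption drawn from that single example.
    """
    lines = []
    for port, s in sorted(strings.items()):
        sid = port * 100 + 1
        lines.append(f'RecordOfStringName {sid} {port} {direction} {occurrences} "{s}"')
        lines.append(f"SigOfStringMatch {sid} {action} " + " ".join(str(v) for v in dest_sevs))
    return lines


if __name__ == "__main__":
    strings = per_port_strings([109, 110, 143, 220], limit=CSPM_STRING_LIMIT)
    for port, s in strings.items():
        print(f"port {port}: {len(s)} chars  {s}")
    print()
    print("\n".join(epilogue_lines(strings)))
```

Run without a limit when you are using the Epilogue route (the sensor side is reported to accept the full string) and with `limit=CSPM_STRING_LIMIT` when the strings have to go through the CSPM field; in both cases the output is one distinct string per mail port, which is what the IDSM needs.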