Signature 3110 Suspicious Mail Attachment - False +ve

ssverma
Level 1

I see a lot of alerts for alarm id 3110 from my 4210 box. The signature says that it fires if it finds a vbs, wsh, cmd, etc. attachment, but I found that it gives me alerts for a doc or xls attachment in mail.

Is there a problem with the signature, or do I need to do some other configuration changes?

Please help.

9 Replies

darin.marais
Level 4

The signature structure for a 4.1.4-s94 sensor has the following expression and should therefore not trigger with a .doc or .xls attachment.

RegexString: [Aa][Tt][Tt][Aa][Cc][Hh][Mm][Ee][Nn][Tt].*[\n\r]*.*[Ff][Ii][Ll][Ee][Nn][Aa][Mm][Ee][^\r\n]*[.](([Vv][Bb][Ss])|([Vv][Bb][Ee])|([Ss][Ww][Ff])|([Hh][Tt][Aa])|([Ss][Cc][Rr])|([Pp][Ii][Ff])|([Cc][Oo][Mm])|([Bb][Aa][Tt])|([Ee][Xx][Ee])|([Cc][Mm][Dd])|([Ww][Ss][FfHh]))

ServicePorts: 25

Would it be possible to capture the trigger packet for closer inspection?

On May 11, 2004, 8:39pm PST, marcabal of cisco systems wrote:

There are 2 steps for dealing with the trigger packet.

Step 1 is to tune the signature and set CapturePacket to True.

Step 2 is to view the trigger packet when the alert fires.

To configure it in IDM follow the steps according to this link:

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/csids/csids10/idmiev/swchap3.htm#31460

In Step 4 set the CapturePacket parameter to True

Similar steps are also available for IDS MC. I just don't know of a specific link to point to.

To view the trigger packet in IEV:

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/csids/csids10/idmiev/swchap6.htm#1789

With IEV you can view a hexadecimal and ASCII representation of the packet, or if you have ethereal loaded you can have the trigger packet loaded into the ethereal viewer and be able to view detailed analysis of the packet.

The hexadecimal and ASCII view of the packet can also be seen in the "show events" command in the sensor CLI, or in the show events output of IDM.

To view events in the CLI:

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/csids/csids10/cmdref/15599ch2.htm#379622

To view events in IDM:

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/csids/csids10/idmiev/swchap4.htm#860304

If after you view the packet through the CLI or IDM, and you want to be able to view even more detailed analysis of the packet, then do the following.

Copy the trigger packet from the CLI or IDM events output, and paste it into a file on your desktop.

Next run text2pcap to convert the hexadecimal and ascii representation into a libpcap file.

The libpcap file can then be opened using ethereal for detailed analysis.

NOTE: text2pcap is a utility that is included in most ethereal installations.

If you are using Security Monitor (VMS) for viewing the alarms, then there is not currently a method within SecMon for viewing the trigger packet. You will need to use either IEV, the CLI, or IDM to view the trigger packet.

This feature is being added in a future version of Security Monitor (I am not sure when).

Reference http://forums.cisco.com/eforum/servlet/NetProf?page=netprof&CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.1dd5bb27
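The signature expression quoted at the top of this reply, checked in Python against constructed MIME header fragments (added example, not part of the thread or of the sensor code). It assumes the sensor's regex engine treats "." the way Python does (anything but a newline); the tightened pattern is a hypothetical comparison, not Cisco's fix.

```python
import re

# Signature 3110 pattern exactly as quoted earlier in the thread, split only
# for readability (the letter classes make it case-insensitive).
SIG_3110 = re.compile(
    r"[Aa][Tt][Tt][Aa][Cc][Hh][Mm][Ee][Nn][Tt].*[\n\r]*.*"
    r"[Ff][Ii][Ll][Ee][Nn][Aa][Mm][Ee][^\r\n]*[.]"
    r"(([Vv][Bb][Ss])|([Vv][Bb][Ee])|([Ss][Ww][Ff])|([Hh][Tt][Aa])|([Ss][Cc][Rr])"
    r"|([Pp][Ii][Ff])|([Cc][Oo][Mm])|([Bb][Aa][Tt])|([Ee][Xx][Ee])|([Cc][Mm][Dd])"
    r"|([Ww][Ss][FfHh]))"
)

# Hypothetical tightened form (not Cisco's): the extension must end the quoted
# filename value, so a later ".com" on the same header line cannot satisfy it.
TIGHTENED = re.compile(
    r'(?im)^Content-Disposition:\s*attachment;.*?filename="?[^";\r\n]*\.'
    r'(vbs|vbe|swf|hta|scr|pif|com|bat|exe|cmd|wsf|wsh)"?\s*(;|$)'
)

def fires(pattern, smtp_text):
    """Return the matched text if the pattern would fire, else None."""
    m = pattern.search(smtp_text)
    return m.group(0) if m else None

# Constructed MIME header fragments, not captured traffic.
VBS_ATTACHMENT = (
    'Content-Type: application/octet-stream; name="invoice.vbs"\r\n'
    'Content-Disposition: attachment; filename="invoice.vbs"\r\n'
)
DOC_ATTACHMENT = (
    'Content-Type: application/msword; name="report.doc"\r\n'
    'Content-Disposition: attachment; filename="report.doc"\r\n'
)
# Same .doc, but the filename line also carries a ".com" token further along;
# the signature's [^\r\n]* skips past ".doc" and stops at that ".com".
DOC_PLUS_COM_TOKEN = (
    'Content-Disposition: attachment; filename="report.doc"; '
    'x-origin=mail.example.com\r\n'
)

if __name__ == "__main__":
    for label, sample in [("vbs", VBS_ATTACHMENT), ("doc", DOC_ATTACHMENT),
                          ("doc+.com", DOC_PLUS_COM_TOKEN)]:
        print(f"{label:9} sig3110={fires(SIG_3110, sample)!r:60} "
              f"tightened={fires(TIGHTENED, sample)!r}")
```

A plain .doc attachment does not match, but the third sample shows one shape of header line on which the quoted pattern does fire for a .doc; capturing the trigger packet, as suggested above, is what confirms which shape is actually being seen.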

Hi,

Thanks for your help. But I am running a 4210 with 3.x S82. I would also like to know how I can see the expression for the signature that is matched to send an alert.

For now I have disabled the signature as I am not able to find a correct solution.

As far as I am aware, on a version 3.1, it is not possible to see the regular expression.

Hi,

Ok, it means that for 3.1 I would not be able to view the signature expression. Any idea as to why signature 3110 behaves in this manner?

Can I see any setting related to the signature from the command line?

Is there any other alternative that would help in this situation?

Hello,

Have you tried running the SigWizMenu from the CLI in 3.1? You can usually look at the regular expression from this app. Just type .SigWizMenu at the prompt.

Hope this helps you solve your problem.

pete

Hi,

I couldn't find the command SigWizMenu in 3.1. Are you sure it is there in 3.1? I also did a search for it, but it is not there.

Sachin

The SigWizMenu was renamed to .SigWizMenu.

Notice the period in front of the "S".

You can "cd /usr/nr/bin" to get to the bin directory and execute "ls -la" and you should see the .SigWizMenu program.

Marco

Hi,

Thanks, I got that command, but it is the CLI version of what I can do from the IDM. I don't see that it shows me the expression that it would be matching to fire the alarm.

Also, has anybody else come across the same problem, wherein the sig is fired even on the word "attachments"?

Sachin

We want to enable the CapturePacket parameter for a selection of signatures. Is this possible using one of the regular interfaces (CLI, IDM, VMS)? Or do we really have to do it manually for each signature individually?