greatscott
Level 12

Assistance with IPS custom signature subrule

Hey, can anyone else test this out for us?

So we cannot get this to fire:

Rule {
    tag suspicious_dll
    Class Files
    Id XXXX
    level 1
    files { Include "*\\AppData\\Local\\&.dll" }
    directives files:write files:create files:execute
}

but can get this to fire:

Rule {
    tag suspicious_dll
    Class Files
    Id XXXX
    level 1
    files { Include "*\\AppData\\Local\\bad.dll" }
    directives files:write files:create files:execute
}

Here is our testing method. We create a custom IPS signature with the first expert subrule. We then save the policy, wake the system up, and try to create "bad.dll" and execute it within the "C:\users\username\appdata\local" folder structure. We run a wake-up and check ePO, or check the local IPS console, and no event is generated. For the second part of the test, we remove the expert subrule from the first signature and replace it with the second expert subrule (notice the only difference is that we are using "&.dll" in the first and "bad.dll" in the second). We saved the policy, woke the system up, again tried to create and execute bad.dll in the "C:\users\username\appdata\local" folder, and the event triggers.

Essentially the & string wildcard is not working for us in this scenario. We have used this wildcard in the past, but not for dll files. Can anyone else recreate this test and see if they get similar results?

Thanks in advance.

2 Replies
epository
Level 10

Re: Assistance with IPS custom signature subrule

Go out to the remote machine you are creating the bad.dll on and use the clientcontrol.exe /exportconfig 4 option to see if your policy is getting down to the machine.

I have had instances where "Update Security" had to be used to get the policy to apply, as well as restarting the McAfee Host Intrusion Prevention service, especially if clientcontrol.exe doesn't produce any output.

Also use clientcontrol.exe /log 0 4 to put the logging into debug mode and try hitting the bad.dll to see if it will trigger.

You may also need to specify all executables and all users with the following. That being said, I don't know why the first one would work and the second wouldn't...

Executable { Include "*" }
user_name { Include "*" }

clientcontrol.exe info:

   7) /readNaiLic
   8) /exportConfig <path of export file> <config type ...>
           Config Type:    0 = all
                           1 = app protection
                           2 = blocked hosts
                           3 = firewall
                           4 = hip custom sigs
                           5 = IPS exceptions
                           6 = settings
                           7 = trusted apps
                           8 = trusted networks
                           9 = network ips sigs
                           10 = hip sigs
                           11 = hip engines
                           12 = logon sessions
                           13 = DNS blocking rules

McAfee Employee

Re: Assistance with IPS custom signature subrule

Rule {
    tag suspicious_dll
    Class Files
    Id XXXX
    level 1
    files { Include "*\\AppData\\Local\\&.dll" }
    directives files:write files:create files:execute
}

Triggered just fine for me. Use cmd.exe to create the file, not explorer.exe.

EDIT: used "copy con" to create the file; notepad to edit the file; regsvr32 to run the dll.  All were blocked by this signature.

Message was edited by: ktankink on 11/11/13 6:16:50 PM CST
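The thread turns on what the "&" wildcard in a files { Include "..." } clause actually matches. The following Python is an added example, not code from the thread or from McAfee: it pulls the Include pattern out of a rule block as posted above and evaluates it against constructed Windows paths using the wildcard semantics I am assuming from the HIPS product guide (asterisk matches any run of characters including path separators, ampersand matches any run of characters except path separators, question mark matches one character, matching is case-insensitive). The function names, the sample rule text and the sample paths are all mine; verify the semantics against your own product guide before relying on them.

```python
import re

# Assumed HIPS expert-rule wildcard semantics (not verified against product code):
#   *  any run of characters, including \ and /
#   &  any run of characters, excluding \ and /  (stays inside one path component)
#   ?  exactly one character
# Path comparison is treated as case-insensitive, as Windows paths are.

INCLUDE_RE = re.compile(r'files\s*\{\s*Include\s+"([^"]*)"\s*\}', re.IGNORECASE)


def include_patterns(rule_text: str) -> list:
    """Return the quoted patterns from every files { Include "..." } clause."""
    return INCLUDE_RE.findall(rule_text)


def rule_pattern_to_regex(rule_pattern: str) -> re.Pattern:
    """Translate a pattern as written inside the rule's quotes into a regex.

    Inside the quotes a backslash is doubled ("\\\\" in the rule means one
    literal backslash), so un-escape that first, then map the wildcards.
    """
    literal = rule_pattern.replace("\\\\", "\\")
    parts = []
    for ch in literal:
        if ch == "*":
            parts.append(".*")            # crosses directory separators
        elif ch == "&":
            parts.append(r"[^\\/]*")      # confined to one path component
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)


def matches(rule_pattern: str, path: str) -> bool:
    """True if the rule pattern would match the given full file path."""
    return rule_pattern_to_regex(rule_pattern).match(path) is not None


def evaluate(rule_text: str, paths: list) -> dict:
    """Map each path to whether any Include pattern in the rule matches it."""
    patterns = include_patterns(rule_text)
    return {p: any(matches(pat, p) for pat in patterns) for p in paths}


# Constructed sample rule, identical in shape to the one posted in the thread.
SAMPLE_RULE = r'''
Rule {
    tag suspicious_dll
    Class Files
    Id XXXX
    level 1
    files { Include "*\\AppData\\Local\\&.dll" }
    directives files:write files:create files:execute
}
'''

# Constructed sample paths (hypothetical user "alice").
SAMPLE_PATHS = [
    r"C:\Users\alice\AppData\Local\bad.dll",        # matches: & covers "bad"
    r"c:\users\alice\appdata\local\BAD.DLL",        # matches: case-insensitive
    r"C:\Users\alice\AppData\Local\Temp\bad.dll",   # no match: & cannot cross "\"
    r"C:\Users\alice\AppData\Roaming\bad.dll",      # no match: wrong directory
    r"C:\Users\alice\AppData\Local\bad.exe",        # no match: wrong extension
]

if __name__ == "__main__":
    for path, hit in evaluate(SAMPLE_RULE, SAMPLE_PATHS).items():
        print(f"{'FIRE ' if hit else 'quiet'}  {path}")
```

Run it as-is to see which constructed paths the "&.dll" pattern covers; swap the pattern for "*\\AppData\\Local\\*.dll" and the Temp subdirectory case starts matching too, which is the practical difference between the two wildcards. If a real rule that should match under these semantics stays quiet on the endpoint, the thread's own advice applies: confirm the policy reached the host with clientcontrol.exe /exportConfig and read the debug log rather than assuming the pattern is at fault.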