Caller_Modules... Program or BO classes. Where to put them?

I notice the only rule class that returns Caller_Paths (modules), Caller_Fingerprints, and Caller_Descriptions is the Buffer Overflow rule class. So how come Caller_Module is included in the Program class GUI?

Which one should I use to watch for bad caller module names and MD5s?

Program class GUI version

<Setting name="+SigRule#0" value="Rule { tag "Watch for bad Caller Modules NON EXPERT SUB 1" Class Program Id 5713 level 3 Caller_Module { Include "badcallermodule.exe" } directives program:open_with_wait program:open_with_any program:open_with_create_thread program:open_with_terminate program:run program:open_with_modify }" />

Buffer Overflow class Expert Version

  <Setting name="+SigRule#1" value=";Rule { tag "Watch for bad Caller Modules Expert Sub 1" Class Buffer_Overflow Id 5713 level 3 Caller_Module { Include { -hash "1234563345674678876576" } } directives "bo:stack" "bo:heap" "bo:writeable_memory" "bo:invalid_call" "bo:call_not_found" }" />

Like I said, I see absolutely no "Program class" rules written with or returning events with Caller_Modules data in them. So I'm assuming BO Class is the way to go. But then why is Caller Module a drop down box for Program Class rules in the GUI? Are they detecting the same thing or not?

Message was edited by: shakira on 4/8/14 1:54:32 PM CDT
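As an added example (not from the post and not McAfee's own tooling), a small Python parser for the two SigRule values quoted above, with a lint that encodes the poster's observation: it flags a Caller_Module block on a rule whose Class is not Buffer_Overflow and reports that both rules reuse Id 5713. The rule grammar is inferred from these two values only, the sample strings are constructed from them, and the program:open_with_* directive names are assumed from the mangled originals.

```python
import re

# Constructed sample input: the two SigRule values from the post (directive list shortened).
PROGRAM_RULE = ('Rule { tag "Watch for bad Caller Modules NON EXPERT SUB 1" Class Program Id 5713 level 3 '
                'Caller_Module { Include "badcallermodule.exe" } directives program:open_with_wait program:run }')
BO_RULE = (';Rule { tag "Watch for bad Caller Modules Expert Sub 1" Class Buffer_Overflow Id 5713 level 3 '
           'Caller_Module { Include { -hash "1234563345674678876576" } } directives "bo:stack" "bo:heap" }')

def tokenize(text):  # quoted string | brace | bare word; quoted values lose their quotes
    return [t[1:-1] if t.startswith('"') else t for t in re.findall(r'"[^"]*"|[{}]|[^\s{}"]+', text)]

def parse_block(tokens, i):  # collect tokens up to the matching '}' into a nested list
    items = []
    while i < len(tokens) and tokens[i] != '}':
        if tokens[i] == '{':
            sub, i = parse_block(tokens, i + 1)
            items.append(sub)
        else:
            items.append(tokens[i]); i += 1
    return items, i + 1

def parse_rule(value):
    """Parse one SigRule value into a dict; every token after 'directives' is a directive."""
    tokens = tokenize(value.lstrip(' ;'))  # the post's expert rule starts with ';'
    if tokens[:2] != ['Rule', '{']:
        raise ValueError('expected Rule { ... }')
    body, _ = parse_block(tokens, 2)
    rule, i = {}, 0
    while i < len(body) and body[i] != 'directives':
        rule[body[i]] = body[i + 1]; i += 2
    rule['directives'] = body[i + 1:]
    return rule

def caller_module_includes(rule):  # flatten Caller_Module { Include ... } into (kind, value) pairs
    out, stack = [], list(rule.get('Caller_Module', []))
    while stack:
        tok = stack.pop(0)
        if isinstance(tok, list):
            stack = tok + stack
        elif tok == '-hash':
            out.append(('hash', stack.pop(0)))
        elif tok != 'Include':
            out.append(('name', tok))
    return out

def lint(rules):  # flag Caller_Module off Buffer_Overflow (the poster's observation) and reused Ids
    findings, by_id = [], {}
    for r in rules:
        if 'Caller_Module' in r and r['Class'] != 'Buffer_Overflow':
            findings.append(f"Id {r['Id']}: Caller_Module on Class {r['Class']}")
        by_id.setdefault(r['Id'], []).append(r['tag'])
    findings += [f"Id {rid} used by {len(t)} rules" for rid, t in by_id.items() if len(t) > 1]
    return findings
```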