shakira
Level 10

EXPERT subrule questions and guidance


Correct me if I'm wrong, but I've found no real tutorials or examples of writing expert subrules for HIPS. I understand the wizard converts the gui to the expert rule language via the preview button, and I've created a few expert subrules myself.

My question is, what is gained from using the expert subrule vs the wizard? I specifically mean in terms of available options, keywords and abilities to detect and block that the wizard may not have. Also, this description from the manual is confusing:

"The Expert method, recommended only for advanced users, enables you to provide the rules syntax without limiting the number of types you can include in the signature. Before writing a rule, make sure you understand rule syntax"

What does "types" refer to in this? I'm assuming it means you can add Files, Registry and other rule types together, but how would that work? I would LOVE an example of how that is beneficial if anyone has one, please! The more fine grain the rules can be the better!

Lastly, I noticed the Default McAfee HIPS rules use a different language to write their rules which include if/else statements. Can we stick that stuff into expert rules?

Message was edited by: shakira on 1/16/14 3:07:46 PM CST

Message was edited by: shakira on 1/16/14 3:08:47 PM CST

Accepted Solutions
greatscott
Level 12

Re: EXPERT subrule questions and guidance


I believe it only relieves you of having to create several subrules. And I also believe that the separate classes act as an "OR" statement, not an "AND" statement. So you would be correct in your thinking.

8 Replies
greatscott
Level 12

Re: EXPERT subrule questions and guidance


Just looking at the standard subrule vs expert subrule, yes you can only do one "class" type for the basic subrule. You would essentially have to create multiple standard subrules if you wanted to do multiple classes. In an expert subrule, you can create multiple classes. Additionally, there seems to be only an "Include" field for file path indicators. You can create an "Exclude" rule within the expert subrules, but cannot in the standard subrules.

I'm sure there is more you can do with TCL within the expert subrule, but these are just off the top of my head.

Message was edited by: greatscott on 1/17/14 7:46:22 AM CST
shakira
Level 10

Re: EXPERT subrule questions and guidance


So based off of that, does combining "types" in one expert rule actually work off each other to detect on a finer scale? Or are we simply saving ourselves from having multiple subrule names? I can't tell.

For example, if we put a File path for "bad.exe" and a Registry key for "**/bad" in one expert subrule, do these combine and "and" into each other to make a finer tuned rule? Not sure if that's possible.

From my testing and understanding so far, subrules are completely free of each other/not reliant on each other to fire, but does the above change that?

Lastly... is there ANY good documentation on writing this stuff? Is it just TCL with the addition of some keywords from McAfee, or is it more limited? I'm incredibly disappointed with the custom and expert rule writing documentation. There don't seem to be any classes on this either.

Message was edited by: shakira on 1/17/14 8:55:42 AM CST
shakira
Level 10

Re: EXPERT subrule questions and guidance


Thanks for the answer Scott.

So just for curiosity's sake I wonder what more can be done with TCL and whatever it is you call the McAfee keywords that are being used in it in HIPS.... hmmmm...

shakira
Level 10

Re: EXPERT subrule questions and guidance


I'd like to add that these things are known by me to be available in HIPS expert custom rules but not available in the GUI wizard version custom rules:

1. DATA values for the reg key class

     ex. Look for the word "test" being set as the DATA "value" in a key/value:

     new_data { Include "74006500730074000000" }

     where t = 7400, e = 6500, s = 7300, t = 7400 and 0000 at the end for whatever reason. Add 00's to the end of ASCII hex values.

2. Buffer overflows. Not much documentation on this, but here is an example of an incredibly basic one:

Rule {
   Class "Buffer_Overflow"
   Id "xxxx"
   level x
   time {Include "*"}
   application {Include "*"}
   user_name {Include "*"}
   attributes -no_trusted_apps -not_auditable
   directives "-d" "-c" "bo:stack" "bo:heap"
}

- And here is a rule written to watch if a specific executable was overflowed instead:

Rule {
   Class "Buffer_Overflow"
   Id "xxxx"
   level x
   time {Include "*"}
   if { $EAGENT_64Bit_Process } {
      application {Include "[iEnv SystemRoot]\\xxxxxx\\xxxxx.exe" \
                           "[iEnv SystemRoot]\\xxxxxx\\xxxxx.exe" \
                  }
   } else {
      application {Include "[iEnv SystemRoot]\\xxxxxxx\\xxxxxx.exe"}
   }
   user_name {Include "*"}
   dependencies "-d" "-c" "428"
   directives "-c" "-d" "bo:stack" "bo:heap"
   attributes -not_auditable
}

- One using target_bytes which is related to the rule "Illegal execution" which would be great to have documentation on:

Rule {
   Class "Buffer_Overflow"
   Id xxxx
   level x
   time {Include "*"}
   if { $EAGENT_64Bit_Process } {
      application { Include "[iEnv SystemRoot]\\xxxx.exe"           \
                            "[iEnv SystemRoot]\\syswow64\\xxxx.exe" \
                  }
   } else {
      application { Include "[iEnv SystemRoot]\\xxxx.exe" }
   }
   user_name {Include "*"}
   dependencies "-d" "-c" "985"
   if { [lindex [split $EAGENT_Version .] 0] > 7 } {
      target_bytes { Exclude {00 10 04 00 01 a3 50 91 f7 08 ff 96 40 00 03 00-95 8a 07 42 09 b0 31 bc 20 a9 52 4d 12 4e 55 f2} }
      target_bytes { Exclude {b2 37 6b 3b 89 7d f4 8d 7d f4 53 6a ff ff 53 18-3c ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ??} }
   }
   directives "-d" "-c" "bo:writeable_memory"
}

3. Lastly, any of the Linux classes

Message was edited by: shakira on 1/22/14 8:32:58 AM CST

Message was edited by: shakira on 1/22/14 8:34:15 AM CST
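The hex string in the new_data example above is the UTF-16LE encoding of "test" followed by a two-byte null terminator; the helpers below, added here and not McAfee code, build that form from plain text and decode a captured value back. That every REG_SZ-style data value encodes this way is an assumption drawn from the single sample in the post.

```python
"""Encode/decode the hex data form used by HIPS expert registry rules.

Added example (not McAfee's): the thread's sample "test" ->
"74006500730074000000" is exactly UTF-16LE bytes plus a 00 00 terminator.
That this holds for every string data value is an assumption.
"""


def reg_string_to_hips_hex(value: str) -> str:
    """'test' -> '74006500730074000000' (UTF-16LE bytes, then 00 00)."""
    return (value.encode("utf-16-le") + b"\x00\x00").hex()


def hips_hex_to_reg_string(hexdata: str) -> str:
    """Inverse: decode a captured hex data value back to text, dropping
    everything from the first UTF-16 null (the terminator) onwards."""
    raw = bytes.fromhex(hexdata)
    if len(raw) % 2:
        raise ValueError("UTF-16LE data must have an even byte length")
    return raw.decode("utf-16-le").split("\x00", 1)[0]


def new_data_include(*values: str) -> str:
    """Render a new_data Include block listing each string's hex form,
    the way the thread's example does for a single value."""
    quoted = " ".join(f'"{reg_string_to_hips_hex(v)}"' for v in values)
    return f"new_data {{ Include {quoted} }}"


if __name__ == "__main__":
    print(new_data_include("test"))
    print(hips_hex_to_reg_string("74006500730074000000"))
```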
shakira
Level 10

Re: EXPERT subrule questions and guidance


Found something new that isn't documented. Well it is kind of, but horribly. This is what a buffer overflow rule specifically from a "call not found" could look like ("Suspicious Function Invocation - CALL Not Found" for example):

Rule {
   Class "Buffer_Overflow"
   Id "xxxx"
   level x
   application {Include "*"}
   dependencies -d -c "432" "434"
   attributes -no_trusted_apps -not_auditable
   directives -c -d "bo:call_not_found"
}

It's on or off. Something is a BO specifically from "call_not_found" or not. Those are your options.

If you wanted to filter on the SourceProcessName you'd use that application line. If you wanted to filter by the Caller Path/Module (dll's) though, you wouldn't know how. The doc on page 108 mentioned "caller module" but with no example. The actual syntax is Caller_Module:

Caller_Module {Exclude { -path "*\\good123.dll"} }
Caller_Module {Exclude { -path "*\\good456.dll"} }

That seems to be what you would use if you wanted to exclude two good known dll's from the above mentioned rule. You could instead however only "Include" known bad paths or file names, only blocking things you KNOW should be blocked!

shakira
Level 10

Re: EXPERT subrule questions and guidance

Just looking at the standard subrule vs expert subrule, yes you can only do one "class" type for the basic subrule. You would essentially have to create multiple standard subrules if you wanted to do multiple classes. In an expert subrule, you can create multiple classes. Additionally, there seems to be only an "Include" field for file path indicators. You can create an "Exclude" rule within the expert subrules, but cannot in the standard subrules.

So I just tried this, and it does not work. For example:

Works:

Rule {
   tag "c to mcafee test"
   Class Files
   Id 4045
   level 3
   files { Include "c*mcafeetest.exe" }
   directives files:create
}

Doesn't Work:

Rule {
   tag "c to mcafee test"
   Class Files
   Class Programs
   Id 4045
   level 3
   files { Include "c*mcafeetest" }
   Target_Executable { Include { -path "*\\mcafeetest.exe" } }
   directives files:create program:run
}

With the error: "ERROR: Multiple class sectionsREMOVED"

I was hoping this worked so I didn't have to make 4 subrules every time I want to watch an md5 doing anything (to files, reg keys, services, and other programs). Any ideas on how to consolidate that behavior into one rule?

Message was edited by: shakira on 3/13/14 10:32:23 AM CDT
shakira
Level 10

Re: EXPERT subrule questions and guidance


I've found another rule option that is only available in expert rules. The ability to only use pieces of signers/certs instead of the whole, perfectly known string. This is great for when you don't know how certs would be parsed through ClientControl.exe's /execinfo switch. Maybe you get info for a known bad cert from someone but don't have the sample to actually run ClientControl.exe on (seen here: https://kc.mcafee.com/corporate/index?page=content&id=KB71205). The GUI DOES NOT allow you to put a star in the front of a signer string for some reason.

The working rule (also firing on many other Microsoft .exe's, as is to be expected because they share the same cert):

Rule {
   tag "windows app by signer sub 1"
   Class Program
   Id 5809
   level 3
   Executable { Include { -sdn "*OU=MOPR*" }
   }
   directives program:open_with_wait program:open_with_any program:open_with_create_thread program:open_with_terminate program:run program:open_with_modify
}

Event:

------------------------------
04-24 08:44:35 [00408] VIOLATION: [3] ------- Violation ---- Size 1523 ----
<Event> <!-- Level=Med, Reaction=Log -->
  <EventData
  SignatureID="5809"
  SignatureName="windows apps by piece of signer"
  SeverityLevel="3"
  Reaction="2"
  ProcessUserName="NT AUTHORITY\SYSTEM"
  Process="C:\WINDOWS\SYSTEM32\SVCHOST.EXE"
  IncidentTime="2014-04-24 08:44:33"
  AllowEx="True"
  SigRuleClass="Program"
  ProcessId="956"
  Session="0"
  SigRuleDirective="open_with_any"/>
  <Params>
    <Param name="Workstation Name" allowex="True">xxx</Param>
    <Param name="Subject Distinguished Name" allowex="False">CN=MICROSOFT WINDOWS, OU=MOPR, O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US</Param>
    <Param name="Subject Organization Name" allowex="False">MICROSOFT CORPORATION</Param>
    <Param name="Executable Description" allowex="False">HOST PROCESS FOR WINDOWS SERVICES</Param>
    <Param name="Executable Fingerprint" allowex="False">54a47f6b5e09a77e61649109c6a08866</Param>
    <Param name="Target File Name" allowex="False">IEXPLORE.EXE</Param>
    <Param name="Target Path" allowex="False">C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE</Param>
    <Param name="Target Distinguished Name" allowex="False">CN=MICROSOFT CORPORATION, OU=MOPR, O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US</Param>
    <Param name="Target Organization Name" allowex="False">MICROSOFT CORPORATION</Param>
    <Param name="Target Description" allowex="False">INTERNET EXPLORER</Param>
    <Param name="Target Fingerprint" allowex="False">c613e69c3b191bb02c7a191741a1d024</Param>
  </Params>
</Event>

Message was edited by: shakira on 4/24/14 8:52:17 AM CDT

Message was edited by: shakira on 5/1/14 1:17:03 PM CDT
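To see why the "*OU=MOPR*" fragment in the rule above fires on many Microsoft binaries, here is a small parser for the HIPS client-log violation event, written for this thread and not part of McAfee's tooling. The sample log is a constructed, trimmed copy of the event in the post; case-insensitive glob matching is an assumption about how HIPS evaluates -sdn patterns.

```python
"""Parse a HIPS client-log violation event and test signer (-sdn) patterns.

Added example, not McAfee code. SAMPLE_LOG is a constructed, trimmed copy
of the event posted in the thread.
"""
import fnmatch
import re
import xml.etree.ElementTree as ET
from typing import Iterable, List

SAMPLE_LOG = r"""04-24 08:44:35 [00408] VIOLATION: [3] ------- Violation ---- Size 1523 ----
<Event> <!-- Level=Med, Reaction=Log -->
  <EventData SignatureID="5809" SignatureName="windows apps by piece of signer"
    SeverityLevel="3" Reaction="2" ProcessUserName="NT AUTHORITY\SYSTEM"
    Process="C:\WINDOWS\SYSTEM32\SVCHOST.EXE" SigRuleClass="Program"
    ProcessId="956" SigRuleDirective="open_with_any"/>
  <Params>
    <Param name="Subject Distinguished Name" allowex="False">CN=MICROSOFT WINDOWS, OU=MOPR, O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US</Param>
    <Param name="Target Path" allowex="False">C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE</Param>
    <Param name="Target Distinguished Name" allowex="False">CN=MICROSOFT CORPORATION, OU=MOPR, O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US</Param>
  </Params>
</Event>"""


def extract_event_xml(log_text: str) -> str:
    """Cut the <Event>...</Event> document out of a client-log excerpt."""
    m = re.search(r"<Event>.*?</Event>", log_text, re.S)
    if not m:
        raise ValueError("no <Event> block found")
    return m.group(0)


def parse_event(xml_text: str) -> dict:
    """Flatten the EventData attributes and <Param> entries into one dict."""
    root = ET.fromstring(xml_text)
    data = root.find("EventData").attrib
    params = {p.get("name"): (p.text or "") for p in root.iter("Param")}
    return {"signature_id": data.get("SignatureID"),
            "process": data.get("Process"),
            "directive": data.get("SigRuleDirective"),
            "params": params}


def sdn_matches(sdn: str, pattern: str) -> bool:
    """Glob-match a certificate Subject DN against an -sdn Include pattern.
    Case-insensitive comparison is an assumption about the HIPS matcher."""
    return fnmatch.fnmatchcase(sdn.upper(), pattern.upper())


def signer_hits(event: dict, patterns: Iterable[str]) -> List[str]:
    """Return the patterns that would have matched this event's subject DN."""
    sdn = event["params"].get("Subject Distinguished Name", "")
    return [p for p in patterns if sdn_matches(sdn, p)]
```

The loose fragment matches the svchost.exe signer DN while a pattern pinned to the full CN does not, which is the over-matching the post describes.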