shakira

How do I make this rule myself, and what does it mean? SID 2834 Java File Creation

Rule {
        Class "Illegal_API_Use"
        Id "2834"
        level 3
        time {Include "*"}
        application {Include "*"}
        user_name {Include "*"}
        Vulnerability_Name {Include "Java - Creation of suspicious files in Temp folder"}
        directives "-d" "-c" "illegal_api_use:bad_parameter" \
                                "illegal_api_use:invalid_call"
        attributes -not_auditable
}

It seems like the McAfee people who write rules are starting to leverage this kind of custom rule more often. Can someone please explain what is going on here? From what I see, all it is looking for is "illegal_api_use" stuff, which is in a ton of other rules. What makes this unique for Java creating a file specifically? How does it work?

As far as I can tell, we do not have the option to make this kind of rule in the GUI, and we also would have no idea how to write a custom expert rule for it, as it seems to be keying off of the "Vulnerability_Name" line.

It seems as though there is more going on in the background before this rule fires. What is it?

Here are some other examples:

Rule {
        Class "Illegal_API_Use"
        Id "6001"
        level 3
        time {Include "*"}
        application {Include "*"}
        user_name {Include "*"}
        Vulnerability_Name {Include "Suspicious Data Sequence in Javascript"}
        directives "-d" "-c" "illegal_api_use:bad_parameter" "illegal_api_use:invalid_call"
        attributes -not_auditable
}

Rule {
        Class "Illegal_API_Use"
        Id "2819"
        level 4
        time {Include "*"}
        application {Include "*"}
        user_name {Include "*"}
        Vulnerability_Name {Include "Windows Enumerate File Vulnerability"}
        directives "-d" "-c" "illegal_api_use:bad_parameter" "illegal_api_use:invalid_call"
        attributes -not_auditable
}

Rule {
        Class "Illegal_API_Use"
        Id "2830"
        level 0
        time {Include "*"}
        application {Include "*"}
        user_name {Include "*"}
        Vulnerability_Name {Include "Block User Creation"}
        directives "-d" "-c" "illegal_api_use:bad_parameter" \
                                "illegal_api_use:invalid_call"
        attributes -not_auditable
}

I'm trying to get attention towards these because I'd like to be able to leverage whatever is making them myself. Normal-style HIPS rules are not quite high-fidelity enough.

Message was edited by: shakira on 6/12/14 2:22:06 PM CDT
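As an added example (my code, not McAfee's), a small Python parser that inventories rules in the expert-rule text format quoted above by Id and Vulnerability_Name. The grammar it assumes is inferred from the posted rules, not from McAfee documentation: one setting per line inside `Rule { ... }`, `{Include "..."}` match lists, and a trailing backslash continuing the `directives` line. It also flags the stray closing brace that appears after the SID 6001 copy.

```python
import re
import shlex

# Constructed sample: the SID 2834 rule text as posted above.
SAMPLE = '''
Rule {
        Class "Illegal_API_Use"
        Id "2834"
        level 3
        time {Include "*"}
        application {Include "*"}
        user_name {Include "*"}
        Vulnerability_Name {Include "Java - Creation of suspicious files in Temp folder"}
        directives "-d" "-c" "illegal_api_use:bad_parameter" \\
                                "illegal_api_use:invalid_call"
        attributes -not_auditable
}
'''
# Constructed sample reproducing the SID 6001 paste with its extra '}'.
BROKEN = SAMPLE + "}\n"

def parse_rules(text):
    """Return one dict per Rule block; raise ValueError on structural problems."""
    text = re.sub(r"\\\n\s*", " ", text)   # fold backslash line continuations
    rules, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "Rule {":
            if current is not None:
                raise ValueError("nested Rule block")
            current = {}
        elif line == "}":
            if current is None:
                raise ValueError("unmatched '}' outside a Rule block")
            rules.append(current)
            current = None
        else:
            if current is None:
                raise ValueError("setting outside Rule block: " + line)
            key, _, rest = line.partition(" ")
            m = re.fullmatch(r'\{Include\s+"(.*)"\}', rest.strip())
            if m:
                current[key] = m.group(1)      # include-list with one quoted value
            else:
                vals = shlex.split(rest)       # quoted strings and bare tokens
                current[key] = vals[0] if len(vals) == 1 else vals
    if current is not None:
        raise ValueError("Rule block not closed")
    return rules

def validate(text):
    """None if the text parses cleanly, else the first structural error found."""
    try:
        parse_rules(text)
        return None
    except ValueError as e:
        return str(e)

def inventory(text):
    """Map rule Id -> Vulnerability_Name, the field the post suspects the rule keys on."""
    return {r["Id"]: r.get("Vulnerability_Name") for r in parse_rules(text)}
```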

Re: How do I make this rule myself, and what does it mean? SID 2834 Java File Creation

McAfee wants to keep the lid on this. This type of HIPS signature TCL in and of itself does not detect anything. I am assuming it references some secondary list which defines what these Vuln Names correspond to, and thus what constitutes a block/allow. It would be nice to leverage it, but they don't want you putting them out of a job!

shakira

Re: How do I make this rule myself, and what does it mean? SID 2834 Java File Creation

That was my thought as well greatscott. Though I'd be the first to praise McAfee HIPS if they'd let us detect on what I can only imagine they are able to detect on with whatever these rules are doing.

I'm not sure there is a host-based product that can look at API or system calls, or their variables/parameters, right now. If HIPS would allow that they'd have a ton (of money) to gain.

Correlating API calls/parameters of known bad malware or behaviors, and then firing off a rule when a single piece or set over time is seen, would be killer. Suddenly polymorphic file names, registry keys and MD5s don't matter anymore.
