I'd like to create a custom signature to prevent create, execute, read, rename, and write operations for a list of MD5 hashes. I haven't been able to find documentation on this process. My thought process is:
1. Create a Standard IPS Subrule
2. Rule Type = File
3. Create "executables" for each MD5 / fingerprint
What should be included in the parameter section? I want the entire system to be protected from these MD5 hashes.
Is my thought process correct? Any and all feedback is appreciated!
Message was edited by: FLJKBH on 2/25/14 4:03:07 PM CST
You can't do this in HIPS if I'm understanding you correctly. You can only log/block MD5s if they are a "Program" (.exe, .dll, application, or "executable" as you've seen). That means you cannot just block a txt file with a hash of nfwd8932hf3212e.
What you CAN do is block a .exe or .dll with a certain md5sum from being opened or run, or from opening or running anything. You can also prevent that md5sum/.exe/.dll from doing file operations to specific file names or any files, which is what you were actually doing above.
Yeah, I was disappointed as well. Still haven't found a good solution for this seemingly basic operation. There is something called McAfee GTI proxy that can take in hashes and work off of the AV on-access scan, I think, but it only blocks them and subsequently deletes the files. Not a usable solution for forensics or incident response, etc.
Message was edited by: shakira on 2/26/14 10:12:33 AM CST
Correct. If you're trying to block non-executable files, this is not possible in Host IPS. The FILES engine only uses PATH/FILENAME for non-executable files.
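The thread's two practical points are that Host IPS can match a hash only for "Program" entries (.exe/.dll) and that the GTI proxy route deletes matches, which destroys evidence. The script below is an added example, not McAfee's tooling or anything from the posters: a read-only MD5 denylist sweep that reports matches instead of deleting them, and flags which hits could be covered by a HIPS hash-based executable rule versus which would need a path/filename rule. The denylist and sample files are constructed inline; the executable-suffix set is an assumption based on the thread's ".exe, .dll" wording.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Assumption from the thread: only .exe/.dll ("Program") entries can be matched
# by hash in Host IPS; every other type can only be matched by path/filename.
EXECUTABLE_SUFFIXES = {".exe", ".dll"}


def md5_of(path):
    """Return the hex MD5 of a file, read in chunks so large files are not loaded whole."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def scan(root, denylist):
    """Walk root and return every file whose MD5 is in denylist.

    Nothing is deleted or quarantined: matches are only reported, so the
    files stay intact for forensics / incident response.
    """
    denylist = {d.lower() for d in denylist}
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            digest = md5_of(p)
            if digest in denylist:
                hits.append({
                    "path": str(p),
                    "md5": digest,
                    # True: a HIPS executable/hash rule could cover this file.
                    # False: HIPS would need a PATH/FILENAME rule instead.
                    "hips_hash_blockable": p.suffix.lower() in EXECUTABLE_SUFFIXES,
                })
    return hits


def demo():
    """Create constructed sample files in a temp dir, scan them, return (name, flag) pairs."""
    with tempfile.TemporaryDirectory() as tmp:
        bad_exe = Path(tmp) / "tool.exe"
        bad_txt = Path(tmp) / "notes.txt"
        clean = Path(tmp) / "readme.txt"
        bad_exe.write_bytes(b"constructed sample executable content")
        bad_txt.write_bytes(b"constructed sample document content")
        clean.write_bytes(b"benign content")
        # Denylist built from the constructed samples above, not real indicators.
        denylist = {md5_of(bad_exe), md5_of(bad_txt)}
        hits = scan(tmp, denylist)
        return sorted((Path(h["path"]).name, h["hips_hash_blockable"]) for h in hits)


if __name__ == "__main__":
    for name, blockable in demo():
        print(f"{name}: hash match; HIPS hash rule applicable = {blockable}")
```

Running it reports both constructed matches; `tool.exe` is flagged as coverable by a hash-based executable entry, while `notes.txt` is flagged as needing a path/filename rule, which is the distinction the replies above describe.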