shakira
Level 10

Understanding the Buffer Overflow Class for Custom HIPS Rules

Has anyone taken the time to figure out how to write an expert subrule for the Buffer Overflow class? I have some Default rules to refer to but it's a bit rough.

At the very least, does anyone know what writing an expert buffer overflow subrule could bring to the table in terms of detecting/blocking new things? What it doesn't bring? Is it worth it?

0 Kudos
1 Reply
shakira
Level 10

Re: Understanding the Buffer Overflow Class for Custom HIPS Rules

Here is a set of examples I've seen before:

---A generic bo rule:

Rule {
   Class "Buffer_Overflow"
   Id "xxxx"
   level x
   time {Include "*"}
   application {Include "*"}
   user_name {Include "*"}
   attributes -no_trusted_apps -not_auditable
   directives "-d" "-c" "bo:stack" "bo:heap"
}

----And here is a rule written to watch whether a specific executable was overflowed instead:

Rule {
   Class "Buffer_Overflow"
   Id "xxxx"
   level x
   time {Include "*"}
   if { $EAGENT_64Bit_Process } {
      application {Include "[iEnv SystemRoot]\\xxxxxx\\xxxxx.exe" \
                           "[iEnv SystemRoot]\\xxxxxx\\xxxxx.exe" \
                  }
   } else {
      application {Include "[iEnv SystemRoot]\\xxxxxxx\\xxxxxx.exe"}
   }
   user_name {Include "*"}
   dependencies "-d" "-c" "428"
   directives "-c" "-d" "bo:stack" "bo:heap"
   attributes -not_auditable
}

----One using target_bytes, which is related to the rule "Illegal execution" (it would be great to have documentation on this):

Rule {
   Class "Buffer_Overflow"
   Id xxxx
   level x
   time {Include "*"}
   if { $EAGENT_64Bit_Process } {
      application { Include "[iEnv SystemRoot]\\xxxx.exe"          \
                            "[iEnv SystemRoot]\\syswow64\\xxxx.exe" \
                  }
   } else {
      application { Include "[iEnv SystemRoot]\\xxxx.exe" }
   }
   user_name {Include "*"}
   dependencies "-d" "-c" "985"
   if { [lindex [split $EAGENT_Version .] 0] > 7 } {
      target_bytes { Exclude {00 10 04 00 01 a3 50 91 f7 08 ff 96 40 00 03 00-95 8a 07 42 09 b0 31 bc 20 a9 52 4d 12 4e 55 f2} }
      target_bytes { Exclude {b2 37 6b 3b 89 7d f4 8d 7d f4 53 6a ff ff 53 18-3c ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ??} }
   }
   directives "-d" "-c" "bo:writeable_memory"
}
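The target_bytes exclusions in the third rule are the part with the least documentation, so here is an added helper (not from the thread or from the HIPS product) that parses those two patterns and checks whether a given run of bytes at the overflow target would be matched by them. It assumes that each token is one hex byte, that "??" is a one-byte wildcard, that the "-" after the 16th byte is only a visual separator, and that a matching Exclude suppresses the buffer-overflow event; it also counts fixed bytes so that an over-broad exclusion is easy to spot.

```python
import re

# Both patterns are copied verbatim from the target_bytes exclusions in the reply above.
TARGET_BYTES_EXCLUDES = [
    "00 10 04 00 01 a3 50 91 f7 08 ff 96 40 00 03 00-95 8a 07 42 09 b0 31 bc 20 a9 52 4d 12 4e 55 f2",
    "b2 37 6b 3b 89 7d f4 8d 7d f4 53 6a ff ff 53 18-3c ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ??",
]

def parse_target_bytes(pattern):
    """Turn a target_bytes pattern into a list of ints, with None for each '??'.

    Assumed syntax: hex byte tokens, '??' as a one-byte wildcard, and '-' as a
    purely visual group separator (the thread itself notes this is undocumented).
    """
    out = []
    for tok in re.split(r"[\s-]+", pattern.strip()):
        if tok == "??":
            out.append(None)
        elif re.fullmatch(r"[0-9a-fA-F]{2}", tok):
            out.append(int(tok, 16))
        else:
            raise ValueError(f"unexpected token {tok!r} in target_bytes pattern")
    return out

def pattern_matches(parsed, data):
    """True if every fixed byte of the pattern equals the byte at the same offset."""
    if len(data) < len(parsed):
        return False
    return all(p is None or p == b for p, b in zip(parsed, data))

def is_excluded(patterns, data):
    """Assumed Exclude semantics: any matching pattern suppresses the bo event."""
    return any(pattern_matches(parse_target_bytes(p), data) for p in patterns)

def fixed_byte_count(pattern):
    """Number of non-wildcard bytes; a low count means a broad, risky exclusion."""
    return sum(1 for p in parse_target_bytes(pattern) if p is not None)

# Constructed sample data: the fixed prefix of the second exclusion followed by
# filler bytes that the wildcards should accept, and a one-byte variation of it.
SAMPLE_HIT = bytes.fromhex("b2376b3b897df48d7df4536affff53183c") + b"\x90" * 20
SAMPLE_MISS = b"\x00" + SAMPLE_HIT[1:]

if __name__ == "__main__":
    for name, blob in (("hit", SAMPLE_HIT), ("miss", SAMPLE_MISS)):
        print(name, "excluded" if is_excluded(TARGET_BYTES_EXCLUDES, blob) else "reported")
    for pat in TARGET_BYTES_EXCLUDES:
        print(fixed_byte_count(pat), "fixed bytes of", len(parse_target_bytes(pat)))
```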