cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Highlighted
jrybicki
Level 8
Report Inappropriate Content
Message 1 of 2
‎08-23-2018 10:39 AM

McAfee ESM and ePO TIE Hash Values

I just found something totally ridiculous in the SIEM and figured I'd share it.  I was looking at events in the SIEM from ePO and noticed the sha1 and sha256 file hashes provided from ePO (mainly from TIE) have a 0x in the front of every value because it is a hexadecimal. Unfortunately, normal STIX feeds along with other data sources (like Cisco Firepower) do not normally have a 0x in front of their values, making correlation impossible without customizing the parser to add a 0x in the sha1 and sha256 fields. Further complicating matters.... ePO events show sha values in mixed or lower case.  In feeds like US-CERT, the values imported via the ESM Cyber Threat Feed feature, STIX or TAXII values are provided (without the 0x) and tend to be in upper case.  I just tested attempting to find a TIE hash after converting a known TIE file sha1 hash into upper case and failed to find it in the ESM (because the search is case sensative).
 
This is a big problem because I have several correlation rules looking for hash vales for things like HIDDEN COBRA files, and this effectivly breaks those rules since there is no way in a correlation rule to make things case insensative!

Now we have three issues:
 
  1. Any BackTrace would miss SHA256 and SHA1 values provided by ePO because they would not have a 0x in the SHA256 or SHA1 fields
  2. If TIE were to see something like a defined HIDDEN COBRA hash, it wouldnt cause the correlation rule to alert because the values defined in the watchlist dont have a 0x in them
  3. Other data sources like a Cisco Firepower IPS (which also displays sha256 values but not in the correct field!) would not properly correlate with TIE events because it doesnt have a 0x in the hash value
     
    In order to fix the issue I have to:

    1. Alter the Firepower Parser to place the SHA256 value in the SHA256 field
    2. Alter the FIrepower Parser to append a 0x before the SHA256 value in the SHA256 filed
    3. Alter all of the values in my various SHA256 and SHA1 watchlists to have a 0x before each line item
    4. Convert all of the values in the SHA256 and SHA1 watchlists to lowercase 
    5. Hope that all SHA256 and SHA1 values provided by my data sources (including ePO) are in lowercase
2 people had this problem.
Reply
1 Reply
Highlighted
kmc
Reliable Contributor
Reliable Contributor
Report Inappropriate Content
Message 2 of 2
‎09-23-2018 11:11 PM

Re: McAfee ESM and ePO TIE Hash Values

Hi @jrybicki

Have you got solution parcer to convert it into lower case?

0 Kudos
Reply
You Deserve an Award
Don't forget, when your helpful posts earn a kudos or get accepted as a solution you can unlock perks and badges. Those aren't the only badges, either. How many can you collect? Click here to learn more.

Community Help Hub

    New to the forums or need help finding your way around the forums? There's a whole hub of community resources to help you.

  • Find Forum FAQs
  • Learn How to Earn Badges
  • Ask for Help
Go to Community Help

Join the Community

    Thousands of customers use the McAfee Community for peer-to-peer and expert product support. Enjoy these benefits with a free membership:

  • Get helpful solutions from McAfee experts.
  • Stay connected to product conversations that matter to you.
  • Participate in product groups led by McAfee employees.
Join the Community
Join the Community


Corporate Headquarters
2821 Mission College Blvd.
Santa Clara, CA 95054 USA

Consumer Support   |   Enterprise Support   |   McAfee.com

Legal   |   Privacy   |   Copyright © 2019 McAfee, LLC