16 Replies. Latest reply: Oct 15, 2013 9:26 AM by greatscott

    Can meaningful exceptions be configured for signature 1226?

    dmease729

      Hi,

       

      A bit of background before the actual question, which in summary is "Can meaningful exceptions be configured for signature 1226?".  I am also including sigs 531 and 532 in this, as I am running into the same problem with them.

       

      Host IPS 8.0 is currently running in adaptive mode.  To confirm adaptive mode was operating as required, I tweaked signature 413 (severity and client rules settings), copied calc.exe to calc.xls.exe, and then ran the new executable.  I sent the props, ran the property translator task, and hey presto, it is sitting in ePO as an IPS client rule.

       

      Now I know that I ran the executable from Windows Explorer, so what I am seeing makes sense.  The description of the signature in question (snipped) is:

       

      "...This event indicates that a file with two extensions (such as readme.txt. exe) was run..."
      "...To execute legal programs that contain multiple extensions ... ... create an exception for this security event so that your trusted file is exempt from triggering this signature."

       

      So coming back to the fact that I know what happened, examining a few fields in the client rule generated:

       

      Full executable name: C:\WINDOWS\EXPLORER.EXE
      Secondary Full executable name: C:\TEMP\CALC.XLS.EXE

       

      Makes sense!  If I see something else along these lines that I have initiated, I will have all of the information to act, either initiating a security incident or creating relevant exceptions.

       

      While I was testing, there were a number of other things happening in the background, and I noted some other client rules generated:

       

      Sig ID: 1226 (...MS IIS process has tried to modify a file outside its own directory...)
      Full executable name: C:\WINDOWS\SYSWOW64\INETSRV\W3WP.EXE
      <Other information deemed helpful in this case>: none
      <Further information obtainable from HIPS console on target server>: none

       

      So... do I take it from this that if the action is legitimate, we can only configure an exception for W3WP.EXE as a whole, no matter what it is trying to modify, as we don't know in this instance what it has tried to modify?  There is no way to add an exclusion to say 'W3WP.EXE can modify X, Y and Z, but that is all'?

       

      cheers,
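As an added illustration of the pattern signature 413 describes (this is example code written for this thread, not McAfee's signature logic and not something dmease729 posted), the following Python routine flags a double-extension target in launch records shaped like the two client-rule fields quoted above, the parent "Full executable name" and the "Secondary Full executable name". The extension sets are assumptions chosen for the example, and the launch records are constructed; the edge case worth noting is a dotted version number such as SETUP.V1.2.EXE, which has several dots but is not a document-extension lure.

```python
from pathlib import PureWindowsPath

# Suffixes Windows will run directly. Assumption: a reasonable subset chosen for
# this example, not the list used by Host IPS signature 413.
EXECUTABLE_EXTS = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs", ".js"}

# Suffixes a user expects to open as data. A document suffix sitting immediately
# before an executable suffix is the "readme.txt.exe" pattern. Assumption as above.
DOCUMENT_EXTS = {".txt", ".doc", ".docx", ".xls", ".xlsx", ".pdf", ".jpg", ".png", ".zip"}


def is_double_extension(path: str) -> bool:
    """True for names like CALC.XLS.EXE: an executable suffix preceded by a document suffix.

    Only the last two suffixes are examined, so a dotted version number
    (SETUP.V1.2.EXE) and a plain CALC.EXE are not flagged.
    """
    suffixes = [s.lower() for s in PureWindowsPath(path).suffixes]
    if len(suffixes) < 2:
        return False
    return suffixes[-1] in EXECUTABLE_EXTS and suffixes[-2] in DOCUMENT_EXTS


# Constructed launch records: (parent "Full executable name", "Secondary Full executable name").
SAMPLE_LAUNCHES = [
    (r"C:\WINDOWS\EXPLORER.EXE", r"C:\TEMP\CALC.XLS.EXE"),              # the test case from the post
    (r"C:\WINDOWS\EXPLORER.EXE", r"C:\WINDOWS\SYSTEM32\CALC.EXE"),       # ordinary launch
    (r"C:\WINDOWS\EXPLORER.EXE", r"C:\TEMP\SETUP.V1.2.EXE"),             # dotted version, not a lure
    (r"C:\PROGRAM FILES\MAILCLIENT\MAILCLIENT.EXE", r"C:\TEMP\INVOICE.PDF.SCR"),  # classic attachment lure
]


def flag_launches(launches):
    """Return the (parent, target) pairs whose target carries a double extension."""
    return [(parent, target) for parent, target in launches if is_double_extension(target)]


if __name__ == "__main__":
    for parent, target in flag_launches(SAMPLE_LAUNCHES):
        print(f"double-extension launch: {parent} -> {target}")
```

The parent/target pair is exactly what makes this client rule actionable: with both fields present you can decide between an incident and an exception for that one trusted file, which is the contrast the post draws with the 1226 rule below.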

        • 1. Re: Can meaningful exceptions be configured for signature 1226?
          greatscott

          Yes, you can create exceptions for 1226 without using just the executable as a whole. For some reason I have had some issues with this signature though. First, what you would do is look at a 1226 event. As you noted, it will be w3wp.exe as the threat source process name attempting to modify some other arbitrary file path. To find this path, look at the event in ePO, at the bottom under "Host IPS 8.0 Event Information". This path will be listed as "Files".

           

          Once you have these bits of data, (the signature, threat source process name, and file), you can create the exception. In the exception, specify the signature, put the threat source process name in as the "executable", and your "files" will go under the parameters section in the exceptions builder.

           

          So your answer is yes, you can specify that w3wp.exe can only modify X, Y and Z. You have to specify X, Y and Z in the "parameters" section of the exceptions builder.

          • 2. Re: Can meaningful exceptions be configured for signature 1226?
            dmease729

            Hi,

             

            First of all - great name :-)

             

            In the IPS Client Rule in ePO, there is no "Host IPS 8.0 Event Information" link.  There are "Go to related System", "Go to related Computer Property" and "Go to related detected system".  The Host IPS 8.0 Event Information link tends to be listed in the events, but not the IPS client rules, which may be the issue here?  Is the question now "Is it possible to get the information required from an IPS client rule (whilst in adaptive mode) to configure a meaningful IPS exception"?  Or to put it another (harsh, maybe incorrect) way, "Is adaptive mode next to useless for some signatures, when we are trying to determine exceptions after the initial logging period has come to an end"?

             

            cheers,

            • 3. Re: Can meaningful exceptions be configured for signature 1226?
              petersimmons

              Part of the problem is running the IPS module in Adaptive mode. You should NEVER use Adaptive mode to discover what exceptions you need. That's the wrong use case. You only use Adaptive mode for very short periods to get the format of the client exception correct. Adaptive mode basically creates rules for every non-exploit event. And that's definitely not what you want. Everyone downloads the best practices guide and then promptly ignores what it says (assuming they actually read it in the first place)...

              • 4. Re: Can meaningful exceptions be configured for signature 1226?
                petersimmons

                And there are no meaningful exclusions for this particular rule. I find it extremely annoying and have classified it as a "junk" rule. It is one of several I commonly disable. It might have worked circa 2005 when it was created. Now it just causes issues.

                • 5. Re: Can meaningful exceptions be configured for signature 1226?
                  greatscott

                  dmease, I wasn't saying in the client rule; I'm talking about if you have adaptive mode turned OFF and you see a 1226 event come into ePO in the Threat Event Log. Click into the specific 1226 event in ePO. Look toward the bottom for the advanced parameter data. You will see the section I am talking about. It will generally have a Files section, subject distinguished name, etc. That "Files" section will yield the file name for the advanced parameter you are looking for.

                   

                  Or you can heed Peter's advice and chalk it up to being a "Junk" rule. 

                  • 6. Re: Can meaningful exceptions be configured for signature 1226?
                    dmease729

                    Hi guys,

                     

                    Thanks for the feedback, it is appreciated!  In response to the above:

                     

                    Peter - I tend to read a lot of the documentation, and when I get the chance I will get together a list of inconsistencies or ambiguities in them.  The documentation is in general fantastic, don't get me wrong, but it has caused me frustrations at times.  Also, best practice doesn't necessarily mean the same as "it must be followed" - some of the best practice documentation lacks basic explanations (that are meaningful) discussing why things are done in certain ways.  Although my decision may have been wrong, we were on tight timescales, and didn't have a great deal of time to go through many logs (not the best situation, granted - and I am aware of the aggregation functions which would have sped it up slightly).  Great comment on this signature also - I have come across a few situations like this :-)

                     

                    Scott - my question stated I was running in adaptive mode :-)  Not having a go - I have done the same thing myself, and I genuinely thank you for your comments - I like having these types of conversations (even if they point to me doing something wrong :-\ )

                     

                    Peter - I don't understand the comment "You only use Adaptive mode for very short periods to get the format of the client exception correct."  If it is for formatting purposes only, what is the point of adaptive mode?  The best practice section in the install guide clearly states:

                     

                    "By setting representative hosts in adaptive mode during the pilot, you create a tuning configuration for each usage profile or application. The IPS feature then allows you to take any, all, or none of the client rules and convert them to server-mandated policies."

                     

                    In this case I wouldn't be able to take the client rules generated and convert them to server-mandated policies, as they would be too general, and if I wanted to make them more specific I wouldn't have the information to do so.  Genuine question - I really feel like I am missing something here!

                     

                    Cheers,

                    • 7. Re: Can meaningful exceptions be configured for signature 1226?
                      greatscott

                      I don't particularly subscribe to the whole "adaptive mode" deal. I like creating the exceptions without all the tertiary crap that gets put into exceptions that are created automatically.

                       

                      Back to the 1226 and w3wp.exe talk. I feel like right on the same day that the HIPS content update was released last month (14 August 2013), we had a definite inflection in w3wp.exe events, for several threat names. The content update did not include any of the threat names that are firing in the graph below, but I can't help but think they were somehow modified. The lines are threat target hostnames, and they are IIS servers; also, these events are filtered by w3wp.exe threat source process name.

                       

                      so, sequence of events:

                      1. 14 August 2013 - HIPS content was released

                      2. 15 August 2013 - Major inflection of w3wp.exe related events on all IIS servers

                      3. 2 September 2013 - People making posts about how to tune 1226 and w3wp.exe (could just be coincidental)

                       

                      Inflection:

                       

                      [Image: w3wp.png - chart of w3wp.exe-sourced events per IIS server over time]

                      • 8. Re: Can meaningful exceptions be configured for signature 1226?
                        Kary Tankink

                        dmease729 wrote:

                         

                        Peter - I don't understand the comment "You only use Adaptive mode for very short periods to get the format of the client exception correct."  If it is for formatting purposes only, what is the point of adaptive mode?  The best practice section in the install guide clearly states:

                         

                        To explain it a little further, IPS Adaptive mode is limited in its use.  It can be used for creating IPS exceptions automatically, but when you add these IPS Client Rules to your policy, they need to be tweaked.  You don't just add every client rule in as necessary.  If one signature has violations from 10 applications, you don't add each unique client rule to your policy.  You might add one IPS exception, and add 10 different applications (granted, you're only adding Signature and Application details; more IPS Parameters details will require more IPS exceptions to be created).  This is how you "optimize" your policy.

                        Another example would be 1 Signature, 1 Application, but 10 different files or registry parameters.  Again, you don't want to create multiple IPS exceptions for this; you'd want to try to "group" these violations into a more general exception.  You CAN create many exceptions, depending on different factors of the violation (if an IPS exception requires some specific parameters to be used), but generally, you want to make the exceptions broad.

                        Like Firewall Rules, the more specific you make the rule/exception, the more rules you are going to need to effectively manage your policy.  An example for Firewall Rules would be something like:  1) create a Firewall policy that allows all Outbound traffic, but only limited Inbound, or 2) create a Firewall Rule that has limited Outgoing and limited Incoming.  The #1 policy is not going to be as big as policy #2, but it won't be as secure.  In managing your IPS and FW policies, you'll need to find a balance of this.

                         

                        Also, with IPS Adaptive mode, the Signature has to allow Adaptive mode functionality.  If you look at the IPS Signatures, there is an option.  Many IPS signatures have this disabled, which means Adaptive mode will not work for that signature at all (unless you change it).  Rather than using Adaptive mode for IPS to automatically create IPS exceptions that you tweak, you can instead use the IPS event to manually create the same IPS exception, then tweak afterwards.  Due to this, I typically suggest not using Adaptive mode to create automatic exceptions, and suggest instead to just find the IPS event and create the exception off of that.  Either way, you get the same IPS Client Rule added to your policy, that you then have to tweak further.
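To make the grouping rules in this reply concrete, together with the signature / executable / Files triple from reply 1, here is an added Python example (written for this thread, not McAfee's code and not something any participant posted) that collapses a batch of IPS events into candidate exceptions. It applies both rules Kary describes: one signature hit by many applications with no parameter data becomes a single exception listing all of those executables, and one signature plus one application plus many files becomes a single exception with a Files parameter list. It also counts events that carried no Files value at all, which is the situation the original post ran into with 1226: a file-scoped exception cannot cover those, so they either need the Files value looked up in the Threat Event Log as Scott describes, or a process-wide exception. The event records are constructed; the field names come from the thread, while the exception dictionary layout is this example's own, not the ePO exception builder's format.

```python
from collections import defaultdict

# Constructed sample events in the shape of the fields discussed in the thread:
# Signature ID, Threat Source Process Name, and the "Files" advanced parameter.
# Made-up records, not real ePO output; the file paths are illustrative only.
SAMPLE_EVENTS = [
    {"sig_id": 1226, "process": r"C:\WINDOWS\SYSWOW64\INETSRV\W3WP.EXE",
     "files": r"C:\INETPUB\LOGS\LOGFILES\W3SVC1\U_EX130815.LOG"},
    {"sig_id": 1226, "process": r"C:\WINDOWS\SYSWOW64\INETSRV\W3WP.EXE",
     "files": r"C:\INETPUB\TEMP\APPPOOLS\DEFAULTAPPPOOL.CONFIG"},
    {"sig_id": 1226, "process": r"C:\WINDOWS\SYSWOW64\INETSRV\W3WP.EXE",
     "files": r"C:\INETPUB\LOGS\LOGFILES\W3SVC1\U_EX130815.LOG"},   # repeat of the first file
    {"sig_id": 1226, "process": r"C:\WINDOWS\SYSWOW64\INETSRV\W3WP.EXE",
     "files": None},                                                # no parameter data, as in the client rule
    {"sig_id": 413, "process": r"C:\WINDOWS\EXPLORER.EXE",
     "files": r"C:\TEMP\CALC.XLS.EXE"},
    {"sig_id": 531, "process": r"C:\APP1\APP1.EXE", "files": None},
    {"sig_id": 531, "process": r"C:\APP2\APP2.EXE", "files": None},
]


def build_exceptions(events):
    """Collapse raw events into the smallest set of candidate exceptions.

    Per signature: processes that never supplied a Files value are merged into one
    process-wide exception listing every such executable; each process that did
    supply files gets one exception carrying the distinct file list.
    """
    by_sig = defaultdict(lambda: defaultdict(lambda: {"files": set(), "unscoped": 0}))
    for ev in events:
        entry = by_sig[ev["sig_id"]][ev["process"]]
        if ev["files"]:
            entry["files"].add(ev["files"])
        else:
            entry["unscoped"] += 1

    exceptions = []
    for sig_id, procs in sorted(by_sig.items()):
        whole = sorted(p for p, e in procs.items() if not e["files"])
        if whole:
            exceptions.append({
                "signature": sig_id,
                "executables": whole,
                "parameters": None,
                "scope": "process-wide",
                "unscoped_events": sum(procs[p]["unscoped"] for p in whole),
            })
        for proc, e in sorted(procs.items()):
            if e["files"]:
                exceptions.append({
                    "signature": sig_id,
                    "executables": [proc],
                    "parameters": {"Files": sorted(e["files"])},
                    "scope": "file-scoped",
                    # Events from this process that carried no Files value: a
                    # file-scoped exception will not silence them.
                    "unscoped_events": e["unscoped"],
                })
    return exceptions


def coverage_gaps(exceptions):
    """Exceptions that need a decision: process-wide ones (for 1226, the process may
    then modify anything) and file-scoped ones that still leave unscoped events firing."""
    return [x for x in exceptions if x["scope"] == "process-wide" or x["unscoped_events"]]


if __name__ == "__main__":
    for exc in build_exceptions(SAMPLE_EVENTS):
        print(exc["signature"], exc["scope"], exc["executables"], exc["parameters"],
              "unscoped:", exc["unscoped_events"])
    print("needs review:", [x["signature"] for x in coverage_gaps(build_exceptions(SAMPLE_EVENTS))])
```

Run against the constructed events this yields three candidate exceptions rather than seven: one file-scoped entry for signature 413, one process-wide entry for 531 covering both applications, and one file-scoped entry for 1226 with two distinct paths. The 1226 entry reports one unscoped event, which is the point of the exercise: that event will keep firing until its Files value is recovered from the Threat Event Log or the exception is widened to the whole of w3wp.exe.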

                        • 9. Re: Can meaningful exceptions be configured for signature 1226?
                          damageinc

                          Scott,

                           

                          Thanks for posting the info about the last content update.  I also saw a massive blow up in the IIS-related events that started on the date of the most recent content update.  I wonder if there was a phantom update to this signature, because they were not listed in the August content update.

                           

                          Secondly, if a McAfee employee is on the record on the forums as saying a certain signature is "junk", then why does this signature even exist?

                           

                          -DamageInc
