2 Replies Latest reply: Nov 11, 2013 6:16 PM by Kary Tankink

    Assistance with IPS custom signature subrule

    greatscott

      Hey, can anyone else test this out for us?

      So we cannot get this to fire:

      Rule {
      tag suspicious_dll
      Class Files
      Id XXXX
      level 1
      files { Include "*\\AppData\\Local\\&.dll" }
      directives files:write files:create files:execute
      }

      but can get this to fire:

      Rule {
      tag suspicious_dll
      Class Files
      Id XXXX
      level 1
      files { Include "*\\AppData\\Local\\bad.dll" }
      directives files:write files:create files:execute
      }

      Here is our testing method. We create a custom IPS signature with the first expert subrule. We then save the policy, wake the system up, try to create "bad.dll" and execute it within the "C:\users\username\appdata\local" folder structure. Run a wake up and check ePO, or check the local IPS console, and no event was generated. The second part of the test is we remove the expert subrule from the first signature and replace it with this second expert subrule (notice the only difference is we are using "&.dll" in the first, and "bad.dll" in the second). We saved the policy, woke the system up, again tried to create and execute bad.dll in the "C:\users\username\appdata\local" folder, and the event triggers.

      Essentially the & string wildcard is not working for us in this scenario. We have used this wildcard in the past, but not for dll files. Can anyone else recreate this test and see if they get similar results?

      Thanks in advance.
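As an added illustration of the wildcard difference this thread is chasing (example code written here, not from the post or from McAfee): a small Python checker that translates a HIPS expert-rule files{} pattern into a regex and tests candidate paths against it. It assumes the documented semantics that `*` spans path separators while `&` matches only within one directory level (an assumption, not taken from the thread), and the sample paths are constructed.

```python
import re

# Assumed wildcard semantics for McAfee HIPS expert-rule path patterns
# (assumption from product documentation, not stated in the thread):
#   *  any run of characters, including \ and / (crosses directory levels)
#   &  any run of characters except \ and / (stays within one directory level)
#   ?  exactly one character
# A backslash escapes the next character, so "\\" in a rule is one literal "\".
# Windows paths are case-insensitive, so matching is too.

def hips_pattern_to_regex(pattern: str) -> re.Pattern:
    """Translate a files { Include "..." } pattern into an anchored regex."""
    parts = []
    i = 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\" and i + 1 < len(pattern):
            parts.append(re.escape(pattern[i + 1]))  # escaped literal
            i += 2
            continue
        if ch == "*":
            parts.append(".*")
        elif ch == "&":
            parts.append(r"[^\\/]*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
        i += 1
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)

def matches(pattern: str, path: str) -> bool:
    """True if the rule pattern would match this full file path."""
    return hips_pattern_to_regex(pattern).match(path) is not None

def check_rule(pattern: str, paths: list[str]) -> dict[str, bool]:
    """Evaluate one pattern against several candidate paths."""
    return {p: matches(pattern, p) for p in paths}

# Constructed sample paths, modelled on the thread's test folder.
SAMPLE_PATHS = [
    r"C:\Users\alice\AppData\Local\bad.dll",        # direct child: should fire
    r"C:\Users\alice\AppData\Local\Temp\bad.dll",   # one level deeper
    r"C:\Users\alice\AppData\Local\bad.exe",        # wrong extension
]

if __name__ == "__main__":
    for pat in (r"*\\AppData\\Local\\&.dll", r"*\\AppData\\Local\\*.dll"):
        print(pat, check_rule(pat, SAMPLE_PATHS))
```

Under these semantics the `&` form fires only for a DLL placed directly in AppData\Local, while the `*` form also fires for DLLs in any subfolder beneath it.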

        • 1. Re: Assistance with IPS custom signature subrule
          epository

          Go out to the remote machine you are creating the bad.dll on and use the clientcontrol.exe /exportconfig 4 option to see if your policy is getting down to the machine.

          I have had instances where the "Update Security" had to be used to get the policy to apply as well as restarting the McAfee Host Intrusion Prevention service... especially if clientconfig.exe doesn't produce any output.

          Also use clientconfig.exe /log 0 4 to put the logging into debug mode and try hitting the bad.dll to see if it will trigger.

          You may also need to specify all executables and all users with... that being said, I don't know why the first one would work and the second wouldn't...

          Executable { Include "*" }
          user_name { Include "*" }

          clientconfig.exe info...

             7) /readNaiLic

             8) /exportConfig <path of export file> <config type ...>

                     Config Type:    0 = all
                                     1 = app protection
                                     2 = blocked hosts
                                     3 = firewall
                                     4 = hip custom sigs
                                     5 = IPS exceptions
                                     6 = settings
                                     7 = trusted apps
                                     8 = trusted networks
                                     9 = network ips sigs
                                     10 = hip sigs
                                     11 = hip engines
                                     12 = logon sessions
                                     13 = DNS blocking rules

          • 2. Re: Assistance with IPS custom signature subrule
            Kary Tankink

            Rule {
            tag suspicious_dll
            Class Files
            Id XXXX
            level 1
            files { Include "*\\AppData\\Local\\&.dll" }
            directives files:write files:create files:execute
            }

            Triggered just fine for me. Use cmd.exe to create the file; not explorer.exe.

            EDIT: used "copy con" to create the file; notepad to edit the file; regsvr32 to run the dll. All were blocked by this signature.

            Message was edited by: ktankink on 11/11/13 6:16:50 PM CST