495 Views 2 Replies Latest reply: Nov 11, 2013 5:59 PM by Kary Tankink
greatscott (Champion, 283 posts since Jul 18, 2011)
Nov 8, 2013 10:34 AM

Assistance with IPS custom signature subrule

Hey, can anyone else test this out for us?

So we cannot get this to fire:

Rule {
    tag suspicious_dll
    Class Files
    Id XXXX
    level 1
    files { Include "*\\AppData\\Local\\&.dll" }
    directives files:write files:create files:execute
}

but can get this to fire:

Rule {
    tag suspicious_dll
    Class Files
    Id XXXX
    level 1
    files { Include "*\\AppData\\Local\\bad.dll" }
    directives files:write files:create files:execute
}

Here is our testing method. We create a custom IPS signature with the first expert subrule. We then save the policy, wake the system up, and try to create "bad.dll" and execute it within the "C:\users\username\appdata\local" folder structure. We run a wake-up and check ePO, or check the local IPS console, and no event was generated. For the second part of the test, we remove the expert subrule from the first signature and replace it with the second expert subrule (notice the only difference is that we use "&.dll" in the first and "bad.dll" in the second). We saved the policy, woke the system up, again tried to create and execute bad.dll in the "C:\users\username\appdata\local" folder, and the event triggers.

Essentially, the & string wildcard is not working for us in this scenario. We have used this wildcard in the past, but not for DLL files. Can anyone else recreate this test and see if they get similar results?

Thanks in advance.
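Added example (not code from the thread, and not a McAfee tool): a small Python model of what the two "files" subrules above should match, so the "&.dll" versus "bad.dll" difference can be checked on paper before chasing policy delivery. The wildcard semantics are an assumption taken from the HIPS expert-rule conventions, not something stated in this thread: "*" matches any run of characters including path separators, "&" matches any run of characters except "\" and "/", "?" matches one character, and paths compare case-insensitively. The test paths under C:\Users\username\AppData\Local are constructed. The model only evaluates the files section and the directives; it does not reproduce the engine (executable and user_name sections, exceptions, or policy enforcement), so it cannot explain a rule that does not fire on a live host, only what it ought to fire on.

```python
import re

# The two expert subrules as posted; the Id placeholder XXXX is kept as posted.
RULE_WILDCARD = r'''Rule {
tag suspicious_dll
Class Files
Id XXXX
level 1
files { Include "*\\AppData\\Local\\&.dll" }
directives files:write files:create files:execute
}'''

RULE_LITERAL = RULE_WILDCARD.replace("&.dll", "bad.dll")


def unescape_rule_string(s):
    """A rule string literal writes a backslash doubled; collapse it to one."""
    return s.replace("\\\\", "\\")


def parse_rule(text):
    """Pull the Include patterns and the directives out of a Files-class expert rule."""
    includes = [unescape_rule_string(m)
                for m in re.findall(r'Include\s+"([^"]*)"', text)]
    m = re.search(r"^\s*directives\s+(.*)$", text, re.MULTILINE)
    directives = set(m.group(1).split()) if m else set()
    return {"includes": includes, "directives": directives}


def wildcard_to_regex(pattern):
    """Translate a HIPS path pattern to a regex.

    Assumed semantics (HIPS wildcard conventions, not stated in the thread):
      *  any run of characters, including path separators
      &  any run of characters, excluding backslash and slash
      ?  exactly one character, excluding backslash and slash
    Everything else is literal; matching is case-insensitive like NTFS.
    """
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "&":
            parts.append(r"[^\\/]*")
        elif ch == "?":
            parts.append(r"[^\\/]")
        else:
            parts.append(re.escape(ch))
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)


def path_matches(pattern, path):
    return wildcard_to_regex(pattern).match(path) is not None


def rule_fires(rule_text, path, operation):
    """True if `operation` on `path` is caught by the rule's files section and
    directives. Pattern logic only: the real engine also evaluates the
    executable and user_name sections and any IPS exceptions."""
    rule = parse_rule(rule_text)
    if operation not in rule["directives"]:
        return False
    return any(path_matches(p, path) for p in rule["includes"])


LOCAL = r"C:\Users\username\AppData\Local"  # folder used in the thread's test


def evaluate_thread_cases():
    """Constructed paths: the posted test case plus three edge cases."""
    paths = {
        "bad_in_local": LOCAL + r"\bad.dll",
        "other_dll_in_local": LOCAL + r"\evil.dll",
        "dll_in_subfolder": LOCAL + r"\Temp\bad.dll",
        "not_a_dll": LOCAL + r"\bad.dll.txt",
    }
    results = {}
    for rule_name, rule in (("wildcard", RULE_WILDCARD), ("literal", RULE_LITERAL)):
        for path_name, path in paths.items():
            for op in ("files:create", "files:execute", "files:read"):
                results[(rule_name, path_name, op)] = rule_fires(rule, path, op)
    return results


if __name__ == "__main__":
    for (rule_name, path_name, op), fires in sorted(evaluate_thread_cases().items()):
        print(f"{rule_name:8} {op:14} {path_name:20} -> {'event' if fires else 'no event'}")
```

Under these semantics both subrules match C:\Users\username\AppData\Local\bad.dll, so a create or execute of that file should produce an event from either; the "&.dll" form additionally catches any other .dll name directly in Local, while a DLL one folder deeper (Local\Temp\bad.dll) is matched by neither, because "&" stops at the separator. A read is ignored by both since files:read is not in the directives. If the live host behaves differently from this table for the first subrule, the pattern is not the problem and the policy delivery checks in the replies are the next thing to look at.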

  • epository Apprentice 84 posts since
    Jan 23, 2010
    1. Nov 11, 2013 9:13 AM (in response to greatscott)
    Re: Assistance with IPS custom signature subrule

    Go out to the remote machine you are creating the bad.dll on and use the clientcontrol.exe /exportconfig 4 option to see if your policy is getting down to the machine.

    I have had instances where "Update Security" had to be used to get the policy to apply, as well as restarting the McAfee Host Intrusion Prevention service, especially if clientcontrol.exe doesn't produce any output.

    Also use clientcontrol.exe /log 0 4 to put the logging into debug mode and try hitting the bad.dll to see if it will trigger.

    You may also need to specify all executables and all users with the following. That being said, I don't know why the first one would work and the second wouldn't...

    Executable { Include "*" }
    user_name { Include "*" }

    clientcontrol.exe info:

       7) /readNaiLic
       8) /exportConfig <path of export file> <config type ...>
               Config Type:    0 = all
                               1 = app protection
                               2 = blocked hosts
                               3 = firewall
                               4 = hip custom sigs
                               5 = IPS exceptions
                               6 = settings
                               7 = trusted apps
                               8 = trusted networks
                               9 = network ips sigs
                               10 = hip sigs
                               11 = hip engines
                               12 = logon sessions
                               13 = DNS blocking rules

  • Kary Tankink McAfee Employee 654 posts since
    Mar 3, 2010
    2. Nov 11, 2013 6:16 PM (in response to greatscott)
    Re: Assistance with IPS custom signature subrule

    Rule {
        tag suspicious_dll
        Class Files
        Id XXXX
        level 1
        files { Include "*\\AppData\\Local\\&.dll" }
        directives files:write files:create files:execute
    }

    Triggered just fine for me. Use cmd.exe to create the file, not explorer.exe.

    EDIT: used "copy con" to create the file, notepad to edit the file, and regsvr32 to run the DLL. All were blocked by this signature.

    Message was edited by: ktankink on 11/11/13 6:16:50 PM CST
