5 Replies Latest reply: Dec 10, 2013 2:55 PM by kenobe

    HIPS 8 IPS - Enabling 6010 & 6011 - Severity Change?

    kenobe

      Hi all,

      We're toying with enabling signatures 6010 and 6011 in our HIPS 8 IPS rules.  Their severity in the signature list is set to Disabled by default.  We changed them to Medium.  Then, we went into Exception Rules, imported those signatures into a new exception rule, and they show up as DISABLED.

      Does this mean they're still disabled or is that severity setting not accurate, and things will work as intended?

      Thanks for any help.

      Ken

        • 1. Re: HIPS 8 IPS - Enabling 6010 & 6011 - Severity Change?
          c14us

          Hi Ken

          I think you are using an unorthodox practice.

          Do this instead.

          Make a new policy rule where 6010 and 6011 are enabled.

          In the assignment, create a new Policy Instance and add your new rule.

          Verify the rules are enabled by using the View effective policy function at the assignment.

          And finally, test, test and test.

          Regards

          Claus

          • 2. Re: HIPS 8 IPS - Enabling 6010 & 6011 - Severity Change?
            Kary Tankink

            kenobe wrote:

            Does this mean they're still disabled or is that severity setting not accurate, and things will work as intended?

            It's only a UI issue.  It's just showing the default state of the signature, not the actual modified state.  Make sure you're on the latest extension (HIPS 8.0.3.762), as this was fixed in one of the more recent versions.

            PD23958 - Host Intrusion Prevention 8.0.0.563 Extension Release Notes

            Issue: When an IPS signature is edited to alter the severity, the default severity is retained. (Reference: 722290)

            Resolution: The severity level is now correctly modified and displayed.

            • 3. Re: HIPS 8 IPS - Enabling 6010 & 6011 - Severity Change?
              kenobe

              Checked and you're correct.  On the server in question we're on HIPS Extension 8.0.0.528.  On another server we're on 8.0.0.563 and we don't see the same error there.

              Thanks!

              Ken

              • 4. Re: HIPS 8 IPS - Enabling 6010 & 6011 - Severity Change?
                c14us

                Sorry Kenobe

                I misunderstood your question. I did not know about that flaw.

                But I would very much like to know how valuable you find the new information you gained by enabling 6010 & 6011. Would you mind writing a bit about your findings?

                Regards

                Claus

                • 5. Re: HIPS 8 IPS - Enabling 6010 & 6011 - Severity Change?
                  kenobe

                  Sure!

                  We started by changing both signatures from Disabled to Medium in the IPS Rules signatures.  We block Medium here, so we want that effect eventually to block files not in the whitelist.

                  We then created a single exception with both 6010 and 6011 as the signatures in the rule.  We then set the Parameters, New Executable, and put *.*  That let all files run.  We then broke the New Executables down to slightly more specific directories like so:

                       c:\Program files\**\*.exe     (this lets all files under program files run no matter the subdirectory name)

                       c:\program files (x86)\**\*.exe      (same thing but for 64-bit files)

                       c:\windows\**\*.com     (same thing but lets .com files run vs. .exe files)

                       c:\windows\*.exe     (lets only files directly under the c:\windows directory run, not subdirectories)

                  After letting that rule run for a week we checked the threat event log for threat names 6010 and 6011 and had a very large list.  We're considering using that to build our white and blacklist.  In the query you'll be able to see if the file was allowed or not.  For example, using the rules above any exe run from c:\temp won't work, so it's blocked.  The only downside I found is that when a file is blocked the user does not get notified via a pop-up.  That might just be an IPS option set wrong, though.

                  As you can see, our rules were very loose.  This was to start creating a whitelist without hurting the users.  You can break the rules down to single executables, use wildcards, use fingerprints and even certain digital signatures only.  We are seriously considering allowing, say, all Microsoft-signed files to run, but weighing that against how easy or difficult it is to spoof a signature.

                  Hope this helps!

                  Ken

                  Message was edited by: kenobe on 12/10/13 2:55:39 PM CST
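A small matcher for evaluating the New Executable patterns Ken posted against candidate paths, added here as an illustration and not code from the thread or from McAfee. It assumes the wildcard semantics as Ken describes them (`**` spans any number of subdirectories, `*` stays within one path component) and case-insensitive matching; the sample paths are constructed, and the `*.*` catch-all is not modelled.

```python
import re

# The four exception patterns from Ken's post (HIPS "New Executable" parameter).
ALLOW_PATTERNS = [
    r"c:\Program files\**\*.exe",
    r"c:\program files (x86)\**\*.exe",
    r"c:\windows\**\*.com",
    r"c:\windows\*.exe",
]


def pattern_to_regex(pattern: str) -> "re.Pattern[str]":
    """Translate a HIPS-style path pattern into an anchored regex.

    Assumed semantics (taken from the thread's explanation, not vendor docs):
      **\  zero or more whole directory components
      *    any characters except the path separator
    Windows paths are compared case-insensitively.
    """
    parts = []
    i = 0
    while i < len(pattern):
        if pattern.startswith("**\\", i):
            parts.append(r"(?:[^\\]*\\)*")  # any depth of subdirectories
            i += 3
        elif pattern[i] == "*":
            parts.append(r"[^\\]*")         # stays inside one component
            i += 1
        else:
            parts.append(re.escape(pattern[i]))
            i += 1
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)


def is_allowed(path: str, patterns=ALLOW_PATTERNS) -> bool:
    """True if any exception pattern covers the path (i.e. it would not be blocked)."""
    return any(pattern_to_regex(p).match(path) for p in patterns)


def classify(paths):
    """Map each path to 'allowed' or 'blocked' under the posted rule set."""
    return {p: ("allowed" if is_allowed(p) else "blocked") for p in paths}


if __name__ == "__main__":
    # Constructed sample paths for demonstration only.
    for path, verdict in classify([
        r"C:\Program Files\Mozilla Firefox\firefox.exe",
        r"c:\windows\explorer.exe",
        r"c:\windows\system32\more.com",
        r"c:\windows\system32\cmd.exe",
        r"c:\temp\dropper.exe",
    ]).items():
        print(f"{verdict:8} {path}")
```

Note that under these semantics the posted rules leave .exe files in subdirectories of c:\windows (such as system32) uncovered, which is the kind of gap the week-long event log review is meant to surface.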