8 Replies Latest reply: May 1, 2014 1:17 PM by shakira

    EXPERT subrule questions and guidance

    shakira

      Correct me if I'm wrong, but I've found no real tutorials or examples of writing expert subrules for HIPS. I understand the wizard converts the GUI to the expert rule language via the preview button, and I've created a few expert subrules myself.

      My question is, what is gained from using the expert subrule vs the wizard? I specifically mean in terms of available options, keywords and abilities to detect and block that the wizard may not have. Also, this description from the manual is confusing:

      "The Expert method, recommended only for advanced users, enables you to provide the rules syntax without limiting the number of types you can include in the signature. Before writing a rule, make sure you understand rule syntax"

      What does "types" refer to in this? I'm assuming it means you can add Files, Registry and other rule types together, but how would that work? I would LOVE an example of how that is beneficial if anyone has one, please! The more fine-grained the rules can be the better!

      Lastly, I noticed the Default McAfee HIPS rules use a different language to write their rules which include if/else statements. Can we stick that stuff into expert rules?

      Message was edited by: shakira on 1/16/14 3:07:46 PM CST

      Message was edited by: shakira on 1/16/14 3:08:47 PM CST
        • 1. Re: EXPERT subrule questions and guidance
          greatscott

          Just looking at the standard subrule vs expert subrule, yes you can only do one "class" type for the basic subrule. You would essentially have to create multiple standard subrules if you wanted to do multiple classes. In an expert subrule, you can create multiple classes. Additionally, there seems to be only an "Include" field for file path indicators. You can create an "Exclude" rule within the expert subrules, but cannot in the standard subrules.

          I'm sure there is more you can do with Tcl within the expert subrule, but these are just off the top of my head.

          Message was edited by: greatscott on 1/17/14 7:46:22 AM CST
          • 2. Re: EXPERT subrule questions and guidance
            shakira

            So based off of that, does combining "types" in one expert rule actually work off each other to detect on a finer scale? Or are we simply saving ourselves from having multiple subrule names? I can't tell.

            For example, if we put a File path for "bad.exe" and a Registry key for "**/bad" in one expert subrule, do these combine and "and" into each other to make a finer tuned rule? Not sure if that's possible.

            From my testing and understanding so far, subrules are completely free of each other/not reliant on each other to fire, but does the above change that?

            Lastly... is there ANY good documentation on writing this stuff? Is it just TCL with the addition of some keywords from McAfee, or is it more limited? I'm incredibly disappointed with the custom and expert rule writing documentation. There don't seem to be any classes on this as well.

            Message was edited by: shakira on 1/17/14 8:55:42 AM CST
            • 3. Re: EXPERT subrule questions and guidance
              greatscott

              I believe it only relieves you of having to create several subrules. And I also believe that the separate classes act as an "OR" statement, not an "AND" statement. So you would be correct in your thinking.

              • 4. Re: EXPERT subrule questions and guidance
                shakira

                Thanks for the answer Scott.

                So just out of curiosity's sake I wonder what more can be done with TCL and whatever it is you call the McAfee keywords that are being used in it in HIPS.... hmmmm...

                • 5. Re: EXPERT subrule questions and guidance
                  shakira

                  I'd like to add that these things are known by me to be available in HIPS expert custom rules but not available in the GUI wizard version custom rules:

                  1. DATA values for the reg key class

                       ex. Look for the word "test" being set as the DATA "value" in a key/value:

                       new_data { Include "74006500730074000000" }

                       where t = 7400, e = 6500, s = 7300, t = 7400 and 0000 at the end for whatever reason. Add 00's to the end of ASCII hex values.

                  2. Buffer overflows. Not much documentation on this, but here is an example of an incredibly basic one:

                  Rule {
                     Class "Buffer_Overflow"
                     Id "xxxx"
                     level x
                     time {Include "*"}
                     application {Include "*"}
                     user_name {Include "*"}
                     attributes -no_trusted_apps -not_auditable
                     directives "-d" "-c" "bo:stack" "bo:heap"
                  }

                  - And here is a rule written to watch if a specific executable was overflowed instead:

                  Rule {
                     Class "Buffer_Overflow"
                     Id "xxxx"
                     level x
                     time {Include "*"}
                     if { $EAGENT_64Bit_Process } {
                            application {Include "[iEnv SystemRoot]\\xxxxxx\\xxxxx.exe" \
                                                 "[iEnv SystemRoot]\\xxxxxx\\xxxxx.exe" \
                                        }
                     } else {
                            application {Include "[iEnv SystemRoot]\\xxxxxxx\\xxxxxx.exe"}
                     }
                     user_name {Include "*"}
                     dependencies "-d" "-c" "428"
                     directives "-c" "-d" "bo:stack" "bo:heap"
                     attributes -not_auditable
                  }

                  - One using target_bytes which is related to the rule "Illegal execution" which would be great to have documentation on:

                  Rule {
                     Class "Buffer_Overflow"
                     Id xxxx
                     level x
                     time {Include "*"}
                     if { $EAGENT_64Bit_Process } {
                            application { Include "[iEnv SystemRoot]\\xxxx.exe" \
                                                  "[iEnv SystemRoot]\\syswow64\\xxxx.exe" \
                                        }
                     } else {
                            application { Include "[iEnv SystemRoot]\\xxxx.exe" }
                     }
                     user_name {Include "*"}
                     dependencies "-d" "-c" "985"
                     if { [lindex [split $EAGENT_Version .] 0] > 7 } {
                            target_bytes { Exclude {00 10 04 00 01 a3 50 91 f7 08 ff 96 40 00 03 00-95 8a 07 42 09 b0 31 bc 20 a9 52 4d 12 4e 55 f2} }
                            target_bytes { Exclude {b2 37 6b 3b 89 7d f4 8d 7d f4 53 6a ff ff 53 18-3c ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ??} }
                     }
                     directives "-d" "-c" "bo:writeable_memory"
                  }

                  3. Lastly, any of the Linux classes

                  Message was edited by: shakira on 1/22/14 8:32:58 AM CST

                  Message was edited by: shakira on 1/22/14 8:34:15 AM CST
                  • 6. Re: EXPERT subrule questions and guidance
                    shakira

                    Found something new that isn't documented. Well it is, kind of, but horribly. This is what a buffer overflow rule specifically from a "call not found" could look like ("Suspicious Function Invocation - CALL Not Found" for example):

                    Rule {
                       Class "Buffer_Overflow"
                       Id "xxxx"
                       level x
                       application {Include "*"}
                       dependencies -d -c "432" "434"
                       attributes -no_trusted_apps -not_auditable
                       directives -c -d "bo:call_not_found"
                    }

                    It's on or off. Something is a BO specifically from "call_not_found" or not. Those are your options.

                    If you wanted to filter on the SourceProcessName you'd use that application line. If you wanted to filter by the Caller Path/Module (DLLs) though, you wouldn't know how. The doc on page 108 mentioned "caller module" but with no example. The actual syntax is Caller_Module:

                    Caller_Module {Exclude { -path "*\\good123.dll"} }
                    Caller_Module {Exclude { -path "*\\good456.dll"} }

                    That seems to be what you would use if you wanted to exclude two good known DLLs from the above mentioned rule. You could instead however only "Include" known bad paths or file names, only blocking things you KNOW should be blocked!

                    • 7. Re: EXPERT subrule questions and guidance
                      shakira
                      Just looking at the standard subrule vs expert subrule, yes you can only do one "class" type for the basic subrule. You would essentially have to create multiple standard subrules if you wanted to do multiple classes. In an expert subrule, you can create multiple classes. Additionally, there seems to be only an "Include" field for file path indicators. You can create an "Exclude" rule within the expert subrules, but cannot in the standard subrules.

                      So I just tried this, and it does not work. For example:

                      Works:

                      Rule {
                         tag "c to mcafee test"
                         Class Files
                         Id 4045
                         level 3
                         files { Include "c*mcafeetest.exe" }
                         directives files:create
                      }

                      Doesn't Work:

                      Rule {
                         tag "c to mcafee test"
                         Class Files
                         Class Programs
                         Id 4045
                         level 3
                         files { Include "c*mcafeetest" }
                         Target_Executable { Include { -path "*\\mcafeetest.exe" } }
                         directives files:create program:run
                      }

                      With the error: "ERROR: Multiple class sectionsREMOVED"

                      I was hoping this worked so I didn't have to make 4 subrules every time I want to watch an MD5 doing anything (to files, reg keys, services, and other programs). Any ideas on how to consolidate that behavior into one rule?

                      Message was edited by: shakira on 3/13/14 10:32:23 AM CDT
                      • 8. Re: EXPERT subrule questions and guidance
                        shakira

                        I've found another rule option that is only available in expert rules. The ability to only use pieces of signers/certs instead of the whole, perfectly known string. This is great for when you don't know how certs would be parsed through ClientControl.exe's /execinfo switch. Maybe you get info for a known bad cert from someone but don't have the sample to actually run ClientControl.exe on (seen here: https://kc.mcafee.com/corporate/index?page=content&id=KB71205). The GUI DOES NOT allow you to put a star in the front of a signer string for some reason.

                        The working rule (also firing on many other Microsoft .exe's as to be expected because they share the same cert):

                        Rule {
                             tag "windows app by signer sub 1"
                             Class Program
                             Id 5809
                             level 3
                             Executable { Include { -sdn "*OU=MOPR*" }
                             }
                             directives program:open_with_wait program:open_with_any program:open_with_create_thread program:open_with_terminate program:run program:open_with_modify
                        }

                        Event:

                        ------------------------------
                        04-24 08:44:35 [00408] VIOLATION: [3] ------- Violation ---- Size 1523 ----
                        <Event> <!-- Level=Med, Reaction=Log -->
                          <EventData
                          SignatureID="5809"
                          SignatureName="windows apps by piece of signer"
                          SeverityLevel="3"
                          Reaction="2"
                          ProcessUserName="NT AUTHORITY\SYSTEM"
                          Process="C:\WINDOWS\SYSTEM32\SVCHOST.EXE"
                          IncidentTime="2014-04-24 08:44:33"
                          AllowEx="True"
                          SigRuleClass="Program"
                          ProcessId="956"
                          Session="0"
                          SigRuleDirective="open_with_any"/>
                          <Params>
                            <Param name="Workstation Name" allowex="True">xxx</Param>
                            <Param name="Subject Distinguished Name" allowex="False">CN=MICROSOFT WINDOWS, OU=MOPR, O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US</Param>
                            <Param name="Subject Organization Name" allowex="False">MICROSOFT CORPORATION</Param>
                            <Param name="Executable Description" allowex="False">HOST PROCESS FOR WINDOWS SERVICES</Param>
                            <Param name="Executable Fingerprint" allowex="False">54a47f6b5e09a77e61649109c6a08866</Param>
                            <Param name="Target File Name" allowex="False">IEXPLORE.EXE</Param>
                            <Param name="Target Path" allowex="False">C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE</Param>
                            <Param name="Target Distinguished Name" allowex="False">CN=MICROSOFT CORPORATION, OU=MOPR, O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US</Param>
                            <Param name="Target Organization Name" allowex="False">MICROSOFT CORPORATION</Param>
                            <Param name="Target Description" allowex="False">INTERNET EXPLORER</Param>
                            <Param name="Target Fingerprint" allowex="False">c613e69c3b191bb02c7a191741a1d024</Param>
                          </Params>
                        </Event>

                        Message was edited by: shakira on 4/24/14 8:52:17 AM CDT

                        Message was edited by: shakira on 5/1/14 1:17:03 PM CDT
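As an added example that is not part of the thread or of McAfee's tooling: a Python snippet that parses an event shaped like the one in the post above and evaluates an -sdn pattern against its Subject Distinguished Name, to show why "*OU=MOPR*" also fires on other Microsoft-signed executables while a fuller prefix narrows the match. The event below is a constructed, trimmed copy of the one posted, and the wildcard semantics (shell-style "*", case-insensitive compare) are assumptions about how HIPS evaluates -sdn, not documented behaviour.

```python
import fnmatch
import xml.etree.ElementTree as ET

# Constructed sample modelled on the event in the post above, trimmed to the
# fields used here; it is not a real capture.
SAMPLE_EVENT = """<Event>
  <EventData SignatureID="5809" SigRuleClass="Program"
             Process="C:\\WINDOWS\\SYSTEM32\\SVCHOST.EXE"
             SigRuleDirective="open_with_any"/>
  <Params>
    <Param name="Subject Distinguished Name" allowex="False">CN=MICROSOFT WINDOWS, OU=MOPR, O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US</Param>
    <Param name="Target Path" allowex="False">C:\\PROGRAM FILES\\INTERNET EXPLORER\\IEXPLORE.EXE</Param>
  </Params>
</Event>"""


def parse_event(xml_text):
    """Return (EventData attributes, {Param name: text}) for one HIPS event."""
    root = ET.fromstring(xml_text)
    data = dict(root.find("EventData").attrib)
    params = {p.get("name"): (p.text or "") for p in root.iter("Param")}
    return data, params


def sdn_matches(pattern, sdn):
    """Evaluate an -sdn glob the way the post uses it: '*' matches any run.
    Case-insensitive comparison is an assumption, not documented behaviour."""
    return fnmatch.fnmatchcase(sdn.upper(), pattern.upper())


def evaluate(xml_text, pattern):
    """Would a Program-class rule with this -sdn pattern have fired on the event?"""
    data, params = parse_event(xml_text)
    sdn = params.get("Subject Distinguished Name", "")
    return {
        "process": data.get("Process"),
        "subject_dn": sdn,
        "sdn_match": sdn_matches(pattern, sdn),
    }
```

Pinning the CN as well as the OU (for example "CN=MICROSOFT WINDOWS, OU=MOPR*") keeps the partial-signer benefit the post describes while not matching every binary that merely shares the OU.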