1 Reply Latest reply on Jan 22, 2014 8:35 AM by shakira

    Understanding the Buffer Overflow Class for Custom HIPS Rules

    shakira

      Has anyone taken the time to figure out how to write an expert subrule for the Buffer Overflow class? I have some Default rules to refer to but it's a bit rough.


      At the very least, does anyone know what writing an expert buffer overflow subrule could bring to the table in terms of detecting/blocking new things? What it doesn't bring? Is it worth it?

        • 1. Re: Understanding the Buffer Overflow Class for Custom HIPS Rules
          shakira

          Here is a set of examples I've seen before:


          ---A generic bo rule:


          Rule {
             Class "Buffer_Overflow"
             Id "xxxx"
             level x
             time {Include "*"}
             application {Include "*"}
             user_name {Include "*"}
             attributes -no_trusted_apps -not_auditable
             directives "-d" "-c" "bo:stack" "bo:heap"
          }


          ----And here is a rule written to watch if a specific executable was overflowed instead:


          Rule {
             Class "Buffer_Overflow"
             Id "xxxx"
             level x
             time {Include "*"}
             if { $EAGENT_64Bit_Process } {
                    application {Include "[iEnv SystemRoot]\\xxxxxx\\xxxxx.exe" \
                                             "[iEnv SystemRoot]\\xxxxxx\\xxxxx.exe" \
                                    }
             } else {
                    application {Include "[iEnv SystemRoot]\\xxxxxxx\\xxxxxx.exe"}
             }
             user_name {Include "*"}
             dependencies "-d" "-c" "428"
             directives "-c" "-d" "bo:stack" "bo:heap"
             attributes -not_auditable
          }


          ----One using target_bytes, which is related to the rule "Illegal execution" and would be great to have documentation on:


          Rule {
             Class "Buffer_Overflow"
             Id xxxx
             level x
             time {Include "*"}
             if { $EAGENT_64Bit_Process } {
                            application { Include "[iEnv SystemRoot]\\xxxx.exe"           \
                                                      "[iEnv SystemRoot]\\syswow64\\xxxx.exe" \
                                            }
             } else {
                    application { Include "[iEnv SystemRoot]\\xxxx.exe" }
             }
             user_name {Include "*"}
             dependencies "-d" "-c" "985"
             if { [lindex [split $EAGENT_Version .] 0] > 7 } {
                          target_bytes { Exclude {00 10 04 00 01 a3 50 91 f7 08 ff 96 40 00 03 00-95 8a 07 42 09 b0 31 bc 20 a9 52 4d 12 4e 55 f2} }
                          target_bytes { Exclude {b2 37 6b 3b 89 7d f4 8d 7d f4 53 6a ff ff 53 18-3c ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ??} }
                  }
             directives "-d" "-c" "bo:writeable_memory"
          }
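As an added example (not part of the thread and not McAfee's code), here is a small Python matcher for the byte-signature notation used in the target_bytes entries of the third rule. The thread does not document what target_bytes is compared against; the example only assumes that each entry is a 32-byte signature in which "??" matches any byte and the "-" is a visual separator between the two 16-byte halves. It lets you check a captured byte sequence against an Exclude list offline to see whether that sequence would be excluded or would still trigger the rule. The sample buffers below are constructed for the example.

```python
import re
from typing import List, Optional

# The two Exclude entries from the third rule above, copied verbatim.
# Their real meaning is not documented on the page; treating them as wildcard
# byte signatures is an assumption made for this example.
PATTERNS = [
    "00 10 04 00 01 a3 50 91 f7 08 ff 96 40 00 03 00-95 8a 07 42 09 b0 31 bc 20 a9 52 4d 12 4e 55 f2",
    "b2 37 6b 3b 89 7d f4 8d 7d f4 53 6a ff ff 53 18-3c ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ??",
]


def parse_signature(text: str) -> List[Optional[int]]:
    """Turn 'aa bb ??-cc' into [0xaa, 0xbb, None, 0xcc]; None is a wildcard byte.

    Malformed tokens raise instead of silently shortening the signature, since a
    truncated signature would widen the exclusion without anyone noticing.
    """
    sig: List[Optional[int]] = []
    for tok in re.split(r"[\s-]+", text.strip()):
        if tok == "??":
            sig.append(None)
        elif re.fullmatch(r"[0-9a-fA-F]{2}", tok):
            sig.append(int(tok, 16))
        else:
            raise ValueError(f"bad token {tok!r} in signature")
    return sig


def find_signature(buf: bytes, sig: List[Optional[int]]) -> int:
    """Return the offset of the first match of sig in buf, or -1 if absent."""
    n = len(sig)
    for off in range(len(buf) - n + 1):
        if all(b is None or buf[off + i] == b for i, b in enumerate(sig)):
            return off
    return -1


def matches_exclusion(buf: bytes, patterns: List[str] = PATTERNS) -> Optional[int]:
    """Index of the first Exclude pattern found in buf, or None.

    None means no exclusion applies, i.e. the bytes would not be excluded and
    the rule would still fire on them.
    """
    for idx, pattern in enumerate(patterns):
        if find_signature(buf, parse_signature(pattern)) != -1:
            return idx
    return None


# Constructed sample buffers (not captured from a real process):
# - SAMPLE_EXACT reproduces the first, fully fixed pattern.
# - SAMPLE_EXCLUDED has 4 bytes of filler, the 17 fixed bytes of the second
#   pattern, then 15 arbitrary bytes covered by its "??" wildcards.
# - SAMPLE_NOT_EXCLUDED flips the first fixed byte (b2 -> 00), so no pattern matches.
SAMPLE_EXACT = bytes.fromhex(
    "0010040001a35091f708ff9640000300958a074209b031bc20a9524d124e55f2"
)
SAMPLE_EXCLUDED = (
    b"\x90" * 4
    + bytes.fromhex("b2376b3b897df48d7df4536affff53183c")
    + bytes(range(15))
)
SAMPLE_NOT_EXCLUDED = SAMPLE_EXCLUDED[:4] + b"\x00" + SAMPLE_EXCLUDED[5:]


if __name__ == "__main__":
    for name, buf in [
        ("exact", SAMPLE_EXACT),
        ("excluded", SAMPLE_EXCLUDED),
        ("not excluded", SAMPLE_NOT_EXCLUDED),
    ]:
        hit = matches_exclusion(buf)
        verdict = f"matches Exclude entry {hit}" if hit is not None else "no exclusion, rule would fire"
        print(f"{name:13s}: {verdict}")
```

Because Exclude entries narrow a rule, every byte sequence that matches one of them is a case the rule will not report; the flipped-byte sample shows how a single differing fixed byte is enough to fall outside the exclusion, while the wildcard positions accept any value.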