4 Replies Latest reply on May 28, 2014 2:58 PM by shakira

    Need explanation: What is "Vulnerability_Name" in Illegal_API_Use rule class?

    shakira

      Two rules. Basically identical besides Vulnerability_Name. What the heck is this field? It seems to be the key to what makes the rule fire on different things, but I can't figure out why. I don't see it in HIPS event logs either. I was hoping to use the Illegal_API_Use class more, but I would need to know the answer to this to move forward because it seems to be the key.

      Vulnerability in Netlogon RPC Service Could Allow Denial of Service

      This event indicates an attempt to exploit a denial of service vulnerability in Netlogon RPC Service. Note: Signature is not supported in Windows Server 2008 and 64-bit machines.

      References: CVE-2010-2742

      Rule {
              Class "Illegal_API_Use"
              Id "2280"
              level 3
              time {Include "*"}
              application {Include "*"}
              user_name {Include "*"}
              Vulnerability_Name {Include "Vulnerability in Netlogon RPC Service Could Allow Denial of Service"}
              directives "-d" "-c" "illegal_api_use:bad_parameter" "illegal_api_use:invalid_call"
              attributes -not_auditable
      }

      Active Directory SPN Validation Vulnerability

      This event indicates an attempt to exploit an SPN Validation Vulnerability in an Active Directory Server. Note: Signature is not supported in Windows Server 2008 and 64-bit machines.

      References: CVE-2011-0040

      Rule {
              Class "Illegal_API_Use"
              Id "2285"
              level 3
              time {Include "*"}
              application {Include "*"}
              user_name {Include "*"}
              Vulnerability_Name {Include "Active Directory SPN Validation Vulnerability"}
              directives "-d" "-c" "illegal_api_use:bad_parameter" "illegal_api_use:invalid_call"
      }

      I can't find reference to the specific Vulnerability_Names anywhere. My best guess is it has to do with VirusScan or another piece of HIPS, but I'm just throwing out a wild guess.

      The reason I was curious about this class is because it's one of the few that seems to dig out the actual API call going on (like CreateFileA) and puts it in the event log. If I can grab the API calls I can find more bad stuff. Anyone have any ideas?

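To make the comparison drawn in the post above concrete, here is an added example (editor's code, not part of the thread and not a McAfee tool): a small parser for the subset of expert-rule syntax visible on this page. It reads both posted rules, reports which fields differ, and lists which match sections actually constrain a rule (Include patterns other than "*"). It only handles the constructs shown here; the real expert-rule grammar has more (Exclude sections, other classes, nested sections) than this covers.

```python
import re
from typing import Dict, Tuple, Union

Section = Tuple[str, str]                  # ("Include" | "Exclude", pattern)
Field = Union[str, Section, Tuple[str, ...]]

# The two Illegal_API_Use rules exactly as posted in the thread.
RULE_2280 = """
Rule {
        Class "Illegal_API_Use"
        Id "2280"
        level 3
        time {Include "*"}
        application {Include "*"}
        user_name {Include "*"}
        Vulnerability_Name {Include "Vulnerability in Netlogon RPC Service Could Allow Denial of Service"}
        directives "-d" "-c" "illegal_api_use:bad_parameter" "illegal_api_use:invalid_call"
        attributes -not_auditable
}
"""

RULE_2285 = """
Rule {
        Class "Illegal_API_Use"
        Id "2285"
        level 3
        time {Include "*"}
        application {Include "*"}
        user_name {Include "*"}
        Vulnerability_Name {Include "Active Directory SPN Validation Vulnerability"}
        directives "-d" "-c" "illegal_api_use:bad_parameter" "illegal_api_use:invalid_call"
}
"""

_BODY = re.compile(r"Rule\s*\{(.*)\}", re.S)    # outer braces, greedy to the last "}"
_LINE = re.compile(r"^(\w+)\s+(.*?)\s*$")       # "key  value..."
_SECTION = re.compile(r'^\{\s*(Include|Exclude)\s+"([^"]*)"\s*\}$')
_QUOTED = re.compile(r'"([^"]*)"')


def parse_rule(text: str) -> Dict[str, Field]:
    """Parse one Rule { ... } block into a dict keyed by field name.

    Handles only what this page uses: quoted scalars (Class "..."), bare
    tokens (level 3, -not_auditable), {Include "..."} / {Exclude "..."}
    match sections, and the quoted token list after 'directives'.
    """
    m = _BODY.search(text)
    if m is None:
        raise ValueError("no Rule { ... } block found")
    fields: Dict[str, Field] = {}
    for raw in m.group(1).splitlines():
        line = raw.strip()
        if not line:
            continue
        lm = _LINE.match(line)
        if lm is None:
            raise ValueError(f"unparsable line: {raw!r}")
        key, value = lm.group(1), lm.group(2)
        sm = _SECTION.match(value)
        if sm:
            fields[key] = (sm.group(1), sm.group(2))
        elif key == "directives":
            fields[key] = tuple(_QUOTED.findall(value))
        elif len(value) >= 2 and value[0] == value[-1] == '"':
            fields[key] = value[1:-1]
        else:
            fields[key] = value                   # bare token, e.g. "3" or "-not_auditable"
    return fields


def effective_constraints(rule: Dict[str, Field]) -> Dict[str, str]:
    """Include sections whose pattern is not the wildcard '*', i.e. what really narrows the rule."""
    return {k: v[1] for k, v in rule.items()
            if k != "directives" and isinstance(v, tuple) and len(v) == 2
            and v[0] == "Include" and v[1] != "*"}


def diff_rules(a: Dict[str, Field], b: Dict[str, Field]) -> Dict[str, Tuple[object, object]]:
    """Fields whose values differ between two parsed rules; a missing field shows as None."""
    return {k: (a.get(k), b.get(k)) for k in sorted(set(a) | set(b)) if a.get(k) != b.get(k)}


if __name__ == "__main__":
    r1, r2 = parse_rule(RULE_2280), parse_rule(RULE_2285)
    for k, (x, y) in diff_rules(r1, r2).items():
        print(f"{k}: {x!r} vs {y!r}")
    print("2280 constrains on:", effective_constraints(r1))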
        • 1. Re: Need explanation: What is "Vulnerability_Name" in Illegal_API_Use rule class?
          Kary Tankink

          I'm not sure I understand the question, but Vulnerability_Name is the CVE vulnerability name (from the vendor).

          CVE-2010-2742:
          http://technet.microsoft.com/en-us/security/bulletin/MS10-101

          CVE-2011-0040:
          http://technet.microsoft.com/en-us/security/bulletin/ms11-005

          Per KB73399:

          KB73399 - FAQs for Host Intrusion Prevention 8.0
          https://kc.mcafee.com/corporate/index?page=content&id=KB73399

          Use the following general methodology when assessing IPS signature events:

          1. Identify the signature number that is being triggered.
          2. Review the IPS Signature number description information from the IPS Rules policy in ePolicy Orchestrator (ePO).
          3. Review the References CVE description link(s), if any are included in the description information for that signature.
          4. Identify whether any Microsoft Technet Security Bulletins are linked for the applicable vulnerability, and identify whether any Microsoft security updates have been released that resolve the vulnerability.
          5. Verify whether systems reporting the IPS event have any applicable Microsoft Security Updates applied (as noted above):

            1. If so, the applicable IPS Signature may be disabled on the systems having the associated Microsoft Security Updates applied.
            2. If not, McAfee recommends that you apply the applicable Microsoft Security Updates to the affected systems at your earliest convenience.

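As a worked version of the KB73399 methodology quoted above, here is an added example (editor's code, not McAfee's and not part of this thread) that runs those steps over a batch of constructed sample HIPS events and a constructed installed-update inventory, using the two signatures and the bulletins linked in the reply. The KB numbers in the table are an assumption (the update numbers the editor recalls those bulletins carrying); confirm them on the bulletin page before acting on the output. The code mirrors the KB's wording: a signature on a patched host "may be disabled", it is not disabled automatically.

```python
from collections import Counter
from typing import Dict, Iterable, List, Optional, Set, Tuple

# Signature metadata as shown in the thread (ID, name, CVE) plus the bulletin
# linked for each CVE.  ASSUMPTION: the "kb" values are the update numbers the
# editor believes those bulletins list; verify against the bulletin pages.
SIGNATURES = {
    2280: {"name": "Vulnerability in Netlogon RPC Service Could Allow Denial of Service",
           "cve": "CVE-2010-2742", "bulletin": "MS10-101", "kb": "KB2207559"},
    2285: {"name": "Active Directory SPN Validation Vulnerability",
           "cve": "CVE-2011-0040", "bulletin": "MS11-005", "kb": "KB2478953"},
}

# Constructed sample IPS events: (reporting host, signature id).  Not real data.
EVENTS = [
    ("DC01", 2280), ("DC01", 2285),
    ("DC02", 2280), ("DC02", 2280),
    ("FS01", 9999),
]

# Constructed per-host installed-update inventory (the kind of list Get-HotFix
# produces on Windows).  Not real data.
INSTALLED: Dict[str, Set[str]] = {
    "DC01": {"KB2207559", "KB2478953"},
    "DC02": {"KB2478953"},
    "FS01": set(),
}

MAY_DISABLE = "patched: signature may be disabled on this host (KB73399 step 5.1)"
APPLY_UPDATE = "unpatched: apply the Microsoft update (KB73399 step 5.2)"
REVIEW = "unknown signature: review its description in the ePO IPS Rules policy (step 2)"

Key = Tuple[str, int]
Verdict = Tuple[int, Optional[str], str]   # (event count, bulletin, recommendation)


def triage(events: Iterable[Key], installed: Dict[str, Set[str]],
           signatures=SIGNATURES) -> Dict[Key, Verdict]:
    """Apply the KB73399 steps to a batch of events, one verdict per (host, signature)."""
    counts = Counter(events)                         # step 1: which signatures fired where
    out: Dict[Key, Verdict] = {}
    for (host, sig), n in sorted(counts.items()):
        meta = signatures.get(sig)
        if meta is None:                             # steps 2-3: no reference data on hand
            out[(host, sig)] = (n, None, REVIEW)
            continue
        # step 4 gave us the bulletin/update; step 5 checks whether the host has it
        patched = meta["kb"] in installed.get(host, set())
        out[(host, sig)] = (n, meta["bulletin"], MAY_DISABLE if patched else APPLY_UPDATE)
    return out


def updates_to_apply(result: Dict[Key, Verdict]) -> Dict[str, List[str]]:
    """Collapse the triage output to {bulletin: hosts that still need it}."""
    need: Dict[str, Set[str]] = {}
    for (host, _sig), (_n, bulletin, rec) in result.items():
        if rec == APPLY_UPDATE and bulletin is not None:
            need.setdefault(bulletin, set()).add(host)
    return {b: sorted(hosts) for b, hosts in sorted(need.items())}


if __name__ == "__main__":
    verdicts = triage(EVENTS, INSTALLED)
    for (host, sig), (n, bulletin, rec) in verdicts.items():
        print(f"{host} sig {sig} x{n} [{bulletin}]: {rec}")
    print("still need:", updates_to_apply(verdicts))
```

Feeding the script real data means exporting the IPS events from ePO (host and signature ID) and the per-host hotfix list, and extending SIGNATURES from the signature descriptions in the IPS Rules policy; the two entries here are only the ones this thread discusses.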
          • 2. Re: Need explanation: What is "Vulnerability_Name" in Illegal_API_Use rule class?
            greatscott

            I think shakira was asking what the vulnerability_name field was for, meaning, how does that field within the expert subrule cause the signature to fire?

            Message was edited by: greatscott on 2/20/14 10:54:41 AM CST
            • 3. Re: Need explanation: What is "Vulnerability_Name" in Illegal_API_Use rule class?
              shakira

              Exactly. What is the Vulnerability_Name for? The ONLY difference in the two rules that would make them alert on different things is the Vulnerability_Name lines. How come that is enough to make the rules alert on something different? It doesn't make sense. It's not looking for different files, registry keys, or apps/programs, but still fires on separate unique events happening.

              If I'm still not clear, I'm not talking about the fact that it refers to a CVE name. That's great, but why do the rules fire on different things when they are exactly the same rule? Vulnerability_Name seems to be the key difference here. What is it changing for the rule to fire on different things?

              • 4. Re: Need explanation: What is "Vulnerability_Name" in Illegal_API_Use rule class?
                shakira

                Seems like these rules are the "kernel level"/"kevlar" rules made at the byte level:

                You told us earlier that we have to think of hooking as user mode hooking, so kernel mode hooking is simply to overview if what's being triggered in user mode is not doing anything it shouldn't do then?
                What was said is that you can assume that “Processes” are operating in user-mode to simplify the problem for triaging Host IPS issues. Host IPS actually hooks in both user-mode and in the kernel.

                https://community.mcafee.com/docs/DOC-4975

                Question 4:

                I was wondering how these two rules created by McAfee function. Their only difference is the Vulnerability_Name line, which somehow makes these rules fire off for different events. How is this possible? I'd like to leverage these custom expert rules if possible but need this question answered first.

                Rule {
                        Class "Illegal_API_Use"
                        Id "2280"
                        level 3
                        time {Include "*"}
                        application {Include "*"}
                        user_name {Include "*"}
                        Vulnerability_Name {Include "Vulnerability in Netlogon RPC Service Could Allow Denial of Service"}
                        directives "-d" "-c" "illegal_api_use:bad_parameter" "illegal_api_use:invalid_call"
                        attributes -not_auditable
                }

                Answer 4:

                This is the way the Kevlar signatures (binary signatures, not written in TCL code) work. Please work with our Sales/Professional Services team for assistance.