0 Replies Latest reply on Apr 8, 2014 1:54 PM by shakira

    Caller_Modules... Program or BO classes. Where to put them?

    shakira

I notice the only rules that return Caller_Paths (modules), Caller_Fingerprints, and Caller_Descriptions are in the Buffer Overflow rule class. So how come Caller_Module is included in the Program class GUI?

       

Which one should I use to watch for bad caller module names and MD5s?

       

      Program class GUI version

      <Setting name="+SigRule#0" value="Rule { tag "Watch for bad Caller Modules NON EXPERT SUB 1" Class Program Id 5713 level 3 Caller_Module { Include "badcallermodule.exe" } directives program:open_with_wait program:open_with_any program:open_with_create_thread program:open_with_terminate program:run program:open_with_modify }" />

       

      Buffer Overflow class Expert Version

<Setting name="+SigRule#1" value=";Rule { tag "Watch for bad Caller Modules Expert Sub 1" Class Buffer_Overflow Id 5713 level 3 Caller_Module { Include { -hash "1234563345674678876576" } } directives "bo:stack" "bo:heap" "bo:writeable_memory" "bo:invalid_call" "bo:call_not_found" }" />


Like I said, I see absolutely no "Program class" rules written with or returning events with Caller_Modules data in them. So I'm assuming the BO class is the way to go. But then why is Caller Module a drop-down box for Program class rules in the GUI? Are they detecting the same thing or not?

       

      Message was edited by: shakira on 4/8/14 1:54:32 PM CDT
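As an added example (not code from this thread or from McAfee): a small parser and checker for the expert-rule text quoted in the post. It assumes, from the two posted rules only, that a Program-class rule carries program:* directives and a Buffer_Overflow-class rule carries bo:* directives; the embedded rule strings are the posted ones with their directive lists abridged.

```python
import re

# Added example (not code from the thread): parse the HIPS expert-rule text quoted in the post and
# check each directive against the rule's Class. The prefix-per-Class map is an assumption taken
# from the two posted rules (program:* for Program, bo:* for Buffer_Overflow).
DIRECTIVE_PREFIX = {"Program": "program:", "Buffer_Overflow": "bo:"}
_TOKEN = re.compile(r'"([^"]*)"|([{}])|([^\s{}"]+)')  # quoted string | brace | bare word
# The two rules from the post (directive lists abridged; the BO rule closed with its missing brace).
PROGRAM_RULE = ('Rule { tag "Watch for bad Caller Modules NON EXPERT SUB 1" Class Program Id 5713 level 3 '
                'Caller_Module { Include "badcallermodule.exe" } directives program:open_with_wait program:run }')
BO_RULE = (';Rule { tag "Watch for bad Caller Modules Expert Sub 1" Class Buffer_Overflow Id 5713 level 3 '
           'Caller_Module { Include { -hash "1234563345674678876576" } } directives "bo:stack" "bo:heap" }')

def tokenize(text):  # yields (kind, value); braces inside quoted strings stay literal
    for m in _TOKEN.finditer(text):
        kind = "str" if m.group(1) is not None else "brace" if m.group(2) else "word"
        yield kind, m.group(1) if kind == "str" else (m.group(2) or m.group(3))

def parse_block(tokens, pos):  # tokens after '{' -> (nested list, index after the matching '}')
    items = []
    while pos < len(tokens):
        kind, val = tokens[pos]
        if (kind, val) == ("brace", "}"):
            return items, pos + 1
        val, pos = parse_block(tokens, pos + 1) if kind == "brace" else (val, pos + 1)
        items.append(val)
    raise ValueError("unbalanced braces in rule text")

def caller_matchers(block):  # Include "x.exe" -> ("name", "x.exe"); Include { -hash "h" } -> ("hash", "h")
    specs = [block[i + 1] for i, item in enumerate(block) if item == "Include"]
    return [(s[0].lstrip("-"), s[1]) if isinstance(s, list) else ("name", s) for s in specs]

def parse_rule(text):  # -> dict with tag, Class, Id, level, Caller_Module matchers, directives
    toks = list(tokenize(text.strip().lstrip(";")))  # the posted BO rule starts with ';'
    body, _ = parse_block(toks, 2)                   # skip the leading 'Rule' and '{'
    rule = {"Caller_Module": [], "directives": []}
    for i, key in enumerate(body):
        if key == "directives":  # everything after this keyword is a directive name
            rule["directives"] = [d for d in body[i + 1:] if isinstance(d, str)]
            break
        if key in ("tag", "Class", "Id", "level"):
            rule[key] = body[i + 1]
        elif key == "Caller_Module":
            rule[key] = caller_matchers(body[i + 1])
    return rule

def lint_rule(rule):  # directives whose prefix does not belong to the rule's Class
    want = DIRECTIVE_PREFIX[rule["Class"]]
    return ["%s does not match Class %s" % (d, rule["Class"])
            for d in rule["directives"] if not d.startswith(want)]
```

Running lint_rule over a Program-class rule that was pasted with bo:* directives (or the reverse) lists every mismatched directive, which is the quickest way to catch a rule copied between the two classes.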