2 Replies Latest reply: Jun 13, 2014 3:03 PM by shakira

    How do I make this rule myself, and what does it mean? SID 2834 Java File Creation

    shakira

      Rule {
              Class "Illegal_API_Use"
              Id "2834"
              level 3
              time {Include "*"}
              application {Include "*"}
              user_name {Include "*"}
              Vulnerability_Name {Include "Java - Creation of suspicious files in Temp folder"}
              directives "-d" "-c" "illegal_api_use:bad_parameter" \
                                      "illegal_api_use:invalid_call"
              attributes -not_auditable
      }


      It seems like the McAfee people who write rules are starting to leverage this kind of custom rule more often. Can someone please explain what is going on here? From what I see, all it is looking for is "illegal_api_use" stuff, which is in a ton of other rules. What makes this unique for java creating a file specifically? How does it work?


      As far as I can tell, we do not have the option to make these kinds of rules in the GUI, and we also would have no idea how to write a custom expert rule for it, as it seems to be keying off of the "Vulnerability_Name" line.


      It seems as though there is more going on in the background before this rule fires. What is it?


      Here are some other examples:


      Rule {
              Class "Illegal_API_Use"
              Id "6001"
              level 3
              time {Include "*"}
              application {Include "*"}
              user_name {Include "*"}
              Vulnerability_Name {Include "Suspicious Data Sequence in Javascript"}
              directives "-d" "-c" "illegal_api_use:bad_parameter" "illegal_api_use:invalid_call"
              attributes -not_auditable
      }

      Rule {
              Class "Illegal_API_Use"
              Id "2819"
              level 4
              time {Include "*"}
              application {Include "*"}
              user_name {Include "*"}
              Vulnerability_Name {Include "Windows Enumerate File Vulnerability"}
              directives "-d" "-c" "illegal_api_use:bad_parameter" "illegal_api_use:invalid_call"
              attributes -not_auditable
      }


      Rule {
              Class "Illegal_API_Use"
              Id "2830"
              level 0
              time {Include "*"}
              application {Include "*"}
              user_name {Include "*"}
              Vulnerability_Name {Include "Block User Creation"}
              directives "-d" "-c" "illegal_api_use:bad_parameter" \
                                      "illegal_api_use:invalid_call"
              attributes -not_auditable
      }


      I'm trying to get attention towards these because I'd like to be able to leverage whatever is making them myself. Normal-style HIPS rules are not quite high fidelity enough.


      Message was edited by: shakira on 6/12/14 2:22:06 PM CDT
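Added example, not from the thread or from McAfee: a small Python parser for the Rule { ... } syntax quoted above (backslash continuations and {Include ...} sub-blocks included), used to show that these signatures carry identical directives and differ only in Id, level and Vulnerability_Name, so the actual matching logic is not expressed in the rule text. The sample input is two of the rule blocks quoted in the post; the parser is a hypothetical helper, not a McAfee tool.

```python
import re, shlex

# Constructed sample: two of the rule blocks quoted in the post (Id 2834 and 2819).
SAMPLE_RULES = r'''
Rule {
        Class "Illegal_API_Use"
        Id "2834"
        level 3
        time {Include "*"}
        application {Include "*"}
        user_name {Include "*"}
        Vulnerability_Name {Include "Java - Creation of suspicious files in Temp folder"}
        directives "-d" "-c" "illegal_api_use:bad_parameter" \
                                "illegal_api_use:invalid_call"
        attributes -not_auditable
}
Rule {
        Class "Illegal_API_Use"
        Id "2819"
        level 4
        time {Include "*"}
        application {Include "*"}
        user_name {Include "*"}
        Vulnerability_Name {Include "Windows Enumerate File Vulnerability"}
        directives "-d" "-c" "illegal_api_use:bad_parameter" "illegal_api_use:invalid_call"
        attributes -not_auditable
}
'''
# Matches the {Include "..."} / {Exclude "..."} sub-block form of a field value.
SUBBLOCK = re.compile(r"\{\s*(Include|Exclude)\s+(.*)\}")

def parse_rules(text):
    """Parse every Rule { ... } block into a dict of field -> tuple of values.
    {Include ...}/{Exclude ...} sub-blocks become (mode, values)."""
    text = text.replace("\\\n", " ")  # join backslash line continuations
    rules = []
    for body in re.findall(r"Rule\s*\{(.*?)\n\}", text, re.S):
        fields = {}
        for line in filter(None, map(str.strip, body.splitlines())):
            key, _, rest = line.partition(" ")
            m = SUBBLOCK.fullmatch(rest.strip())
            fields[key] = ((m.group(1), tuple(shlex.split(m.group(2)))) if m
                           else tuple(shlex.split(rest)))
        rules.append(fields)
    return rules

def differing_fields(rules):
    """Field names whose values differ between any two of the given rules."""
    keys = set().union(*rules)
    return sorted(k for k in keys if len({r.get(k) for r in rules}) > 1)
```

Running differing_fields(parse_rules(SAMPLE_RULES)) returns only Id, Vulnerability_Name and level; directives, Class, time, application, user_name and attributes are identical across the signatures.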
        • 1. Re: How do I make this rule myself, and what does it mean? SID 2834 Java File Creation
          greatscott

          McAfee wants to keep the lid on this. This type of HIPS signature TCL in and of itself does not detect anything. I am assuming it references some secondary list which defines what these Vuln Names correspond to, and thus what constitutes a block/allow. It would be nice to leverage it, but they don't want you putting them out of a job!

          • 2. Re: How do I make this rule myself, and what does it mean? SID 2834 Java File Creation
            shakira

            That was my thought as well greatscott. Though I'd be the first to praise McAfee HIPs if they'd let us detect on what I can only imagine they are able to detect on with whatever these rules are doing.


            I'm not sure there is a host-based product that can look at API or system calls, or their variables/parameters, right now. If HIPS would allow that, they'd have a ton (of money) to gain.


            Correlating API calls/parameters of known bad malware or behaviors, and then firing off a rule when a single piece or a set over time is seen, would be killer. Suddenly polymorphic file names, registry keys and MD5s don't matter anymore.