0 Replies Latest reply on Jun 20, 2014 8:33 AM by dmease729

    How to fully verify GTI file reputation configuration

    dmease729

      NSM and sensor v7.5


      Hi,


      We have followed through:

      7.5 Integration Guide (revA), pages 61 onwards (File reputation integration configurations in the Manager)

      7.5 IPS Administration Guide (revC), pages 251 onwards (Add an Advanced Malware Policy -> Manage Advanced Malware policies)


      Running commands from p69 (Integration Guide), yields the following:


      intruShell@x> show gti config
      Primary Nameserver IP                   : x.x.x.x
      Secondary Nameserver IP                 : x.x.x.x

      [File reputation configuration]
      Sensitivity Level                       : Very low
      Timeout                                 : 3

      [IP reputation configuration]
      GTI proxy host                          : x.x.x.x
      GTI proxy port                          : x
      GTI proxy username                      : " "
      intruShell@x> show gti stats file

      [GTI fingerprint analysis and response]
      Clean files                                     : 0
      Malware files                                   : 0
      Blocked malware files                           : 0

      [Nameserver statistics]
      Files submitted to local nameserver             : 4
      Queries waiting to be sent                      : 0
      Nameserver connectivity errors                  : 4

      [Custom fingerprint analysis and response]
      Files compared against custom fingerprints      : 0
      Files matching custom fingerprints              : 0
      Files blocked due to custom fingerprint match   : 0
      intruShell@x>


      So - it looks like a) the sensor is doing its job, and b) we have an issue internally (we are looking into this at present - likely DNS requests being blocked).


      Questions:

      1) Under what conditions does the connectivity errors counter increase? I am assuming that this includes timeouts, and possibly port unreachables if the network is actively blocking?

      2) Is there any easy way to verify that GTI file reputation is working? i.e., do we have some kind of 'EICARish' test that results in a benign alert coming through?

            Initial thoughts on this:

                  - Increase file reputation sensitivity (possibly to very high). Risky in inline blocking, but for SPAN or TAP deployments it should be OK perhaps (but still, we would need to wait for genuine malware to trigger an alert)

                  - Go to eicar.org and download the .com file via HTTP - even if this is detected, would it go all the way through to alerts? This doesn't appear to work

                  - Create a file, determine its MD5 hash, upload it to custom fingerprints, and go. I believe this wouldn't work, as in order to be checked against the custom fingerprints, the file needs to be deemed potentially suspicious beforehand


      Any help, thoughts, or best practice on this would be greatly appreciated!


      Cheers,
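As an added example that is not part of the original post and is not McAfee's own tooling: a small Python script that parses the `show gti stats file` output pasted above and classifies nameserver health from the counters, so the sensor can be polled over time and the "submitted vs. connectivity errors" comparison the poster did by hand becomes a check. The sample text is a constructed copy of the counters shown in the post; the section and counter names come from that output, while the classification thresholds (for example treating errors >= submissions as "all lookups failing") are my assumptions, not documented sensor semantics. It does not answer which events increment the connectivity error counter; that remains the open question above.

```python
"""Parse the NSM sensor CLI output of `show gti stats file` and judge
whether GTI file reputation lookups are actually reaching a nameserver.

Added example, not McAfee code. Assumptions: the output format is exactly
as pasted in the thread ("[Section]" headers, "name : integer" lines,
"intruShell@..." prompt lines), and the health labels below are this
script's own interpretation of the counters.
"""

import re

# Constructed sample: the counters posted in the thread, x's left as-is.
SAMPLE_STATS = """\
intruShell@x> show gti stats file

[GTI fingerprint analysis and response]
Clean files                                     : 0
Malware files                                   : 0
Blocked malware files                           : 0

[Nameserver statistics]
Files submitted to local nameserver             : 4
Queries waiting to be sent                      : 0
Nameserver connectivity errors                  : 4

[Custom fingerprint analysis and response]
Files compared against custom fingerprints      : 0
Files matching custom fingerprints              : 0
Files blocked due to custom fingerprint match   : 0
intruShell@x>
"""

SECTION_RE = re.compile(r"^\[(.+)\]\s*$")
COUNTER_RE = re.compile(r"^(?P<name>[^:]+?)\s*:\s*(?P<value>\d+)\s*$")


def parse_gti_stats(text):
    """Return {section: {counter_name: int}} from the CLI output.

    Prompt lines and blank lines are ignored; lines whose value is not an
    integer (e.g. the IPs in `show gti config`) are skipped.
    """
    stats = {}
    section = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("intruShell@"):
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            stats[section] = {}
            continue
        m = COUNTER_RE.match(line)
        if m and section is not None:
            stats[section][m.group("name").strip()] = int(m.group("value"))
    return stats


def assess_nameserver_health(stats):
    """Classify lookup health from the nameserver counters (assumed labels).

    'no-traffic'  : nothing submitted yet, so the sensor side is unproven
    'all-failing' : every submission produced a connectivity error
    'degraded'    : some errors, but some lookups apparently got out
    'healthy'     : submissions with no connectivity errors
    """
    ns = stats.get("Nameserver statistics", {})
    submitted = ns.get("Files submitted to local nameserver", 0)
    errors = ns.get("Nameserver connectivity errors", 0)
    if submitted == 0:
        return "no-traffic"
    if errors >= submitted:
        return "all-failing"
    if errors > 0:
        return "degraded"
    return "healthy"


def counter_deltas(before, after):
    """Per-counter change between two snapshots, for polling over time.

    Returns {(section, counter): delta} for counters that moved, so a
    rising 'Nameserver connectivity errors' can be spotted immediately.
    """
    deltas = {}
    for section, counters in after.items():
        for name, value in counters.items():
            prev = before.get(section, {}).get(name, 0)
            if value != prev:
                deltas[(section, name)] = value - prev
    return deltas


if __name__ == "__main__":
    snapshot = parse_gti_stats(SAMPLE_STATS)
    print(snapshot["Nameserver statistics"])
    print("health:", assess_nameserver_health(snapshot))
```

In use, capture the CLI output on a schedule (for example from an SSH session), feed each capture to `parse_gti_stats`, and alert when `counter_deltas` shows "Nameserver connectivity errors" rising in step with "Files submitted to local nameserver"; the sample above classifies as "all-failing", which matches the poster's reading that the sensor is submitting but nothing is getting out.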