5 Replies Latest reply on Jun 25, 2015 10:50 AM by shakira

    Use of wildcards in certificates. Custom HIPS signature

    c14us

      Hi All

      As seen on many download pages, wrappers for misc. software are often wrapped with PUP software (or worse).

      I've played with a rule to stop the most aggressive adware publishers based on their certificates, but have problems using wildcards (they are not accepted/working).

      Do any of you know how wildcards should be applied in a certificate check?

      Ex 1. (Not working, but what I would like to do. I've tested with * and **)

       

      Rule {
      tag "Blocked Certificates"
      Class Program
      Id 4007
      level 4
      Target_Executable { Include { -sdn "CN=*fried cookie**" }
      }
      directives program:open_with_wait program:open_with_any program:open_with_create_thread program:open_with_terminate program:run program:open_with_modify
      }

      Ex 2. (The full cert is working, but it is too specific, and will require way too much manual work to be of any interest)

      Rule {
      tag "Funnel"
      Class Program
      Id 4001
      level 4
      Target_Executable { Include { -sdn "CN=funnel delivery (fried cookie ltd.), O=funnel delivery (fried cookie ltd.), L=tel aviv, C=il" }
      }
      directives program:open_with_wait program:open_with_any program:open_with_create_thread program:open_with_terminate program:run program:open_with_modify
      }

        • 1. Re: Use of wildcards in certificates. Custom HIPS signature
          Kary Tankink

          According to the HELP menu for EXECUTABLES, the Signer must be an EXACT match (no wildcards).

          Specify a signer: A signer distinguished name (SDN) for the executable is required and it must match exactly the entries in the accompanying field, including commas and spaces. If signer information is in executables in the Host IPS catalog, you can type an entry and you will get verification of the entry.

          • 2. Re: Use of wildcards in certificates. Custom HIPS signature
            c14us

            Ugh!

            Hoped that was not the case. Would be nice to stop adware developers by part of their signer name.

            A GTI function to check signers would be nice. I'll make a PER.

            Thanks for the reply

            • 3. Re: Use of wildcards in certificates. Custom HIPS signature
              shakira

              You can indeed use wildcards for certs, but it must be done with expert rules:

              Rule {
                  tag "look for multiple signers/certs with stars in them because we only know pieces"
                  Class Program
                  Id 5809
                  level 3
                  Executable { Include { -sdn "*OU=MPR*" } \
                  { -sdn "*OU=MOPR*" }
                  }
                  directives program:open_with_wait program:open_with_any program:open_with_create_thread program:open_with_terminate program:run program:open_with_modify
              }

              Trying to do this in the GUI will remove the wildcards. Not sure why it does this. At least the option is there in the expert rules.

              • 4. Re: Use of wildcards in certificates. Custom HIPS signature
                c14us

                I wanna dance with you Shakira. It's working.

                Can only get it to accept one signer name in the rule though. Get a syntax error every time when trying to add more.

                The example below will block the "Fried Cookie" wrapped installer of FileZilla at SourceForge. I'd like to add a few other blacklisted certificates like "CN=OpenCandy" and "CN=PC Utilities Software Limited". Can I get you to try adding multiple SDNs in one single rule?

                Rule {
                tag "Blocked Certificates"
                Class Program
                Id 4003
                level 4
                Target_Executable { Include { -sdn "*CN=*Fried Cookie*" } }
                directives program:open_with_wait program:open_with_any program:open_with_create_thread program:open_with_terminate program:run program:open_with_modify
                }

                • 5. Re: Use of wildcards in certificates. Custom HIPS signature
                  shakira

                  Glad I could help! Very cool that SourceForge was nice enough to identify their wrapper installers for us. Here is a rule using multiple certs with stars that just worked for me via expert rule:

                  Rule {
                  tag "test"
                  Class Program
                  Id 5932
                  level 3
                  Executable { Include { -sdn "*OU=What*" } \
                  { -sdn "*OU=hello*" }
                  }
                  directives program:open_with_wait program:open_with_any program:open_with_create_thread program:open_with_terminate program:run program:open_with_modify
                  }

                  What I did was make the rule with the GUI (standard rule), click preview and copy the rule. Then I pasted that into an expert rule and added the stars. Make sure to remove any whitespace added from copying and pasting this rule! I got a syntax error when I copied right from this post and tried to add it.
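As an added example (not code from the thread or from McAfee): a small Python helper that renders the multi-signer expert rule in the layout shakira posted, strips the pasted whitespace that caused the syntax errors mentioned above, and dry-runs candidate signer DNs against the patterns. It assumes the stars behave like shell globs and that matching ignores case, which the thread implies but does not document.

```python
import fnmatch
from typing import Iterable, List

# Directive set copied from the rules posted in this thread.
DIRECTIVES = ("program:open_with_wait program:open_with_any "
              "program:open_with_create_thread program:open_with_terminate "
              "program:run program:open_with_modify")


def build_rule(tag: str, rule_id: int, level: int,
               sdn_patterns: Iterable[str]) -> str:
    """Render an expert rule with one -sdn entry per signer pattern.

    Layout mirrors shakira's post: the first entry sits inside Include,
    each further entry is its own brace group joined with a trailing
    backslash.  Patterns are stripped because pasted whitespace produced
    syntax errors in the thread.
    """
    patterns: List[str] = [p.strip() for p in sdn_patterns if p.strip()]
    if not patterns:
        raise ValueError("at least one signer pattern is required")
    entries = [f'{{ -sdn "{p}" }}' for p in patterns]
    body = " \\\n    ".join(entries)
    return (
        "Rule {\n"
        f'    tag "{tag}"\n'
        "    Class Program\n"
        f"    Id {rule_id}\n"
        f"    level {level}\n"
        f"    Executable {{ Include {body}\n"
        "    }\n"
        f"    directives {DIRECTIVES}\n"
        "}"
    )


def sdn_matches(sdn: str, patterns: Iterable[str]) -> bool:
    """Dry-run a signer DN against the patterns before deploying the rule.

    Assumption (not stated in the thread): the stars behave like shell
    globs and the comparison ignores case, which is consistent with
    "*CN=*Fried Cookie*" hitting a lowercase CN in post 4.
    """
    return any(fnmatch.fnmatchcase(sdn.lower(), p.strip().lower())
               for p in patterns)
```

Paste the generated text into an expert rule rather than a standard one, since the thread reports that the GUI strips the stars.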