Block File in My Network

e.basto26 (Level 1)

Hi,

I want to configure my sensor so that it sends a reset packet if it detects a file "VirtualR3D.exe".

I created a custom signature with STRING.TCP, but it does not work.

    Engine: String.TCP
    Service Port: 139,445
    Regex String: [V][i][r][t][u][a][l][R][a][p][3][D][.][e][x][e]

Also, I cloned a signature with these parameters:

    Engine: Smb.Advanced
    SMB Command: 162
    Service Port: 139,445
    Regex: [V][i][r][t][u][a][l][R][a][p][3][D][.][e][x][e]

Please, can you help me?

Thanks in advance.

5 Replies

jlimbo (Level 1)

It is best to capture the traffic on the wire so you can visually see how a file is transmitted through different protocols. I created a dummy file VirtualR3D.exe and shared it between two hosts.

The following string.tcp regex fired on this traffic:

    [\]\x00V\x00i\x00r\x00t\x00u\x00a\x00l\x00R\x00a\x00p\x003\x00D\x00[.]\x00e\x00x\x00e\x00

I hope that helps.

-jonathan

e.basto26 (Level 1)

Hi,

I created this custom signature:

    signatures 60000 0
    alert-severity high
    sig-fidelity-rating 75
    promisc-delta 10
    sig-description
    sig-name VirtualRap3D.exe
    sig-string-info
    sig-comment
    exit
    engine string-tcp
    event-action produce-alert
    regex-string [\]\x00V\x00i\x00r\x00t\x00u\x00a\x00l\x00R\x00a\x00p\x003\x00D\x00[.]\x00e\x00x\x00e\x00
    service-ports 139-139,445-445
    exit
    event-counter
    event-count 1
    event-count-key Axxx

But this doesn't work yet.

I also tried an Atomic IP signature, filtering the traffic between two hosts and logging packets:

    port: 139
    os: idSource=unknown type=unknown relevance=relevant
    actions:
      ipLoggingActivated: true
      logPairPacketsActivated: true
    ipLogIds:
      ipLogId: 1701868400
    triggerPacket:
      000000 00 0A F3 57 5E 3C 00 18 FE 63 B1 33 81 00 00 73 ...W^<...c.3...s
      000010 08 00 45 00 00 A0 51 88 40 00 80 06 79 DF 8E D2 ..E...Q.@...y...
      000020 0F D3 8E D4 01 77 07 CD 00 8B 1F A0 A3 36 70 B5 .....w.......6p.
      000030 1D CB 50 18 FC 00 25 84 00 00 00 00 00 74 FF 53 ..P...%......t.S
      000040 4D 42 32 00 00 00 00 18 07 C8 00 00 00 00 00 00 MB2.............
      000050 00 00 00 00 00 00 02 08 D8 06 00 08 90 3E 0F 30 .............>.0
      000060 00 00 00 0A 00 00 40 00 00 00 00 00 00 00 00 00 ......@.........
      000070 00 30 00 44 00 00 00 00 00 01 00 01 00 33 00 00 .0.D.........3..
      000080 00 00 16 00 56 05 07 00 04 01 00 00 00 00 5C 00 ....V.........\.
      000090 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 52 00 V.i.r.t.u.a.l.R.
      0000A0 61 00 70 00 33 00 44 00 2E 00 65 00 78 00 65 00 a.p.3.D...e.x.e.
      0000B0 00 00 ..
    riskRatingValue: 85 targetValueRating=medium attackRelevanceRating=relevant
    threatRatingValue: 85
    interface: ge0_8
    protocol: tcp

Please help, I really need to block this file.

Thanks.
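Why jlimbo's regex fires while the original `[V][i][r]...` pattern never does is visible in the trigger packet above: an SMB1 Unicode request carries the file name as UTF-16LE, so every character is followed by a NUL byte. The following added example (not code from the thread or from Cisco) parses the posted trigger packet far enough to reach the TCP payload and the SMB command byte, then runs Python equivalents of both patterns over it. The Cisco engine's `[\]` and `[.]` are written here as the Python byte-regex escapes `\\` and `\.`; the frame bytes are copied from the post, with the offset and ASCII columns stripped.

```python
"""Added example: show how the file name in the posted SMB trigger packet is
encoded on the wire, and which of the thread's two regexes matches it."""
import re
import struct

# Hex column of the triggerPacket dump from the post, copied verbatim
# (Ethernet + 802.1Q tag + IPv4 + TCP + NetBIOS session + SMB1).
TRIGGER_PACKET_HEX = """
00 0A F3 57 5E 3C 00 18 FE 63 B1 33 81 00 00 73
08 00 45 00 00 A0 51 88 40 00 80 06 79 DF 8E D2
0F D3 8E D4 01 77 07 CD 00 8B 1F A0 A3 36 70 B5
1D CB 50 18 FC 00 25 84 00 00 00 00 00 74 FF 53
4D 42 32 00 00 00 00 18 07 C8 00 00 00 00 00 00
00 00 00 00 00 00 02 08 D8 06 00 08 90 3E 0F 30
00 00 00 0A 00 00 40 00 00 00 00 00 00 00 00 00
00 30 00 44 00 00 00 00 00 01 00 01 00 33 00 00
00 00 16 00 56 05 07 00 04 01 00 00 00 00 5C 00
56 00 69 00 72 00 74 00 75 00 61 00 6C 00 52 00
61 00 70 00 33 00 44 00 2E 00 65 00 78 00 65 00
00 00
"""

# Python equivalents of the two signature regexes discussed in the thread.
# Cisco writes literal characters as [V][i]... and a backslash as [\]; a raw
# bytes pattern with \\ and \. expresses the same thing in Python's re.
ASCII_PATTERN = re.compile(rb"VirtualRap3D\.exe")          # original poster
UTF16_PATTERN = re.compile(                                  # jlimbo's pattern
    rb"\\\x00V\x00i\x00r\x00t\x00u\x00a\x00l\x00"
    rb"R\x00a\x00p\x003\x00D\x00\.\x00e\x00x\x00e\x00"
)


def hex_to_bytes(dump: str) -> bytes:
    """Turn the whitespace-separated hex column of a packet dump into bytes."""
    return bytes.fromhex("".join(dump.split()))


def parse_frame(frame: bytes) -> dict:
    """Walk Ethernet (+802.1Q) -> IPv4 -> TCP -> NetBIOS session -> SMB1 header,
    checking the length fields so a truncated dump is reported, not misread."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    off = 14
    if ethertype == 0x8100:  # 802.1Q: 2-byte TCI, then the real ethertype
        ethertype = struct.unpack("!H", frame[16:18])[0]
        off = 18
    if ethertype != 0x0800:
        raise ValueError("not IPv4")
    ihl = (frame[off] & 0x0F) * 4
    total_len = struct.unpack("!H", frame[off + 2:off + 4])[0]
    if frame[off + 9] != 6:
        raise ValueError("not TCP")
    if len(frame) - off != total_len:
        raise ValueError("truncated frame")
    tcp = off + ihl
    src_port, dst_port = struct.unpack("!HH", frame[tcp:tcp + 4])
    data_off = (frame[tcp + 12] >> 4) * 4
    payload = frame[tcp + data_off:]
    # NetBIOS session service: 1-byte type, 3-byte length, then the SMB message.
    nbss_len = int.from_bytes(payload[1:4], "big")
    smb = payload[4:]
    if smb[:4] != b"\xffSMB" or len(smb) != nbss_len:
        raise ValueError("payload is not a complete SMB1 message")
    return {"src_port": src_port, "dst_port": dst_port,
            "smb_command": smb[4], "payload": payload}


def find_filename(payload: bytes, pattern: re.Pattern) -> int:
    """Offset of the first match inside the TCP payload, or -1 if the regex misses."""
    m = pattern.search(payload)
    return -1 if m is None else m.start()


def wire_form(path: str) -> bytes:
    """How an SMB1 Unicode request carries a path: UTF-16LE, NUL-terminated."""
    return path.encode("utf-16-le") + b"\x00\x00"


if __name__ == "__main__":
    info = parse_frame(hex_to_bytes(TRIGGER_PACKET_HEX))
    print(f"TCP {info['src_port']} -> {info['dst_port']}, "
          f"SMB command 0x{info['smb_command']:02x}")
    print("ASCII regex offset :", find_filename(info["payload"], ASCII_PATTERN))
    print("UTF-16 regex offset:", find_filename(info["payload"], UTF16_PATTERN))
    # The bytes in the packet are exactly the UTF-16LE encoding of the path.
    print("path bytes present :", wire_form("\\VirtualRap3D.exe") in info["payload"])
    # The UTF-16 pattern stays specific: a different .exe on the share misses.
    print("other .exe matches :",
          find_filename(wire_form("\\Setup.exe"), UTF16_PATTERN) != -1)
```

Running it shows the ASCII pattern missing and the NUL-interleaved one matching at payload offset 84, right where the dump's `\.V.i.r.t.u.a.l.R.` column begins. The parser also reads the SMB command byte of this particular packet as 0x32 (SMB_COM_TRANSACTION2); a cloned SMB.Advanced signature restricted to command 162 (0xA2, SMB_COM_NT_CREATE_ANDX) would not fire on this packet, although the same name can appear in other requests of the same session, so capture the whole exchange before choosing a command filter.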

jlimbo (Level 1)

The regex is correct based on the trigger packet information. When I tested this I shared the VirtualRap3D.exe file and accessed that file from another client through SMB. From memory, I set the direction "From service" based on the traffic information.

I could not find that setting in your signature settings, but I would check it against the traffic flow (from or to the service port) to ensure it's correctly set.

e.basto26 (Level 1)

Yes, but the IPS sends me alerts for all .exe files, not just the file VirtualRap3D.exe.

What's wrong?

Thanks.

jlimbo (Level 1)

I need a bit more information to figure out the issue.

Can you please send me your updated signature settings and, if possible, the output of produce-verbose-alert? You can e-mail this output directly if you like.
