Help Understanding a NetWare Signature

Answered Question
Jul 24th, 2008

Recently I've seen signature 5644/2 fire pretty regularly. This is a Client Service for NetWare Overflow signature. It's always from a couple of hosts on my network, and it is directed at machines that aren't running CSNW. So I'm not really concerned about anything being compromised by it, but I want to make sure the source machines aren't sending anything malicious.


When I looked this signature up in Intellishield, it shows an alarm severity of medium. It also shows that it is a component of meta-signature 5644/3. Well, after exploring 5644/3 a bit further, I discovered it is triggered when 5644/0, 1, and 2 are all detected. So does this mean I shouldn't be concerned if one part of this meta-signature is detected by itself?


Also, I logged the packets that caused 5644/2 to trigger, and I wanted to see what exactly caused it. Well, the regex pattern for this signature is protected. I thought it would be helpful to at least be able to see what happened, so is there any other way I can look at this or find this information? Or would it not be helpful in this case to see specifically what happened in the packet?


Thanks for any help!

Correct Answer
mhellman Thu, 07/24/2008 - 08:08

By default, that sig (a component of a META sig) does not have an action assigned. This is generally how the META sigs work: most (none?) of the component sigs actually have an action. You should probably remove whatever actions have been added.

natehausrath Thu, 07/24/2008 - 08:30

Ahh, I see this now. I have an event action override set to cause an alert when the risk rating is over 80. It looks like the RR for each of these events is 85. Is this because the severity is set to medium, which causes the ASR to be increased in the RR calculation? I don't have any of the involved machines set in any TVR category.


I guess I'll just set a filter for it.

mhellman Thu, 07/24/2008 - 08:38

hmm...yeah, I don't use event action override. Personally, I can't imagine why a component of a META sig (that does not have an action by itself) would have such a high RR.

natehausrath Thu, 07/24/2008 - 08:40

Yea, it's a little confusing. I'll have to see if I can find out why those event action overrides are enabled. Thanks for your help!

Correct Answer
scothrel Thu, 07/24/2008 - 14:14

Nate, I didn't see what version you were running, but I looked up the signature 5644-2...it has an SFR of 60. TVR will default to 100 unless changed by the user. The "medium" results in an ASR of 75. For 6.0(5), that's a base RR of 45, (SFR*TVR*ASR)/10000. There are adding modifiers for a relevant OS (+10) and a modifier for the source being on the "watch list". The only things that can account for an adder of 30 would be the TVR being set to HIGH and some watchlist value (or just a large watchlist value). There might be a bug hiding in there someplace (we did find one in Meta that was fixed in 5.1(8) and 6.0(5)), but a look at String.TCP showed that it does not have the Meta problem.


SC

natehausrath Fri, 07/25/2008 - 05:44

We're running 6.1(1).


But I just discovered that the destination machine IS on the TVR mission critical list. I guess I missed it when I looked the first time around. Sorry about that! This would definitely explain the increased RR.


Thanks for your help!

scothrel Fri, 07/25/2008 - 08:20

Yep, that would do it. That causes the TVR to be 200, not 100.


Scott
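Scott's arithmetic, as an added example that is not part of the thread: a small Python calculator for the RR formula he gives (base (SFR*TVR*ASR)/10000 plus the OS-relevance and watch-list adders), run for the two cases discussed here, a target in no TVR category (100) and a target on the mission-critical list (200), against Nate's RR > 80 event action override. The cap at 100, the severity/TVR name tables, and the strict ">" comparison for the override are assumptions, not values from the thread.

```python
# Added example, not from the thread: Cisco IPS 6.x risk-rating arithmetic as
# scothrel describes it, used to check why signature 5644/2 crossed an
# event-action-override threshold of RR > 80.
# Values taken from the thread: SFR 60, "medium" severity -> ASR 75,
# default TVR 100, mission-critical TVR 200, OS-relevance adder +10.
# The watch-list adder is a parameter; its size was unknown in the thread.

ASR_BY_SEVERITY = {"medium": 75}                           # only value given in the thread
TVR_BY_CATEGORY = {"default": 100, "mission_critical": 200}  # assumed names, thread values


def base_risk_rating(sfr: int, tvr: int, asr: int) -> int:
    """Base RR = (SFR * TVR * ASR) / 10000, as stated in the thread."""
    return (sfr * tvr * asr) // 10000


def risk_rating(sfr: int, tvr: int, asr: int,
                os_relevant: bool = False, watchlist_adder: int = 0) -> int:
    """Base RR plus the additive modifiers the thread names, capped at 100 (assumed cap)."""
    rr = base_risk_rating(sfr, tvr, asr)
    if os_relevant:
        rr += 10                      # relevant-OS adder from the thread
    rr += watchlist_adder             # watch-list adder, size not given in the thread
    return min(rr, 100)


def override_fires(rr: int, threshold: int = 80) -> bool:
    """natehausrath's override: act when RR is over 80 (strict '>' assumed)."""
    return rr > threshold


def explain(sig: str, sfr: int, severity: str, category: str, **mods) -> dict:
    """Return inputs and resulting RR so the gap to the threshold is visible."""
    asr = ASR_BY_SEVERITY[severity]
    tvr = TVR_BY_CATEGORY[category]
    rr = risk_rating(sfr, tvr, asr, **mods)
    return {"sig": sig, "sfr": sfr, "asr": asr, "tvr": tvr, "rr": rr,
            "override_fires": override_fires(rr)}


if __name__ == "__main__":
    # scothrel's first computation: target in no TVR category -> base RR 45.
    print(explain("5644/2", 60, "medium", "default"))
    # Target on the mission-critical list -> TVR 200 -> RR 90, over the 80 threshold.
    # (The thread observed 85; it does not account for the remaining difference.)
    print(explain("5644/2", 60, "medium", "mission_critical"))
```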

scothrel Thu, 07/24/2008 - 13:23

mhellman wrote: "This is generally how the META sigs work: most (none?) of the component sigs actually have an action."


The correct answer is "Most". Occasionally a signature that has a value on its own may get included in a Meta.


SC

mhellman Thu, 07/24/2008 - 13:29

thanks for the follow up and clarification.
