Help Understanding a NetWare Signature

natehausrath
Level 1

Recently I've seen signature 5644/2 fire pretty regularly. This is a Client Service for Netware Overflow signature. It's always from a couple of hosts on my network, and it is directed at machines that aren't running CSNW. So I'm not really concerned about anything being compromised by it, but I want to make sure the source machines aren't sending anything malicious.

When I looked this signature up in Intellishield, it shows an alarm severity of medium. It also shows that it is a component of meta-signature 5644/3. Well, after exploring 5644/3 a bit further, I discovered it is triggered when 5644/0, 1, and 2 are all detected. So does this mean I shouldn't be concerned if one part of this meta-signature is detected by itself?

Also, I logged the packets that caused 5644/2 to trigger, and I wanted to see what exactly caused it. Well, the regex pattern for this signature is protected. I thought it would be helpful to at least be able to see what happened, so is there any other way I can look at this or find this information? Or would it not be helpful in this case to see specifically what happened in the packet?

Thanks for any help!
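A worked illustration of the meta-signature behaviour the question describes (5644/3 fires only when components 5644/0, 5644/1 and 5644/2 have all been detected), added here as an example; it is not code from the thread and not Cisco's implementation. The correlation key (same source and destination) and the 60-second window are assumptions made for the example, and the event list is constructed sample data. The first flow mirrors the poster's situation: 5644/2 alone, repeated against several hosts, never completes the meta signature.

```python
from collections import defaultdict

# Component signatures that make up meta-signature 5644/3, as stated in the thread.
META_COMPONENTS = {"5644/3": {"5644/0", "5644/1", "5644/2"}}

# Constructed sample events: (time_in_seconds, signature_id, source_ip, destination_ip).
# The first three lines reproduce the poster's case: only 5644/2, from one host,
# against machines that never see the other two components.
SAMPLE_EVENTS = [
    (0, "5644/2", "10.0.0.5", "10.0.1.20"),
    (5, "5644/2", "10.0.0.5", "10.0.1.21"),
    (9, "5644/2", "10.0.0.5", "10.0.1.22"),
    (20, "5644/0", "10.0.0.9", "10.0.1.30"),
    (22, "5644/1", "10.0.0.9", "10.0.1.30"),
    (25, "5644/2", "10.0.0.9", "10.0.1.30"),
    (100, "5644/0", "10.0.0.9", "10.0.1.31"),
    (200, "5644/1", "10.0.0.9", "10.0.1.31"),   # 5644/0 is out of the window by now
    (205, "5644/2", "10.0.0.9", "10.0.1.31"),
]


def meta_fires(events, meta_id, window=60):
    """Return the (time, src, dst) tuples at which meta_id would fire.

    Assumption for this example: components are correlated per (src, dst)
    pair and must all have been seen within `window` seconds of each other.
    """
    components = META_COMPONENTS[meta_id]
    last_seen = defaultdict(dict)   # (src, dst) -> {component_id: last time seen}
    fired = []
    for t, sig, src, dst in sorted(events):
        if sig not in components:
            continue
        key = (src, dst)
        last_seen[key][sig] = t
        recent = {s for s, ts in last_seen[key].items() if t - ts <= window}
        if recent == components:
            fired.append((t, src, dst))
            last_seen[key].clear()   # reset so the next occurrence needs a fresh set
    return fired


def lone_component_flows(events, meta_id, window=60):
    """Flows that produced component events but never completed the meta signature.

    These are the events a reviewer would triage on their own, as the poster is doing.
    """
    completed = {(src, dst) for _, src, dst in meta_fires(events, meta_id, window)}
    components = META_COMPONENTS[meta_id]
    return sorted({(src, dst) for _, sig, src, dst in events
                   if sig in components and (src, dst) not in completed})


if __name__ == "__main__":
    for t, src, dst in meta_fires(SAMPLE_EVENTS, "5644/3"):
        print(f"t={t}s  5644/3 fires for {src} -> {dst}")
    for src, dst in lone_component_flows(SAMPLE_EVENTS, "5644/3"):
        print(f"component-only flow, meta never completed: {src} -> {dst}")
```

The point the example makes is the one the replies later confirm: a single component event carries no action of its own, so it is the meta signature, not 5644/2 by itself, that should be driving any response.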

9 Replies

mhellman
Level 7

By default, that sig (component of a META sig) does not have an action assigned. This is generally how the META sigs work. Most (none?) of the component sigs actually have an action. You should probably remove whatever actions have been added.

Ahh, I see this now. I have an event action override set to cause an alert when the risk rating is over 80. It looks like the RR for each of these events is 85. Is this because the severity is set to medium, which causes the ASR to be increased in the RR calculation? I don't have any of the involved machines set in any TVR category.

I guess I'll just set a filter for it.

hmm...yeah, I don't use event action override. Personally, I can't imagine why a component of a META sig (that does not have an action by itself) would have such a high RR.

Yea, it's a little confusing. I'll have to see if I can find out why those event action overrides are enabled. Thanks for your help!

Nate, I didn't see what version you were running, but I looked up the signature 5644-2...it has an SFR of 60. TVR will default to 100 unless changed by the user. The "medium" results in an ASR of 75. For 6.0(5), that's a base RR of 45, (SFR*TVR*ASR)/10000. There are adding modifiers for a relevant OS (+10) and a modifier for the source being on the "watch list". The only things that can account for an adder of 30 would be the TVR being set to HIGH and some watchlist value (or just a large watchlist value). There might be a bug hiding in there someplace (we did find one in Meta that was fixed in 5.1(8) and 6.0(5)), but a look at String.TCP showed that it does not have the Meta problem.

SC

We're running 6.1(1).

But I just discovered that the destination machine IS on the TVR mission critical list. I guess I missed it when I looked the first time around. Sorry about that! This would definitely explain the increased RR.

Thanks for your help!

Yep, that would do it. That causes the TVR to be 200, not 100.

Scott
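The risk-rating arithmetic SC lays out above, carried through with the thread's own numbers, as an added example (not code from the thread and not Cisco's implementation). The values quoted in the thread are SFR 60, ASR 75 for "medium", TVR 100 by default and 200 for a "mission critical" target, and a +10 adder for a relevant OS. The remaining ASR and TVR category values are taken from the Cisco IPS 6.x documentation and are assumptions here; the watch-list modifier is left as a caller-supplied number because the thread gives no value for it, and the clamp to 0..100 and the inclusive override range are also assumptions.

```python
# Attack Severity Rating by configured signature severity. "medium" = 75 is
# quoted in the thread; the other entries are from Cisco IPS 6.x documentation
# and are assumptions for this example.
ASR = {"informational": 25, "low": 50, "medium": 75, "high": 100}

# Target Value Rating by asset category. 100 (the default category) and 200
# ("mission critical") are quoted in the thread; the rest are assumed from the
# Cisco IPS 6.x documentation.
TVR = {"zero": 50, "low": 75, "medium": 100, "high": 150, "mission-critical": 200}

OS_RELEVANCY_ADDER = 10     # "+10 for a relevant OS", as quoted in the thread


def base_rr(sfr, tvr, asr):
    """Base risk rating as quoted in the thread: (SFR * TVR * ASR) / 10000.

    Integer division is an assumption; the thread's own numbers divide exactly.
    """
    return (sfr * tvr * asr) // 10000


def risk_rating(sfr, tvr, asr, os_relevant=False, watch_list=0):
    """Base RR plus the two adders the thread names, clamped to 0..100 (assumed)."""
    rr = base_rr(sfr, tvr, asr)
    if os_relevant:
        rr += OS_RELEVANCY_ADDER
    rr += watch_list            # watch-list modifier; value supplied by the caller
    return max(0, min(100, rr))


def override_fires(rr, low=80, high=100):
    """Does an event action override with an inclusive RR range catch this event?

    The poster's override is described as firing when the RR is over 80, which
    is modelled here as the range 80..100.
    """
    return low <= rr <= high


def sig_5644_2_cases():
    """RR for signature 5644/2 (SFR 60, severity medium) under the thread's scenarios."""
    sfr = 60
    return {
        "default_target": risk_rating(sfr, TVR["medium"], ASR["medium"]),
        "mission_critical_target": risk_rating(sfr, TVR["mission-critical"], ASR["medium"]),
        "mission_critical_target_os_relevant": risk_rating(
            sfr, TVR["mission-critical"], ASR["medium"], os_relevant=True),
    }


if __name__ == "__main__":
    for label, rr in sig_5644_2_cases().items():
        status = "override fires" if override_fires(rr) else "below override range"
        print(f"{label:40s} RR={rr:3d}  {status}")
```

Run as a script, the default-target case stays well below the override range while the mission-critical target pushes the same signature into it, which is the outcome the thread arrives at; the lesson for a defender is that a TVR assignment on the target, not anything the signature itself does, is what turned a no-action component signature into an alerting event.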

mhellman wrote: "This is generally how the META sigs work. Most (none?) of the component sigs actually have an action."

The correct answer is "Most". Occasionally a signature that has a value on its own may get included in a Meta.

SC

Thanks for the follow-up and clarification.
