CSA wizard for API events

Unanswered Question
Aug 18th, 2008

This is just an FYI.

If you use the wizard to generate an exception rule for API events, sometimes the pattern created isn't correct. For example, you have an ASP.NET application that trips this event:

TESTMODE: The process 'C:\WINDOWS\system32\inetsrv\w3wp.exe' (as user NT AUTHORITY\NETWORK SERVICE) attempted to access a resource which would have resulted in the user being asked the following question. 'The process C:\WINDOWS\system32\inetsrv\w3wp.exe is attempting to invoke a system function from a buffer. Do you wish to allow this?'

And the wizard excludes this pattern:

f643001f7510897b0883c4145f5e5b*\CreateThread\**\CreateThread

You will need to remove the second CreateThread at the end so it looks like this:

f643001f7510897b0883c4145f5e5b*\CreateThread\**

I don't know if this is a bug in the API rules themselves, or in the wizard itself. It only seems to be a problem when it's duplicated - if it shows a destination file or another value, then it works fine as-is. Hope this helps someone.
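As an added illustration (not part of the original post and not Cisco's code), the following Python script applies the workaround above to a batch of wizard-generated patterns: it detects the `<name>\**\<name>` tail and strips the duplicated final component, while leaving patterns that end in a destination file or some other value untouched. The pattern syntax (backslash-separated components, `*` inside a component, `**` as the multi-level wildcard) is assumed from the two patterns in the post; the hash prefix is copied from the post, and the extra sample pattern ending in a file name is constructed for the demo.

```python
"""Normalize CSA API-rule exception patterns that the wizard emitted with a
duplicated trailing component.

Added example, not from the original post or from Cisco.  Assumptions:
  * components are separated by a backslash,
  * "**" is the multi-level wildcard,
  * the bad shape is exactly  <hash>*\<name>\**\<name>  and the fix is to
    drop the final <name>, as the post describes.
"""

SEP = "\\"      # component separator in the wizard's pattern syntax (assumed)
DEEP = "**"     # multi-level wildcard (assumed from the post's examples)


def split_pattern(pattern: str) -> list:
    """Split a pattern into its backslash-separated components."""
    return pattern.split(SEP)


def has_duplicated_tail(pattern: str) -> bool:
    """True when the pattern ends in <name>\\**\\<name>, the shape the post reports."""
    parts = split_pattern(pattern)
    return (
        len(parts) >= 3
        and parts[-2] == DEEP
        and parts[-1] == parts[-3]
        and parts[-1] != DEEP
    )


def normalize_pattern(pattern: str) -> str:
    """Drop the duplicated final component; any other pattern is returned unchanged."""
    pattern = pattern.strip()
    if not has_duplicated_tail(pattern):
        return pattern
    return SEP.join(split_pattern(pattern)[:-1])


def normalize_patterns(patterns: list) -> tuple:
    """Normalize a list of patterns.

    Returns (fixed_patterns, changed) where `changed` lists the original
    patterns that needed the fix, so an admin can review what was touched.
    """
    fixed, changed = [], []
    for p in patterns:
        q = normalize_pattern(p)
        if q != p.strip():
            changed.append(p.strip())
        fixed.append(q)
    return fixed, changed


# Constructed sample input: the first pattern is the one from the post, the
# second is a made-up pattern with a destination file that must stay as-is.
SAMPLE_PATTERNS = [
    "f643001f7510897b0883c4145f5e5b*\\CreateThread\\**\\CreateThread",
    "f643001f7510897b0883c4145f5e5b*\\CreateThread\\**\\example.dll",
]

if __name__ == "__main__":
    fixed, changed = normalize_patterns(SAMPLE_PATTERNS)
    for before, after in zip(SAMPLE_PATTERNS, fixed):
        mark = "FIXED " if before in changed else "kept  "
        print(f"{mark}{before}  ->  {after}")
```

Run it against the patterns exported from a rule set before importing them; only the `<name>\**\<name>` shape is rewritten, so patterns the wizard already gets right pass through unchanged.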
