3340-0, Windows Shell External Handler

mhellman
Level 7

We saw a couple of these yesterday. What concerns me is that the trigger packet does not contain a string that matches the regex. I have 2 questions:

1) What is the point of putting brackets around the colon at the end of the regex? This is done in other regexes as well (single character enclosed in square brackets), so there must be a point, right?

2) Where is the colon in the trigger packet?

UPDATE: duh. I figured this out...it must be in the next packet.

Here is the regex:

[=].?[Ss][Hh][Ee][Ll][Ll][:]

Here is the alarm:

evIdsAlert: eventId=1136129594516778202 vendor=Cisco severity=high

originator:

hostId: 27-fw-dmz-c1

appName: sensorApp

appInstanceId: 14978

time: June 9, 2006 12:46:51 AM UTC offset=-300 timeZone=GMT-06:00

signature: description=Windows Shell External Handler id=3340 version=S102

subsigId: 0

sigDetails: =shell:

interfaceGroup:

vlan: 0

participants:

attacker:

addr: 4.78.168.81 locality=ANY

port: 80

target:

addr: 206.195.195.101 locality=NETCACHE_EXT_IP

port: 5049

context:

fromAttacker:

000000 66 66 6F 6E 20 75 6E 64 65 72 20 6C 61 79 65 72 ffon under layer

000010 22 3B 73 35 5B 31 5D 3D 73 37 3B 76 61 72 20 73 ";s5[1]=s7;var s

000020 38 3D 22 41 6C 6C 6F 76 65 72 20 64 65 6C 69 63 8="Allover delic

000030 61 74 65 20 62 65 61 64 65 64 20 61 70 70 6C 69 ate beaded appli

000040 71 75 5C 75 30 30 45 39 22 3B 73 35 5B 32 5D 3D qu\u00E9";s5[2]=

000050 73 38 3B 76 61 72 20 73 39 3D 22 48 61 6C 74 65 s8;var s9="Halte

000060 72 20 74 69 65 73 20 69 6E 20 62 61 63 6B 20 6F r ties in back o

000070 66 20 6E 65 63 6B 3B 20 76 2D 6E 65 63 6B 22 3B f neck; v-neck";

000080 73 35 5B 33 5D 3D 73 39 3B 76 61 72 20 73 31 30 s5[3]=s9;var s10

000090 3D 22 53 61 73 68 20 74 69 65 73 20 69 6E 20 62 ="Sash ties in b

0000A0 61 63 6B 3B 20 66 6C 61 72 65 64 20 68 65 6D 22 ack; flared hem"

0000B0 3B 73 35 5B 34 5D 3D 73 31 30 3B 76 61 72 20 73 ;s5[4]=s10;var s

0000C0 31 31 3D 22 53 6E 61 70 2D 63 6C 6F 73 75 72 65 11="Snap-closure

0000D0 20 61 74 20 62 61 63 6B 3B 20 66 61 6C 6C 73 20 at back; falls

0000E0 74 6F 20 68 69 70 22 3B 73 35 5B 35 5D 3D 73 31 to hip";s5[5]=s1

0000F0 31 3B 76 61 72 20 73 31 32 3D 22 53 68 65 6C 6C 1;var s12="Shell

riskRatingValue: 60

interface: ge0_0

protocol: tcp

1 Reply

wsulym
Cisco Employee

Regarding #2, that's most likely what it is. This is a stream-based signature, so the regex doesn't have to fall inside one particular packet; it has to be in the stream of reassembled packets. Turning on the signature action "Produce Verbose Alert" will give you more context, and you may be able to catch the end colon.

Regarding #1, really there's no difference between ":" or "[:]" (minus the quotes) in a regex. The brackets denote a character class, so [abc] means one of either a or b or c. In the case of [:] it's a character class with only one character. There is a reason that you see one-value character classes in our signatures, and it simply comes down to readability... it's easy to miss something like a single colon wedged in amongst a large regex; it's not so easy to miss it when we stick it into a character class.
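
Both points from this thread, as an added example that is not code from either poster or from Cisco: the quoted regex is run per packet and then over the reassembled stream, and the `[:]` form is compared with a plain `:`. Python's `re` module stands in for the sensor's regex engine, and the second segment is constructed, since the alert context stops at `var s12="Shell`.

```python
import re

# Signature 3340 regex exactly as quoted in the original post.
SIG_3340 = re.compile(rb"[=].?[Ss][Hh][Ee][Ll][Ll][:]")
# Same pattern with the single-character classes written as plain literals.
SIG_PLAIN = re.compile(rb"=.?[Ss][Hh][Ee][Ll][Ll]:")

# Constructed TCP payloads. The first ends with the same bytes as the alert
# context (var s12="Shell); the second is an assumed continuation.
SEGMENTS = [
    b'to hip";s5[5]=s11;var s12="Shell',
    b': 100% silk";s5[6]=s12;',
]


def match_per_packet(pattern, segments):
    """Inspect each payload on its own, as a packet-based check would."""
    return [bool(pattern.search(seg)) for seg in segments]


def match_stream(pattern, segments):
    """Inspect the reassembled stream. Returns (matched bytes, index of the
    segment that carried the last matched byte), or None if nothing matched."""
    stream = b"".join(segments)
    m = pattern.search(stream)
    if m is None:
        return None
    # Map the offset of the final matched byte back to its segment.
    last_byte, offset = m.end() - 1, 0
    for idx, seg in enumerate(segments):
        if last_byte < offset + len(seg):
            return m.group(0), idx
        offset += len(seg)


if __name__ == "__main__":
    print("per packet:", match_per_packet(SIG_3340, SEGMENTS))
    print("stream    :", match_stream(SIG_3340, SEGMENTS))
    print("plain form:", match_stream(SIG_PLAIN, SEGMENTS))
```

The match completes in the second segment, so the alert context can end at `Shell` with the colon arriving in the next packet.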
