
signatures with '********' values for some options

mhellman
Level 7

There are some signatures that have '********' for a value in certain options. The example I'm working on currently is 5561-0 thru 5561-2, Windows SMTP Overflow. 5561-2 for example has this value for both the regex string and the service ports. What does this mean?

7 Replies

rupadras
Cisco Employee

It means that the regex string and the service ports for 5561-2 are hidden. If any value in a signature is hidden, the value is shown as *********.

Why would they be hidden?

I've seen this in many of their signatures, and it makes event analysis a little tougher when you don't know the exact string that is triggering a signature. I cannot speak for Cisco as to why they make these hidden, but my guess is that it is due to the fact that they're not an open source IDS/IPS provider. If they don't hide the criteria they use to build signatures, then it would be pretty easy to let them do the signature development work and have others just copy the regex expressions into their own IDS signatures. Also there is the thought that if all the details of the signature were more easily accessible, it would make it easier to know how to evade detection. Again, not sure if this is why Cisco hides them, just a few thoughts.

I would guess that we are wasting about 8 resource hours a day researching [and eventually disabling] signatures that generate false positives on our Cisco sensors. I find it hard to believe anyone would want to copy them;-)

I had actually posted a quick reply to the initial question, but I'll bring it back up here... generally, the hidden fields contain not publicly disclosed information. Somebody may eventually figure out the magic bits, but until then, we have the obligation to keep it under wraps. As to the event analysis, sure I agree, not knowing what we specifically look for does make it a bit more difficult, but we keep tabs on the forum and jump in to help you resolve issues you may encounter. We'll pull you offline and work thru the issues keeping your company's or customer's information private.

Signatures that have hidden regexes and/or ports contain information that is disclosed under NDA agreements or is not otherwise publicly known.

Just to make sure everyone is clear.

If Cisco generates the signature based on research from the Internet, then the signature fields are unencrypted and fully viewable by the user. The information is already in the public domain so no additional risk will be seen if the signature details are unencrypted.

BUT if Cisco generates the signature based on research from a partner company that it received through a non-disclosure agreement with that partner company, then Cisco is legally obliged to encrypt the details of the signature.

This information is in general related to vulnerabilities in the partner's product and the method to exploit the vulnerability is not in the public domain at the time of the writing of the signature. The only means of getting the information to write the signature is through these non-disclosure agreements.

Writing these signatures with encrypted fields allows us to provide protection to our IPS users without causing additional risk of releasing details of the vulnerability before users have had the opportunity to apply the partner's patches to their products.
