
Custom Sigs

bizsnatch
Level 1

I'm trying to create a custom signature and am having trouble. I've gone through the documentation and thought I was doing it right, but apparently not.

I would like to monitor any time a certain file is copied over the network.

Any time the file "honeypot.xls" is copied across the network, I want it to trigger an alarm.

I tried the following:

TCP and UDP string.

Source ports - 135, 137, 139, 445

From Service and To service

Appreciate any help with this.

biz

Accepted Solution

Files are transferred as Unicode strings with SMB. In order to match, you need to add nulls between the characters.

Try this as a RegexString:

\x00[Hh]\x00[Oo]\x00[Nn]\x00[Ee]\x00[Yy]\x00[Pp]\x00[Oo]\x00[Tt]\x00
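As an added example (not from the thread or from Cisco), a small Python check of why the null-interleaved pattern is needed: it encodes a constructed SMB-style path as UTF-16LE, which is how SMB carries Unicode strings on the wire, and runs the original plain `honeypot` pattern and the accepted answer's pattern against those bytes. `smb_unicode_regex` is a hypothetical helper of my own that builds the same shape of pattern for any ASCII filename, so it goes a little beyond the single name in the thread.

```python
import re

# The accepted answer's RegexString, copied from the thread above.
ACCEPTED_ANSWER = r"\x00[Hh]\x00[Oo]\x00[Nn]\x00[Ee]\x00[Yy]\x00[Pp]\x00[Oo]\x00[Tt]\x00"

def to_smb_unicode(path: str) -> bytes:
    """Encode a path the way SMB carries Unicode strings on the wire: UTF-16LE,
    so every ASCII character becomes that byte followed by 0x00.
    Constructed sample data; a real SMB PDU wraps this in headers, but the
    filename bytes are what a string signature inspects."""
    return path.encode("utf-16-le")

def smb_unicode_regex(name: str) -> str:
    """Build a null-interleaved, case-insensitive pattern for an ASCII filename
    in the same shape as the accepted answer (hypothetical helper, not a Cisco
    feature). The leading \\x00 is the high byte of the preceding character
    (e.g. the '\\' path separator), so the pattern lines up on a name start."""
    parts = []
    for ch in name:
        if ch.isalpha():
            parts.append(f"[{ch.upper()}{ch.lower()}]")  # SMB names are case-insensitive
        else:
            parts.append(re.escape(ch))
    return "\\x00" + "\\x00".join(parts) + "\\x00"

def matches(pattern: str, stream: bytes) -> bool:
    """Apply a RegexString written with \\xHH escapes to raw stream bytes."""
    return re.search(pattern.encode("ascii"), stream) is not None

# Constructed sample: the filename as it would appear inside an SMB request.
SAMPLE_STREAM = to_smb_unicode("\\share\\honeypot.xls")

def check() -> dict:
    """Compare the original attempt, the accepted answer and the generated pattern."""
    return {
        "plain_ascii": matches("honeypot", SAMPLE_STREAM),                       # False: nulls between letters
        "accepted_answer": matches(ACCEPTED_ANSWER, SAMPLE_STREAM),              # True
        "generated": matches(smb_unicode_regex("honeypot.xls"), SAMPLE_STREAM),  # True
    }

if __name__ == "__main__":
    for name, hit in check().items():
        print(f"{name:16} -> {'match' if hit else 'no match'}")
```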



lwierenga
Level 1

I'm not sure what you have read to date, but take a look at working with signature engines:

http://www.cisco.com/en/US/customer/products/sw/secursw/ps2113/products_installation_and_configuration_guide_chapter09186a00801a0c28.html#788076

Hopefully, this will help in your quest.

Thanks for the doc... According to the doc, I'm doing it right - I think.

Here is what I'm doing:

String.TCP

Direction - From Service

RegexString - honeypot

ServicePorts - 135, 137, 139, 445 (although netbios-ssn (139) is all that's really needed)

Since someone would use a workstation to connect to the server on port 139/TCP, the copy of the file would be from service - at least that's how I read it.

I'm using CTR, so I went into events and added the new signature number and ensured that was part of the current policy. Does CTR have the ability to recognize custom sigs?

Any help is appreciated.

It should work. Let me know if it doesn't; I can get a little more information to help.

It still doesn't work. I've installed IEV on another server to see if it picks it up, and it doesn't.


I tried, but it still didn't work. Please tell me if my configuration looks correct:

Signature Type: Stream Signature - TCP Stream Signature.

Sig Identification: ID 2001 Sub ID 0 Sig name honeypot.tcp

TCP Stream Signature:

Reg Expression: \x00[Hh]\x00[Oo]\x00[Nn]\x00[Ee]\x00[Yy]\x00[Pp]\x00[Oo]\x00[Tt]\x00

Service Ports: 139,445

Direction: From Port

Sev High

Action: Log

Any help is appreciated.

It worked! Bless you! Thank you!...