New Member

Custom Sigs

I'm trying to create a custom signature and am having trouble. I've gone through the documentation and thought I was doing it right, but apparently not.

I would like to monitor any time a certain file is copied over the network.

Any time the file "honeypot.xls" is copied across the network, I want it to trigger an alarm.

I tried the following:

TCP and UDP string.

Source ports - 135, 137, 139, 445

From Service and To service

Appreciate any help with this.

biz

7 REPLIES
New Member

Re: Custom Sigs

I'm not sure what you have read to date, but take a look at working with signature engines:

http://www.cisco.com/en/US/customer/products/sw/secursw/ps2113/products_installation_and_configuration_guide_chapter09186a00801a0c28.html#788076

Hopefully, this will help in your quest.

New Member

Re: Custom Sigs

Thanks for the doc... According to the doc, I'm doing it right - I think.

Here is what I'm doing:

String.TCP

Direction - From Service

RegexString - honeypot

ServicePorts - 135, 137, 139, 445 (although netbios-ssn (139) is all that's really needed)

Since someone would use a workstation to connect to the server on port 139/TCP, the copy of the file would be from service - at least that's how I read it.

I'm using CTR, so I went into events and added the new signature number and ensured that was part of the current policy. Does CTR have the ability to recognize custom sigs?

Any help is appreciated.

New Member

Re: Custom Sigs

It should work. Let me know if it doesn't; I can get a little more information to help.

New Member

Re: Custom Sigs

It still doesn't work. I've installed IEV on another server to see if it picks it up and it doesn't.

Cisco Employee (Accepted Solution)

Re: Custom Sigs

Files are transferred as Unicode strings with SMB. In order to match, you need to add nulls between the characters.

Try this as a RegexString:

\x00[Hh]\x00[Oo]\x00[Nn]\x00[Ee]\x00[Yy]\x00[Pp]\x00[Oo]\x00[Tt]\x00
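
The following is an added example that is not part of the original thread or of any Cisco documentation; it shows why the plain-ASCII pattern never fires and the NUL-interleaved one does. SMB clients that negotiate Unicode send the path in an open/create request as UTF-16LE, so every ASCII character is followed by a 0x00 high byte. The sample request bytes are hand-built (a few filler bytes standing in for the SMB header, then the encoded path), not a real capture, and `unicode_sig` is an illustrative helper that generalises the accepted answer's regex to any name:

```python
import re


def unicode_sig(name: str) -> bytes:
    """Build the NUL-interleaved, case-insensitive regex the accepted answer
    uses, for any name: 'honeypot' -> b'\\x00[Hh]\\x00[Oo]...\\x00[Tt]\\x00'.
    (Illustrative helper; not a sensor API.)"""
    parts = []
    for ch in name:
        if ch.isalpha():
            parts.append(f"[{ch.upper()}{ch.lower()}]")
        else:
            parts.append(re.escape(ch))
    # The leading NUL is the high byte of whatever character precedes the
    # name (e.g. a path separator); each later NUL is the high byte of the
    # character just matched, because UTF-16LE puts the low byte first.
    return (r"\x00" + r"\x00".join(parts) + r"\x00").encode("ascii")


def smb_name_bytes(path: str) -> bytes:
    """Encode a path the way an SMB client puts it on the wire when Unicode
    is negotiated: UTF-16LE, one 0x00 after every ASCII character."""
    return path.encode("utf-16le")


# Constructed sample requests (not real captures): filler for the header,
# then the UTF-16LE path as the sensor would see it in the TCP stream.
SAMPLE_HIT = b"\xfeSMB" + b"\x00" * 8 + smb_name_bytes("\\finance\\HoneyPot.xls")
SAMPLE_MISS = b"\xfeSMB" + b"\x00" * 8 + smb_name_bytes("\\finance\\budget.xls")

ASCII_SIG = re.compile(rb"honeypot", re.IGNORECASE)  # what the poster first tried
UNICODE_SIG = re.compile(unicode_sig("honeypot"))     # the accepted answer


def hits(sig: "re.Pattern[bytes]", payload: bytes) -> bool:
    """True if the signature regex fires anywhere in the payload."""
    return sig.search(payload) is not None


def scan(payload: bytes) -> dict:
    """Run both signatures over one payload and report which fired."""
    return {"ascii": hits(ASCII_SIG, payload), "unicode": hits(UNICODE_SIG, payload)}


if __name__ == "__main__":
    print("honeypot.xls over SMB:", scan(SAMPLE_HIT))
    print("budget.xls over SMB:  ", scan(SAMPLE_MISS))
    print("same name over FTP:   ", scan(b"RETR honeypot.xls\r\n"))
```

Two caveats a practitioner would want: the pattern matches the file name in the SMB request, not the file's contents, so it fires on any open, copy or directory listing that names the file and stays silent if the file is renamed first; and an SMB1 session that did not negotiate Unicode sends the name as plain ASCII, where only the original pattern would match.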

New Member

Re: Custom Sigs

I tried, but it still didn't work. Please tell me if my configuration looks correct:

Signature Type: Stream Signature - TCP Stream Signature.

Sig Identification: ID 2001 Sub ID 0 Sig name honeypot.tcp

TCP Stream Signature:

Reg Expression: \x00[Hh]\x00[Oo]\x00[Nn]\x00[Ee]\x00[Yy]\x00[Pp]\x00[Oo]\x00[Tt]\x00

Service Ports: 139,445

Direction: From Port

Sev High

Action: Log

Any help is appreciated.

New Member

Re: Custom Sigs

It worked! Bless you! Thank you!...
