09-16-2003 09:29 AM - edited 03-09-2019 04:48 AM
While trying to answer the question "what is causing this signature to fire?" in regards to SigID 3325, I decided to use the signature tuning utility to try and figure it out.
Unfortunately, other than knowing that this signature is using the "TCP.STRING" engine and that it looks for ports 139 or 445, I'm not sure what exactly in the payload is causing the signature to fire.
Does anyone have the exact RegexString value for SigID 3325?
Thanks,
MCpl Alex Arndt
IDS Engineering
CFNOC
09-16-2003 12:41 PM
The current regex is:
\xFF\x53\x4D\x42\x32.*\x00\x01.*\x08\x01
This is going to change in signature update S53 pending some more testing.
09-16-2003 10:34 AM
3.1 sensors protect regex strings by default. 4.1 sensors will show you the regex (except for NDA protected signatures). We are currently evaluating the 3325 regex for false positives and hope to have a solution soon.
09-16-2003 11:38 AM
Indeed, I have 3.1 sensors and that would explain why I don't see the RegexString field at all.
I see that Cisco is evaluating the RegexString for possible problems. Given that I'm probably experiencing false positives with this signature, can I get the string? I'd like to be able to compare it against the Context Buffer info provided with each event.
Anyone willing to toss me a bone?
09-17-2003 03:36 AM
Thanks much!
MCpl Alex Arndt
IDS Engineering
CFNOC DND CIRT
09-16-2003 01:33 PM
Here are the signature settings from a 4.1(1)S51 sensor for comparison:
NOTE: Anyone with a 4.1 sensor can get this same output with the "show settings" command while configuring that signature.
NOTE: The regex for 4.1 is in the RegexString parameter below. I am not sure if the 3.1 RegexString is the same or not, but it should be fairly close.
SIGID: 3325
SubSig: 0
AlarmDelayTimer:
AlarmInterval:
AlarmSeverity: high
AlarmThrottle: Summarize
AlarmTraits:
CapturePacket: False
ChokeThreshold:
Direction: ToService
Enabled: True
EndMatchOffset:
EventAction:
FlipAddr:
MaxInspectLength:
MaxTTL:
MinHits: 1
MinMatchLength: 55
Protocol: TCP
RegexString: \xFF\x53\x4D\x42\x32.*\x00\x01.*\x08\x01
ResetAfterIdle: 15
ServicePorts: 139,445
SigComment:
SigName: Samba call_trans2open Overflow
SigStringInfo: call_trans2open
SigVersion: S44
StorageKey: STREAM
StripTelnetOptions:
SummaryKey: AaBb
ThrottleInterval: 15
WantFrag:
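The original question was how to compare the posted RegexString against the Context Buffer bytes of an event to decide whether an alarm is a false positive. The following is an added example, not code from the thread or from Cisco; it applies the regex and the ServicePorts / MinMatchLength values from the settings above to a byte buffer. It assumes (these are assumptions, not documented TCP.STRING engine behaviour) that the regex is searched across the TCP payload with "." matching any byte including 0x0A, that ServicePorts filters on the destination port, and that MinMatchLength is the minimum number of bytes the regex must match before the signature fires. The SMB-like buffers are constructed for illustration and carry no real exploit content.

```python
import re

# Values copied from the 4.1(1)S51 "show settings" output posted above.
SIG_3325_REGEX = rb"\xFF\x53\x4D\x42\x32.*\x00\x01.*\x08\x01"
SIG_3325_PORTS = {139, 445}            # ServicePorts: 139,445
SIG_3325_MIN_MATCH_LENGTH = 55         # MinMatchLength: 55

# DOTALL so that "." also matches 0x0A; a binary stream engine has no notion of
# a line break (assumption about the TCP.STRING engine, not from the thread).
_PATTERN = re.compile(SIG_3325_REGEX, re.DOTALL)


def sig_3325_match(payload: bytes, dst_port: int):
    """Return (fires, span) for a payload sent to dst_port.

    fires is True only when the port is a ServicePort, the regex matches, and
    the matched region is at least MinMatchLength bytes long (assumed
    semantics of MinMatchLength). span is (start, end) of the regex match, or
    None when the regex did not match or the port was filtered out, so a
    too-short match can still be inspected during tuning.
    """
    if dst_port not in SIG_3325_PORTS:
        return False, None
    m = _PATTERN.search(payload)
    if m is None:
        return False, None
    span = (m.start(), m.end())
    if m.end() - m.start() < SIG_3325_MIN_MATCH_LENGTH:
        return False, span
    return True, span


def context_buffer_to_bytes(hexdump: str) -> bytes:
    """Turn a hex listing of the Context Buffer into bytes.

    Assumes the buffer is given as bare hex digits separated by whitespace
    (the 3.1 Context Buffer display format is not shown in the thread).
    """
    return bytes.fromhex(re.sub(r"[^0-9a-fA-F]", "", hexdump))


def check_context_buffer(hexdump: str, dst_port: int):
    """Convenience wrapper: decode a hex Context Buffer and test it."""
    return sig_3325_match(context_buffer_to_bytes(hexdump), dst_port)


# --- constructed sample buffers (not captured traffic) ---------------------
# SMB header marker, Transaction2 command byte (0x32), then filler that places
# the \x00\x01 and \x08\x01 sequences far enough apart to exceed 55 bytes.
# The 0x0A in the filler shows why DOTALL matters.
SUSPECT = (b"\xFFSMB\x32" + b"\x00" * 20 + b"\x00\x01"
           + b"A" * 20 + b"\x0A" + b"A" * 19 + b"\x08\x01")       # 69 bytes

# Same byte sequences, but only 9 bytes long: the regex matches, yet the
# match is shorter than MinMatchLength, so the signature should not fire.
SHORT = b"\xFFSMB\x32\x00\x01\x08\x01"

# Different SMB command byte: the regex cannot match at all.
OTHER_COMMAND = b"\xFFSMB\x25" + b"\x00" * 30 + b"\x00\x01" + b"\x08\x01"


if __name__ == "__main__":
    for name, buf, port in (("SUSPECT/445", SUSPECT, 445),
                            ("SUSPECT/80", SUSPECT, 80),
                            ("SHORT/139", SHORT, 139),
                            ("OTHER_COMMAND/139", OTHER_COMMAND, 139)):
        fires, span = sig_3325_match(buf, port)
        print(f"{name:18} fires={fires} span={span}")
```

When tuning, paste the event's Context Buffer bytes into check_context_buffer with the event's destination port: if the regex does not match or the match is shorter than MinMatchLength, the alarm is not explained by the posted string and the tuning effort should look elsewhere (for example at a sensor version whose RegexString differs from the 4.1 one shown here).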