Question about SigID 3325 - Anyone know the RegexString value?

a.arndt (Level 3)

While trying to answer the question "what is causing this signature to fire?" in regards to SigID 3325, I decided to use the signature tuning utility to try and figure it out.

Unfortunately, other than knowing that this signature is using the "TCP.STRING" engine and that it looks for ports 139 or 445, I'm not sure what exactly in the payload is causing the signature to fire.

Does anyone have the exact RegexString value for SigID 3325?

Thanks,

MCpl Alex Arndt

IDS Engineering

CFNOC

5 Replies

mcerha (Level 3)

3.1 sensors protect regex strings by default. 4.1 sensors will show you the regex (except for NDA protected signatures). We are currently evaluating the 3325 regex for false positives and hope to have a solution soon.

Indeed, I have 3.1 sensors and that would explain why I don't see the RegexString field at all.

I see that Cisco is evaluating the RegexString for possible problems. Given that I'm probably experiencing false positives with this signature, can I get the string? I'd like to be able to compare it against the Context Buffer info provided with each event.

Anyone willing to toss me a bone?

The current regex is:

\xFF\x53\x4D\x42\x32.*\x00\x01.*\x08\x01

This is going to change in signature update S53 pending some more testing.

Thanks much!

MCpl Alex Arndt

IDS Engineering

CFNOC DND CIRT

Here are the signature settings from a 4.1(1)S51 sensor for comparison:

NOTE: Anyone with a 4.1 sensor can get this same output with the "show settings" command while configuring that signature.

NOTE: The regex for 4.1 is in the RegexString parameter below. I am not sure if the 3.1 RegexString is the same or not, but it should be fairly close.

SIGID: 3325
SubSig: 0
AlarmDelayTimer:
AlarmInterval:
AlarmSeverity: high
AlarmThrottle: Summarize
AlarmTraits:
CapturePacket: False
ChokeThreshold:
Direction: ToService
Enabled: True
EndMatchOffset:
EventAction:
FlipAddr:
MaxInspectLength:
MaxTTL:
MinHits: 1
MinMatchLength: 55
Protocol: TCP
RegexString: \xFF\x53\x4D\x42\x32.*\x00\x01.*\x08\x01
ResetAfterIdle: 15
ServicePorts: 139,445
SigComment:
SigName: Samba call_trans2open Overflow
SigStringInfo: call_trans2open
SigVersion: S44
StorageKey: STREAM
StripTelnetOptions:
SummaryKey: AaBb
ThrottleInterval: 15
WantFrag:
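To help with the comparison the original poster asked for (checking the RegexString against the bytes in an event's Context Buffer), here is an added Python example that is not part of this thread and not Cisco's code. It applies the regex quoted above to constructed sample payloads and reports whether the signature would fire and which byte span matched. The ServicePorts and MinMatchLength values come from the settings dump; how the sensor interprets MinMatchLength (here: the matched span must be at least that many bytes) and whether "." crosses newline bytes in the TCP.STRING engine (here: DOTALL) are assumptions, not documented behaviour. The sample payloads are constructed and are only SMB-shaped enough to exercise the pattern; they are not real traffic.

```python
import re

# RegexString for SigID 3325 as posted in the thread (4.1(1)S51 settings).
# The first five bytes are the SMB header marker "\xFFSMB" followed by
# command byte 0x32 (SMB_COM_TRANSACTION2); the two ".*" gaps are what make
# the pattern broad enough to be worth checking against real context buffers.
REGEX_STRING = rb"\xFF\x53\x4D\x42\x32.*\x00\x01.*\x08\x01"

# Values from the posted settings dump.
SERVICE_PORTS = {139, 445}
MIN_MATCH_LENGTH = 55   # ASSUMPTION: interpreted as minimum matched span in bytes

# ASSUMPTION: stream inspection lets "." match any byte, including 0x0A.
PATTERN = re.compile(REGEX_STRING, re.DOTALL)


def matches_sig_3325(payload: bytes, dst_port: int):
    """Return (fired, span) for one ToService payload.

    fired is True when the regex matches on a service port and the matched
    span is at least MIN_MATCH_LENGTH bytes. span is (start, end) of the
    regex match when one exists, else None, so a too-short match is still
    reported for comparison against the Context Buffer.
    """
    if dst_port not in SERVICE_PORTS:
        return False, None
    m = PATTERN.search(payload)
    if m is None:
        return False, None
    span = (m.start(), m.end())
    if m.end() - m.start() < MIN_MATCH_LENGTH:
        return False, span
    return True, span


# Constructed samples (not captured traffic): a TRANS2-style header with
# filler bytes standing in for the rest of the SMB message.
SMB_TRANS2 = b"\xFF" + b"SMB" + b"\x32"
SMB_OTHER = b"\xFF" + b"SMB" + b"\x25"     # a different SMB command byte

SAMPLES = {
    # long enough to clear MinMatchLength: 5 + 20 + 2 + 30 + 2 = 59 bytes
    "trans2_long": (SMB_TRANS2 + b"A" * 20 + b"\x00\x01" + b"B" * 30 + b"\x08\x01", 445),
    # same shape, but the span is only 17 bytes
    "trans2_short": (SMB_TRANS2 + b"A" * 4 + b"\x00\x01" + b"B" * 4 + b"\x08\x01", 139),
    # matching bytes, but not on a ServicePort
    "trans2_wrong_port": (SMB_TRANS2 + b"A" * 20 + b"\x00\x01" + b"B" * 30 + b"\x08\x01", 80),
    # different SMB command byte: the regex never matches
    "other_command": (SMB_OTHER + b"A" * 20 + b"\x00\x01" + b"B" * 30 + b"\x08\x01", 445),
}


def classify_samples():
    """Run every constructed sample through the check; returns name -> (fired, span)."""
    return {name: matches_sig_3325(data, port) for name, (data, port) in SAMPLES.items()}


if __name__ == "__main__":
    for name, (fired, span) in classify_samples().items():
        print(f"{name:18s} fired={fired!s:5s} span={span}")
```

To check a real event, replace one of the sample byte strings with the bytes shown in that event's Context Buffer and the destination port from the alarm; the reported span shows exactly which bytes satisfied the pattern, which is what you need to judge whether a hit is a false positive.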
