
Bronze

Question about SigID 3325 - Anyone know the RegexString value?

While trying to answer the question "what is causing this signature to fire?" in regards to SigID 3325, I decided to use the signature tuning utility to try and figure it out.

Unfortunately, other than knowing that this signature is using the "TCP.STRING" engine and that it looks for ports 139 or 445, I'm not sure what exactly in the payload is causing the signature to fire.

Does anyone have the exact RegexString value for SigID 3325?

Thanks,

MCpl Alex Arndt

IDS Engineering

CFNOC

5 REPLIES
Bronze

Re: Question about SigID 3325 - Anyone know the RegexString value?

3.1 sensors protect regex strings by default. 4.1 sensors will show you the regex (except for NDA protected signatures). We are currently evaluating the 3325 regex for false positives and hope to have a solution soon.

Bronze

Re: Question about SigID 3325 - Anyone know the RegexString value?

Indeed, I have 3.1 sensors and that would explain why I don't see the RegexString field at all.

I see that Cisco is evaluating the RegexString for possible problems. Given that I'm probably experiencing false positives with this signature, can I get the string? I'd like to be able to compare it against the Context Buffer info provided with each event.

Anyone willing to toss me a bone?

Bronze

Re: Question about SigID 3325 - Anyone know the RegexString value?

The current regex is:

\xFF\x53\x4D\x42\x32.*\x00\x01.*\x08\x01

This is going to change in signature update S53 pending some more testing.

Bronze

Re: Question about SigID 3325 - Anyone know the RegexString value?

Thanks much!

MCpl Alex Arndt

IDS Engineering

CFNOC DND CIRT

Cisco Employee

Re: Question about SigID 3325 - Anyone know the RegexString value?

Here are the signature settings from a 4.1(1)S51 sensor for comparison:

NOTE: Anyone with a 4.1 sensor can get this same output with the "show settings" command while configuring that signature.

NOTE: The regex for 4.1 is in the RegexString parameter below. I am not sure if the 3.1 RegexString is the same or not, but it should be fairly close.

SIGID: 3325
SubSig: 0
AlarmDelayTimer:
AlarmInterval:
AlarmSeverity: high
AlarmThrottle: Summarize
AlarmTraits:
CapturePacket: False
ChokeThreshold:
Direction: ToService
Enabled: True
EndMatchOffset:
EventAction:
FlipAddr:
MaxInspectLength:
MaxTTL:
MinHits: 1
MinMatchLength: 55
Protocol: TCP
RegexString: \xFF\x53\x4D\x42\x32.*\x00\x01.*\x08\x01
ResetAfterIdle: 15
ServicePorts: 139,445
SigComment:
SigName: Samba call_trans2open Overflow
SigStringInfo: call_trans2open
SigVersion: S44
StorageKey: STREAM
StripTelnetOptions:
SummaryKey: AaBb
ThrottleInterval: 15
WantFrag:
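The following is an added example, not code from Cisco or from any poster in this thread. It applies the RegexString, ServicePorts and MinMatchLength values quoted above to constructed SMB streams so that the posted regex can be compared against a Context Buffer the way the original poster wanted. Two things are assumptions rather than facts from the thread: that the sensor's "." matches any byte of the reassembled stream (StorageKey: STREAM), which the Python version approximates with re.DOTALL, and that MinMatchLength is the minimum number of bytes from the start to the end of the regex match. The SMB_COM_TRANSACTION2 frames are constructed by hand and make no claim about what real call_trans2open exploit traffic looks like; the last case only shows how the two greedy ".*" wildcards let the trailing anchors be satisfied by unrelated bytes later in the same stream.

```python
import re

# RegexString, ServicePorts and MinMatchLength as posted for SigID 3325.
SIG_3325_REGEX = rb"\xFF\x53\x4D\x42\x32.*\x00\x01.*\x08\x01"
SIG_3325_PORTS = {139, 445}
SIG_3325_MIN_MATCH_LENGTH = 55

# Assumption: the sensor's "." matches any byte of the reassembled stream
# (StorageKey: STREAM), so the Python equivalent needs re.DOTALL.
_SIG_3325 = re.compile(SIG_3325_REGEX, re.DOTALL)


def context_buffer_to_bytes(hex_text: str) -> bytes:
    """Turn a hex-dumped context buffer ("FF 53 4D 42 ...") into raw bytes."""
    return bytes.fromhex("".join(hex_text.split()))


def check_sig_3325(payload: bytes, dst_port: int):
    """Return (fires, reason) for one stream, mirroring the posted settings.

    Assumption: MinMatchLength is the minimum number of bytes between the
    start and the end of the regex match.
    """
    if dst_port not in SIG_3325_PORTS:
        return False, "port %d not in ServicePorts 139,445" % dst_port
    m = _SIG_3325.search(payload)
    if m is None:
        return False, "RegexString did not match"
    length = m.end() - m.start()
    if length < SIG_3325_MIN_MATCH_LENGTH:
        return False, "match of %d bytes is below MinMatchLength %d" % (
            length, SIG_3325_MIN_MATCH_LENGTH)
    return True, "matched %d bytes starting at offset %d" % (length, m.start())


def build_smb_trans2(body: bytes) -> bytes:
    """Constructed NetBIOS-framed SMB_COM_TRANSACTION2 (0x32) request."""
    header = (
        b"\xFFSMB"          # SMB magic
        + b"\x32"           # command: SMB_COM_TRANSACTION2
        + b"\x00" * 4       # NT status
        + b"\x18"           # flags (constructed value)
        + b"\x07\xC8"       # flags2 (constructed value)
        + b"\x00" * 12      # PID high, security signature, reserved
        + b"\x00" * 8       # TID, PID, UID, MID
    )
    smb = header + body
    return b"\x00" + len(smb).to_bytes(3, "big") + smb  # NetBIOS session message


# Constructed streams, not real captures.
LONG_TRANS2 = build_smb_trans2(b"\x00\x01" + b"A" * 60 + b"\x08\x01")
SHORT_TRANS2 = build_smb_trans2(b"\x00\x01\x08\x01")
TRANS2_NO_TAIL = build_smb_trans2(b"\x00\x01" + b"A" * 60)
# A TRANSACTION2 request followed, in the same stream, by unrelated bytes that
# happen to contain the two trailing anchors: the greedy ".*" spans them.
SPLIT_STREAM = build_smb_trans2(b"\x0F" * 8) + b"\x00\x01" + b"Z" * 40 + b"\x08\x01"

if __name__ == "__main__":
    for name, stream, port in [
        ("long trans2 to 445", LONG_TRANS2, 445),
        ("short trans2 to 445", SHORT_TRANS2, 445),
        ("trans2 without 08 01", TRANS2_NO_TAIL, 139),
        ("anchors in later data", SPLIT_STREAM, 445),
        ("long trans2 to 80", LONG_TRANS2, 80),
    ]:
        print("%-24s %s" % (name, check_sig_3325(stream, port)))
```

To check a real event, paste the hex from its Context Buffer into context_buffer_to_bytes and pass the result to check_sig_3325 with the destination port of the event; the reason string tells you whether the port filter, the regex or the match length is what decides the outcome.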
