Signature Differences between IDS 3.xx and 4.0 - Missing signatures?
Have noticed recently that multiple signatures that appear in the NSDB do not show up in the IDM list of signatures for my version 3.xx sensors. Some quick research and reading of this forum has indicated that some signatures are being created specifically for the 4.0 sensors. For those signatures that may be detectable ONLY with the 4.0 engine I have no heartache .. but for those that would seem to be string-based (i.e. ADMIN$ access attempts) what would be the reason for not including them as a 3.xx signature?
For some of the recent worms (SoBig, MuMu, LoveGate, etc) there are several SMB signatures that could help identify the activity. The ones that are most likely to do so are not available in the 3.xx sensors.
Now before anyone mentions that the IDS is not an Anti-virus tool <grin> - I am not asking it to be. What I am asking is that if one of our machines IS compromised that the IDS should raise the flags based on the inappropriate activity on the network.
Specifically I am looking at the following signatures:
3311 - SMB: remote SAM service access attempt
3312 - SMB .eml email file remote access
3313 - SMB suspicious password usage
3320 - SMB: ADMIN$ hidden share access attempt
3321 - SMB: User Enumeration
3322 - SMB: Windows Share Enumeration
3323 - SMB: RFPoison Attack
3324 - SMB NIMDA infected file transfer
Now not all these are string/pattern-based but the question remains... Why were these created as 4.0 signatures only?
In the meantime, I could use some help figuring out how to manually create signatures to recognize the ADMIN$, Remote SAM, and .eml incidents.
Thanks in advance for your assistance!
(as a side-note I AM one of those people who keep trying to remind folks that the IDS is not an Anti-virus tool - hence to those who know me it could be fairly humorous to see me asking these questions based on the need to identify some virus/trojan activity. To them I say with a big-ole-smile: C'est La Vie! )
"If at first you don't succeed .. try, try, again. Then quit. There's no use being a fool about it!" as twisted by W.C. Fields.
Re: Signature Differences between IDS 3.xx and 4.0 - Missing sig
None of the 4.0 only SMB signatures are necessarily good candidates for string based regexes. Due to the complexity and variability of the SMB protocol, a special protocol engine for SMB was needed. This was done for reasons of speed and reducing false positives. While it is true that you might be able to construct a regex to match the conditions for the signatures you listed, it would come at a great expense in terms of processor / memory usage due to the complexity of the regexes needed. This is especially true for 3.x systems. Using a more straightforward protocol parser, like 4.0 does, reduces this impact significantly. Also, with a complex regex, the possibility of false positives greatly increases in our experience. This is, in a nutshell, why the signatures are 4.0 only.
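The contrast the reply draws between a byte-level regex and a protocol-aware parser can be shown on the ADMIN$ case the original post asks about. The following is an added illustration, not Cisco's signature engine or any code from this thread: it builds a constructed SMB1 TREE_CONNECT_ANDX request (the message a client sends to attach to a share), parses the share path out of the decoded command, and compares that with a naive regex that only looks for the UTF-16 bytes of "ADMIN$" anywhere in the segment. The third sample, a WRITE_ANDX-shaped message whose file data merely mentions the share name, is the kind of false positive the regex approach produces and the parser does not. Message layouts follow the SMB1 specification; the helper names, the watched-share set and all sample data are assumptions made for the example.

```python
import re
import struct

SMB_COM_WRITE_ANDX = 0x2F
SMB_COM_TREE_CONNECT_ANDX = 0x75
SMB_FLAGS2_UNICODE = 0x8000

# Hidden/administrative shares a defender wants to see connections to (assumed watch list).
WATCHED_SHARES = {"ADMIN$", "C$", "IPC$"}


def _smb_header(command: int, tid: int, mid: int) -> bytes:
    """32-byte SMB1 header: magic, command, status, flags, flags2, pid_high, security, reserved, tid, pid, uid, mid."""
    return b"\xffSMB" + struct.pack(
        "<BIBHH8sHHHHH", command, 0, 0x18, SMB_FLAGS2_UNICODE, 0, b"\x00" * 8, 0, tid, 0xFEFF, 0, mid
    )


def build_tree_connect_andx(path: str, service: str = "?????") -> bytes:
    """Constructed TREE_CONNECT_ANDX request (sample data, not a capture)."""
    password = b"\x00"  # empty password, still counted in PasswordLength
    # WordCount=4, AndXCommand=0xFF (no chained command), AndXReserved, AndXOffset, Flags, PasswordLength
    params = struct.pack("<BBBHHH", 4, 0xFF, 0, 0, 0, len(password))
    path_bytes = path.encode("utf-16-le") + b"\x00\x00"  # Unicode path, null terminated
    data = password + path_bytes + service.encode("ascii") + b"\x00"
    smb = _smb_header(SMB_COM_TREE_CONNECT_ANDX, 0, 1) + params + struct.pack("<H", len(data)) + data
    return struct.pack(">I", len(smb)) + smb  # NetBIOS session header: type 0x00 + 3-byte length


def build_write_andx_with_payload(payload: bytes) -> bytes:
    """Constructed WRITE_ANDX-shaped message carrying opaque file data.
    The parameter block is not modelled; the point is only that the command byte is not 0x75."""
    smb = _smb_header(SMB_COM_WRITE_ANDX, 1, 2) + payload
    return struct.pack(">I", len(smb)) + smb


def parse_tree_connect_path(segment: bytes):
    """Return the share path from a TREE_CONNECT_ANDX request, or None if the segment is not one."""
    smb = segment[4:]  # strip the NetBIOS session header
    if len(smb) < 33 or smb[:4] != b"\xffSMB" or smb[4] != SMB_COM_TREE_CONNECT_ANDX:
        return None
    flags2 = struct.unpack_from("<H", smb, 10)[0]
    if smb[32] != 4:  # WordCount for this command is always 4
        return None
    password_len = struct.unpack_from("<H", smb, 39)[0]  # last parameter word
    byte_count = struct.unpack_from("<H", smb, 41)[0]
    data_start = 43
    data = smb[data_start:data_start + byte_count]
    pos = password_len  # path follows the password bytes
    if flags2 & SMB_FLAGS2_UNICODE:
        if (data_start + pos) % 2:  # a pad byte aligns Unicode strings to 2 bytes
            pos += 1
        end = pos
        while end + 1 < len(data) and data[end:end + 2] != b"\x00\x00":
            end += 2  # walk in code units so the terminator is found on a boundary
        return data[pos:end].decode("utf-16-le", errors="replace")
    end = data.find(b"\x00", pos)
    return data[pos:end if end >= 0 else len(data)].decode("ascii", errors="replace")


def protocol_aware_alert(segment: bytes):
    """Alert only when a decoded TREE_CONNECT_ANDX targets a watched share; returns the share name or None."""
    path = parse_tree_connect_path(segment)
    if path is None:
        return None
    share = path.rsplit("\\", 1)[-1].upper()
    return share if share in WATCHED_SHARES else None


# The string-based alternative: "ADMIN$" as UTF-16LE bytes, anywhere in the segment.
NAIVE_PATTERN = re.compile(rb"A\x00D\x00M\x00I\x00N\x00\$\x00", re.IGNORECASE)


def naive_regex_alert(segment: bytes) -> bool:
    """Fires on the byte pattern regardless of which SMB command carries it."""
    return NAIVE_PATTERN.search(segment) is not None


if __name__ == "__main__":
    samples = {
        "tree connect to ADMIN$": build_tree_connect_andx("\\\\SERVER\\ADMIN$"),
        "tree connect to public": build_tree_connect_andx("\\\\SERVER\\public"),
        "file write mentioning ADMIN$": build_write_andx_with_payload(
            "note: the share ADMIN$ is hidden".encode("utf-16-le")),
    }
    for label, seg in samples.items():
        print(f"{label:32s} parser={protocol_aware_alert(seg)!s:8s} regex={naive_regex_alert(seg)}")
```

The parser costs a handful of fixed-offset reads per segment and decides from the command byte and the decoded path; the regex has to scan every byte of every segment and cannot tell a share connection from a document that happens to contain the same text, which is the false-positive and processing-cost trade-off the reply describes.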