Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Community Member

Signature Differences between IDS 3.xx and 4.0 - Missing signatures?

Have noticed recently that multiple signatures that appear in the NSDB do not show up in the IDM list of signatures for my version 3.xx sensors. Some quick research and reading of this forum has indicated that some signatures are being created specifically for the 4.0 sensors. For those signatures that may be detectable ONLY with the 4.0 engine I have no heartache .. but for those that would seem to be string-based (i.e. ADMIN$ access attempts) what would be the reason for not including them as a 3.xx signature?

For some of the recent worms (SoBig, MuMu, LoveGate, etc) there are several SMB signatures that could help identify the activity. The one that are most likely to do so are not available in the 3.xx sensors.

Now before anyone mentions that the IDS is not an Anti-virus tool <grin> - I am not asking it to be. What I am asking is that if one of our machines IS compromised that the IDS should raise the flags based on the inappropriate activity on the network.

Specifically I am looking at the following signatures:

3311 - SMB: remote SAM service access attempt

3312 - SMB .eml email file remote access

3313 - SMB suspicous password usage

3320 - SMB: ADMIN$ hidden share access attempt

3321 - SMB: User Enumeration

3322 - SMB: Windows Share Enumeration

3323 - SMB: RFPoison Attack

3324 - SMB NIMDA infected file transfer

Now not all these are string/pattern-based but the question remains... Why were these created as 4.0 signatures only?

In the meantime, I could use some help figuring out how to manually create signatures to recognize the ADMIN$, Remote SAM, and .eml incidents.

Thanks in advance for you assistance!

(as a side-note I AM one of those people who keep trying to remind folks that the IDS is not an Anti-virus tool - hence to those who know me it could be fairly humorous to see me asking these questions based on the need to identify some virus/trojan activity. To them I say with a big-ole-smile: C'est La Vie! )

"If at first you don't succeed .. try, try, again. Then quit. There's no use being a fool about it!" as twisted by W.C. Fields.

Henry Schupp

hschupp@idshq.com

1 REPLY
Bronze

Re: Signature Differences between IDS 3.xx and 4.0 - Missing sig

None of the 4.0 only SMB signatures are necessarily good candidates for string based regexes. Due to the complexity and variability of the SMB protocol, a special protocol engine for SMB was needed. This was done for reasons of speed and reducing false postives. While it is true that you might be able to construct a regex to match the conditions for the signatures you listed, it would would come at a great expense in terms of processor / memory usage due to the complexity of the regexes needed. This is especially true for 3.x systems. Using a more straight forward protocol parser, like 4.0 does, reduces this impact significantly. Also, with a complex regex, the possibility of false positives greatly increases in our experience. This is why in a nutshell that the signatures are 4.0 only.

116
Views
0
Helpful
1
Replies
CreatePlease to create content