Custom App-ID SMB Signature Assistance

Retired Member — Mon, 30 Jun 2014 19:37:36 GMT

Hello,

I'm trying to write a custom smb signature to restrict access to certain shares. It's based on Custom App-ID for a specific SMB share

My share pattern is '\\america\credit'. Unfortunately, it didn't work for me and I opened a support case. But they asked me to post the sig. here to verify it first before they look at this further. Can some one please, check the signature ?

<and-condition>

<or-condition>

<pattern-match>

<context>ms-ds-smb-req-share-name</context>

</pattern-match>

</operator>

</entry>

</or-condition>

</entry>

</and-condition>

<scope>protocol-data-unit</scope>

<order-free>no</order-free>

<comment>string in unicode matches "\\america\credit"</comment>

</entry>

</signature>

<subcategory>storage-backup</subcategory>

<category>business-systems</category>

<technology>client-server</technology>

<evasive-behavior>no</evasive-behavior>

<consume-big-bandwidth>no</consume-big-bandwidth>

<used-by-malware>no</used-by-malware>

<able-to-transfer-file>yes</able-to-transfer-file>

<has-known-vulnerability>yes</has-known-vulnerability>

<tunnel-other-application>no</tunnel-other-application>

<tunnel-applications>no</tunnel-applications>

<prone-to-misuse>no</prone-to-misuse>

<pervasive-use>no</pervasive-use>

<file-type-ident>yes</file-type-ident>

<virus-ident>yes</virus-ident>

<spyware-ident>no</spyware-ident>

<data-ident>no</data-ident>

<parent-app>ms-ds-smb</parent-app>

<description>App-ID to identify and control access to a specific SMB share</description>

<port>

</port>

</default>

</entry>

</application>

Thanks,

Alex

Re: Custom App-ID SMB Signature Assistance

bpappas — Wed, 09 Jul 2014 22:13:12 GMT

I think you want to remove the <or-condition> as that will make the entry contained inside that tag optional. as i read it the signature would fire on all traffic, not just the path you want to match.

Re: Custom App-ID SMB Signature Assistance

gwesson — Wed, 09 Jul 2014 23:04:03 GMT

Looking at a packet capture, the raw hex stream doesn't include spaces. So yours would be:

\x5C005C0061006D006500720069006300\x

I haven't tested this, but it may be worth a shot. I know the article linked shows spaces, but that seems odd to me because the pattern is specifying hex (using \x in front and back). Might be worth trying.

-Greg

Re: Custom App-ID SMB Signature Assistance

Retired Member — Thu, 24 Jul 2014 01:02:59 GMT

Sorry for the late post. Thank you Greg, I'll give it a shot.

Alex

topic Re: Custom App-ID SMB Signature Assistance in Automation/API Discussions

Custom App-ID SMB Signature Assistance

Re: Custom App-ID SMB Signature Assistance

Re: Custom App-ID SMB Signature Assistance

Re: Custom App-ID SMB Signature Assistance