This article is the sixth installment in an ongoing series of articles on how to utilize SEP 12.1 for Incident Response. Links to the previous five are below:
- How to utilize SEP 12.1 for Incident Response - PART 1
- How to utilize SEP 12.1 for Incident Response - PART 2
- How to utilize SEP 12.1 for Incident Response - PART 3
- How to utilize SEP 12.1 for Incident Response - PART 4
- How to utilize SEP 12.1 for Incident Response - PART 5
In this article, I will explain and demonstrate the use of custom IPS signatures to detect file downloads over HTTP (port 80) and on port 443 during an incident response.
Creating custom IPS signatures is one of the more advanced features that SEP 12.1 offers, so care should be taken: a badly written signature can generate a flood of false alerts or, if set to block, break legitimate traffic. The custom IPS signature feature uses a Snort-like syntax, so if you're familiar with Snort you can write your own signatures fairly easily.
To start using custom IPS, login to the SEPM and go to Policies >> select your IPS policy >> select the Custom Intrusion Prevention Signatures tab:
Select Add Custom Intrusion Prevention Signatures...
Now you will need to start building your custom signatures, so open the policy.
For this example, we will detect executable file (.exe extension) download via HTTP and HTTPS.
Select Add... to add a new group and give it a name such as Monitor HTTP downloads:
Now, under Signatures for this Group, select Add... so you can build your signature like so:
The Content section is the meat and potatoes here. To detect .exe file extension downloads, enter the following syntax:
rule tcp, dest=(80,443), saddr=$LOCALHOST, msg="EXE GET in HTTP detected", regexpcontent="[Gg][Ee][Tt] .*[Ee][Xx][Ee] .*"
Reading it left to right: the rule applies to TCP traffic sent from this host (saddr=$LOCALHOST) to destination port 80 or 443, and it fires when the packet payload matches the regular expression, i.e. a case-insensitive "GET " followed later on the same request line by "exe" and a space (as in GET /setup.exe HTTP/1.1). The msg text is what you will see in the log. Two things to keep in mind: the regex is matched against the raw payload, so it can only see request lines that travel in the clear, meaning requests inside an HTTPS (TLS) session on port 443 are not readable by the signature; and because the pattern requires a space right after exe, a URL such as /setup.exe?id=1 is not matched, while any request line that merely contains "exe " (for example a query string value) is.
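To check what a regexpcontent pattern will and will not match before you push it to an IR group, run it over a few sample request lines first. The following Python script is an added example and is not part of the original article or of SEP itself: it takes the article's regex body, evaluates it against constructed HTTP payloads, and also builds a tighter pattern (an editor's suggestion) that anchors on the request line, requires the path to end in the extension, allows a query string, and covers several extensions at once. Python's re module stands in for the SEP IPS engine here, which is an assumption: the engine's exact regex dialect is not described on the page, so verify the generated pattern against the SEP 12.1 signature syntax reference before using it.

```python
import re

# The regex body exactly as it appears in the article's regexpcontent= value.
ARTICLE_REGEX = r"[Gg][Ee][Tt] .*[Ee][Xx][Ee] .*"

# Constructed sample TCP payloads (not captured traffic): the request line is
# at the start of the payload, followed by a minimal header block.
SAMPLE_PAYLOADS = [
    ("exe_plain",         "GET /tools/putty.exe HTTP/1.1\r\nHost: files.example\r\n\r\n"),
    ("exe_with_query",    "GET /dl/agent.exe?id=7 HTTP/1.1\r\nHost: files.example\r\n\r\n"),
    ("exe_in_query_only", "GET /search?q=exe HTTP/1.1\r\nHost: www.example\r\n\r\n"),
    ("exe_uppercase",     "get /Setup.EXE HTTP/1.0\r\nHost: files.example\r\n\r\n"),
    ("scr_plain",         "GET /themes/ocean.scr HTTP/1.1\r\nHost: files.example\r\n\r\n"),
    ("pdf",               "GET /docs/report.pdf HTTP/1.1\r\nHost: www.example\r\n\r\n"),
    ("post_upload",       "POST /upload HTTP/1.1\r\nHost: www.example\r\n\r\nname=setup.exe \r\n"),
]


def case_insensitive(text):
    """Spell a literal with [Aa]-style classes, the way the article's signature
    does, so the pattern is case-insensitive without relying on an engine flag."""
    return "".join(
        "[%s%s]" % (c.upper(), c.lower()) if c.isalpha() else re.escape(c)
        for c in text
    )


def build_regexpcontent(extensions):
    """Tighter request-line pattern for a list of extensions (editor's suggestion,
    not taken from the article). The match is anchored to the start of the
    payload, the path must end in .<ext>, and an optional ?query is allowed.
    Assumes the engine accepts ^, alternation and negated character classes."""
    alternatives = "|".join(case_insensitive(ext) for ext in extensions)
    return (
        r"^" + case_insensitive("GET")
        + r" /[^ ?]*\.(" + alternatives + r")"
        + r"(\?[^ ]*)? " + case_insensitive("HTTP") + r"/1\.[01]"
    )


def evaluate(regex, payloads=SAMPLE_PAYLOADS):
    """Map sample name -> True if the signature would fire on that payload.
    Python's re is a stand-in for the SEP engine (an assumption, see lead-in)."""
    pattern = re.compile(regex)
    return {name: pattern.search(payload) is not None for name, payload in payloads}


if __name__ == "__main__":
    tighter = build_regexpcontent(["exe", "scr", "bat"])
    print("tighter regexpcontent:", tighter)
    article_hits = evaluate(ARTICLE_REGEX)
    tighter_hits = evaluate(tighter)
    print("%-18s %-8s %s" % ("sample", "article", "tighter"))
    for name, _ in SAMPLE_PAYLOADS:
        print("%-18s %-8s %s" % (name, article_hits[name], tighter_hits[name]))
```

Running the script shows the article's pattern missing exe_with_query and firing on exe_in_query_only, while the tighter pattern catches the query-string download, ignores the search request, and picks up the .scr sample as well; neither pattern can see the request line once it is inside TLS, which is a limitation of payload matching rather than of the regex.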
Make sure the Enabled checkbox is ticked and leave the application Name set to "*" so that downloads by any process are inspected. If you only use IE, for example, you could set it to iexplore.exe, but I would suggest keeping the wildcard * so that every application that downloads files is checked, including ones an attacker might use instead of a browser.
Once done, click OK to save and you can apply your policy to your IR group.
To verify that the policy has been picked up by your client(s), check the System log on the client:
If successful, you will see the above message. If unsuccessful, you will get an error message saying that the policy could not be applied.
The policy is also visible on the client under Help >> Troubleshooting:
Once the policy is in place, simply test by downloading an executable file (.exe file extension) over plain HTTP. You will see the entry in the Security log on the client:
It is best to view this in the SEPM though from the Monitors section:
Log type: Network Threat Protection
Log content: Attacks
To view the alert, select it and click Details for the detailed info.
And that's it! You are now detecting .exe file downloads for your IR group, which you can use to determine whether any malicious activity is taking place.
You can also add more signatures to detect other file extension downloads such as .scr, .zip, .bat or any others you can think of. Keep in mind that these signatures key on the extension in the requested URL, so a download whose URL has no extension (for example one served with a Content-Disposition filename, or through a redirector) will not be caught by them. I will be posting my custom IPS policy to the Downloads section here on Connect with the file extension types that I check for.
Hopefully this article has been helpful for you and please let me know if you have any questions or even suggestions for future articles.
Thanks!
Brian