
Custom Trojan Connections Rule

Created: 10 Jul 2007 • Updated: 25 May 2010 | 1 comment
Hello,
 
First: I'm new to the SSIM, so I have only limited knowledge of the appliance.
Second: we are using the versions below:
 
Version 4.5.1.15
SSIM version : 4.5.0.113 installed at Wed Jun 13 17:17:58 CEST 2007
SESA Version (v 2.5.2.18) installed at Wed Jun 13 17:17:58 CEST 2007
SSIM 4.5.1.15 Service Pack 1 : Wed Jun 13 17:42:03 CEST 2007
DB2 FixPak 14 + IBM Patch applied at : Wed Jun 13 17:55:01 CEST 2007
SSIM 4.5.1.15 Hotfix 1 : Wed Jun 13 18:00:12 CEST 2007
SSIM 4.5.1.15 Hotfix 2 : Wed Jun 13 18:01:14 CEST 2007
SSIM 4.5.1.15 Hotfix 3 : Wed Jun 13 18:02:54 CEST 2007
SSIM 4.5.1.15 Hotfix 4 : Wed Jun 13 18:07:42 CEST 2007
 
I was wondering if it is possible to alter the Trojan Connection Rule in order to discard connections to defined target ports in the Asset Services.
 
The logic behind this is that if a service is defined for a certain asset, then connections to this service are normal (hence not a Trojan connection). It should not matter if the service port is also known as a Trojan port for certain Trojans.
 
I was thinking about creating a custom "Trojan connections" rule based on the existing one. It should have been easy to define an extra "AND" option stating that the "Derived" Destination Host Services should not contain the IP Destination Port. Unfortunately I can only use the predefined port list to filter on this field.
 
Has anybody done anything like this?
 
Kind regards,
 
Ronny



Hello,

I think that one of the possibilities is the "Destination Port Is Open" option; you may find it among the "Derived" options.
If your assets are grouped into groups of hosts/servers that share similar services, you may define these services/ports in a custom user lookup table and use it as another rule criterion. That's the second option, but as you can see it isn't very flexible.

Maybe someone has another idea?

Regards,
Antilles
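To make the rule logic from the question and the lookup-table suggestion from the reply concrete, here is an added example of the correlation as standalone Python. It is not SSIM code and does not use any SSIM API or schema: the Trojan port list, the asset-to-group mapping, the group-to-services lookup table and the log line format are all constructed for this example, and the hypothetical host groups (build-servers, web-servers) stand in for whatever grouping an asset inventory would provide. The point it shows is the overlap the thread is about: a port on the Trojan list that is also a defined service on the destination asset is not reported, while the same port on an asset without that service, or on an asset missing from the inventory, still is.

```python
import re
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Optional

# Illustrative Trojan port list, constructed for this example. SSIM's real
# predefined list lives on the appliance and is not reproduced here.
TROJAN_PORTS: Dict[int, str] = {
    12345: "NetBus",
    27374: "SubSeven",
    31337: "Back Orifice",
}

# Constructed asset inventory: asset IP -> host group (hypothetical names).
ASSET_GROUPS: Dict[str, str] = {
    "10.0.0.5": "build-servers",
    "10.0.0.6": "web-servers",
}

# Constructed user lookup table: host group -> ports its members legitimately
# serve. Port 12345 is deliberately listed for build-servers so that it
# overlaps with the Trojan list above, which is exactly the case in the thread.
GROUP_SERVICES: Dict[str, FrozenSet[int]] = {
    "build-servers": frozenset({22, 443, 12345}),
    "web-servers": frozenset({80, 443}),
}


@dataclass(frozen=True)
class ConnEvent:
    src_ip: str
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class Alert:
    event: ConnEvent
    trojan_name: str


# Constructed log line format ("SRC:sport -> DST:dport ..."); not an SSIM schema.
_LINE_RE = re.compile(
    r"^(?P<src>\d{1,3}(?:\.\d{1,3}){3}):\d+\s+->\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<dport>\d+)\b"
)


def parse_event(line: str) -> Optional[ConnEvent]:
    """Parse one constructed log line into a ConnEvent; None if malformed."""
    m = _LINE_RE.match(line.strip())
    if m is None:
        return None
    return ConnEvent(m.group("src"), m.group("dst"), int(m.group("dport")))


def defined_services(dst_ip: str,
                     asset_groups: Dict[str, str] = ASSET_GROUPS,
                     group_services: Dict[str, FrozenSet[int]] = GROUP_SERVICES) -> FrozenSet[int]:
    """Ports the destination asset is documented to serve.

    An asset that is not in the inventory gets an empty set, so it earns no
    exemption: unknown hosts fail toward alerting rather than toward silence.
    """
    group = asset_groups.get(dst_ip)
    if group is None:
        return frozenset()
    return group_services.get(group, frozenset())


def is_trojan_connection(event: ConnEvent,
                         trojan_ports: Dict[int, str] = TROJAN_PORTS,
                         asset_groups: Dict[str, str] = ASSET_GROUPS,
                         group_services: Dict[str, FrozenSet[int]] = GROUP_SERVICES) -> bool:
    """Fire only if dst_port is on the Trojan list AND the asset has no such service."""
    if event.dst_port not in trojan_ports:
        return False
    return event.dst_port not in defined_services(event.dst_ip, asset_groups, group_services)


def evaluate(lines: Iterable[str]) -> List[Alert]:
    """Run the rule over raw log lines, skipping lines that do not parse."""
    alerts: List[Alert] = []
    for line in lines:
        ev = parse_event(line)
        if ev is not None and is_trojan_connection(ev):
            alerts.append(Alert(ev, TROJAN_PORTS[ev.dst_port]))
    return alerts


# Constructed sample traffic covering each branch of the rule.
SAMPLE_LOG = [
    "192.168.1.20:51000 -> 10.0.0.5:12345 SYN",  # Trojan port, but a defined service: no alert
    "192.168.1.20:51001 -> 10.0.0.6:12345 SYN",  # web server has no 12345 service: alert
    "192.168.1.21:51002 -> 10.0.0.7:31337 SYN",  # asset not in inventory: alert
    "192.168.1.22:51003 -> 10.0.0.6:80 SYN",     # not a Trojan port: no alert
    "garbage line",                              # unparseable: skipped
]

if __name__ == "__main__":
    for a in evaluate(SAMPLE_LOG):
        print(f"TROJAN CONNECTION ({a.trojan_name}): "
              f"{a.event.src_ip} -> {a.event.dst_ip}:{a.event.dst_port}")
```

The one design choice worth calling out is in `defined_services`: an asset missing from the inventory, or a group with no lookup entry, gets no exemption. If the lookup table silently suppressed hits for unknown hosts, an incomplete asset list would turn into a blind spot in the very rule meant to catch the connection.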