Endpoint Protection


SEP 11: How does Symantec rate exploit/vulnerability before adding it to SEP IPS?

  • 1.  SEP 11: How does Symantec rate exploit/vulnerability before adding it to SEP IPS?

    Posted Mar 08, 2012 11:21 PM

    Hi All,

    As per the topic, how does Symantec rate an exploit/vulnerability before adding it to the SEP IPS signatures?

    Does it add "in the wild" exploits as well? How about exploits against Apache and such?

    Let's say a certain exploit is detected by a different IPS (hardware IPS) but not by SEP IPS; how do we escalate it?

    Regards



  • 2.  RE: SEP 11: How does Symantec rate exploit/vulnerability before adding it to SEP IPS?

    Posted Mar 08, 2012 11:26 PM

    It is based on the signature... The signatures are based on the Symantec site.



  • 3.  RE: SEP 11: How does Symantec rate exploit/vulnerability before adding it to SEP IPS?

    Broadcom Employee
    Posted Mar 08, 2012 11:48 PM

    How does Symantec rate an exploit/vulnerability before adding it to the SEP IPS signatures?

    The Security Response team looks into this before adding it as an IPS signature. The ratings mostly have a CVE.

    Does it add "in the wild" exploits as well? How about exploits against Apache and such?

    Check this list of available signatures:

    http://www.symantec.com/security_response/attacksignatures/

    Let's say a certain exploit is detected by a different IPS (hardware IPS) but not by SEP IPS; how do we escalate it?

    You can talk to support and request the addition of a signature to SEP IPS.



  • 4.  RE: SEP 11: How does Symantec rate exploit/vulnerability before adding it to SEP IPS?

    Posted Mar 08, 2012 11:51 PM


  • 5.  RE: SEP 11: How does Symantec rate exploit/vulnerability before adding it to SEP IPS?

    Posted Mar 09, 2012 01:51 AM

    Can anybody help check whether this CVE is covered by SEP IPS?

    CVE-2011-3192

    If it's not on the list, just request an additional signature?

    How does it work? Just forward the CVE number?



  • 6.  RE: SEP 11: How does Symantec rate exploit/vulnerability before adding it to SEP IPS?

    Broadcom Employee
    Posted Mar 09, 2012 02:24 AM

    Yep, covered.

    Check this link:

    Attack: Apache and IIS Range DoS

    http://www.symantec.com/security_response/attacksignatures/detail.jsp?asid=24454

    You should be working with support on the query and the vulnerability that has been seen.



  • 7.  RE: SEP 11: How does Symantec rate exploit/vulnerability before adding it to SEP IPS?

    Posted Mar 09, 2012 04:15 AM

    First of all, thank you Pete.

    Let me be honest, support was kinda "blur" this time... he should have pointed out that this exploit is covered by SEP IPS at the very beginning.

    I'll wait until he reaches that point...

    How can I search on Symantec's side whether any other exploit is covered by SEP IPS?

    Do I need to look for it manually per application name? (In this case the affected application is Apache.)



  • 8.  RE: SEP 11: How does Symantec rate exploit/vulnerability before adding it to SEP IPS?

    Broadcom Employee
    Posted Mar 09, 2012 05:01 AM

    See if this helps.

    Visit this page:

    http://www.symantec.com/security_response/attacksignatures

    There is a search box in the top right corner; enter the CVE number, run the search and try to figure out the IPS signature URL, or click on each signature.



  • 9.  RE: SEP 11: How does Symantec rate exploit/vulnerability before adding it to SEP IPS?

    Posted Mar 09, 2012 08:24 AM

    We write our own SEP custom IPS signatures if none exists from Symantec. We either take Snort rules and rewrite them for SEP, or we use packet-sniffing traces to build a signature.


  • 10.  RE: SEP 11: How does Symantec rate exploit/vulnerability before adding it to SEP IPS?

    Posted Mar 11, 2012 10:34 PM

    @pete

    Thanks again, the search using the CVE number is working fine.

    What is the rate of exploit signatures added to SEP IPS vs. exploits found daily?

    @thatdude,

    Is a Snort rule 100% compatible with SEP custom IPS, or do we need to alter it?

    Do you have any other guide than the one provided by Symantec? It is not really in-depth...



  • 11.  RE: SEP 11: How does Symantec rate exploit/vulnerability before adding it to SEP IPS?

    Broadcom Employee
    Posted Mar 11, 2012 11:35 PM

    IPS signatures are usually released 2 times a week, as per the pattern.

    SNORT code is compatible.



  • 12.  RE: SEP 11: How does Symantec rate exploit/vulnerability before adding it to SEP IPS?

    Posted Mar 11, 2012 11:48 PM

    @pete

    1) By saying compatible, do you mean no changes are needed? We can just copy and paste it into the rule column?

    2) Do you have any in-depth guide for SEP custom IPS?

    Also, is 2 weeks the standard for IPS signature updates? How does it fare against other brands/rivals?

    (I fully understand that SEP is not a dedicated IPS... but let's say there's a 0-day... 2 weeks is quite long.)



  • 13.  RE: SEP 11: How does Symantec rate exploit/vulnerability before adding it to SEP IPS?

    Posted Mar 11, 2012 11:53 PM

    You have to edit the SNORT rule before using it in SEP. I've got a request in with the product team to create a SNORT to SEP IPS conversion utility to make things easier for admins.


  • 14.  RE: SEP 11: How does Symantec rate exploit/vulnerability before adding it to SEP IPS?

    Broadcom Employee
    Posted Mar 11, 2012 11:56 PM

    1) By saying compatible, do you mean no changes are needed? We can just copy and paste it into the rule column?

    You need to edit it.

    2) Do you have any in-depth guide for SEP custom IPS?

    Click on the help and please check the forums (articles).



  • 15.  RE: SEP 11: How does Symantec rate exploit/vulnerability before adding it to SEP IPS?

    Posted Mar 12, 2012 02:44 AM

    OK, I got the Snort rule here for this particular CVE; can anyone help convert it to SEP custom IPS?

    alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"DOS Apache Killer denial of service tool exploit attempt"; flow:to_server,established; content:"Range"; nocase; http_header; content:"bytes"; within:10; nocase; http_header; pcre:"/Range\s*\x3A\s*bytes=([\d\x2D]+\x2C){50}/Hsmi"; reference:bugtraq,49303; reference:cve,2011-3192; reference:url,archives.neohapsis.com/archives/fulldisclosure/2011-08/0203.html; reference:url,osvdb.org/show/osvdb/74721; classtype:attempted-dos; sid:19825; rev:6;)

    Many thanks!!
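The detection that the Snort rule above expresses, as an added example that is not part of the thread and not Symantec's or Snort's code: a Python check that applies the rule's Range-header regex to the HTTP header block only (the effect of the /H modifier) and counts the byte ranges, run over constructed requests. The sample requests and the host name example.test are constructed for the example.

```python
import re

# Python translation of the rule's PCRE /Range\s*\x3A\s*bytes=([\d\x2D]+\x2C){50}/Hsmi:
# \x3A is ':', \x2D is '-', \x2C is ','; s/m/i map to DOTALL/MULTILINE/IGNORECASE.
# The rule fires when at least 50 comma-terminated ranges follow "bytes=".
RANGE_FLOOD_RE = re.compile(rb"Range\s*:\s*bytes=([\d-]+,){50}",
                            re.IGNORECASE | re.DOTALL | re.MULTILINE)


def split_headers(request: bytes) -> bytes:
    """Return the header block of an HTTP request (everything before the blank line)."""
    head, _, _ = request.partition(b"\r\n\r\n")
    return head


def count_byte_ranges(headers: bytes) -> int:
    """Count the comma-separated ranges in a bytes= Range header, or 0 if absent."""
    for line in headers.split(b"\r\n"):
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"range":
            value = value.strip()
            if value.lower().startswith(b"bytes="):
                return len([r for r in value[len(b"bytes="):].split(b",") if r.strip()])
    return 0


def matches_rule(request: bytes) -> bool:
    """True when the request would satisfy the rule's pcre check on the header block."""
    # Snort's /H (http_header) modifier scopes the match to headers, so a
    # Range-looking string in the body must not trigger it; mirror that here.
    return RANGE_FLOOD_RE.search(split_headers(request)) is not None


# Constructed sample requests (not captured traffic).
NORMAL_REQUEST = (b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n"
                  b"Range: bytes=0-99,100-199\r\n\r\n")
FLOOD_REQUEST = (b"GET /index.html HTTP/1.1\r\nHost: example.test\r\nRange: bytes="
                 + b",".join(b"%d-%d" % (i, i + 1) for i in range(60)) + b"\r\n\r\n")
# Same flood string placed in the body instead of the headers: must not match.
BODY_ONLY_REQUEST = (b"POST /upload HTTP/1.1\r\nHost: example.test\r\n\r\nRange: bytes="
                     + b",".join(b"%d-%d" % (i, i + 1) for i in range(60)))

if __name__ == "__main__":
    for label, req in (("normal", NORMAL_REQUEST), ("flood", FLOOD_REQUEST),
                       ("body-only", BODY_ONLY_REQUEST)):
        print(label, count_byte_ranges(split_headers(req)), matches_rule(req))
```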



  • 16.  RE: SEP 11: How does Symantec rate exploit/vulnerability before adding it to SEP IPS?

    Posted Mar 12, 2012 10:29 PM

    Anyone?

    It would be helpful as an example of Snort conversion to SEP custom IPS.



  • 17.  RE: SEP 11: How does Symantec rate exploit/vulnerability before adding it to SEP IPS?

    Broadcom Employee
    Posted Mar 13, 2012 12:24 AM


  • 18.  RE: SEP 11: How does Symantec rate exploit/vulnerability before adding it to SEP IPS?

    Posted Mar 13, 2012 05:50 AM

    I'm having a headache converting this Snort rule to SEP custom IPS...

    The lack of documentation is really making it hard.

    Any future plan to release more info about SEP custom IPS? I've re-checked the SEP manual... so far I did not find any example.



  • 19.  RE: SEP 11: How does Symantec rate exploit/vulnerability before adding it to SEP IPS?

    Posted Mar 14, 2012 09:52 PM

    Anybody got a good paper about packet capture/IPS analysis?

    I've found a few but still need suggestions from fellow Symantec users...