Summary

In some environments a high number of file Read or NFS Lookup operations that match blocklist patterns can generate a large number of unnecessary alerts or blocks. This can happen, for example, in a development environment where the "ls" command or an application reads files with restricted extensions.

In this situation it is desirable to stop evaluating READ and NFS_LOOKUP operations against blocklist patterns.
This is normally done on the CryptoSpike->Clusters -> svmName screen by unchecking the corresponding operations: the "Read" checkbox and the "Lookup" checkbox.
However, these operations are required by the behavioral pattern filters such as "Generic Ransomware (replace)" and "Generic Ransomware (overwrite)", so they cannot simply be unchecked.

The procedure below keeps READ and NFS_LOOKUP monitored (so the behavioral patterns still work) while preventing them from generating alerts or blocks through blocklist patterns.


Step-by-Step

  1. Create a new Filter Category (e.g. "RD-LOOKUP-Removed") that includes every operation except SMB_RD, NFS_RD and NFS_LOOKUP (CryptoSpike->Filters->Filters Categories).

    1. Copy the operation list of "BLOCK_ALL":

SMB_CREAT,SMB_OPEN,SMB_CLOSE,SMB_DEL,SMB_REN,SMB_GET_ATTR,SMB_SET_ATTR,SMB_RD,SMB_WR,NFS_OPEN,NFS_CLOSE,NFS_CREAT,NFS_DEL,NFS_REN,NFS_GET_ATTR,NFS_SET_ATTR,NFS_RD,NFS_WR,NFS_SYM_LNK,NFS_LNK,NFS_LOOKUP

    2. Create "RD-LOOKUP-Removed" with the same list minus SMB_RD, NFS_RD and NFS_LOOKUP:

SMB_CREAT,SMB_OPEN,SMB_CLOSE,SMB_DEL,SMB_REN,SMB_GET_ATTR,SMB_SET_ATTR,SMB_WR,NFS_OPEN,NFS_CLOSE,NFS_CREAT,NFS_DEL,NFS_REN,NFS_GET_ATTR,NFS_SET_ATTR,NFS_WR,NFS_SYM_LNK,NFS_LNK

  2. At this time the Filter Category of existing filters cannot be mass-changed in the GUI, so it has to be done with an SQL statement:
    1. Connect to the CryptoSpike server via SSH
    2. mysql cryprospikectl
    3. update PL_FILTER set FILTER_CATEGORY=6, FILTER_CATEGORY_NAME='RD-LOOKUP-Removed' where FILTER_CATEGORY=1;

Note: a default installation has 5 Filter Categories, and "BLOCK_ALL" is FILTER_CATEGORY=1. The new category (here "RD-LOOKUP-Removed") gets the next available number, FILTER_CATEGORY=6. Verify the number assigned to your new category before running the update; if it differs, use that number instead of 6.

You can check the result by running:
select FILTER_CATEGORY_NAME,FILTER_CATEGORY,count(*) from PL_FILTER group by FILTER_CATEGORY,FILTER_CATEGORY_NAME;

This displays the number of filters per Name/Category; "BLOCK_ALL" should now have no filters and "RD-LOOKUP-Removed" should hold all of the filters that were previously under it.
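The same category change as an added example (not part of the original article), run inside a transaction so the before/after counts can be inspected before anything is committed. It assumes MySQL with transactional tables, that "BLOCK_ALL" is category 1 and that the new category received id 6; confirm the id in CryptoSpike->Filters->Filters Categories first.

```sql
-- Added example, not from the original article.
-- Assumption: BLOCK_ALL is FILTER_CATEGORY=1 and the new category got id 6.
SET @old_cat  := 1;
SET @new_cat  := 6;
SET @new_name := 'RD-LOOKUP-Removed';

-- Sanity check: if filters already exist under the new id with another name,
-- the id assumption is wrong and the UPDATE below must not be run.
SELECT COUNT(*) AS conflicting_filters
FROM PL_FILTER
WHERE FILTER_CATEGORY = @new_cat
  AND FILTER_CATEGORY_NAME <> @new_name;

START TRANSACTION;

-- Before: number of filters per category
SELECT FILTER_CATEGORY, FILTER_CATEGORY_NAME, COUNT(*) AS filters
FROM PL_FILTER
GROUP BY FILTER_CATEGORY, FILTER_CATEGORY_NAME;

-- Move every BLOCK_ALL filter to the new category
UPDATE PL_FILTER
SET FILTER_CATEGORY = @new_cat,
    FILTER_CATEGORY_NAME = @new_name
WHERE FILTER_CATEGORY = @old_cat;

-- Must equal the BLOCK_ALL count from the "before" result set
SELECT ROW_COUNT() AS moved_filters;

-- After: category 1 should be empty, category 6 should hold the moved filters
SELECT FILTER_CATEGORY, FILTER_CATEGORY_NAME, COUNT(*) AS filters
FROM PL_FILTER
GROUP BY FILTER_CATEGORY, FILTER_CATEGORY_NAME;

-- Keep the change only if the counts match; otherwise ROLLBACK instead.
COMMIT;
```

If the tables use a non-transactional engine, START TRANSACTION has no effect and the UPDATE is applied immediately, so run the sanity check and the "before" query on their own first.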

  3. Re-enable Read and Lookup monitoring on the SVM (CryptoSpike->Clusters -> svmName):
    1. At the SVM level select the "Inherit from parent" option
    2. Click every Child button (for Volumes: CIFS, CIFS audit, NFS; for Shares: CIFS). This sets up inheritance from the SVM parent to the child Volumes and Shares.
    3. Click "Save": this propagates the "Inherit from parent" option to the child Volumes and Shares.
    4. On the same screen, select "Blocklist" (instead of "Inherited from parent")
    5. Check the "Read" and "Lookup" checkboxes again in the "Monitor Operation" section of this SVM
    6. Click "Save" to propagate the new setting to the child Volumes and Shares, BUT WITHOUT CLICKING AGAIN ON THE CHILDREN BUTTONS


With this setup READs and LOOKUPs are monitored again for the SVM, so the existing behavioral patterns trigger normally. However, file filter blocking (blocklist/passlist) will not evaluate READs and LOOKUPs, because the "RD-LOOKUP-Removed" Filter Category does not include these operations.