[Snort-sigs] sql.rules name clashes / unneeded offsets

Chris Green cmg at ...26...
Fri Feb 1 10:37:43 EST 2002


Most/All(?) of the MS-SQL rules have a SMB variant and a TCP/1433
variant.

I propose changing them to:

"MS-SQL/SMB xp_cmdshell - program execution"
"MS-SQL/1433 xp_cmdshell - program execution"

since the signatures are really a lil bit different.

Also, all of the signatures -> $SQL_SERVERS have an offset of 8.  This
is indicative of the typical query but I'm not convinced that MS-SQL
actually cares what the packet looks like and it's just a TCP stream so
the attack in the below packet could really be spread across two
smaller packets and evade the rules.

I don't have any "testable" MS-SQL servers so I can't validate this.
I only catch them as they fly by exploited.

xxx.xxx.xxx.xxx:1531 -> xxx.xxx.xxx.xxx:1433
TCP TTL:117 TOS:0x0 ID:42620 IpLen:20 DgmLen:178 DF
***AP*** Seq: 0x14D7AF05  Ack: 0xFD8B3747  Win: 0x42DC  TcpLen: 20
01 01 00 8A 00 00 01 00 78 00 70 00 5F 00 63 00  ........x.p._.c.
6D 00 64 00 73 00 68 00 65 00 6C 00 6C 00 20 00  m.d.s.h.e.l.l. .
27 00 6E 00 65 00 74 00 20 00 6C 00 6F 00 63 00  '.n.e.t. .l.o.c.
61 00 6C 00 67 00 72 00 6F 00 75 00 70 00 20 00  a.l.g.r.o.u.p. .
61 00 64 00 6D 00 69 00 6E 00 69 00 73 00 74 00  a.d.m.i.n.i.s.t.
72 00 61 00 74 00 6F 00 72 00 73 00 20 00 73 00  r.a.t.o.r.s. .s.
71 00 6C 00 61 00 67 00 65 00 6E 00 74 00 63 00  q.l.a.g.e.n.t.c.
6D 00 64 00 65 00 78 00 65 00 63 00 20 00 2F 00  m.d.e.x.e.c. ./.
61 00 64 00 64 00 20 00 27 00                    a.d.d. .'.


-- 
Chris Green <cmg at ...26...>
Eschew obfuscation.
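An added illustration of the offset/stream-splitting concern raised above (this is example code, not part of the original post or of the Snort rule set): the hex dump is decoded back into its 8-byte TDS header and UTF-16LE query, and a Snort-style `offset:8` content match is evaluated once per packet and once on the reassembled stream. The header length and the split points are assumptions chosen for the demonstration.

```python
# Reconstructed from the hex dump in the post: 8-byte TDS header followed by
# the query text encoded as UTF-16LE (one byte of text, one zero byte).
DUMP = """
01 01 00 8A 00 00 01 00 78 00 70 00 5F 00 63 00
6D 00 64 00 73 00 68 00 65 00 6C 00 6C 00 20 00
27 00 6E 00 65 00 74 00 20 00 6C 00 6F 00 63 00
61 00 6C 00 67 00 72 00 6F 00 75 00 70 00 20 00
61 00 64 00 6D 00 69 00 6E 00 69 00 73 00 74 00
72 00 61 00 74 00 6F 00 72 00 73 00 20 00 73 00
71 00 6C 00 61 00 67 00 65 00 6E 00 74 00 63 00
6D 00 64 00 65 00 78 00 65 00 63 00 20 00 2F 00
61 00 64 00 64 00 20 00 27 00
"""
PAYLOAD = bytes.fromhex(DUMP)

TDS_HEADER_LEN = 8                              # assumption: fixed 8-byte header
PATTERN = "xp_cmdshell".encode("utf-16-le")     # the content the rule looks for

def tds_query(payload: bytes) -> str:
    """Decode the query text that follows the TDS header."""
    return payload[TDS_HEADER_LEN:].decode("utf-16-le")

def rule_matches(data: bytes, offset: int) -> bool:
    """Content match with Snort offset:N semantics: the pattern must begin
    at or after byte N of the data being inspected."""
    return data.find(PATTERN, offset) != -1

def segment(payload: bytes, cuts) -> list:
    """Cut one payload into consecutive TCP segments at the given byte positions."""
    bounds = [0, *cuts, len(payload)]
    return [payload[a:b] for a, b in zip(bounds, bounds[1:])]

def per_packet_detect(segments, offset: int = 8) -> bool:
    """Inspect each segment on its own, as a rule without stream reassembly would."""
    return any(rule_matches(s, offset) for s in segments)

def reassembled_detect(segments, offset: int = 8) -> bool:
    """Inspect the reassembled stream, so the offset is relative to the stream start."""
    return rule_matches(b"".join(segments), offset)

if __name__ == "__main__":
    print(tds_query(PAYLOAD))
    # [] = the packet as captured; [14] = split inside the pattern;
    # [8] = split right after the header, so the pattern lands at byte 0.
    for cuts in ([], [14], [8]):
        segs = segment(PAYLOAD, cuts)
        print(cuts, "per-packet:", per_packet_detect(segs),
              "reassembled:", reassembled_detect(segs))
```

Only the unsplit packet trips the per-packet check; both split variants are caught only once the segments are reassembled, which is the case for inspecting the stream rather than anchoring on a single packet.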
