[Snort-sigs] Problems with "NETBIOS nimda .eml", sid: 1293, rev: 2

Coochey, Giles g.coochey at ...138...
Sun Feb 3 08:31:29 EST 2002


Hi All,

I've noticed that there are some problems with the standard rule:

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS nimda .eml";
content:"|00|E|00|M|00|L"; flags:A+; classtype:bad-unknown;
reference:url,www.datafellows.com/v-descs/nimda.shtml; sid:1293; rev:2;)

Firstly, this rule does not seem to get triggered if both of the hosts
participating in the TCP connection are Windows 2000 based. If one of the
machines is NT based then it does get triggered.

I also notice that this rule gets triggered by NT4 machines if they are
being searched by a command such as:

dir /s \\system\c$\*.eml

By looking at actual events and false positives I would like to edit the
rule to exclude alerts if the following string appears:

|00 3C 00 2E 00 45 00 4D 00 4C 00| ==> ".>...E.M.L"

As this is the string produced by SMB2 when the DOS command above is run.

I've tried something of the order:

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS nimda .eml";
content:"|00|E|00|M|00|L"; content:!"|00 3C 2E 00 45 00 4D 00 4C 00|";
flags:A+; classtype:bad-unknown;
reference:url,www.datafellows.com/v-descs/nimda.shtml; sid:1293; rev:2;)

but without success?

Does anyone have any suggestions?

I've heard about pass rules, but have never used them as yet and I believe I
have to edit the logging order to implement it.

Your advice is appreciated.

Giles
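To see why a negated content option has to be byte-exact, here is an added Python emulation of how Snort ANDs the content and !content options of a rule (simplified: whole payload searched, no offset/depth). It is not code from the post or from Snort; the payload fragments are constructed from the byte string quoted in the post, not real captures, and the "missing one 00 byte" variant is included only to show the effect of a single dropped byte in the negated pattern.

```python
"""Emulate Snort content / !content evaluation for sid:1293 on constructed SMB data."""


def content_bytes(spec: str) -> bytes:
    """Turn a Snort content string such as '|00|E|00|M|00|L' into raw bytes.
    Text between '|' pairs is hex (spaces allowed); text outside is literal."""
    out = bytearray()
    for i, part in enumerate(spec.split("|")):
        out += bytes.fromhex(part) if i % 2 else part.encode("latin-1")
    return bytes(out)


def rule_fires(payload: bytes, contents: list[tuple[str, bool]]) -> bool:
    """A rule fires only when every content is present and every !content is absent."""
    for spec, negated in contents:
        present = content_bytes(spec) in payload
        if present == negated:  # required pattern missing, or excluded pattern found
            return False
    return True


# Rule variants as (content spec, negated?) lists.
ORIGINAL = [("|00|E|00|M|00|L", False)]
MISSING_BYTE = ORIGINAL + [("|00 3C 2E 00 45 00 4D 00 4C 00|", True)]  # one 00 short
EXACT = ORIGINAL + [("|00 3C 00 2E 00 45 00 4D 00 4C 00|", True)]  # bytes from the post

# Constructed payload fragments (assumption: SMB carries names as UTF-16LE, and the
# post reports that `dir /s ...\*.eml` arrives as the "<.EML" wildcard form).
DIR_SEARCH = "\\<.EML".encode("utf-16-le")  # benign directory listing
EML_NAME = "MESSAGE.EML".encode("utf-16-le")  # a constructed .eml filename


def evaluate() -> dict[str, bool]:
    """Which rule variant fires on which constructed payload."""
    return {
        "original/dir": rule_fires(DIR_SEARCH, ORIGINAL),  # false positive
        "missing/dir": rule_fires(DIR_SEARCH, MISSING_BYTE),  # still fires
        "exact/dir": rule_fires(DIR_SEARCH, EXACT),  # suppressed
        "exact/eml": rule_fires(EML_NAME, EXACT),  # real .eml name still caught
    }


if __name__ == "__main__":
    for name, fires in evaluate().items():
        print(f"{name:13s} fires={fires}")
```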
