[Snort-sigs] SMB Login Failure

Brian bmc at ...95...
Fri Jun 6 06:56:05 EDT 2003

On Thu, Jun 05, 2003 at 01:24:02PM -0400, Andy Wood wrote:
> 	The Cisco IDSs do a good job of detecting internal attacks, one
> being SMB Login Failures.  This rule is nice for detecting servers that have
> misconfigured services, not to mention someone trying to brute force.  There
> is no snort rule that detects SMB failures that I have seen.  I have
> captured a failure, but am not able to tell if I have constructed the best
> rule. Can anyone offer any suggestions?  My doubt comes with the Offset and
> Depth section, as I'm not quite sure how to determine byte positions within
> the Hex patterns.  (The rule does work with both being set to 1) Thanks.
> 	Attached is the cap in TCPDUMP format.  Packet 33 is the server's
> failure response.
> alert tcp any 139 -> any any (msg:"SMB Login Failure - Port 139";
> flow:to_client,established; content:"|6d 00 00 c0|"; offset: 1; depth 1; sid
> 3000004; rev:1;)
> RULE-LOCKED:alert tcp any 445 -> any any (msg:"SMB Login Failure - Port
> 445"; flow:to_client,established; content:"|6d 00 00 c0|"; offset: 1; depth
> 1; sid 3000005; rev:1;)

That was a good idea for a rule, but it needs a bit of help.

1) Its smb.  lets make sure there is an SMB header ("|FF|SMB").
2) since this is a response to the Session Setup command, add the
   command id ("|73|").
3) After we have all of that put together, we need better offset &
   depth.  This payload we are looking for is 4 bytes from the
   begining of the packet, and is 9 bytes long.

So we put all of that together, and we have:

   alert tcp any 445 -> any any (msg:"SMB Login Failure"; \
      flow:from_server,established; content:"|FF|SMB|73 6d 00 00 c0|"; \
      offset:4; depth:9;)

Thanks for the idea, a rule like this will show up in snort soon.


More information about the Snort-sigs mailing list