[Snort-sigs] SMB Login Failure
bmc at ...95...
Fri Jun 6 06:56:05 EDT 2003
On Thu, Jun 05, 2003 at 01:24:02PM -0400, Andy Wood wrote:
> The Cisco IDSs do a good job of detecting internal attacks, one
> being SMB Login Failures. This rule is nice for detecting servers that have
> misconfigured services, not to mention someone trying to brute force. There
> is no snort rule that detects SMB failures that I have seen. I have
> captured a failure, but am not able to tell if I have constructed the best
> rule. Can anyone offer any suggestions? My doubt comes with the Offset and
> Depth section, as I'm not quite sure how to determine byte positions within
> the Hex patterns. (The rule does work with both being set to 1) Thanks.
> Attached is the cap in TCPDUMP format. Packet 33 is the server's
> failure response.
> alert tcp any 139 -> any any (msg:"SMB Login Failure - Port 139"; flow:to_client,established; content:"|6d 00 00 c0|"; offset:1; depth:1; sid:3000004; rev:1;)
> alert tcp any 445 -> any any (msg:"SMB Login Failure - Port 445"; flow:to_client,established; content:"|6d 00 00 c0|"; offset:1; depth:1; sid:3000005; rev:1;)
That was a good idea for a rule, but it needs a bit of help.
1) It's SMB. Let's make sure there is an SMB header ("|FF|SMB").
2) Since this is a response to the Session Setup command, add the
command id ("|73|").
3) After we have all of that put together, we need a better offset &
depth. The payload we are looking for is 4 bytes from the
beginning of the packet, and is 9 bytes long.
So we put all of that together, and we have:
alert tcp any 445 -> any any (msg:"SMB Login Failure"; \
flow:from_server,established; content:"|FF|SMB|73 6d 00 00 c0|"; \
offset:4; depth:9;)
Thanks for the idea, a rule like this will show up in snort soon.
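To show where the 9-byte pattern sits and why offset 4 / depth 9 is the right window, here is an added Python example that is not part of the list thread. It builds a constructed Session Setup AndX reply (4-byte NetBIOS session header followed by a 32-byte SMB1 header carrying STATUS_LOGON_FAILURE) and applies the corrected rule's content/offset/depth check to it; the packet builder and the emulation of Snort's matching window are this example's own assumptions.

```python
import struct

# SMB1 header values used by the rule. NT status 0xC000006D (STATUS_LOGON_FAILURE)
# is little-endian on the wire, hence |6d 00 00 c0| in the rule.
NT_STATUS_LOGON_FAILURE = 0xC000006D
SMB_COM_SESSION_SETUP_ANDX = 0x73
SMB_COM_TREE_CONNECT_ANDX = 0x75   # used only as a negative sample below


def build_smb_response(command: int, nt_status: int) -> bytes:
    """Constructed sample: a 32-byte SMB1 header (reply flag set, empty body)
    behind the 4-byte NetBIOS Session Service header used on TCP/139 and TCP/445."""
    smb = b"\xffSMB"                                   # packet bytes 4..7
    smb += struct.pack("<B", command)                  # byte 8: command
    smb += struct.pack("<I", nt_status)                # bytes 9..12: NT status
    smb += struct.pack("<B", 0x80)                     # flags: this is a reply
    smb += struct.pack("<H", 0xC001)                   # flags2: unicode, NT status codes
    smb += b"\x00" * 12                                # PIDHigh, SecurityFeatures, Reserved
    smb += struct.pack("<HHHH", 0, 0xFFFF, 0xFEFF, 0)  # TID, PID, UID, MID
    smb += b"\x00\x00\x00"                             # WordCount=0, ByteCount=0
    nbss = b"\x00" + len(smb).to_bytes(3, "big")       # session message, 3-byte length
    return nbss + smb


def content_matches(payload: bytes, content: bytes, offset: int, depth: int) -> bool:
    """Emulate Snort's content/offset/depth: the pattern must lie entirely
    inside the window payload[offset : offset + depth] (assumption of this example)."""
    return content in payload[offset:offset + depth]


# The 9-byte pattern of the corrected rule: |FF|SMB|73 6d 00 00 c0|
RULE_CONTENT = (b"\xffSMB" + bytes([SMB_COM_SESSION_SETUP_ANDX])
                + struct.pack("<I", NT_STATUS_LOGON_FAILURE))


def is_smb_logon_failure(payload: bytes) -> bool:
    """Detection logic of the corrected rule: offset 4, depth 9."""
    return content_matches(payload, RULE_CONTENT, offset=4, depth=9)


if __name__ == "__main__":
    pkt = build_smb_response(SMB_COM_SESSION_SETUP_ANDX, NT_STATUS_LOGON_FAILURE)
    print(pkt[4:13].hex(" "))          # the bytes the rule inspects
    print(is_smb_logon_failure(pkt))   # logon failure reply is detected
```

A successful Session Setup reply (status 0) or a logon failure on a different command (such as Tree Connect AndX) does not match, which is what including the command byte buys over matching |6d 00 00 c0| alone.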