[Snort-sigs] False positive: NETBIOS DCERPC ISystemActivator bind attempt

Aaron Ferguson a.ferguson at ...1976...
Tue Oct 21 06:01:18 EDT 2003


We have noticed that PCs running Corning Intellisuite seem to be generating
packets which trigger the "NETBIOS DCERPC ISystemActivator bind attempt"
rule when they try to check out a licence from our server. There's no sign
of Blaster (or variants) infection on the machines (and the matching packets
are only targeted at our license server and are very few in number -
whereas a "real" Blaster attack generates large amounts of traffic to lots
of hosts).

The rule says:

alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"NETBIOS DCERPC
ISystemActivator bind attempt"; flow:to_server,established; content:"|05|";
distance:0; within:1; content:"|0b|"; distance:1; within:1;
byte_test:1,&,1,0,relative; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00
00 00 46|"; distance:29; within:16; reference:cve,CAN-2003-0352;
classtype:attempted-admin; sid:2192; rev:1;)

Snort catches the following packet from an Intellisuite client (to our
license server):

[**] NETBIOS DCERPC ISystemActivator bind attempt [**]
10/21-09:32:16.153448 X.X.X.X:4677 -> X.X.X.X:135
TCP TTL:127 TOS:0x0 ID:43616 IpLen:20 DgmLen:112 DF
***AP*** Seq: 0xB1C2EE96  Ack: 0x8EF65DE5  Win: 0xFFFF  TcpLen: 20
05 00 0B 03 10 00 00 00 48 00 00 00 5A 00 00 00  ........H...Z...
D0 16 D0 16 00 00 00 00 01 00 00 00 01 00 01 00  ................
A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00 46  ...............F
00 00 00 00 04 5D 88 8A EB 1C C9 11 9F E8 08 00  .....]..........
2B 10 48 60 02 00 00 00                          +.H`....

Looking at "real" Blaster packets the only difference I can see is that byte
12 (5A above) always seems to be 7F.

Anyone else seen this?


----------------------------------------------------------------------------
Aaron Ferguson
Computer Manager
Department of Electronic and Electrical Engineering
University of Strathclyde
204 George Street
Glasgow G1 1XW
UK

Tel: +44 (0) 141 548 2076
Fax: +44 (0) 141 552 2487
Email: a.ferguson at ...1976...
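To see why sid:2192 fires on this traffic, it helps to decode the hex dump as a DCERPC bind PDU and replay the rule's content checks against it. The Python below is an added example for this thread, not code from the original post or from Snort; it decodes the fixed bind header and the first presentation context element (DCE RPC C706 layout, little-endian data representation as signalled by the 0x10 in byte 4), then re-implements the rule's four matching conditions as plain offset checks. The function and field names are my own.

```python
import struct
import uuid

# Payload bytes exactly as printed in the post's hex dump (the Intellisuite bind PDU).
INTELLISUITE_BIND_HEX = """
05 00 0B 03 10 00 00 00 48 00 00 00 5A 00 00 00
D0 16 D0 16 00 00 00 00 01 00 00 00 01 00 01 00
A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00 46
00 00 00 00 04 5D 88 8A EB 1C C9 11 9F E8 08 00
2B 10 48 60 02 00 00 00
"""

# Interface UUID the rule's 16-byte content string encodes (ISystemActivator).
ISYSTEMACTIVATOR = uuid.UUID("000001a0-0000-0000-c000-000000000046")
PTYPE_BIND = 0x0B
PFC_FIRST_FRAG = 0x01


def hexdump_to_bytes(dump: str) -> bytes:
    """Turn the whitespace-separated hex columns of a Snort dump into bytes."""
    return bytes.fromhex("".join(dump.split()))


def parse_bind(payload: bytes) -> dict:
    """Decode a connection-oriented DCERPC bind PDU with one context element.

    Offsets follow the C706 common header (16 bytes) followed by the bind-specific
    fields. Integers are read little-endian, which is what a data representation
    byte of 0x10 announces; other representations are rejected rather than guessed.
    """
    if len(payload) < 72:
        raise ValueError("payload too short for a bind PDU with one context element")
    ver_major, ver_minor, ptype, pfc_flags = struct.unpack_from("<4B", payload, 0)
    if payload[4] & 0xF0 != 0x10:
        raise ValueError("only little-endian data representation is handled here")
    frag_len, auth_len, call_id = struct.unpack_from("<HHI", payload, 8)
    max_xmit, max_recv, assoc_group = struct.unpack_from("<HHI", payload, 16)
    n_ctx = payload[24]                      # three reserved bytes follow
    ctx_id, n_transfer = struct.unpack_from("<HB", payload, 28)
    return {
        "version": (ver_major, ver_minor),
        "ptype": ptype,
        "pfc_flags": pfc_flags,
        "frag_len": frag_len,
        "auth_len": auth_len,
        "call_id": call_id,
        "max_xmit_frag": max_xmit,
        "max_recv_frag": max_recv,
        "assoc_group": assoc_group,
        "n_context_elem": n_ctx,
        "context_id": ctx_id,
        "n_transfer_syntaxes": n_transfer,
        # DCE UUIDs are wire-encoded with the first three fields little-endian.
        "abstract_syntax": uuid.UUID(bytes_le=payload[32:48]),
        "abstract_version": struct.unpack_from("<I", payload, 48)[0],
        "transfer_syntax": uuid.UUID(bytes_le=payload[52:68]),
        "transfer_version": struct.unpack_from("<I", payload, 68)[0],
    }


def rule_2192_matches(payload: bytes) -> bool:
    """Replay the content checks of sid:2192 rev:1 as quoted in the post.

    Snort's cursor sits just after each matched content; distance/within are
    relative to it, so the checks reduce to fixed offsets in the payload.
    """
    if len(payload) < 48:
        return False
    if payload[0] != 0x05:                   # content:"|05|"; distance:0; within:1
        return False
    if payload[2] != PTYPE_BIND:             # content:"|0b|"; distance:1; within:1
        return False
    if not payload[3] & PFC_FIRST_FRAG:      # byte_test:1,&,1,0,relative
        return False
    # Cursor is at offset 3 after "|0b|"; distance:29 lands on offset 32 and
    # within:16 confines the match to exactly the abstract-syntax UUID field.
    return payload[32:48] == ISYSTEMACTIVATOR.bytes_le


if __name__ == "__main__":
    pdu = hexdump_to_bytes(INTELLISUITE_BIND_HEX)
    fields = parse_bind(pdu)
    for name, value in fields.items():
        print(f"{name:22} {value}")
    print("sid:2192 matches:", rule_2192_matches(pdu))
```

Decoding shows the dump is a well-formed bind to ISystemActivator: version 5.0, packet type 0x0B, first and last fragment flags set, fragment length 72 (the full dump), one context element, NDR transfer syntax version 2. Byte 12, the one the post notes differs between this client and Blaster traffic, is the low byte of the 32-bit call_id, and none of the rule's four conditions look at it; the rule is keyed entirely on "bind, first fragment, ISystemActivator", which is exactly what a legitimate DCOM client sends too. Tuning therefore has to come from context (source host list, event thresholds, or the later request stage) rather than from this bind-stage signature.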
