[Snort-sigs] false negative on sig 688

Steven Bairstow sab139 at ...715...
Wed Aug 11 12:18:54 EDT 2004


This is rather ugly to read, but it will match both the regular ASCII and unicode versions of the login failure message.


alert tcp $SQL_SERVERS 1433 -> any any (msg:"MS-SQL sa login failed"; flow:from_server,established; pcre:"/\x00?L\x00?o\x00?g\x00?i\x00?n\x00? \x00?f\x00?a\x00?i\x00?l\x00?e\x00?d\x00? \x00?f\x00?o\x00?r\x00? \x00?u\x00?s\x00?e\x00?r\x00? \x00?\x27\x00?s\x00?a\x00?\x27/"; classtype:unsuccessful-user; reference:cve,CAN-2000-1209; reference:bugtraq,4797; reference:nessus,10673; sid:9000688; rev:10;)


At 5:56 PM -0400 8/9/04, Steven Bairstow wrote:
>MS-SQL server looks to be able to respond with either regular text or Unicode when sending a login failed message.  I found packets like the one below after noticing reports on BlackICE that were not on Snort.
>
>
>=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
>
>08/09/04-17:27:06.386413 0:2:B3:C7:9:1 -> 0:5:85:23:28:25 type:0x800 len:0x8C
>146.186.xxx.xxx:1433 -> 64.119.xxx.xxx:18919 TCP TTL:128 TOS:0x0 ID:54776 IpLen:20 DgmLen:126 DF
>***AP**F Seq: 0x4095A151  Ack: 0x8026CBAB  Win: 0xFF4B  TcpLen: 20
>04 01 00 56 00 00 01 00 AA 42 00 18 48 00 00 01  ...V.....B..H...
>0E 1B 00 4C 00 6F 00 67 00 69 00 6E 00 20 00 66  ...L.o.g.i.n. .f
>00 61 00 69 00 6C 00 65 00 64 00 20 00 66 00 6F  .a.i.l.e.d. .f.o
>00 72 00 20 00 75 00 73 00 65 00 72 00 20 00 27  .r. .u.s.e.r. .'
>00 73 00 61 00 27 00 2E 00 00 00 00 00 FD 02 00  .s.a.'..........
>00 00 00 00 00 00                                ......
>
>=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
>

-- 


Steven Bairstow
Computer and Network Services - Abington College - Penn State University
http://www.personal.psu.edu/~sab139              PGP Key ID = 0x0C81E13C


"No trees were killed in the creation of this message.
However, many electrons were terribly inconvenienced."
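The following is an added example, not part of the original post: a byte-oriented Python re-implementation of the rule's PCRE, exercised against the TCP payload from the quoted hex dump (the UCS-2 case) and a constructed plain-ASCII variant of the same error message. It shows why each `\x00?` is there: the optional null lets one pattern cover both encodings, and stripping the nulls from the match recovers the human-readable message.

```python
import re

# Same pattern as the rule's pcre option, applied to raw bytes. Each "\x00?"
# tolerates the interleaved null byte that the UCS-2LE encoding inserts
# between characters, so plain ASCII and Unicode payloads both match.
LOGIN_FAILED_RE = re.compile(
    rb"\x00?L\x00?o\x00?g\x00?i\x00?n\x00? \x00?f\x00?a\x00?i\x00?l\x00?e\x00?d\x00? "
    rb"\x00?f\x00?o\x00?r\x00? \x00?u\x00?s\x00?e\x00?r\x00? \x00?'\x00?s\x00?a\x00?'"
)

# TCP payload taken from the hex dump in the quoted message (TDS error token
# AA, error 18456, followed by the UCS-2LE message text).
UNICODE_PAYLOAD = bytes.fromhex(
    "04 01 00 56 00 00 01 00 AA 42 00 18 48 00 00 01 "
    "0E 1B 00 4C 00 6F 00 67 00 69 00 6E 00 20 00 66 "
    "00 61 00 69 00 6C 00 65 00 64 00 20 00 66 00 6F "
    "00 72 00 20 00 75 00 73 00 65 00 72 00 20 00 27 "
    "00 73 00 61 00 27 00 2E 00 00 00 00 00 FD 02 00 "
    "00 00 00 00 00 00"
)

# Constructed sample: the same message in plain ASCII, as the post says the
# server can also send it. Header bytes are made up for illustration only.
ASCII_PAYLOAD = b"\x04\x01\x00\x2d\x00\x00\x01\x00" b"Login failed for user 'sa'."

# Constructed sample that must NOT fire: a failed login for some other account.
OTHER_USER_PAYLOAD = "Login failed for user 'admin'.".encode("utf-16-le")


def matches_sa_login_failure(payload: bytes) -> bool:
    """Return True when the payload carries the sa login-failure message."""
    return LOGIN_FAILED_RE.search(payload) is not None


def matched_text(payload: bytes):
    """Return the matched message with UCS-2 padding nulls removed, or None."""
    m = LOGIN_FAILED_RE.search(payload)
    if m is None:
        return None
    return m.group(0).replace(b"\x00", b"").decode("ascii")


if __name__ == "__main__":
    for name, payload in [("unicode", UNICODE_PAYLOAD),
                          ("ascii", ASCII_PAYLOAD),
                          ("other user", OTHER_USER_PAYLOAD)]:
        print(f"{name:10s} match={matches_sa_login_failure(payload)} "
              f"text={matched_text(payload)!r}")
```

Running it shows both the dumped Unicode packet and the ASCII variant matching, with the same recovered text, while a failure for a different user is left alone. Note that the optional nulls also accept mixed forms that a real server would never send; that is harmless for a rule restricted to traffic from $SQL_SERVERS port 1433, but it is the reason the pattern is broader than a literal string match.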



