[Snort-sigs] False positive C$ - signatures 2470, 2472, 2471 and 533

erik at ...835...
Wed Jul 14 13:13:08 EDT 2004


Hi,

There seems to be a "bug" in the Snort rulebase regarding signatures
matching IPC$ and C$ share access. The signatures which are supposed to
alert on IPC$ access are overlapping the signatures regarding C$.

This causes the following problem:
Events matching sid:537:11 also match sid:533:8 (false positive)
Events matching sid:2465:3 also match sid:2471:3 (false positive)
Events matching sid:538:10 also match sid:2470:3 (false positive)
Events matching sid:2466:3 also match sid:2472:3 (false positive)

(I assume that this was not the original intention)

I've done some changes to my local copy of the signatures to 
eliminate these false positives. What I've done is to add a negated
expression, which matches the corresponding IPC$ signature.

I'm not sure if this is the most efficient way of correcting the problem, 
but it seems to work. I've tested that my versions of SID:2472 and 
SID:2470 do in fact detect C$ access and that they don't alert on 
IPC$ access. I'm not sure if I'm causing any more false positives with 
these changes, but I do know that one false positive is eliminated.

I have not verified the changes done to 2471 and 533, but my guess is 
that they will probably have the same result as the other two changes.

The way I've changed the rules also raises another question, which 
is not clearly answered in the documentation, and I haven't read the 
source. When the preceding expression is negated, how does this affect
the "distance" option? I would guess that the distance is still 
relative to the end of the last match and that the negated match/nomatch 
doesn't affect this?

Below are the new signatures (I've bumped the revision number, but these
changes are not "official" and have had only limited testing):

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB C$ share access"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMBu"; depth:5; offset:4; byte_test:1,<,128,6,relative; content:!"IPC|24 00|"; nocase; content:"C|24 00|"; distance:32; nocase; classtype:protocol-command-decode; sid:533; rev:9;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS C$ share access"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMBu"; depth:5; offset:4; byte_test:1,<,128,6,relative; content:!"IPC|24 00|"; nocase; content:"C|24 00|"; distance:32; nocase; classtype:protocol-command-decode; sid:2471; rev:4;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB C$ share unicode access"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMBu"; depth:5; offset:4; byte_test:1,>,127,6,relative; content:!"I|00|P|00|C|00 24 00 00|"; nocase; content:"C|00 24 00 00|"; distance:32; nocase; classtype:protocol-command-decode; sid:2470; rev:4;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS C$ share unicode access"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMBu"; depth:5; offset:4; byte_test:1,>,127,6,relative; content:!"I|00|P|00|C|00 24 00 00|"; nocase; content:"C|00 24 00 00|"; distance:32; nocase; classtype:protocol-command-decode; sid:2472; rev:4;)


These are the original signatures and their corresponding IPC$ signatures:

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB C$ share access"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMBu"; depth:5; offset:4; byte_test:1,<,128,6,relative; content:"C|24 00|"; distance:32; nocase; classtype:protocol-command-decode; sid:533; rev:8;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB IPC$ share access"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMBu"; depth:5; offset:4; byte_test:1,<,128,6,relative; content:"IPC|24 00|"; distance:32; nocase; classtype:protocol-command-decode; sid:537; rev:11;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS C$ share access"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMBu"; depth:5; offset:4; byte_test:1,<,128,6,relative; content:"C|24 00|"; distance:32; nocase; classtype:protocol-command-decode; sid:2471; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS IPC$ share access"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMBu"; depth:5; offset:4; byte_test:1,<,128,6,relative; content:"IPC|24 00|"; distance:32; nocase; classtype:protocol-command-decode; sid:2465; rev:3;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB C$ share unicode access"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMBu"; depth:5; offset:4; byte_test:1,>,127,6,relative; content:"C|00 24 00 00|"; distance:32; nocase; classtype:protocol-command-decode; sid:2470; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB IPC$ share unicode access"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMBu"; depth:5; offset:4; byte_test:1,>,127,6,relative; content:"I|00|P|00|C|00 24 00 00|"; distance:32; nocase; classtype:protocol-command-decode; sid:538; rev:10;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS C$ share unicode access"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMBu"; depth:5; offset:4; byte_test:1,>,127,6,relative; content:"C|00 24 00 00|"; distance:32; nocase; classtype:protocol-command-decode; sid:2472; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS IPC$ share unicode access"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMBu"; depth:5; offset:4; byte_test:1,>,127,6,relative; content:"I|00|P|00|C|00 24 00 00|"; distance:32; nocase; classtype:protocol-command-decode; sid:2466; rev:3;)


/erik
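Added illustration (not part of Erik's post, and not Snort code): a small Python model of the content checks in the rules above, run over constructed TreeConnectAndX-style payloads. It shows why the original C$ rules fire on IPC$ connects (the pattern "C|24 00|" is a suffix of "IPC|24 00|", and likewise for the Unicode patterns) and that the negated content in the revised rules suppresses that case. The cursor semantics are an assumption: "distance" is modelled as counted from the end of the last positive content match, with byte_test and a negated non-relative content leaving the cursor where it was. Check that against the Snort manual for your version before relying on it; the payload layout is simplified and only the fields the rules inspect are faithful.

```python
"""Model of the C$ / IPC$ rule overlap discussed in the post.

Added example; payloads are constructed, not captured traffic, and the
matching logic is a simplified model of Snort's content/distance/nocase
semantics (assumption: distance is relative to the end of the last
positive content match; byte_test and negated content do not move it).
"""

SMB_HEADER_LEN = 32       # 0xFF 'S' 'M' 'B' ... through the TID/PID/UID/MID
FLAGS2_HI_UNICODE = 0x80  # high byte of flags2; bit set => Unicode strings


def build_tree_connect(share: str, unicode: bool) -> bytes:
    """Constructed TreeConnectAndX request (command 0x75 == 'u').

    Offsets the rules depend on: NetBIOS type byte at 0, SMB marker at
    4..8, flags2 high byte at 15, path field starting at 48.
    """
    path = "\\\\FILESRV\\" + share            # constructed server name
    if unicode:
        path_bytes = path.encode("utf-16-le") + b"\x00\x00"
        flags2_hi = FLAGS2_HI_UNICODE
    else:
        path_bytes = path.encode("ascii") + b"\x00"
        flags2_hi = 0x00
    hdr = bytearray(SMB_HEADER_LEN)
    hdr[0:5] = b"\xffSMBu"                   # marker + TreeConnectAndX
    hdr[11] = flags2_hi                      # lands at payload offset 15
    words = b"\xff\x00\x00\x00\x00\x00\x01\x00"  # AndX none, flags, pw len
    password = b"\x00"
    service = b"?????\x00"
    data = password + path_bytes + service
    body = (bytes(hdr) + bytes([4]) + words
            + len(data).to_bytes(2, "little") + data)
    netbios = b"\x00" + len(body).to_bytes(3, "big")
    return netbios + body


def rule_matches(payload: bytes, unicode: bool, exclude_ipc: bool) -> bool:
    """Evaluate the C$ rule (ASCII or Unicode flavour) against a payload.

    exclude_ipc=False models the original rules (rev 3 / rev 8);
    exclude_ipc=True adds the negated content from the revised rules.
    """
    # content:"|00|"; depth:1
    if payload[:1] != b"\x00":
        return False
    # content:"|FF|SMBu"; depth:5; offset:4
    if payload[4:9] != b"\xffSMBu":
        return False
    cursor = 9  # end of the last positive content match (assumption)
    # byte_test:1,<,128,6,relative  (ASCII)  /  byte_test:1,>,127,6,relative (Unicode)
    flags2_hi = payload[cursor + 6]
    if unicode != (flags2_hi > 127):
        return False
    if unicode:
        ipc_pat = b"I\x00P\x00C\x00\x24\x00\x00"   # content:"I|00|P|00|C|00 24 00 00|"
        c_pat = b"C\x00\x24\x00\x00"               # content:"C|00 24 00 00|"
    else:
        ipc_pat = b"IPC\x24\x00"                   # content:"IPC|24 00|"
        c_pat = b"C\x24\x00"                       # content:"C|24 00|"
    # content:!"...IPC$..."; nocase  -- non-relative, whole payload
    if exclude_ipc and ipc_pat.lower() in payload.lower():
        return False
    # content:"...C$..."; distance:32; nocase  -- search from cursor + 32
    return c_pat.lower() in payload[cursor + 32:].lower()


def evaluate(share: str, unicode: bool) -> dict:
    """Return the verdict of the original and the revised rule for a share."""
    payload = build_tree_connect(share, unicode)
    return {
        "original": rule_matches(payload, unicode, exclude_ipc=False),
        "revised": rule_matches(payload, unicode, exclude_ipc=True),
    }


if __name__ == "__main__":
    for share in ("C$", "IPC$", "MUSIC$"):
        for uni in (False, True):
            print(f"{share:6} unicode={uni!s:5} {evaluate(share, uni)}")
```

Running it shows the overlap the post reports: an IPC$ tree connect satisfies both the original ASCII and Unicode C$ rules, and the negated content removes that match while C$ connects still fire. The model also shows a limitation that the negation does not address: any share name ending in "C" (the constructed MUSIC$ above) still matches "C|24 00|", since the pattern is not anchored to the start of the share name.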



