[Snort-sigs] False positive C$ - signatures 2470, 2472, 2471 and 533

sekure sekure at ...2420...
Wed Jul 14 18:02:30 EDT 2004


That's not all:

1113 and 1002 often get triggered together,
2050 and 2003 also get triggered together.

I sent an email to snort-users list on Jun 14th about this issue and
then followed up a few days later.  Nobody was interested so I dropped
it.

On Tue, 13 Jul 2004 21:36:16 +0200, erik at ...835... <erik at ...835...> wrote:
> 
> Hi,
> 
> There seems to be a "bug" in the Snort rulebase regarding signatures
> matching IPC$ and C$ share access. The signatures which are supposed to
> alert on ipc$ access are overlapping the signatures regarding c$.
> 
> This causes the following problem:
> Events matching sid:537:11 also match sid:533:8 (false positive)
> Events matching sid:2465:3 also match sid:2471:3 (false positive)
> Events matching sid:538:10 also match sid:2470:3 (false positive)
> Events matching sid:2466:3 also match sid:2472:3 (false positive)
> 
> (I assume that this was not the original intention)
> 
> I've done some changes to my local copy of the signatures to
> eliminate these false positives. What I've done is to add a negated
> expression, which matches the corresponding IPC$ signature.
> 
> I'm not sure if this is the most efficient way of correcting the problem,
> but it seems to work. I've tested that my versions of SID:2472 and
> SID:2470 do in fact detect C$ access and that they don't alert on
> IPC$ access. I'm not sure if I'm causing any more false positives with
> these changes, but I do know that one false positive is eliminated.
> 
> I have not verified the changes done to 2471 and 533, but my guess is
> that they will probably have the same result as the other two changes.
> 
> The way I've changed the rules also raises another question, which
> is not clearly answered in the documentation, and I haven't read the
> source. When the preceding expression is negated, how does this affect
> the "distance" option? I would guess that the distance is still
> relative to the end of the last match and that the negated match/nomatch
> doesn't affect this?
> 
> Below are the new signatures (I've bumped the revision number, but these
> changes are not "official" and have had only limited testing):
> 
> alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB C$ share access"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMBu"; depth:5; offset:4; byte_test:1,<,128,6,relative; content:!"IPC|24 00|"; nocase; content:"C|24 00|"; distance:32; nocase; classtype:protocol-command-decode; sid:533; rev:9;)
> 
> alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS C$ share access"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMBu"; depth:5; offset:4; byte_test:1,<,128,6,relative; content:!"IPC|24 00|"; nocase; content:"C|24 00|"; distance:32; nocase; classtype:protocol-command-decode; sid:2471; rev:4;)
> 
> alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB C$ share unicode access"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMBu"; depth:5; offset:4; byte_test:1,>,127,6,relative; content:!"I|00|P|00|C|00 24 00 00|"; nocase; content:"C|00 24 00 00|"; distance:32; nocase; classtype:protocol-command-decode; sid:2470; rev:4;)
> 
> alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS C$ share unicode access"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMBu"; depth:5; offset:4; byte_test:1,>,127,6,relative; content:!"I|00|P|00|C|00 24 00 00|"; nocase; content:"C|00 24 00 00|"; distance:32; nocase; classtype:protocol-command-decode; sid:2472; rev:4;)
> 
> These are the original signatures and their corresponding IPC$ signatures:
> 
> alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB C$ share access"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMBu"; depth:5; offset:4; byte_test:1,<,128,6,relative; content:"C|24 00|"; distance:32; nocase; classtype:protocol-command-decode; sid:533; rev:8;)
> alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB IPC$ share access"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMBu"; depth:5; offset:4; byte_test:1,<,128,6,relative; content:"IPC|24 00|"; distance:32; nocase; classtype:protocol-command-decode; sid:537; rev:11;)
> 
> alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS C$ share access"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMBu"; depth:5; offset:4; byte_test:1,<,128,6,relative; content:"C|24 00|"; distance:32; nocase; classtype:protocol-command-decode; sid:2471; rev:3;)
> alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS IPC$ share access"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMBu"; depth:5; offset:4; byte_test:1,<,128,6,relative; content:"IPC|24 00|"; distance:32; nocase; classtype:protocol-command-decode; sid:2465; rev:3;)
> 
> alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB C$ share unicode access"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMBu"; depth:5; offset:4; byte_test:1,>,127,6,relative; content:"C|00 24 00 00|"; distance:32; nocase; classtype:protocol-command-decode; sid:2470; rev:3;)
> alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB IPC$ share unicode access"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMBu"; depth:5; offset:4; byte_test:1,>,127,6,relative; content:"I|00|P|00|C|00 24 00 00|"; distance:32; nocase; classtype:protocol-command-decode; sid:538; rev:10;)
> 
> alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS C$ share unicode access"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMBu"; depth:5; offset:4; byte_test:1,>,127,6,relative; content:"C|00 24 00 00|"; distance:32; nocase; classtype:protocol-command-decode; sid:2472; rev:3;)
> alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS IPC$ share unicode access"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMBu"; depth:5; offset:4; byte_test:1,>,127,6,relative; content:"I|00|P|00|C|00 24 00 00|"; distance:32; nocase; classtype:protocol-command-decode; sid:2466; rev:3;)
> 
> /erik
> 
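The overlap erik describes can be reproduced offline. The following Python is an added example, not code from either poster or from the Snort project: it builds constructed SMB Tree Connect AndX requests for `\\SERVER\C$` and `\\SERVER\IPC$` (ASCII and Unicode), then walks the `content`/`byte_test` chain of sid 533/2471 and 2470/2472 the way Snort evaluates it, in both the original form and erik's negated revision. It assumes, since the thread leaves the question open, that a negated `content` which passes does not move the relative-match cursor; the SMB layout and the `tree_connect`, `matches`, `c_share_rule` and `alerts` helpers are this example's own.

```python
import operator

def tree_connect(share: bytes, unicode: bool) -> bytes:
    """Constructed NetBIOS session + SMB Tree Connect AndX (0x75) request."""
    flags2 = b"\x01\x80" if unicode else b"\x01\x00"       # 0x8000 = Unicode strings
    hdr = b"\xffSMB\x75" + b"\x00" * 4 + b"\x18" + flags2 + b"\x00" * 20   # 32-byte header
    path = b"\\\\SERVER\\" + share + b"\x00"
    if unicode:
        path = path.decode().encode("utf-16-le")
    data = b"\x00" + path + b"?????\x00"                   # password, path, service
    body = b"\x04\xff\x00\x00\x00\x00\x00\x01\x00" + len(data).to_bytes(2, "little") + data
    smb = hdr + body
    return b"\x00" + len(smb).to_bytes(3, "big") + smb    # NetBIOS session message

OPS = {"<": operator.lt, ">": operator.gt}

def matches(rule: list, payload: bytes) -> bool:
    """Walk (option, args) pairs like Snort's detection chain; `cursor` is the end
    of the last positive content match. ASSUMPTION (the thread leaves it open):
    a negated content that passes leaves the cursor untouched."""
    cursor = 0
    for opt, arg in rule:
        if opt == "content":
            pat = arg["pat"].lower() if arg.get("nocase") else arg["pat"]
            hay = payload.lower() if arg.get("nocase") else payload
            if "distance" in arg:                          # relative to the cursor
                start, end = cursor + arg["distance"], len(hay)
            else:                                          # absolute offset/depth
                start = arg.get("offset", 0)
                end = start + arg["depth"] if "depth" in arg else len(hay)
            pos = hay.find(pat, start, end)
            if arg.get("neg"):
                if pos != -1:
                    return False
            elif pos == -1:
                return False
            else:
                cursor = pos + len(pat)
        else:                                              # byte_test, relative
            size, op, value, off = arg
            val = int.from_bytes(payload[cursor + off:cursor + off + size], "big")
            if not OPS[op](val, value):
                return False
    return True

HDR = [("content", {"pat": b"\x00", "depth": 1}),
       ("content", {"pat": b"\xffSMBu", "offset": 4, "depth": 5})]

def c_share_rule(unicode: bool, negate_ipc: bool) -> list:
    """sid 533/2471 (ascii) or 2470/2472 (unicode); negate_ipc=True is erik's revision."""
    if unicode:
        bt, ipc, cs = (1, ">", 127, 6), b"I\x00P\x00C\x00$\x00\x00", b"C\x00$\x00\x00"
    else:
        bt, ipc, cs = (1, "<", 128, 6), b"IPC$\x00", b"C$\x00"
    neg = [("content", {"pat": ipc, "neg": True, "nocase": True})] if negate_ipc else []
    return HDR + [("byte_test", bt)] + neg + [("content", {"pat": cs, "distance": 32, "nocase": True})]

def alerts(share: bytes, unicode: bool, negate_ipc: bool) -> bool:
    """True when the chosen C$ rule fires on a tree connect to `share`."""
    return matches(c_share_rule(unicode, negate_ipc), tree_connect(share, unicode))
```

Run `alerts(b"IPC$", False, False)` to see the original ASCII rule fire on an IPC$ connect (the `C$\0` bytes sit inside `IPC$\0` past distance 32), and `alerts(b"IPC$", False, True)` to see the negated revision stay quiet while `alerts(b"C$", False, True)` still fires.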