[Snort-sigs] False positive C$ - signatures 2470, 2472, 2471 and 533

Matthew Watchinski mwatchinski at ...435...
Fri Jul 16 16:36:03 EDT 2004


 From looking at sid 1113, 1002, 2050, and 2003 it doesn't look like 
this is an overlap issue.  Do you have a pcap that creates this 
behavior?  I'd assume that in most situations 1113 and 1002 will go off 
on the same attack as cmd.exe and ../ kind of go together.  This is 
normal attack behavior.  However, 2050 and 2003 look to be pretty 
different, if you have pcap of this I'd like to see it.

Thanks
-matt

sekure wrote:

>That's not all:
>
>1113 and 1002 often get triggered together,
>2050 and 2003 also get triggered together.
>
>I sent an email to snort-users list on Jun 14th about this issue and
>then followed up a few days later.  Nobody was interested so I dropped
>it.
>
>On Tue, 13 Jul 2004 21:36:16 +0200, erik at ...835... <erik at ...835...> wrote:
>  
>
>>Hi,
>>
>>There seems to be a "bug" in the Snort rulebase regarding signatures
>>matching IPC$ and C$ share access. The signatures which are supposed to
>>alert on IPC$ access are overlapping the signatures regarding C$.
>>
>>This causes the following problem:
>>Events matching sid:537:11 also match sid:533:8 (false positive)
>>Events matching sid:2465:3 also match sid:2471:3 (false positive)
>>Events matching sid:538:10 also match sid:2470:3 (false positive)
>>Events matching sid:2466:3 also match sid:2472:3 (false positive)
>>
>>(I assume that this was not the original intention)
>>
>>I've done some changes to my local copy of the signatures to
>>eliminate these false positives. What I've done is to add a negated
>>expression, which matches the corresponding IPC$ signature.
>>
>>I'm not sure if this is the most efficient way of correcting the problem,
>>but it seems to work. I've tested that my version of SID:2472 and
>>SID:2470 does in fact detect C$ access and that they don't alert on
>>IPC$ access. I'm not sure if I'm causing any more false positives with
>>these changes, but I do know that one false positive is eliminated.
>>
>>I have not verified the changes done to 2471 and 533, but my guess is
>>that they will probably have the same result as the other two changes.
>>
>>The way I've changed the rules also raises another question, which
>>is not clearly answered in the documentation, and I haven't read the
>>source. When the preceding expression is negated, how does this affect
>>the "distance" option? I would guess that the distance is still
>>relative to the end of the last match and that the negated match/nomatch
>>doesn't affect this?
>>
>>Below are new signatures (I've bumped the revision number, but these
>>changes are not "official" and have had only limited testing):
>>
>>alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB C$ share access"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMBu"; depth:5; offset:4; byte_test:1,<,128,6,relative; content:!"IPC|24 00|"; nocase; content:"C|24 00|"; distance:32; nocase; classtype:protocol-command-decode; sid:533; rev:9;)
>>
>>alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS C$ share access"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMBu"; depth:5; offset:4; byte_test:1,<,128,6,relative; content:!"IPC|24 00|"; nocase; content:"C|24 00|"; distance:32; nocase; classtype:protocol-command-decode; sid:2471; rev:4;)
>>
>>alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB C$ share unicode access"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMBu"; depth:5; offset:4; byte_test:1,>,127,6,relative; content:!"I|00|P|00|C|00 24 00 00|"; nocase; content:"C|00 24 00 00|"; distance:32; nocase; classtype:protocol-command-decode; sid:2470; rev:4;)
>>
>>alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS C$ share unicode access"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMBu"; depth:5; offset:4; byte_test:1,>,127,6,relative; content:!"I|00|P|00|C|00 24 00 00|"; nocase; content:"C|00 24 00 00|"; distance:32; nocase; classtype:protocol-command-decode; sid:2472; rev:4;)
>>
>>These are the original signatures and their corresponding IPC$ signatures:
>>
>>alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB C$ share access"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMBu"; depth:5; offset:4; byte_test:1,<,128,6,relative; content:"C|24 00|"; distance:32; nocase; classtype:protocol-command-decode; sid:533; rev:8;)
>>alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB IPC$ share access"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMBu"; depth:5; offset:4; byte_test:1,<,128,6,relative; content:"IPC|24 00|"; distance:32; nocase; classtype:protocol-command-decode; sid:537; rev:11;)
>>
>>alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS C$ share access"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMBu"; depth:5; offset:4; byte_test:1,<,128,6,relative; content:"C|24 00|"; distance:32; nocase; classtype:protocol-command-decode; sid:2471; rev:3;)
>>alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS IPC$ share access"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMBu"; depth:5; offset:4; byte_test:1,<,128,6,relative; content:"IPC|24 00|"; distance:32; nocase; classtype:protocol-command-decode; sid:2465; rev:3;)
>>
>>alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB C$ share unicode access"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMBu"; depth:5; offset:4; byte_test:1,>,127,6,relative; content:"C|00 24 00 00|"; distance:32; nocase; classtype:protocol-command-decode; sid:2470; rev:3;)
>>alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB IPC$ share unicode access"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMBu"; depth:5; offset:4; byte_test:1,>,127,6,relative; content:"I|00|P|00|C|00 24 00 00|"; distance:32; nocase; classtype:protocol-command-decode; sid:538; rev:10;)
>>
>>alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS C$ share unicode access"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMBu"; depth:5; offset:4; byte_test:1,>,127,6,relative; content:"C|00 24 00 00|"; distance:32; nocase; classtype:protocol-command-decode; sid:2472; rev:3;)
>>alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS IPC$ share unicode access"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMBu"; depth:5; offset:4; byte_test:1,>,127,6,relative; content:"I|00|P|00|C|00 24 00 00|"; distance:32; nocase; classtype:protocol-command-decode; sid:2466; rev:3;)
>>
>>/erik
>>
>>_______________________________________________
>>Snort-sigs mailing list
>>Snort-sigs at lists.sourceforge.net
>>https://lists.sourceforge.net/lists/listinfo/snort-sigs
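The overlap erik describes comes down to one fact: the C$ pattern ("C|24 00|", or "C|00 24 00 00|" in Unicode) is a suffix of the IPC$ pattern, so the content search for C$ lands inside every IPC$ share name as well. The following Python script is an added example, not part of the thread and not Snort code: it builds constructed SMB_COM_TREE_CONNECT_ANDX requests (no capture from the thread is available) for IPC$, C$ and, as a control, D$ in both ASCII and Unicode, then applies the header checks, byte_test and content/distance logic of the original rev 3/8 rules and of erik's negated rev 4/9 variants to them. The packet builder, the share names and the SERVER name are assumptions for illustration. The model also encodes erik's guess about cursor handling as an explicit assumption: a negated content that finds nothing is treated as leaving the detection cursor at the end of the |FF|SMBu match, so distance:32 still counts from offset 9; only running the rules in Snort against a pcap can confirm that.

```python
"""Model of the Snort C$/IPC$ share rules from the thread (SIDs 533/537,
2470/538, 2471/2465, 2472/2466) run over constructed SMB payloads.
Added example: neither Snort code nor a capture from the thread."""
import struct

SMB_COM_TREE_CONNECT_ANDX = 0x75   # the "u" in content:"|FF|SMBu"
SMB_FLAGS2_UNICODE = 0x8000        # its high byte is what byte_test inspects


def tree_connect_andx(share_path, unicode, password=b"\x00"):
    """Constructed NetBIOS-framed SMB_COM_TREE_CONNECT_ANDX request (not a
    capture). With the 4-byte NetBIOS header the SMB header spans offsets
    4..35: |FF|SMB at 4, command at 8, Flags2 high byte at 15. The one-byte
    password keeps the Unicode path on a 2-byte boundary (offset 48)."""
    flags2 = SMB_FLAGS2_UNICODE if unicode else 0x0000
    header = (b"\xffSMB" + bytes([SMB_COM_TREE_CONNECT_ANDX])
              + b"\x00" * 4                       # Status
              + b"\x18"                           # Flags
              + struct.pack("<H", flags2)         # Flags2, little-endian
              + b"\x00" * 12                      # PIDHigh, SecurityFeatures, Reserved
              + struct.pack("<HHHH", 0, 0xFEFF, 0, 1))  # TID, PID, UID, MID
    if unicode:
        path = share_path.encode("utf-16-le") + b"\x00\x00"
    else:
        path = share_path.encode("ascii") + b"\x00"
    data = password + path + b"?????\x00"          # Service string is always ASCII
    # WordCount=4: AndXCommand, AndXReserved, AndXOffset, Flags, PasswordLength
    words = bytes([4, 0xFF, 0x00]) + struct.pack("<HHH", 0, 0, len(password))
    body = header + words + struct.pack("<H", len(data)) + data
    return b"\x00" + struct.pack(">I", len(body))[1:] + body  # NetBIOS session msg


def _smb_header_checks(p, unicode):
    """content:"|00|"; depth:1; content:"|FF|SMBu"; depth:5; offset:4;
    byte_test:1,<,128,6,relative (ASCII rules) or byte_test:1,>,127,6,relative
    (Unicode rules). Returns the detection cursor (end of the last positive
    content match) or None if any check fails."""
    if p[:1] != b"\x00" or p[4:9] != b"\xffSMBu":
        return None
    cursor = 9                        # end of the |FF|SMBu match
    flags2_hi = p[cursor + 6]         # offset 15: high byte of Flags2
    if unicode and not flags2_hi > 127:
        return None
    if not unicode and not flags2_hi < 128:
        return None
    return cursor                     # byte_test does not move the cursor


def _share_needles(unicode):
    """(IPC$ pattern, C$ pattern) as the rules spell them."""
    if unicode:
        return b"I\x00P\x00C\x00$\x00\x00", b"C\x00$\x00\x00"
    return b"IPC$\x00", b"C$\x00"


def original_c_share_rule(p, unicode):
    """SID 533 rev 8 / 2471 rev 3 (ASCII) or 2470/2472 rev 3 (Unicode):
    the C$ pattern searched nocase from distance:32 past the header match."""
    cursor = _smb_header_checks(p, unicode)
    if cursor is None:
        return False
    _, c_share = _share_needles(unicode)
    return p.lower().find(c_share.lower(), cursor + 32) != -1


def negated_c_share_rule(p, unicode):
    """erik's rev 9 / rev 4 variant with content:!"IPC|24 00|"; nocase; first.
    The negated content carries no offset/distance, so it is an absolute
    search over the whole payload. ASSUMPTION (erik's guess in the thread):
    a negated content that finds nothing leaves the cursor at offset 9."""
    cursor = _smb_header_checks(p, unicode)
    if cursor is None:
        return False
    ipc_share, c_share = _share_needles(unicode)
    if ipc_share.lower() in p.lower():
        return False
    return p.lower().find(c_share.lower(), cursor + 32) != -1


def overlap_matrix():
    """Both rule variants over IPC$, C$ and D$ tree connects in both encodings.
    Returns {(share, "ascii"|"unicode"): (original_fires, negated_fires)}."""
    results = {}
    for share in ("IPC$", "C$", "D$"):
        for unicode in (False, True):
            pkt = tree_connect_andx("\\\\SERVER\\" + share, unicode)  # SERVER is made up
            key = (share, "unicode" if unicode else "ascii")
            results[key] = (original_c_share_rule(pkt, unicode),
                            negated_c_share_rule(pkt, unicode))
    return results


if __name__ == "__main__":
    # b"IPC$\x00".endswith(b"C$\x00") is the whole bug: the C$ pattern is a
    # suffix of the IPC$ pattern, so every IPC$ hit is also a C$ hit.
    for (share, enc), (orig, fixed) in overlap_matrix().items():
        print(f"{share:5s} {enc:8s} original={orig!s:5s} negated={fixed}")
```

Running it shows the original C$ rules firing on the IPC$ tree connect in both encodings, the negated variants firing on C$ only, and neither variant firing on D$. The model cannot settle erik's question about distance after a negated content; that is a property of Snort's detection engine, and the pcap Matt asks for, replayed through Snort with both rule revisions loaded, is the way to check it.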
