[Snort-sigs] False positive C$ - signatures 2470, 2472, 2471 and 533

sekure sekure at ...2420...
Mon Jul 19 06:27:09 EDT 2004


Matt,

2050 is the MS02-023 MySQL overflow, and 2003 is a worm trying to take
advantage of the vulnerability.  So one is just more generic than the
other.  If you still want to see the pcap, contact me off the list.

On Fri, 16 Jul 2004 19:35:38 -0400, Matthew Watchinski
<mwatchinski at ...435...> wrote:
> From looking at sid 1113, 1002, 2050, and 2003 it doesn't look like
> this is an overlap issue.  Do you have a pcap that creates this
> behavior?  I'd assume that in most situations 1113 and 1002 will go off
> on the same attack as cmd.exe and ../ kind of go together.  This is
> normal attack behavior.  However, 2050 and 2003 look to be pretty
> different, if you have pcap of this I'd like to see it.
> 
> Thanks
> -matt
> 
> 
> 
> sekure wrote:
> 
> >That's not all:
> >
> >1113 and 1002 often get triggered together,
> >2050 and 2003 also get triggered together.
> >
> >I sent an email to snort-users list on Jun 14th about this issue and
> >then followed up a few days later.  Nobody was interested so I dropped
> >it.
> >
> >On Tue, 13 Jul 2004 21:36:16 +0200, erik at ...835... <erik at ...835...> wrote:
> >
> >
> >>Hi,
> >>
> >>There seems to be a "bug" in the Snort rulebase regarding signatures
> >>matching IPC$ and C$ share access. The signatures which are supposed to
> >>alert on IPC$ access are overlapping the signatures regarding C$.
> >>
> >>This causes the following problem:
> >>Events matching sid:537:11 also matches sid:533:8 (false positive)
> >>Events matching sid:2465:3 also matches sid:2471:3 (false positive)
> >>Events matching sid:538:10 also matches sid:2470:3 (false positive)
> >>Events matching sid:2466:3 also matches sid:2472:3 (false positive)
> >>
> >>(I assume that this was not the original intention)
> >>
> >>I've done some changes to my local copy of the signatures to
> >>eliminate these false positives. What I've done is to add a negated
> >>expression, which matches the corresponding IPC$ signature.
> >>
> >>I'm not sure if this is the most efficient way of correcting the problem,
> >>but it seems to work. I've tested that my version of SID:2472 and
> >>SID:2470 do in fact detect C$ access and that they don't alert on
> >>IPC$ access. I'm not sure if I'm causing any more false positives with
> >>these changes, but I do know that one false positive is eliminated.
> >>
> >>I have not verified the changes done to 2471 and 533, but my guess is
> >>that they will probably have the same result as the other two changes.
> >>
> >>The way I've changed the rules also raises another question, which
> >>is not clearly answered in the documentation and I haven't read the
> >>source. When the preceding expression is negated, how does this affect
> >>the "distance" option? I would guess that the distance is still
> >>relative to the end of the last match and that the negated match/nomatch
> >>doesn't affect this?
> >>
> >>Below are the new signatures (I've bumped the revision number, but these
> >>changes are not "official" and have only been tested to a limited extent):
> >>
> >>alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB C$ share access"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMBu"; depth:5; offset:4; byte_test:1,<,128,6,relative; content:!"IPC|24 00|"; nocase; content:"C|24 00|"; distance:32; nocase; classtype:protocol-command-decode; sid:533; rev:9;)
> >>
> >>alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS C$ share access"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMBu"; depth:5; offset:4; byte_test:1,<,128,6,relative; content:!"IPC|24 00|"; nocase; content:"C|24 00|"; distance:32; nocase; classtype:protocol-command-decode; sid:2471; rev:4;)
> >>
> >>alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB C$ share unicode access"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMBu"; depth:5; offset:4; byte_test:1,>,127,6,relative; content:!"I|00|P|00|C|00 24 00 00|"; nocase; content:"C|00 24 00 00|"; distance:32; nocase; classtype:protocol-command-decode; sid:2470; rev:4;)
> >>
> >>alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS C$ share unicode access"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMBu"; depth:5; offset:4; byte_test:1,>,127,6,relative; content:!"I|00|P|00|C|00 24 00 00|"; nocase; content:"C|00 24 00 00|"; distance:32; nocase; classtype:protocol-command-decode; sid:2472; rev:4;)
> >>
> >>These are the original signatures and their corresponding IPC$ signatures:
> >>
> >>alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB C$ share access"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMBu"; depth:5; offset:4; byte_test:1,<,128,6,relative; content:"C|24 00|"; distance:32; nocase; classtype:protocol-command-decode; sid:533; rev:8;)
> >>alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB IPC$ share access"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMBu"; depth:5; offset:4; byte_test:1,<,128,6,relative; content:"IPC|24 00|"; distance:32; nocase; classtype:protocol-command-decode; sid:537; rev:11;)
> >>
> >>alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS C$ share access"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMBu"; depth:5; offset:4; byte_test:1,<,128,6,relative; content:"C|24 00|"; distance:32; nocase; classtype:protocol-command-decode; sid:2471; rev:3;)
> >>alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS IPC$ share access"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMBu"; depth:5; offset:4; byte_test:1,<,128,6,relative; content:"IPC|24 00|"; distance:32; nocase; classtype:protocol-command-decode; sid:2465; rev:3;)
> >>
> >>alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB C$ share unicode access"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMBu"; depth:5; offset:4; byte_test:1,>,127,6,relative; content:"C|00 24 00 00|"; distance:32; nocase; classtype:protocol-command-decode; sid:2470; rev:3;)
> >>alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB IPC$ share unicode access"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMBu"; depth:5; offset:4; byte_test:1,>,127,6,relative; content:"I|00|P|00|C|00 24 00 00|"; distance:32; nocase; classtype:protocol-command-decode; sid:538; rev:10;)
> >>
> >>alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS C$ share unicode access"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMBu"; depth:5; offset:4; byte_test:1,>,127,6,relative; content:"C|00 24 00 00|"; distance:32; nocase; classtype:protocol-command-decode; sid:2472; rev:3;)
> >>alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS IPC$ share unicode access"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMBu"; depth:5; offset:4; byte_test:1,>,127,6,relative; content:"I|00|P|00|C|00 24 00 00|"; distance:32; nocase; classtype:protocol-command-decode; sid:2466; rev:3;)
> >>
> >>/erik
> >>
> >>_______________________________________________
> >>Snort-sigs mailing list
> >>Snort-sigs at lists.sourceforge.net
> >>https://lists.sourceforge.net/lists/listinfo/snort-sigs
> 
>
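Added example, not from the thread or from the Snort project: a small Python model of the payload options these rules use (content with depth/offset, the relative byte_test, erik's negated content, and distance), run over constructed tree-connect-style payloads, to show why the original C$ rules also fire on an IPC$ path and why the negated content stops that. It models the rule logic rather than Snort's matcher, and it assumes, as erik guesses, that a negated content does not move the point that distance is measured from.

```python
# Added example, not from the thread or Snort: a model of the payload options
# these rules use, run over CONSTRUCTED tree-connect-style payloads. Assumption
# (erik's guess, unverified): a negated content does not move the "distance" origin.

def build_payload(share: str, unicode: bool) -> bytes:
    """Constructed payload: NetBIOS type byte 0x00, "\\xffSMBu" at offset 4, the
    high flags2 byte (bit 0x80 = unicode) at offset 15, 32-byte header, 9 bytes
    of stand-in parameters, then the NUL-terminated share path."""
    path = "\\\\SERVER\\" + share + "\0"
    enc = path.encode("utf-16-le") if unicode else path.encode("ascii")
    header = b"\x00\x00\x00\x00\xffSMBu" + b"\x00" * 6 + bytes([0x80 if unicode else 0]) + b"\x00" * 16
    return header + b"\x00" * 9 + enc  # path begins 32 bytes past the end of "SMBu"

# Share patterns exactly as written in the rules' content: options.
PATTERNS = {
    False: (b"IPC$\x00", b"C$\x00"),                         # sids 537/2465 vs 533/2471
    True: (b"I\x00P\x00C\x00$\x00\x00", b"C\x00$\x00\x00"),  # sids 538/2466 vs 2470/2472
}

def find_nocase(payload: bytes, needle: bytes, start: int) -> bool:
    """content ... nocase: case-insensitive search starting at byte `start`."""
    return payload.lower().find(needle.lower(), start) >= 0

def cshare_rule_alerts(payload: bytes, unicode: bool, negate_ipc: bool) -> bool:
    """True when the C$ rule (original if negate_ipc is False, erik's if True) alerts."""
    ipc_pat, c_pat = PATTERNS[unicode]
    # content:"|00|"; depth:1;  and  content:"|FF|SMBu"; depth:5; offset:4;
    if payload[:1] != b"\x00" or payload[4:9] != b"\xffSMBu":
        return False
    cursor = 9  # end of the last positive match; relative options count from here
    # byte_test:1,<,128,6,relative (ascii rules) / byte_test:1,>,127,6,relative (unicode)
    if len(payload) <= cursor + 6 or (payload[cursor + 6] > 127) != unicode:
        return False
    # erik's addition, content:!"IPC|24 00|"; nocase; has no offset/distance, so the
    # whole payload is searched and the rule fails whenever IPC$ is present
    if negate_ipc and find_nocase(payload, ipc_pat, 0):
        return False
    # content:"C|24 00|"; distance:32; nocase;  "C$\0" is a suffix of "IPC$\0": the overlap
    return find_nocase(payload, c_pat, cursor + 32)

def overlap_table() -> dict:
    """(share, unicode) -> (original rule alerts, erik's negated rule alerts)."""
    table = {}
    for unicode in (False, True):
        for share in ("C$", "IPC$"):
            p = build_payload(share, unicode)
            table[(share, unicode)] = (cshare_rule_alerts(p, unicode, False),
                                       cshare_rule_alerts(p, unicode, True))
    return table
```

The table reproduces the four overlaps erik lists: the original rules alert on both shares, the negated rules only on C$.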
