[Snort-sigs] Rules to detect netbios unauthorized access

Joseph Gama josephgama at ...144...
Mon Jul 19 19:44:06 EDT 2004


Hello,

These rules try to detect rogue users, boxes or
domains. The names must be given in their NetBIOS-encoded
form; a small C program that produces that encoding is
included with this email. There is also a little example
of use, because these rules require hardcoded names.

Peace,

Joseph Gama

#Rules to detect unauthorized NETBIOS access (note: several rules below share sid 10085 / 10087; each rule needs its own sid before loading)
#workgroup: WORKGROUP FHEPFCELEHFCEPFFFA
#system workgroup browse: \x01\x02__MSBROWSE__\x02\x01 (16 bytes) ABACFPFPENFDECFCEPFHFDEFFPFPACAB
#user: TESTUSER FEEFFDFEFFFDEFFC
#machine: MYBOX ENFJECEPFI

alert udp any 137 -> any 137 (msg:"Netbios
registration from unauthorized box/user/node";
content:"|28 10|"; depth:2; offset:2;  content:"|00
00|"; depth:2; offset:62;
pcre:!"/..(\x28\x10).{8}(\x20)(FEEFFDFEFFFDEFFC|ENFJECEPFI|FHEPFCELEHFCEPFFFA)(CA)*[A-Z]*(\x00\x00).{15}(\x00\x00)/";
reference:url, www.faqs.org/rfcs/rfc1002.html;
classtype:attempted-user; sid:10085; rev:1;)

alert udp any 137 -> any 137 (msg:"Netbios
registration from unauthorized box/user/node";
content:"|29 10|"; depth:2; offset:2;  content:"|00
00|"; depth:2; offset:62;
pcre:!"/..(\x29\x10).{8}(\x20)(FEEFFDFEFFFDEFFC|ENFJECEPFI|FHEPFCELEHFCEPFFFA)(CA)*[A-Z]*(\x00\x00).{15}(\x00\x00)/";
reference:url, www.faqs.org/rfcs/rfc1002.html;
classtype:attempted-user; sid:10085; rev:1;)

alert udp any 137 -> any 137 (msg:"Netbios
registration from unauthorized workgroup";
content:"|28 10|"; depth:2; offset:2;  content:"|80
00|"; depth:2; offset:62;
pcre:!"/..(\x28\x10).{8}(\x20)(FHEPFCELEHFCEPFFFA|ABACFPFPENFDECFCEPFHFDEFFPFPACAB)(CA)*[A-Z]*(\x00\x00).{15}(\x80\x00)/";
reference:url, www.faqs.org/rfcs/rfc1002.html;
classtype:attempted-user; sid:10085; rev:1;)

alert udp any 137 -> any 137 (msg:"Netbios
registration from unauthorized workgroup";
content:"|29 10|"; depth:2; offset:2;  content:"|80
00|"; depth:2; offset:62;
pcre:!"/..(\x29\x10).{8}(\x20)(FHEPFCELEHFCEPFFFA|ABACFPFPENFDECFCEPFHFDEFFPFPACAB)(CA)*[A-Z]*(\x00\x00).{15}(\x80\x00)/";
reference:url, www.faqs.org/rfcs/rfc1002.html;
classtype:attempted-user; sid:10085; rev:1;)

alert udp any 137 -> any 137 (msg:"Netbios release
from unauthorized box/user/node"; content:"|30 10|";
offset:2; depth:2;  content:"|00 00|"; depth:2;
offset:62;
pcre:!"/..(\x30\x10).{8}(\x20)(FEEFFDFEFFFDEFFC|ENFJECEPFI|FHEPFCELEHFCEPFFFA)(CA)*[A-Z]*(\x00\x00).{15}(\x00\x00)/";
reference:url, www.faqs.org/rfcs/rfc1002.html;
classtype:attempted-user; sid:10085; rev:1;)

alert udp any 137 -> any 137 (msg:"Netbios release
from unauthorized workgroup"; content:"|30 10|";
offset:2;  content:"|80 00|"; depth:2; offset:62;
pcre:!"/..(\x30\x10).{8}(\x20)(FHEPFCELEHFCEPFFFA|ABACFPFPENFDECFCEPFHFDEFFPFPACAB)(CA)*[A-Z]*(\x00\x00).{15}(\x80\x00)/";
reference:url, www.faqs.org/rfcs/rfc1002.html;
classtype:attempted-user; sid:10085; rev:1;)

alert udp any 137 -> any 137 (msg:"Netbios name query
from unauthorized box"; content:"|01 10|"; offset:2;
depth:2;
pcre:!"/..(\x01\x10).{8}(\x20)(FHEPFCELEHFCEPFFFA)(CA)*[A-Z]*(\x00\x00\x20\x00\x01)/";
reference:url, www.faqs.org/rfcs/rfc1002.html;
classtype:attempted-user; sid:10087; rev:1;)

alert udp any 137 -> any 137 (msg:"Netbios name query
response from unauthorized box"; content:"|85 00|";
offset:2; depth:2;
pcre:!"/..(\x85\x00).{8}(\x20)(FHEPFCELEHFCEPFFFA)(CA)*[A-Z]*(\x00\x00\x20\x00\x01)/";
reference:url, www.faqs.org/rfcs/rfc1002.html;
classtype:attempted-user; sid:10087; rev:1;)


C program to encode names:

#include <ctype.h>
#include <stdio.h>
//prints the RFC 1002 first-level encoding of a NetBIOS name
//code written by Joseph Gama 2004
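/*
 * Write the RFC 1002 first-level encoding of the NUL-terminated string
 * `name` into `out`: every input byte b becomes the two letters
 * 'A' + (b >> 4) and 'A' + (b & 0x0F), so "MYBOX" becomes "ENFJECEPFI".
 * Lower-case ASCII letters are folded to upper case before encoding;
 * every other byte (including '_') is encoded unchanged.  No terminator
 * is written.  Encoding stops early if `outlen` would be exceeded.
 *
 * Returns the number of bytes written to `out`.
 */
static size_t encode_netbios_name(const char *name, char *out, size_t outlen)
{
	size_t written = 0;
	for (const char *p = name; *p != '\0' && written + 2 <= outlen; p++) {
		/* Cast before toupper(): plain char may be signed, and
		 * toupper() only touches letters, unlike the old "> 'Z'"
		 * check which also mangled bytes such as '_'. */
		unsigned char b = (unsigned char)toupper((unsigned char)*p);
		out[written++] = (char)('A' + (b >> 4));
		out[written++] = (char)('A' + (b & 0x0F));
	}
	return written;
}

/*
 * Read one NetBIOS name from stdin and print its first-level encoding.
 * Only the typed characters are encoded: the space padding to 15 bytes
 * and the suffix byte are not emitted (the rules above allow for them
 * with "(CA)*" after the name).
 *
 * Returns 0 on success, 1 when no name could be read.
 */
int main(void)
{
	char name[50];
	printf("Netbios name?");
	/* The width limit stops scanf() from writing past the buffer. */
	if (scanf("%49s", name) != 1) {
		return 1;
	}
	/* Two output bytes per input byte; sizeof name is a constant, so
	 * this is a fixed-size array, not a VLA. */
	char encoded[2 * sizeof name];
	size_t len = encode_netbios_name(name, encoded, sizeof encoded);
	fwrite(encoded, 1, len, stdout);
	printf("\n\n");
	return 0;
}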







	
		



