[Snort-sigs] Problem with SID 2514?

larosa, vjay larosa_vjay at ...375...
Fri May 28 08:27:23 EDT 2004


Ok,

Can someone explain to me how this rule would trigger on the payload from
the packets below? If you look at the first packet, I can see the |FF|SMB
match, but in the next 59 bytes after the B there is no |05| found. Maybe I
just do not understand the distance keyword, but this is not matching up to
me.

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS DCERPC
LSASS DsRolerUpgradeDownlevelServer exploit attempt";
flow:to_server,established; flowbits:isset,netbios.lsass.bind.attempt;
content:"|FF|SMB"; depth:4; offset:4; nocase:; content:"|05|"; distance:59;
content:"|00|"; within:1; distance:1; content:"|09 00|"; within:2;
distance:19; reference:cve,CAN-2003-0533;
reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx;
classtype:attempted-admin; sid:2514; rev:5;)

Header cut off
----------------------------------------------------------------
00 00 00 7C FF 53 4D 42 25 00 00 00 00 18 07 C8	...|.SMB%.......
00 00 00 00 00 00 00 00 00 00 00 00 00 08 60 0D	..............`.
00 08 40 3E 10 00 00 28 00 00 00 B8 10 00 00 00	..@>...(........
00 00 00 00 00 00 00 00 00 54 00 28 00 54 00 02	.........T.(.T..
00 26 00 0C 40 39 00 00 5C 00 50 00 49 00 50 00	.&..@9..\.P.I.P.
45 00 5C 00 00 00 00 00 05 00 00 03 10 00 00 00	E.\.............
28 00 00 00 AA 04 00 00 10 00 00 00 00 00 09 00	(...............
02 00 00 00 24 00 00 00 27 00 00 00 00 00 00 00	....$...'.......


vjl

V.Jay LaRosa              EMC Corporation
EMC OneSecure Group       4400 Computer Dr.
(508)898-7433 Office      Westboro, MA 01580
(508)962-1482 Cell        www.emc.com
888-799-9750 Pager        vjl at ...375...

Disclaimer: The information contained in this communication is confidential
and may be legally privileged. It is intended solely for the use of the
individual or entity to whom it is addressed and others authorized to
receive it. If you are not the intended recipient you are hereby notified
that any disclosure, copying, distribution or taking any action in reliance
on the contents of this information is strictly prohibited and may be
unlawful. If you have received this communication in error, please notify us
immediately by replying to the message and deleting it from your computer.
Thank you. 
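One way to see how the content chain of SID 2514 walks the first packet: the block below is an added model of Snort 2.x's offset/depth/distance/within/nocase semantics, not Snort's own matcher and not code from the original post. It assumes the documented reading that distance:N starts the next search N bytes past the end of the previous match and, with no within, searches to the end of the payload; the payload is the first packet quoted above.

```python
"""Model of Snort 2.x content modifiers: offset/depth/distance/within/nocase.
Added illustration; not Snort's matcher and not code from the original post.
offset/depth bound an absolute window [offset, offset+depth). distance starts the
search N bytes past the END of the previous match and, with no within, runs to
the end of the payload; within caps that relative window at N bytes."""

# First packet quoted in the post (TCP payload, NetBIOS session header first).
PACKET1 = bytes.fromhex(
    "00 00 00 7C FF 53 4D 42 25 00 00 00 00 18 07 C8 "
    "00 00 00 00 00 00 00 00 00 00 00 00 00 08 60 0D "
    "00 08 40 3E 10 00 00 28 00 00 00 B8 10 00 00 00 "
    "00 00 00 00 00 00 00 00 00 54 00 28 00 54 00 02 "
    "00 26 00 0C 40 39 00 00 5C 00 50 00 49 00 50 00 "
    "45 00 5C 00 00 00 00 00 05 00 00 03 10 00 00 00 "
    "28 00 00 00 AA 04 00 00 10 00 00 00 00 00 09 00 "
    "02 00 00 00 24 00 00 00 27 00 00 00 00 00 00 00"
)
# Content chain of SID 2514 rev 5 exactly as written in the rule.
SID2514 = [
    {"pat": b"\xffSMB", "offset": 4, "depth": 4, "nocase": True},
    {"pat": b"\x05", "distance": 59},
    {"pat": b"\x00", "distance": 1, "within": 1},
    {"pat": b"\x09\x00", "distance": 19, "within": 2},
]
# Same chain with distance:59 read as "|05| inside the 59 bytes right after SMB".
WINDOW_READING = [SID2514[0], {"pat": b"\x05", "within": 59}] + SID2514[2:]

def find_all(payload, pat, start, length, nocase):
    """Yield end offsets of each occurrence of pat fully inside payload[start:start+length]."""
    hay = payload[start:] if length is None else payload[start:start + length]
    if nocase:
        hay, pat = hay.lower(), pat.lower()
    i = hay.find(pat)
    while i != -1:
        yield start + i + len(pat)
        i = hay.find(pat, i + 1)

def match_contents(payload, contents, idx=0, prev_end=0, trail=()):
    """Backtracking walk of the chain (an earlier content is retried at a later
    position when a following one fails). Returns [(start, end), ...] or None."""
    if idx == len(contents):
        return list(trail)
    c = contents[idx]
    if "distance" in c or "within" in c:      # relative to the previous match end
        start, length = prev_end + c.get("distance", 0), c.get("within")
    else:                                     # absolute, measured from payload[0]
        start, length = c.get("offset", 0), c.get("depth")
    for end in find_all(payload, c["pat"], start, length, c.get("nocase", False)):
        hit = match_contents(payload, contents, idx + 1, end, trail + ((end - len(c["pat"]), end),))
        if hit is not None:
            return hit
    return None
```

Under this model match_contents(PACKET1, SID2514) returns [(4, 8), (88, 89), (90, 91), (110, 112)]: the |05| is found at offset 88, past the 59 skipped bytes, and the |00| and |09 00| land exactly where distance/within put them. The 59-byte-window reading (WINDOW_READING) returns None, which is the difference between distance alone and distance combined with within.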
