[Snort-sigs] Problem with SID 2514?

Matthew Watchinski mwatchinski at ...435...
Fri May 28 11:18:08 EDT 2004


Distance works in the following way:

1. If there is a previous content match, set a pointer.
2. Add the distance value to the pointer and begin looking for the next match.

It does not work by adding the distance value to the pointer and checking if the 
value at that location is exactly at that distance.

Example:
 From below

alert tcp $EXTERNAL_NET any -> $HOME_NET 445
(msg:"NETBIOS SMB-DS DCERPC LSASS DsRolerUpgradeDownlevelServer exploit attempt";
flow:to_server,established;
flowbits:isset,netbios.lsass.bind.attempt;
content:"|FF|SMB"; depth:4; offset:4; nocase:;
content:"|05|"; distance:59;
content:"|00|"; within:1; distance:1;
content:"|09 00|"; within:2; distance:19;
reference:cve,CAN-2003-0533;
reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx;
classtype:attempted-admin; sid:2514; rev:5;)

Check if the flowbit netbios.lsass.bind.attempt is set.

Find "\xFFSMB" at offset 4 from the start of the payload, 4 bytes from that offset.

Start looking for "\x05" 59 bytes from the end of "\xFFSMB".

If I find that, see if the next byte is \x00, 1 byte from that content match.

If I find that, see if \x09\x00 is 19 bytes from there, within 2 bytes of that offset.

..snip

Some snippets from the code:

if(doe_ptr)
{
     /* a previous content matched: doe_ptr points just past the end of
        that match, so the relative search starts from there */
     DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH,
                                 "Using Doe Ptr\n"););

     base_ptr = doe_ptr;
     depth = dlen - ((char *) doe_ptr - data);  /* bytes left to the end of the payload */
}

..snip

if(pmd->distance)
{
     /* set the base pointer up for the distance */
     base_ptr += pmd->distance;   /* skip 'distance' bytes forward; the search begins here */
     depth -= pmd->distance;      /* and the searchable region shrinks by the same amount */
}


So, in simple terms, at the end of this base_ptr is where you are going to 
start searching from, until the end of the packet.

Cheers,
-matt
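As an added illustration (not part of Matt's message and not Snort's own code), the following Python re-implements the chaining of content/offset/depth/distance/within exactly as described above and runs it over the first packet payload quoted in the thread. The function and variable names are mine, the rule options are reduced to a list of dicts, and the payload bytes are copied from the first hex dump below (lower-layer headers cut off, NetBIOS session header included). It also includes the reading of distance that does not apply (checking the single byte exactly 59 bytes past the previous match), to show why that reading fails on this packet while the real semantics match.

```python
"""Minimal model of Snort content matching with offset/depth/distance/within.

Added example for the SID 2514 thread; not the project's code.  Names are
hypothetical.  PACKET_1 is the first packet payload quoted in the thread.
"""

# First packet from the thread (hex dump copied verbatim, 128 bytes).
PACKET_1 = bytes.fromhex(
    "00 00 00 7C FF 53 4D 42 25 00 00 00 00 18 07 C8"
    "00 00 00 00 00 00 00 00 00 00 00 00 00 08 60 0D"
    "00 08 40 3E 10 00 00 28 00 00 00 B8 10 00 00 00"
    "00 00 00 00 00 00 00 00 00 54 00 28 00 54 00 02"
    "00 26 00 0C 40 39 00 00 5C 00 50 00 49 00 50 00"
    "45 00 5C 00 00 00 00 00 05 00 00 03 10 00 00 00"
    "28 00 00 00 AA 04 00 00 10 00 00 00 00 00 09 00"
    "02 00 00 00 24 00 00 00 27 00 00 00 00 00 00 00"
)

# The four content options of SID 2514, in rule order.  offset/depth are
# measured from the start of the payload; distance/within are measured from
# the end of the previous content match.
SID_2514_CONTENTS = [
    {"pattern": b"\xffSMB", "offset": 4, "depth": 4, "nocase": True},
    {"pattern": b"\x05", "distance": 59},
    {"pattern": b"\x00", "distance": 1, "within": 1},
    {"pattern": b"\x09\x00", "distance": 19, "within": 2},
]


def find_content(payload, pattern, start, depth=None, nocase=False):
    """Search payload[start:start+depth] (the whole remainder if depth is
    None) for pattern.  Returns the index just past the match, or None."""
    if start < 0 or start > len(payload):
        return None
    hay = payload[start:] if depth is None else payload[start:start + depth]
    if nocase:
        idx = hay.lower().find(pattern.lower())
    else:
        idx = hay.find(pattern)
    if idx < 0:
        return None
    return start + idx + len(pattern)


def match_rule(payload, contents):
    """Chain the content options the way the post describes.

    doe ("detect offset end") is the index just past the previous match.
    distance moves the search start forward from doe; within limits how
    far past that start the pattern may end.  Returns a list of
    (match_start, match_end) per content, or None if any content fails.
    """
    doe = None
    matches = []
    for c in contents:
        pattern = c["pattern"]
        relative = doe is not None and ("distance" in c or "within" in c)
        if relative:
            start = doe + c.get("distance", 0)   # begin searching here ...
            depth = c.get("within")              # ... and look at most this far
        else:
            start = c.get("offset", 0)
            depth = c.get("depth")
        end = find_content(payload, pattern, start, depth, c.get("nocase", False))
        if end is None:
            return None
        matches.append((end - len(pattern), end))
        doe = end
    return matches


def exact_distance_reading(payload):
    """The reading the original question assumed: is the byte exactly 59
    bytes past the end of "\\xFFSMB" a 0x05?  On this packet it is not."""
    end_of_smb = find_content(payload, b"\xffSMB", 4, 4, nocase=True)
    if end_of_smb is None:
        return False
    pos = end_of_smb + 59
    return pos < len(payload) and payload[pos] == 0x05


if __name__ == "__main__":
    print("chained match:", match_rule(PACKET_1, SID_2514_CONTENTS))
    print("exact-distance reading:", exact_distance_reading(PACKET_1))
```

Run against the first packet, the chain matches at (4, 8), (88, 89), (90, 91) and (110, 112): the 0x05 that satisfies distance:59 actually sits 80 bytes past the end of "\xFFSMB", which is allowed because distance only sets where the search begins. Truncating the payload before offset 110 makes the last content fail and the whole rule returns None.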

larosa, vjay wrote:
> Ok,
> 
> Can someone explain to me how this rule would trigger on the payload from
> the packets below? If you look at the first packet, I can see the |FF|SMB
> match, but in the next 59 bytes after the B there is no |05| found. Maybe I
> just do not understand the distance keyword, but this is not matching up to
> me.
> 
> alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS DCERPC
> LSASS DsRolerUpgradeDownlevelServer exploit attempt";
> flow:to_server,established; flowbits:isset,netbios.lsass.bind.attempt;
> content:"|FF|SMB"; depth:4; offset:4; nocase:; content:"|05|"; distance:59;
> content:"|00|"; within:1; distance:1; content:"|09 00|"; within:2;
> distance:19; reference:cve,CAN-2003-0533;
> reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx;
> classtype:attempted-admin; sid:2514; rev:5;)
> 
> Header cut off
> ----------------------------------------------------------------
> 00 00 00 7C FF 53 4D 42 25 00 00 00 00 18 07 C8	...|.SMB%.......
> 00 00 00 00 00 00 00 00 00 00 00 00 00 08 60 0D	..............`.
> 00 08 40 3E 10 00 00 28 00 00 00 B8 10 00 00 00	..@>...(........
> 00 00 00 00 00 00 00 00 00 54 00 28 00 54 00 02	.........T.(.T..
> 00 26 00 0C 40 39 00 00 5C 00 50 00 49 00 50 00	.&..@9..\.P.I.P.
> 45 00 5C 00 00 00 00 00 05 00 00 03 10 00 00 00	E.\.............
> 28 00 00 00 AA 04 00 00 10 00 00 00 00 00 09 00	(...............
> 02 00 00 00 24 00 00 00 27 00 00 00 00 00 00 00	....$...'.......
> 
> 
> Header cut off
> ----------------------------------------------------------------
> 00 00 10 40 FF 53 4D 42 2F 00 00 00 00 18 07 E8	...@.SMB/.......
> 00 00 00 00 00 00 00 00 00 00 00 00 07 10 FF FE	................
> 02 20 81 FD 0E FF 00 DE DE 02 C0 00 F0 0D 00 FF	. ..............
> FF FF FF 00 00 00 00 00 00 00 10 40 00 00 00 00	...........@....
> 00 01 10 EE 00 22 00 2C 02 00 00 FD 00 0A 00 8E	.....".,........
> 00 05 00 22 00 E1 01 00 00 FD 00 0A 00 8E 00 06	..."............
> 00 22 00 F8 02 00 00 FD 00 0A 00 8E 00 07 00 22	."............."
> 00 F8 02 00 00 FD 00 0A 00 8E 00 08 00 22 00 E7	............."..
> 01 00 00 FD 00 0A 00 8E 00 09 00 22 00 C6 02 00	..........."....
> 00 FD 00 0A 00 8E 00 0A 00 22 00 C5 02 00 00 FD	........."......
> 00 0A 00 8E 00 0B 00 22 00 E2 01 00 00 FD 00 0A	......."........
> 00 8E 00 0C 00 22 00 E7 01 00 00 FD 00 0A 00 8E	....."..........
> 00 0D 00 22 00 6F 07 00 00 FD 00 0A 00 8E 00 0E	...".o..........
> 00 22 00 C6 02 00 00 FD 00 0A 00 8F 00 00 00 22	."............."
> 00 40 05 00 00 FD 00 0A 00 8F 00 01 00 22 00 DE	.@..........."..
> 01 00 00 FD 00 0A 00 8F 00 02 00 22 00 3A 09 00	...........".:..
> 00 FD 00 0A 00 8F 00 03 00 22 00 DF 01 00 00 FD	........."......
> 00 0A 00 8F 00 04 00 22 00 56 02 00 00 FD 00 0A	.......".V......
> 00 8F 00 05 00 22 00 E1 01 00 00 FD 00 0A 00 8F	....."..........
> 00 06 00 22 00 43 07 00 00 FD 00 0A 00 8F 00 07	...".C..........
> 00 22 00 43 07 00 00 FD 00 0A 00 8F 00 08 00 22	.".C..........."
> 00 DE 01 00 00 FD 00 0A 00 8F 00 09 00 22 00 04	............."..
> 03 00 00 FD 00 0A 00 8F 00 0A 00 22 00 03 03 00	..........."....
> 00 FD 00 0A 00 8F 00 0B 00 22 00 E2 01 00 00 FD	........."......
> 00 0A 00 8F 00 0C 00 22 00 DE 01 00 00 FD 00 0A	......."........
> 00 8F 00 0D 00 22 00 6F 07 00 00 FD 00 0A 00 8F	.....".o........
> 00 0E 00 22 00 04 03 00 00 FD 00 0A 00 90 00 00	..."............
> 00 22 00 40 05 00 00 FD 00 0A 00 90 00 01 00 22	.".@..........."
> 00 DE 01 00 00 FD 00 0A 00 90 00 02 00 22 00 3B	.............".;
> 09 00 00 FD 00 0A 00 90 00 03 00 22 00 DF 01 00	..........."....
> 00 FD 00 0A 00 90 00 04 00 22 00 E3 01 00 00 FD	........."......
> 00 0A 00 90 00 05 00 22 00 E1 01 00 00 FD 00 0A	......."........
> 00 90 00 06 00 22 00 43 07 00 00 FD 00 0A 00 90	.....".C........
> 00 07 00 22 00 43 07 00 00 FD 00 0A 00 90 00 08	...".C..........
> 00 22 00 DE 01 00 00 FD 00 0A 00 90 00 09 00 22	."............."
> 00 04 03 00 00 FD 00 0A 00 90 00 0A 00 22 00 03	............."..
> 03 00 00 FD 00 0A 00 90 00 0B 00 22 00 E2 01 00	..........."....
> 00 FD 00 0A 00 90 00 0C 00 22 00 DE 01 00 00 FD	........."......
> 00 0A 00 90 00 0D 00 22 00 6F 07 00 00 FD 00 0A	.......".o......
> 00 90 00 0E 00 22 00 04 03 00 00 FD 00 0A 00 91	....."..........
> 00 00 00 22 00 01 07 00 00 FD 00 0A 00 91 00 01	..."............
> 00 22 00 E7 01 00 00 FD 00 0A 00 91 00 02 00 22	."............."
> 00 57 02 00 00 FD 00 0A 00 91 00 03 00 22 00 47	.W...........".G
> 02 00 00 FD 00 0A 00 91 00 04 00 22 00 58 02 00	...........".X..
> 00 FD 00 0A 00 91 00 05 00 22 00 E1 01 00 00 FD	........."......
> 00 0A 00 91 00 06 00 22 00 FE 09 00 00 FD 00 0A	......."........
> 00 91 00 07 00 22 00 FE 09 00 00 FD 00 0A 00 91	....."..........
> 00 08 00 22 00 E7 01 00 00 FD 00 0A 00 91 00 09	..."............
> 00 22 00 8B 02 00 00 FD 00 0A 00 91 00 0A 00 22	."............."
> 00 02 05 00 00 FD 00 0A 00 91 00 0B 00 22 00 EC	............."..
> 01 00 00 FD 00 0A 00 91 00 0C 00 22 00 E7 01 00	..........."....
> 00 FD 00 0A 00 91 00 0D 00 22 00 A8 02 00 00 FD	........."......
> 00 0A 00 91 00 0E 00 22 00 8B 02 00 00 FD 00 0A	......."........
> 00 92 00 00 00 22 00 01 07 00 00 FD 00 0A 00 92	....."..........
> 00 01 00 22 00 E7 01 00 00 FD 00 0A 00 92 00 02	..."............
> 00 22 00 59 02 00 00 FD 00 0A 00 92 00 03 00 22	.".Y..........."
> 00 47 02 00 00 FD 00 0A 00 92 00 04 00 22 00 5A	.G...........".Z
> 02 00 00 FD 00 0A 00 92 00 05 00 22 00 E1 01 00	..........."....
> 00 FD 00 0A 00 92 00 06 00 22 00 FE 09 00 00 FD	........."......
> 00 0A 00 92 00 07 00 22 00 FE 09 00 00 FD 00 0A	......."........
> 00 92 00 08 00 22 00 E7 01 00 00 FD 00 0A 00 92	....."..........
> 00 09 00 22 00 8B 02 00 00 FD 00 0A 00 92 00 0A	..."............
> 00 22 00 02 05 00 00 FD 00 0A 00 92 00 0B 00 22	."............."
> 00 E2 01 00 00 FD 00 0A 00 92 00 0C 00 22 00 E7	............."..
> 01 00 00 FD 00 0A 00 92 00 0D 00 22 00 A8 02 00	..........."....
> 00 FD 00 0A 00 92 00 0E 00 22 00 8B 02 00 00 FD	........."......
> 00 0A 00 93 00 00 00 22 00 01 07 00 00 FD 00 0A	......."........
> 00 93 00 01 00 22 00 E7 01 00 00 FD 00 0A 00 93	....."..........
> 00 02 00 22 00 5B 02 00 00 FD 00 0A 00 93 00 03	...".[..........
> 00 22 00 35 02 00 00 FD 00 0A 00 93 00 04 00 22	.".5..........."
> 00 5C 02 00 00 FD 00 0A 00 93 00 05 00 22 00 E1	.\..........."..
> 01 00 00 FD 00 0A 00 93 00 06 00 22 00 1F 03 00	..........."....
> 00 FD 00 0A 00 93 00 07 00 22 00 1F 03 00 00 FD	........."......
> 00 0A 00 93 00 08 00 22 00 E7 01 00 00 FD 00 0A	......."........
> 00 93 00 09 00 22 00 7F 02 00 00 FD 00 0A 00 93	....."..........
> 00 0A 00 22 00 1E 03 00 00 FD 00 0A 00 93 00 0B	..."............
> 00 22 00 E2 01 00 00 FD 00 0A 00 93 00 0C 00 22	."............."
> 00 E7 01 00 00 FD 00 0A 00 93 00 0D 00 22 00 A8	............."..
> 02 00 00 FD 00 0A 00 93 00 0E 00 22 00 7F 02 00	..........."....
> 00 FD 00 0A 00 94 00 00 00 22 00 01 07 00 00 FD	........."......
> 00 0A 00 94 00 01 00 22 00 DE 01 00 00 FD 00 0A	......."........
> 00 94 00 02 00 22 00 5D 02 00 00 FD 00 0A 00 94	.....".]........
> 00 03 00 22 00 DF 01 00 00 FD 00 0A 00 94 00 04	..."............
> 00 22 00 16 02 00 00 FD 00 0A 00 94 00 05 00 22	."............."
> 00 E1 01 00 00 FD 00 0A 00 94 00 06 00 22 00 43	.............".C
> 07 00 00 FD 00 0A 00 94 00 07 00 22 00 43 07 00	...........".C..
> 00 FD 00 0A 00 94 00 08 00 22 00 DE 01 00 00 FD	........."......
> 00 0A 00 94 00 09 00 22 00 FC 08 00 00 FD 00 0A	......."........
> 00 94 00 0A 00 22 00 03 03 00 00 FD 00 0A 00 94	....."..........
> 00 0B 00 22 00 E2 01 00 00 FD 00 0A 00 94 00 0C	..."............
> 00 22 00 DE 01 00 00 FD 00 0A 00 94 00 0D 00 22	."............."
> 00 A8 02 00	....
> 
> vjl
> 
> V.Jay LaRosa              EMC Corporation
> EMC OneSecure Group       4400 Computer Dr.
> (508)898-7433 Office      Westboro, MA 01580
> (508)962-1482 Cell        www.emc.com
> 888-799-9750 Pager        vjl at ...375...
> 