[Snort-sigs] Problem with SID 2514?

Jason security at ...704...
Fri May 28 11:33:34 EDT 2004


Apologies for the HTML; it works best this way.

The packet matches. I think what is being overlooked is that the 
"content:"|05|"; distance:59;" check is not limited by a within 
statement, so it can continue to look deeper than you may be looking.

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS DCERPC
LSASS DsRolerUpgradeDownlevelServer exploit attempt";
flow:to_server,established; flowbits:isset,netbios.lsass.bind.attempt;
content:"|FF|SMB"; depth:4; offset:4; nocase:; content:"|05|"; distance:59;
content:"|00|"; within:1; distance:1; content:"|09 00|"; within:2;
distance:19; reference:cve,CAN-2003-0533;
reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx;
classtype:attempted-admin; sid:2514; rev:5;)

Header cut off
----------------------------------------------------------------
00 00 10 40 FF 53 4D 42 2F 00 00 00 00 18 07 E8    ...@.SMB/.......
00 00 00 00 00 00 00 00 00 00 00 00 07 10 FF FE    ................
02 20 81 FD 0E FF 00 DE DE 02 C0 00 F0 0D 00 FF    . ..............
FF FF FF 00 00 00 00 00 00 00 10 40 00 00 00 00    ...........@....
00 01 10 EE 00 22 00 2C 02 00 00 FD 00 0A 00 8E    .....".,........
00 05 00 22 00 E1 01 00 00 FD 00 0A 00 8E 00 06    ..."............
00 22 00 F8 02 00 00 FD 00 0A 00 8E 00 07 00 22    ."............."
00 F8 02 00 00 FD 00 0A 00 8E 00 08 00 22 00 E7    ............."..
01 00 00 FD 00 0A 00 8E 00 09 00 22 00 C6 02 00    ..........."....
00 FD 00 0A 00 8E 00 0A 00 22 00 C5 02 00 00 FD    ........."......
00 0A 00 8E 00 0B 00 22 00 E2 01 00 00 FD 00 0A    ......."........
00 8E 00 0C 00 22 00 E7 01 00 00 FD 00 0A 00 8E    ....."..........
00 0D 00 22 00 6F 07 00 00 FD 00 0A 00 8E 00 0E    ...".o..........
00 22 00 C6 02 00 00 FD 00 0A 00 8F 00 00 00 22    ."............."
00 40 05 00 00 FD 00 0A 00 8F 00 01 00 22 00 DE    .@..........."..
01 00 00 FD 00 0A 00 8F 00 02 00 22 00 3A 09 00    ...........".:..
00 FD 00 0A 00 8F 00 03 00 22 00 DF 01 00 00 FD    ........."......
00 0A 00 8F 00 04 00 22 00 56 02 00 00 FD 00 0A    .......".V......
00 8F 00 05 00 22 00 E1 01 00 00 FD 00 0A 00 8F    ....."..........
00 06 00 22 00 43 07 00 00 FD 00 0A 00 8F 00 07    ...".C..........
00 22 00 43 07 00 00 FD 00 0A 00 8F 00 08 00 22    .".C..........."
00 DE 01 00 00 FD 00 0A 00 8F 00 09 00 22 00 04    ............."..
03 00 00 FD 00 0A 00 8F 00 0A 00 22 00 03 03 00    ..........."....
00 FD 00 0A 00 8F 00 0B 00 22 00 E2 01 00 00 FD    ........."......
00 0A 00 8F 00 0C 00 22 00 DE 01 00 00 FD 00 0A    ......."........
00 8F 00 0D 00 22 00 6F 07 00 00 FD 00 0A 00 8F    .....".o........
00 0E 00 22 00 04 03 00 00 FD 00 0A 00 90 00 00    ..."............
00 22 00 40 05 00 00 FD 00 0A 00 90 00 01 00 22    .".@..........."
00 DE 01 00 00 FD 00 0A 00 90 00 02 00 22 00 3B    .............".;
09 00 00 FD 00 0A 00 90 00 03 00 22 00 DF 01 00    ..........."....
[...]




larosa, vjay wrote:

>Ok,
>
>Can someone explain to me how this rule would trigger on the payload from
>the packets below? If you look at the first packet, I can see the |FF|SMB
>match, but in the next 59 bytes after the B there is no |05| found. Maybe I
>just do not understand the distance keyword, but this is not matching up to
>me.

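The distance/within point above, as an added worked example (this is not
code from the post and not Snort's own code, just a small Python model of
the search semantics Snort 2 documents for offset, depth, distance and
within). It replays the content chain of SID 2514 over the bytes of the hex
dump pasted in the thread, using only the part shown there (the dump is cut
off at "[...]", so this is a prefix of the packet, not the whole thing).
It shows why there is no |05| in the 59 bytes after "SMB" and yet the
distance:59 search finds one at offset 81, and what a within cap would
change. The retry of an earlier content when a later relative content
fails (Snort's content recursion) is modelled here on the assumption that
Snort 2.x behaves that way.

```python
"""Snort 2 content modifiers (offset/depth/distance/within) replayed over the
SMB payload from the thread.  Added illustration, not Snort code."""

# Bytes copied from the hex dump in the post, two dump rows per line.  Only the
# rows shown on the page are here; the dump is cut off, so this is a prefix.
DUMP_HEX = """
00 00 10 40 FF 53 4D 42 2F 00 00 00 00 18 07 E8  00 00 00 00 00 00 00 00 00 00 00 00 07 10 FF FE
02 20 81 FD 0E FF 00 DE DE 02 C0 00 F0 0D 00 FF  FF FF FF 00 00 00 00 00 00 00 10 40 00 00 00 00
00 01 10 EE 00 22 00 2C 02 00 00 FD 00 0A 00 8E  00 05 00 22 00 E1 01 00 00 FD 00 0A 00 8E 00 06
00 22 00 F8 02 00 00 FD 00 0A 00 8E 00 07 00 22  00 F8 02 00 00 FD 00 0A 00 8E 00 08 00 22 00 E7
01 00 00 FD 00 0A 00 8E 00 09 00 22 00 C6 02 00  00 FD 00 0A 00 8E 00 0A 00 22 00 C5 02 00 00 FD
00 0A 00 8E 00 0B 00 22 00 E2 01 00 00 FD 00 0A  00 8E 00 0C 00 22 00 E7 01 00 00 FD 00 0A 00 8E
00 0D 00 22 00 6F 07 00 00 FD 00 0A 00 8E 00 0E  00 22 00 C6 02 00 00 FD 00 0A 00 8F 00 00 00 22
00 40 05 00 00 FD 00 0A 00 8F 00 01 00 22 00 DE  01 00 00 FD 00 0A 00 8F 00 02 00 22 00 3A 09 00
00 FD 00 0A 00 8F 00 03 00 22 00 DF 01 00 00 FD  00 0A 00 8F 00 04 00 22 00 56 02 00 00 FD 00 0A
00 8F 00 05 00 22 00 E1 01 00 00 FD 00 0A 00 8F  00 06 00 22 00 43 07 00 00 FD 00 0A 00 8F 00 07
00 22 00 43 07 00 00 FD 00 0A 00 8F 00 08 00 22  00 DE 01 00 00 FD 00 0A 00 8F 00 09 00 22 00 04
03 00 00 FD 00 0A 00 8F 00 0A 00 22 00 03 03 00  00 FD 00 0A 00 8F 00 0B 00 22 00 E2 01 00 00 FD
00 0A 00 8F 00 0C 00 22 00 DE 01 00 00 FD 00 0A  00 8F 00 0D 00 22 00 6F 07 00 00 FD 00 0A 00 8F
00 0E 00 22 00 04 03 00 00 FD 00 0A 00 90 00 00  00 22 00 40 05 00 00 FD 00 0A 00 90 00 01 00 22
00 DE 01 00 00 FD 00 0A 00 90 00 02 00 22 00 3B  09 00 00 FD 00 0A 00 90 00 03 00 22 00 DF 01 00
"""
PAYLOAD = bytes.fromhex(DUMP_HEX)

# The content chain of SID 2514 rev 5 as quoted in the thread.  nocase on
# "|FF|SMB" is dropped: the dump carries the exact bytes FF 53 4D 42 anyway.
SID_2514 = [
    (b"\xffSMB",  {"offset": 4, "depth": 4}),
    (b"\x05",     {"distance": 59}),
    (b"\x00",     {"distance": 1, "within": 1}),
    (b"\x09\x00", {"distance": 19, "within": 2}),
]


def search(payload, content, start, window=None):
    """Look for `content` from `start`.  `window` caps how many bytes are
    searched (depth/within); with no cap the search runs to the end of the
    payload.  Returns the match offset or None."""
    end = len(payload) if window is None else min(len(payload), start + window)
    pos = payload.find(content, start, end)
    return None if pos < 0 else pos


def match_chain(payload, chain, idx=0, doe=0):
    """Evaluate a content chain the way Snort 2 does.  A content carrying
    distance or within is relative: its search starts at the end of the
    previous match (`doe`) plus distance and is capped by within.  When a
    later content fails, the earlier one is retried at its next occurrence
    (content recursion, assumed Snort 2.x behaviour).  Returns the list of
    match offsets, or None when no combination satisfies every content."""
    if idx == len(chain):
        return []
    content, mods = chain[idx]
    if "distance" in mods or "within" in mods:
        start, window = doe + mods.get("distance", 0), mods.get("within")
    else:
        start, window = mods.get("offset", 0), mods.get("depth")
    end = len(payload) if window is None else min(len(payload), start + window)
    pos = payload.find(content, start, end)
    while pos >= 0:
        rest = match_chain(payload, chain, idx + 1, pos + len(content))
        if rest is not None:
            return [pos] + rest
        pos = payload.find(content, pos + 1, end)
    return None


def first_05_in_the_next_59_bytes():
    """The reading in the question: |05| inside the 59 bytes after "SMB"."""
    return search(PAYLOAD, b"\x05", 8, 59)        # None: no 05 in bytes 8..66


def first_05_per_distance_59(within=None):
    """What distance:59 means: skip 59 bytes past the end of "SMB" (offset 8)
    and search from there; with no within the search runs to the end."""
    return search(PAYLOAD, b"\x05", 8 + 59, within)   # 81 with no within


def sid_2514_on_visible_bytes():
    """Whole chain over the visible prefix; the dump is truncated, so a None
    here says nothing about the rest of the packet."""
    return match_chain(PAYLOAD, SID_2514)


if __name__ == "__main__":
    print("05 within 59 bytes after SMB:", first_05_in_the_next_59_bytes())
    print("05 with distance:59, no within:", first_05_per_distance_59())
    print("05 with distance:59; within:10:", first_05_per_distance_59(10))
    print("full chain on visible bytes:", sid_2514_on_visible_bytes())
```

The two |05| functions are the whole argument: the question's window is
payload[8:67] and holds no 0x05, while distance:59 starts the search at
offset 67 with no upper bound, so the 0x05 at offset 81 is found. A
within:10 on the same content would confine the search to offsets 67..76
and miss it; that is the knob a rule author reaches for when a distance
check is meant to be a fixed-position check rather than "anywhere later".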



