[Snort-sigs] MS05-039 Updated Rules

Chris Baker cbaker at ...1256...
Tue Aug 16 19:01:21 EDT 2005


The Alert Logic research team has revised the initial set of rules for
the MS05-039 vulnerability in PnP. While the initial rules focused on
the known exploits used in the Zotob worm, the new rules detect the
actual vulnerability described in MS05-039.

The most recent set of rules provide wider coverage for possible exploit
and worm variations that may appear in the future. These rules cover
most common avenues of attack, excluding big-endian and unicode vectors.

The latest MS05-039 rules have been tested in Alert Logic labs and we
are satisfied with their performance. Your mileage may vary. Please let
us know if there are any false-positives. PCAPs are greatly appreciated.

:: Rules ::

Update your stream4_reassemble args to include ports 139 and 445. 
	ex.  preprocessor stream4_reassemble: clientonly, ports 21 23 25 53 80 110 111 139 143 445 513 1433

alert tcp any any -> any 445 (msg:"NETBIOS SMB-DS DCERPC PnP HOD bind attempt"; flow:to_server,established; content:"|FF|SMB%"; depth:5; offset:4; nocase; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00|"; within:12; distance:5; nocase; content:"|05|"; within:1; distance:4; content:"|0B|"; within:1; distance:1; content:"|40 4E 9F 8D 3D A0 CE 11 8F 69 08 00 3E 30 05 1B|"; flowbits:set,netbios.pnp.bind.attempt; flowbits:noalert; classtype:protocol-command-decode; sid:1000135; rev:2;)

alert tcp any any -> any 445 (msg:"NETBIOS SMB-DS DCERPC PnP bind attempt"; flow:to_server,established; content:"|FF|SMB%"; depth:5; offset:4; nocase; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00|"; within:12; distance:5; nocase; content:"|05|"; within:1; distance:2; content:"|0B|"; within:1; distance:1; content:"|40 4E 9F 8D 3D A0 CE 11 8F 69 08 00 3E 30 05 1B|"; flowbits:set,netbios.pnp.bind.attempt; flowbits:noalert; classtype:protocol-command-decode; sid:1000139; rev:1;)

alert tcp any any -> any 445 (msg:"NETBIOS SMB-DS DCERPC PnP QueryResConfList exploit attempt"; flow:to_server,established; content:"|FF|SMB%"; depth:5; offset:4; nocase; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00|"; within:12; distance:5; nocase; content:"|36 00|"; within:2; distance:26; pcre:"/(\x00\\\x00.*?){2}\x00{2}\xFF{2}.{128,}[\x04-\xFF][\x00-\xFF]{3}\x00{4}$/Rs"; flowbits:isset,netbios.pnp.bind.attempt; reference:cve,CAN-2005-1983; reference:url,www.microsoft.com/technet/security/Bulletin/MS05-039.mspx; classtype:attempted-admin; sid:1000136; rev:2;)

alert tcp any any -> any 139 (msg:"NETBIOS SMB DCERPC PnP bind attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB%"; depth:5; offset:4; nocase; byte_test:2,^,1,5,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00 05 00 0B|"; within:10; distance:4; byte_test:1,&,16,1,relative; content:"|40 4E 9F 8D 3D A0 CE 11 8F 69 08 00 3E 30 05 1B|"; flowbits:set,netbios.pnp.bind.attempt; flowbits:noalert; classtype:protocol-command-decode; sid:1000137; rev:1;)

alert tcp any any -> any 139 (msg:"NETBIOS SMB DCERPC PnP QueryResConfList exploit attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB%"; depth:5; offset:4; nocase; byte_test:2,^,1,5,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00 05 00 00|"; within:10; distance:4; nocase; content:"|36 00|"; within:2; distance:19; pcre:"/(\x00\\\x00.*?){2}\x00{2}\xFF{2}.{128,}[\x04-\xFF][\x00-\xFF]{3}\x00{4}$/Rs"; flowbits:isset,netbios.pnp.bind.attempt; reference:cve,CAN-2005-1983; reference:url,www.microsoft.com/technet/security/Bulletin/MS05-039.mspx; classtype:attempted-admin; sid:1000138; rev:1;)

:: end ::

Thank you,
AlertLogic
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
URL: <https://lists.snort.org/pipermail/snort-sigs/attachments/20050816/83ca0e5c/attachment.sig>


More information about the Snort-sigs mailing list