[Snort-sigs] FPs on lsass DsRolerGetPrimaryDomainInformation unicode little endian attempt

Jason Haar Jason.Haar at ...651...
Thu Jan 5 13:24:02 EST 2006


[Man - I seem to be getting burnt by these pnp/lsass rules - they go off
all the time]

I just installed these rules on one site yesterday, and they triggered
10 times in 12 hours. I had a bunch of WinXP-SP2 clients trigger it when
talking to Win2K3 Domain Controllers, and have even had one Samba 3.0.10
winbindd client trigger it too! (never seen that before)

Here's the payload from a winbindd client

 length = 112

000 : 00 00 00 6C FF 53 4D 42 25 00 00 00 00 08 01 C8   ...l.SMB%.......
010 : 00 00 00 00 00 00 00 00 00 00 00 00 03 A8 1F 13   ................
020 : 03 48 06 00 10 00 00 1A 00 00 00 B8 10 00 00 00   .H..............
030 : 00 00 00 00 00 00 00 00 00 52 00 1A 00 52 00 02   .........R...R..
040 : 00 26 00 0D C0 29 00 00 5C 00 50 00 49 00 50 00   .&...)..\.P.I.P.
050 : 45 00 5C 00 00 00 05 00 00 03 10 00 00 00 1A 00   E.\.............
060 : 00 00 8C 17 00 00 0A 00 00 00 00 00 00 00 01 00   ................


Here's the payload from an XP client

 length = 132

000 : 00 00 00 80 FF 53 4D 42 25 00 00 00 00 18 07 C8   .....SMB%.......
010 : 00 00 E9 A6 BE 53 2C 45 40 EA 00 00 02 08 98 07   .....S,E@.......
020 : 02 08 C0 02 10 00 00 2C 00 00 00 00 04 00 00 00   .......,........
030 : 00 00 00 00 00 00 00 00 00 54 00 2C 00 54 00 02   .........T.,.T..
040 : 00 26 00 08 40 3D 00 00 5C 00 50 00 49 00 50 00   .&..@=..\.P.I.P.
050 : 45 00 5C 00 00 00 00 00 05 00 00 03 10 00 00 00   E.\.............
060 : 2C 00 00 00 04 00 00 00 14 00 00 00 00 00 00 00   ,...............
070 : 00 00 00 00 58 61 8C A3 6E 73 78 4A AB 40 33 B4   ....Xa..nsxJ.@3.
080 : 01 CE 72 44                                       ..rD



-- 
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
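An added decoder, not from the post or from the Snort rule set, that walks the two quoted payloads through the NetBIOS session header, the SMB_COM_TRANSACTION/TransactNmPipe request and the DCE/RPC PDU carried in the pipe, so the fields named in the rule title (the FLAGS2 unicode bit, the \PIPE\ name, a little-endian DCE/RPC request with opnum 0) can be read off directly. Structure layouts follow MS-CIFS and the DCE/RPC connection-oriented PDU format; the payload bytes are re-typed from the hex dumps above. Note that the interface bound to the FID is set by an earlier bind PDU on the same session, so a request like either of these does not by itself say which RPC interface opnum 0 belongs to.

```python
import struct
SMB_FLAGS2_UNICODE = 0x8000   # FLAGS2 bit: SMB string fields are UTF-16LE
TRANS_NM_PIPE = 0x0026        # SMB_COM_TRANSACTION setup code TransactNmPipe
DCERPC_REQUEST = 0            # DCE/RPC PDU type "request"
# The two payloads quoted in the post, re-typed from the hex dumps (NetBIOS header included).
WINBINDD = bytes.fromhex(
    "0000006c ff534d42 25000000 000801c8 00000000 00000000 00000000 03a81f13"
    "03480600 1000001a 000000b8 10000000 00000000 00000000 0052001a 00520002"
    "0026000d c0290000 5c005000 49005000 45005c00 00000500 00031000 00001a00"
    "00008c17 00000a00 00000000 00000100")
XP = bytes.fromhex(
    "00000080 ff534d42 25000000 001807c8 0000e9a6 be532c45 40ea0000 02089807"
    "0208c002 1000002c 00000000 04000000 00000000 00000000 0054002c 00540002"
    "00260008 403d0000 5c005000 49005000 45005c00 00000000 05000003 10000000"
    "2c000000 04000000 14000000 00000000 00000000 58618ca3 6e73784a ab4033b4"
    "01ce7244")

def decode_trans_pipe(buf):
    # NetBIOS session header -> SMB header -> SMB_COM_TRANSACTION -> DCE/RPC PDU
    nbss_len = int.from_bytes(buf[1:4], "big")
    smb = buf[4:]                       # SMB offsets are relative to the SMB header
    if smb[:4] != b"\xffSMB" or len(smb) != nbss_len or smb[4] != 0x25:
        raise ValueError("not a single NetBIOS-framed SMB_COM_TRANSACTION")
    flags2 = struct.unpack_from("<H", smb, 10)[0]
    tid, pid, uid, mid = struct.unpack_from("<HHHH", smb, 24)
    # 28 fixed parameter bytes (MS-CIFS 2.2.4.33.1), then Setup[SetupCount]
    words = struct.unpack_from("<HHHHBBHIHHHHHBB", smb, 33)
    data_cnt, data_off, setup_cnt = words[11], words[12], words[13]
    setup = struct.unpack_from("<%dH" % setup_cnt, smb, 61)
    if len(setup) != 2:
        raise ValueError("TransactNmPipe carries Setup = [op, FID]")
    name_off = 61 + 2 * setup_cnt + 2   # skip Setup[] and the ByteCount field
    unicode = bool(flags2 & SMB_FLAGS2_UNICODE)
    if unicode and name_off % 2:
        name_off += 1                   # UTF-16 names start on a 2-byte boundary
    name = smb[name_off:data_off].decode("utf-16-le" if unicode else "latin-1", "ignore")
    d = smb[data_off:data_off + data_cnt]   # the DCE/RPC PDU written to the pipe
    ver, minor, ptype, pfc, drep, frag_len, auth_len, call_id = struct.unpack_from("<BBBB4sHHI", d)
    alloc_hint, ctx_id, opnum = struct.unpack_from("<IHH", d, 16) if ptype == DCERPC_REQUEST else (None,) * 3
    return {"unicode": unicode, "tid": tid, "uid": uid, "setup_op": setup[0], "fid": setup[1],
            "pipe": name.split("\x00")[0], "rpc_version": (ver, minor), "ptype": ptype,
            "first_and_last": (pfc & 3) == 3, "little_endian": bool(drep[0] & 0x10),
            "frag_len": frag_len, "auth_len": auth_len, "call_id": call_id, "ctx_id": ctx_id,
            "opnum": opnum, "stub": d[24:frag_len] if ptype == DCERPC_REQUEST else b""}

if __name__ == "__main__":
    for label, pkt in ("winbindd", WINBINDD), ("WinXP", XP):
        r = decode_trans_pipe(pkt)
        print("%-8s fid=%#06x pipe=%s opnum=%s call_id=%d stub=%d bytes"
              % (label, r["fid"], r["pipe"], r["opnum"], r["call_id"], len(r["stub"])))
```

Both requests decode to a unicode TransactNmPipe write of a first-and-last DCE/RPC request with opnum 0 but different FIDs, call IDs and stub lengths (2 bytes versus 20), which is what a tuner would compare against the full session when deciding whether the alert was a true match.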