[Snort-sigs] Sig Not Firing

Bill Scherr IV bschnzl at ...3374...
Thu Aug 6 07:44:35 EDT 2009


Folks...

This rule:

/etc/snort/rules/netbios.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET [135,139,445,1024:2048] (msg:"NETBIOS DCERPC rpcmgmt ifids Unauthenticated BIND"; flow:established,to_server; content:"|05|"; content:"|80 bd a8 af 8a 7d c9 11 be f4 08 00 2b 10 29 89|"; distance:31; reference:url,www.symantec.com/avcenter/reference/Vista_Network_Attack_Surface_RTM.pdf; reference:url,www.blackhat.com/presentations/win-usa-04/bh-win-04-seki-up2.pdf; reference:url,seclists.org/fulldisclosure/2003/Aug/0432.html; classtype:attempted-recon; sid:2999001; rev:5;)

Gave this and 37 others (First and Last):

Generated by BASE v1.4.1 (lara) on Wed, 05 Aug 2009 20:38:02 -0400

------------------------------------------------------------------------------
#(4 - 14071) [2009-08-04 19:31:48]
[url/seclists.org/fulldisclosure/2003/Aug/0432.html]
[url/www.blackhat.com/presentations/win-usa-04/bh-win-04-seki-up2.pdf]
[url/www.symantec.com/avcenter/reference/Vista_Network_Attack_Surface_RTM.pdf]
[local/2999001] [snort/1:2999001]  NETBIOS DCERPC rpcmgmt ifids Unauthenticated
BIND
IPv4: 221.4.145.37 -> 67.166.xx.xx
      hlen=5 TOS=32 dlen=112 ID=41935 flags=0 offset=0 TTL=105 chksum=xxxx
TCP:  port=4289 -> dport: 1034  flags=***AP*** seq=3054919032
      ack=1626252042 off=5 res=0 win=32768 urp=0 chksum=38075
Payload:  length = 72

000 : 05 00 0B 03 10 00 00 00 48 00 00 00 01 00 00 00   ........H.......
010 : D0 16 D0 16 00 00 00 00 01 00 00 00 00 00 01 00   ................
020 : 80 BD A8 AF 8A 7D C9 11 BE F4 08 00 2B 10 29 89   .....}......+.).
030 : 01 00 00 00 04 5D 88 8A EB 1C C9 11 9F E8 08 00   .....]..........
040 : 2B 10 48 60 02 00 00 00                           +.H`....
------------------------------------------------------------------------------
#(4 - 14109) [2009-08-04 19:32:22]
{repeated msg snip}
IPv4: 221.4.145.37 -> 67.166.xx.xx
      hlen=5 TOS=32 dlen=112 ID=63932 flags=0 offset=0 TTL=105 chksum=xxxx
TCP:  port=2309 -> dport: 2030  flags=***AP*** seq=1423264478
      ack=2149827416 off=5 res=0 win=32768 urp=0 chksum=52459
Payload:  length = 72

000 : 05 00 0B 03 10 00 00 00 48 00 00 00 01 00 00 00   ........H.......
010 : D0 16 D0 16 00 00 00 00 01 00 00 00 00 00 01 00   ................
020 : 80 BD A8 AF 8A 7D C9 11 BE F4 08 00 2B 10 29 89   .....}......+.).
030 : 01 00 00 00 04 5D 88 8A EB 1C C9 11 9F E8 08 00   .....]..........
040 : 2B 10 48 60 02 00 00 00                           +.H`....

Thanks for all of your help!  

B.

Circa 22:04, 8 Jul 2009, a note, claiming source Bill Scherr IV <bschnzl at ...3374...>, was sent to me:

From:           	Bill Scherr IV <bschnzl at ...3374...>
To:             	Todd Wease <twease at ...435...>, snort-sigs at lists.sourceforge.net
Subject:        	Re: [Snort-sigs] Sig Not Firing
Send reply to:  	bschnzl at ...3374...
Date sent:      	Wed, 08 Jul 2009 22:04:10 -0400

> Todd (et al),
> 
>    Thanks for the rule!  I see what you guys are saying about the
> "distance" modifier now.  Here is the rule I have running now: 
> 
> {snip}
> 

Bill Scherr IV, GSEC, GCIA
Principal Security Engineer
EWA Information and Infrastructure Technologies
bscherr at ...3384...
bscherr at ...3385...
703-478-7608
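As an added illustration (not part of the original mail or of the Snort project), the following Python replays the rule's two content matches over the BASE payload dump quoted above, showing why distance:31 lands on the interface UUID at offset 0x20, and decodes the DCE/RPC bind header fields the alert is keyed on. The distance semantics are simplified (no backtracking) and the dump is the one from the first alert; both are assumptions of this example.

```python
import struct
import uuid

# Constructed input: the BASE hex dump of the first alert's payload, as quoted in the post.
BASE_DUMP = """\
000 : 05 00 0B 03 10 00 00 00 48 00 00 00 01 00 00 00   ........H.......
010 : D0 16 D0 16 00 00 00 00 01 00 00 00 00 00 01 00   ................
020 : 80 BD A8 AF 8A 7D C9 11 BE F4 08 00 2B 10 29 89   .....}......+.).
030 : 01 00 00 00 04 5D 88 8A EB 1C C9 11 9F E8 08 00   .....]..........
040 : 2B 10 48 60 02 00 00 00                           +.H`....
"""

# The two content matches of sid:2999001: "|05|", then the interface UUID at distance:31.
RPCMGMT_UUID = bytes.fromhex("80bda8af8a7dc911bef408002b102989")
RULE_CONTENTS = [(b"\x05", 0), (RPCMGMT_UUID, 31)]


def parse_base_dump(dump):
    """Convert a BASE-style hex dump to bytes; the ASCII gutter after 3 spaces is ignored."""
    out = bytearray()
    for line in dump.splitlines():
        _, _, rest = line.partition(" : ")
        out += bytes.fromhex(rest.split("   ", 1)[0].replace(" ", ""))
    return bytes(out)


def snort_content_chain(payload, contents):
    """Evaluate chained Snort content matches. Each (pattern, distance) must begin at
    least `distance` bytes after the END of the previous match (Snort distance semantics).
    Simplified: no backtracking to later occurrences of an earlier content.
    Returns the list of match offsets, or None if the chain fails."""
    cursor, offsets = 0, []
    for pattern, distance in contents:
        idx = payload.find(pattern, cursor + distance)
        if idx < 0:
            return None
        offsets.append(idx)
        cursor = idx + len(pattern)
    return offsets


def decode_dcerpc_bind(payload):
    """Extract the DCE/RPC CO header fields and first abstract-syntax UUID of a bind PDU."""
    version, ptype = payload[0], payload[2]              # 5 = DCE/RPC v5, 0x0B = bind
    frag_len = struct.unpack_from("<H", payload, 8)[0]   # little-endian per data rep 0x10
    iface = uuid.UUID(bytes_le=payload[0x20:0x30])       # first presentation context's UUID
    return {"version": version, "ptype": ptype, "frag_len": frag_len, "interface": str(iface)}


if __name__ == "__main__":
    pdu = parse_base_dump(BASE_DUMP)
    print(snort_content_chain(pdu, RULE_CONTENTS))   # [0, 32]: "|05|" at 0, UUID at 0x20
    print(decode_dcerpc_bind(pdu))
```

Changing the distance to 32 makes the chain fail on this same payload, which is the kind of off-by-one the earlier thread discussion about the "distance" modifier refers to.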