[Snort-sigs] MSSQL False Neg

Alex Kirk akirk at ...435...
Tue Dec 1 16:22:04 EST 2009


Can you please send a PCAP? Having one would make debugging this much
easier.

On Tue, Dec 1, 2009 at 3:34 PM, Bill Scherr IV <bschnzl at ...3374...> wrote:

> Folks...
>
>   Snort has a sig that should fire on these packets (IMHO).  The packet
> indicates the distance of the username (offset 0x0066) from the TDS Login
> data of the packet (beginning at offset 0x003e).  There are lots of length
> indicators, but they all start from 0x003e.  The byte_jump starts from the
> beginning of data (offset 0x0036), if I read right.  I am thinking
> /content:"s|00|a|00|"; within:8; distance:8;/
>
>   I am using the reference @ http://www.freetds.org/tds.html#login7
>
>   The threshold was met, several times over, but nothing fired!  Am I on
> track here?
>
> -------  Data  -------
>
> Original Sig (False Neg?)
>
> alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"SQL SA brute force login attempt TDS v7/8";
> flow:to_server,established; content:"|10|"; depth:1; content:"|00 00|"; depth:2; offset:34;
> content:"|00 00 00 00|"; depth:4; offset:64; pcre:"/^.{12}(\x00|\x01)\x00\x00(\x70|\x71)/smi";
> byte_jump:2,48,little,from_beginning; content:"s|00|a|00|"; within:4; distance:8; nocase;
> threshold:type threshold, track by_src, count 5, seconds 2; reference:bugtraq,4797;
> reference:cve,2000-1209; reference:nessus,10673; classtype:suspicious-login; sid:3543; rev:4;)
>
> Typical Packet (82 each, this event):
>
> 0000  00 14 bf 52 fe 40 00 d0  2b 77 75 01 08 00 45 20   ...R.@.. +wu...E
> 0010  00 bc 1e 56 40 00 6c 06  xx xx 79 0b 50 ce xx xx   ...V@.l. xxy.P.xx
> 0020  xx 7a 08 2b 05 99 a4 51  cc 4d b1 be 2b 43 50 18   xz.+...Q .M..+CP.
> 0030  ff ff 3d 81 00 00 10 01  00 94 00 00 01 00 8c 00   ..=..... ........
> 0040  00 00 01 00 00 71 00 00  00 00 00 00 00 07 d0 19   .....q.. ........
> 0050  00 00 00 00 00 00 e0 03  00 00 20 fe ff ff 04 08   ........ .. .....
> 0060  00 00 56 00 06 00 62 00  02 00 66 00 01 00 68 00   ..V...b. ..f...h.
> 0070  00 00 68 00 0e 00 00 00  00 00 84 00 04 00 8c 00   ..h..... ........
> 0080  00 00 8c 00 00 00 00 1c  25 5b 6f ff 00 00 00 00   ........ %[o.....
> 0090  8c 00 00 00 44 00 57 00  44 00 57 00 34 00 44 00   ....D.W. D.W.4.D.
> 00a0  73 00 61 00 b3 a5 xx 00  xx 00 2e 00 xx 00 xx 00   s.a...x. x...x.x.
> 00b0  xx 00 2e 00 xx 00 xx 00  xx 00 2e 00 31 00 32 00   x...x.x. x...1.2.
> 00c0  32 00 4f 00 44 00 42 00  43 00                     2.O.D.B. C.
>
> -------  End Data  -------
>
>
> Bill Scherr IV, GSEC, GCIA
> Principal Security Engineer
> EWA Information and Infrastructure Technologies
> bscherr at ...3384...
> bscherr at ...3385...
> 703-478-7608
>



-- 
Alex Kirk
AEGIS Program Lead
Sourcefire Vulnerability Research Team
+1-410-423-1937
alex.kirk at ...435...
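As an added example (not from either poster), the Python below rebuilds the TCP payload from the quoted hex dump, parses the Login7 offset table per the freetds reference, and replays the rule's byte checks; it shows that the ib values count from the Login7 body at frame offset 0x3e while byte_jump counts from the TCP payload at 0x36, the 8-byte gap the rule's distance:8 bridges. The bytes masked as "xx" are filled with '1' (constructed), and the way the rule's options chain in rule_matches is this example's reading of the rule, not Snort's own code.

```python
import struct
# TCP payload of the quoted Login7 packet (frame 0x36 onward), rebuilt from the
# hex dump; the bytes masked as "xx" (server-name digits) are filled with 0x31 ('1').
PAYLOAD = bytes.fromhex(
    "10 01 00 94 00 00 01 00 8c 00"                      # 0x36: TDS header, Length
    "00 00 01 00 00 71 00 00 00 00 00 00 00 07 d0 19"    # 0x40
    "00 00 00 00 00 00 e0 03 00 00 20 fe ff ff 04 08"    # 0x50
    "00 00 56 00 06 00 62 00 02 00 66 00 01 00 68 00"    # 0x60: (ib, cch) table
    "00 00 68 00 0e 00 00 00 00 00 84 00 04 00 8c 00"    # 0x70
    "00 00 8c 00 00 00 00 1c 25 5b 6f ff 00 00 00 00"    # 0x80
    "8c 00 00 00 44 00 57 00 44 00 57 00 34 00 44 00"    # 0x90: string data
    "73 00 61 00 b3 a5 31 00 31 00 2e 00 31 00 31 00"    # 0xa0
    "31 00 2e 00 31 00 31 00 31 00 2e 00 31 00 32 00"    # 0xb0
    "32 00 4f 00 44 00 42 00 43 00"                      # 0xc0
)
TDS_HEADER_LEN = 8   # Login7 body starts at TCP payload offset 8 (frame 0x3e)
OFFSET_TABLE = 36    # (ib, cch) pairs start here, relative to the Login7 body
FIELDS = ("hostname", "username", "password", "appname", "servername",
          "unused", "cltintname", "language", "database")

def parse_login7(payload):
    # ib values count from the Login7 body (frame 0x3e), not from the TCP
    # payload (frame 0x36); that 8-byte gap is what the rule's distance:8 covers.
    if payload[0] != 0x10:
        raise ValueError("not a TDS Login7 packet")
    body = payload[TDS_HEADER_LEN:]
    fields = {"tds_version": struct.unpack_from("<I", body, 4)[0]}
    for i, name in enumerate(FIELDS):
        fields[name] = struct.unpack_from("<HH", body, OFFSET_TABLE + 4 * i)
    return fields

def login7_string(payload, name):
    # Decode one UCS-2 string field of the Login7 body.
    ib, cch = parse_login7(payload)[name]
    start = TDS_HEADER_LEN + ib
    return payload[start:start + 2 * cch].decode("utf-16-le")

def rule_matches(payload):
    # Replay the byte checks of sid:3543 rev:4 on one TCP payload. How the options
    # chain is this example's reading, not Snort's code: byte_jump from_beginning sets
    # the cursor to payload[value], distance:8 skips the TDS header, within:4 pins it.
    if payload[0:1] != b"\x10" or payload[34:36] != b"\x00\x00":
        return False                                 # content "|10|" / "|00 00|" offset 34
    if payload[64:68] != b"\x00\x00\x00\x00":
        return False                                 # content "|00 00 00 00|" offset 64
    if payload[12] > 1 or payload[13:15] != b"\x00\x00" or payload[15] not in (0x70, 0x71):
        return False                                 # pcre ^.{12}(\x00|\x01)\x00\x00(\x70|\x71)
    jump = struct.unpack_from("<H", payload, 48)[0]  # byte_jump:2,48,little,from_beginning
    cursor = jump + 8                                # distance:8
    return payload[cursor:cursor + 4].lower() == b"s\x00a\x00"  # "s|00|a|00|" within:4 nocase
```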