[Snort-sigs] MSSQL False Neg

Bill Scherr IV bschnzl at ...3374...
Tue Dec 1 17:04:46 EST 2009


Wally...

   Yes it is!  TYVM.

B.

Circa 16:27, 1 Dec 2009, a note, claiming source Jason Wallace <jason.r.wallace at ...2420...>, was
sent to me:

Date sent:      	Tue, 1 Dec 2009 16:27:16 -0500
Subject:        	Re: [Snort-sigs] MSSQL False Neg
From:           	Jason Wallace <jason.r.wallace at ...2420...>
To:             	bschnzl at ...3374...

> Just a thought... is 1433 included in your stream5 config? I typically
> use "ports both" for this port. If it is not in there then the flow:
> stuff will not work.
>
> On Tue, Dec 1, 2009 at 3:34 PM, Bill Scherr IV <bschnzl at ...3374...> wrote:
> > Folks...
> >
> >   Snort has a sig that should fire on these packets (IMHO).  The packet indicates the distance of the
> > username (offset 0x0066) from the TDS Login data of the packet (beginning at offset 0x003e).  There
> > are lots of length indicators, but they all start from 0x003e.  The byte_jump starts from the beginning of
> > data (offset 0x0036), if I read right.  I am thinking /content:"s|00|a|00|"; within:8; distance:8;/
> >
> >   I am using the reference @ http://www.freetds.org/tds.html#login7
> >
> >   The threshold was met, several times over, but nothing fired!  Am I on track here?
> >
> > -------  Data  -------
> >
> > Original Sig (False Neg?)
> >
> > alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"SQL SA brute force login attempt TDS v7/8"; flow:to_server,established; content:"|10|"; depth:1; content:"|00 00|"; depth:2; offset:34; content:"|00 00 00 00|"; depth:4; offset:64; pcre:"/^.{12}(\x00|\x01)\x00\x00(\x70|\x71)/smi"; byte_jump:2,48,little,from_beginning; content:"s|00|a|00|"; within:4; distance:8; nocase; threshold:type threshold, track by_src, count 5, seconds 2; reference:bugtraq,4797; reference:cve,2000-1209; reference:nessus,10673; classtype:suspicious-login; sid:3543; rev:4;)
> >
> > Typical Packet (82 each, this event):
> >
> > 0000  00 14 bf 52 fe 40 00 d0  2b 77 75 01 08 00 45 20   ...R. at ...202....202... +wu...E
> > 0010  00 bc 1e 56 40 00 6c 06  xx xx 79 0b 50 ce xx xx   ...V at ...253...3427... xxy.P.xx
> > 0020  xx 7a 08 2b 05 99 a4 51  cc 4d b1 be 2b 43 50 18   xz.+...Q .M..+CP.
> > 0030  ff ff 3d 81 00 00 10 01  00 94 00 00 01 00 8c 00   ..=..... ........
> > 0040  00 00 01 00 00 71 00 00  00 00 00 00 00 07 d0 19   .....q.. ........
> > 0050  00 00 00 00 00 00 e0 03  00 00 20 fe ff ff 04 08   ........ .. .....
> > 0060  00 00 56 00 06 00 62 00  02 00 66 00 01 00 68 00   ..V...b. ..f...h.
> > 0070  00 00 68 00 0e 00 00 00  00 00 84 00 04 00 8c 00   ..h..... ........
> > 0080  00 00 8c 00 00 00 00 1c  25 5b 6f ff 00 00 00 00   ........ %[o.....
> > 0090  8c 00 00 00 44 00 57 00  44 00 57 00 34 00 44 00   ....D.W. D.W.4.D.
> > 00a0  73 00 61 00 b3 a5 xx 00  xx 00 2e 00 xx 00 xx 00   s.a...x. x...x.x.
> > 00b0  xx 00 2e 00 xx 00 xx 00  xx 00 2e 00 31 00 32 00   x...x.x. x...1.2.
> > 00c0  32 00 4f 00 44 00 42 00  43 00                     2.O.D.B. C.
> >
> > -------  End Data  -------
> >
> >
> > Bill Scherr IV, GSEC, GCIA
> > Principal Security Engineer
> > EWA Information and Infrastructure Technologies
> > bscherr at ...3384...
> > bscherr at ...3385...
> > 703-478-7608
> >
> >
> > _______________________________________________
> > Snort-sigs mailing list
> > Snort-sigs at lists.sourceforge.net
> > https://lists.sourceforge.net/lists/listinfo/snort-sigs
> >


Bill Scherr IV, GSEC, GCIA
Principal Security Engineer
EWA Information and Infrastructure Technologies
bscherr at ...3384...
bscherr at ...3385...
703-478-7608
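As an added illustration (my code, not anything posted in the thread or shipped with Snort), the Python below rebuilds the packet from the hex dump in the post and walks it through the content, pcre and byte_jump options of sid:3543 in the order Snort evaluates them. It assumes the redacted "xx" bytes are only address bytes, so they are zero-filled (none of the rule's options read them), and it does not model flow:, the threshold, or stream5 tracking. Function names such as tcp_payload, login7_fields and byte_jump_landing are mine.

```python
import re
import struct

# Constructed from the hex dump in the post (one 202-byte Ethernet frame).
# Assumption: the redacted "xx" tokens are address bytes only; they are
# filled with 0x00 here and no rule option below touches them.
FRAME_HEX = """
00 14 bf 52 fe 40 00 d0 2b 77 75 01 08 00 45 20
00 bc 1e 56 40 00 6c 06 xx xx 79 0b 50 ce xx xx
xx 7a 08 2b 05 99 a4 51 cc 4d b1 be 2b 43 50 18
ff ff 3d 81 00 00 10 01 00 94 00 00 01 00 8c 00
00 00 01 00 00 71 00 00 00 00 00 00 00 07 d0 19
00 00 00 00 00 00 e0 03 00 00 20 fe ff ff 04 08
00 00 56 00 06 00 62 00 02 00 66 00 01 00 68 00
00 00 68 00 0e 00 00 00 00 00 84 00 04 00 8c 00
00 00 8c 00 00 00 00 1c 25 5b 6f ff 00 00 00 00
8c 00 00 00 44 00 57 00 44 00 57 00 34 00 44 00
73 00 61 00 b3 a5 xx 00 xx 00 2e 00 xx 00 xx 00
xx 00 2e 00 xx 00 xx 00 xx 00 2e 00 31 00 32 00
32 00 4f 00 44 00 42 00 43 00
"""


def frame_bytes(hexdump=FRAME_HEX):
    """Turn the dump into bytes, zero-filling the redacted tokens."""
    return bytes(0 if tok == "xx" else int(tok, 16) for tok in hexdump.split())


def tcp_payload(frame):
    """Strip Ethernet (14), IPv4 (IHL) and TCP (data offset) headers; what is
    left is the payload that Snort's content/byte_jump offsets count from."""
    ip_start = 14
    ihl = (frame[ip_start] & 0x0F) * 4
    tcp_start = ip_start + ihl
    data_off = (frame[tcp_start + 12] >> 4) * 4
    return frame[tcp_start + data_off:]


# Order of the offset/length pairs in LOGIN7, per the FreeTDS page cited in the post.
LOGIN7_FIELDS = ["hostname", "username", "password", "appname",
                 "servername", "unused", "library", "language", "database"]


def login7_fields(payload):
    """Parse the LOGIN7 header and its offset/length table. The offsets in the
    table are relative to the start of LOGIN7 (payload offset 8), not to the
    start of the payload, which is the 8-byte gap the thread is about."""
    login = payload[8:]                       # skip the 8-byte TDS packet header
    fields = {
        "total_len": struct.unpack_from("<I", login, 0)[0],
        "tds_version": struct.unpack_from("<I", login, 4)[0],
    }
    for i, name in enumerate(LOGIN7_FIELDS):
        fields[name] = struct.unpack_from("<HH", login, 36 + 4 * i)
    for name in ("hostname", "username", "library"):   # plain UCS-2 strings
        off, nchars = fields[name]
        fields[name] = login[off:off + 2 * nchars].decode("utf-16-le")
    return fields


def byte_jump_landing(payload):
    """Emulate byte_jump:2,48,little,from_beginning followed by distance:8.
    Returns (offset the jump lands on, offset the next content starts at)."""
    jump = struct.unpack_from("<H", payload, 48)[0]   # the username offset field
    return jump, jump + 8


def sid3543_detection_options_match(payload):
    """Evaluate the content, pcre and byte_jump options of sid:3543 in order.
    flow: and threshold are not modelled."""
    if payload[0:1] != b"\x10":                       # content:"|10|"; depth:1;
        return False, "TDS packet type is not LOGIN7"
    if payload[34:36] != b"\x00\x00":                 # content:"|00 00|"; depth:2; offset:34;
        return False, "bytes at payload offset 34 differ"
    if payload[64:68] != b"\x00" * 4:                 # content:"|00 00 00 00|"; depth:4; offset:64;
        return False, "bytes at payload offset 64 differ"
    # pcre:"/^.{12}(\x00|\x01)\x00\x00(\x70|\x71)/smi"  -> TDS version 7.0/7.1
    if not re.match(rb"^.{12}[\x00\x01]\x00\x00[\x70\x71]", payload, re.S | re.I):
        return False, "TDS version bytes do not match 7.0/7.1"
    landing, start = byte_jump_landing(payload)
    # content:"s|00|a|00|"; within:4; distance:8; nocase;  -- within:4 pins the
    # 4-byte pattern to exactly payload[start:start + 4]
    if payload[start:start + 4].lower() != b"s\x00a\x00":
        return False, "no 'sa' at payload offset %d" % start
    return True, ("matched: byte_jump lands at %d, distance:8 moves to %d where 'sa' sits"
                  % (landing, start))


if __name__ == "__main__":
    pl = tcp_payload(frame_bytes())
    print("payload length:", len(pl), "(TDS header says %d)" % struct.unpack(">H", pl[2:4])[0])
    print(login7_fields(pl))
    print(sid3543_detection_options_match(pl))
```

Running it shows every detection option matching this packet: the jump reads 0x0062 at payload offset 48 and lands at payload offset 98, and distance:8 skips the TDS packet header so the "sa" at payload offset 106 (frame offset 0xa0) sits exactly inside the within:4 window. That leaves the options the script does not model, flow:to_server,established and its dependence on stream5 tracking port 1433, as the part of the rule to check when the packets arrive and nothing fires, which is where the thread ends up.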