[Snort-sigs] MSSQL False Neg

Bill Scherr IV bschnzl at ...3374...
Tue Dec 1 17:40:40 EST 2009


Alex,

I would rather not post unobfuscated packets to a mailing list, as a matter of practice!  So here:

{prior headers omitted}
Transmission Control Protocol, Src Port: 2091 (2091), Dst Port: 1433 (1433), Seq: 1, Ack: 1, Len: 148
    Source port: 2091 (2091)
    Destination port: 1433 (1433)
    [Stream index: 38]
    Sequence number: 1    (relative sequence number)
    [Next sequence number: 149    (relative sequence number)]
    Acknowledgement number: 1    (relative ack number)
    Header length: 20 bytes
    Flags: 0x18 (PSH, ACK)
        0... .... = Congestion Window Reduced (CWR): Not set
        .0.. .... = ECN-Echo: Not set
        ..0. .... = Urgent: Not set
        ...1 .... = Acknowledgement: Set
        .... 1... = Push: Set
        .... .0.. = Reset: Not set
        .... ..0. = Syn: Not set
        .... ...0 = Fin: Not set
    Window size: 65535
    Checksum: 0x3d81 [correct]
        [Good Checksum: True]
        [Bad Checksum: False]
    [SEQ/ACK analysis]
        [Number of bytes in flight: 148]
    [Timestamps]
        [Time since first frame in this TCP stream: 0.260313000 seconds]
        [Time since previous frame in this TCP stream: 0.000455000 seconds]
Tabular Data Stream
    Type: TDS7/8 Login Packet (0x10)
    Status: Last buffer in request or response (1)
    Size: 148
    Channel: 0
    Packet Number: 1
    Window: 0
    TDS7 Login Packet
        Login Packet Header
            Total Packet Length: 140
            TDS version: 0x01000071
            Packet Size: 0
            Client version: 7
            Client PID: 6608
            Connection ID: 0
            Option Flags 1: 0xe0
            Option Flags 2: 0x03
            SQL Type Flags: 0x00
            Reserved Flags: 0x00
            Time Zone: 0x20feffff
            Collation: 0x04080000
        Lengths and offsets
            Client Name offset: 86
            Client Name length: 6
            Username offset: 98
            Username length: 2
            Password offset: 102
            Password length: 1
            App Name offset: 104
            App Name length: 0
            Server Name offset: 104
            Server Name length: 14
            Unknown1 offset: 0
            Unknown1 length: 0
            Library Name offset: 132
            Library Name length: 4
            Locale offset: 140
            Locale length: 0
            Database Name offset: 140
            Database Name length: 0
        Client Name: DWDW4D
        Username: sa
        Password: a
        Server Name: xx.xx.xx.122
        Library Name: ODBC

0000  00 14 bf 52 fe 40 00 d0 2b 77 75 01 08 00 45 20   ...R. at ...202...+wu...E 
0010  00 bc 1e 56 40 00 6c 06 xx xx 79 0b 50 ce xx xx   ...V at ...3430...
0020  xx 7a 08 2b 05 99 a4 51 cc 4d b1 be 2b 43 50 18   xz.+...Q.M..+CP.
0030  ff ff 3d 81 00 00 10 01 00 94 00 00 01 00 8c 00   ..=.............
0040  00 00 01 00 00 71 00 00 00 00 00 00 00 07 d0 19   .....q..........
0050  00 00 00 00 00 00 e0 03 00 00 20 fe ff ff 04 08   .......... .....
0060  00 00 56 00 06 00 62 00 02 00 66 00 01 00 68 00   ..V...b...f...h.
0070  00 00 68 00 0e 00 00 00 00 00 84 00 04 00 8c 00   ..h.............
0080  00 00 8c 00 00 00 00 1c 25 5b 6f ff 00 00 00 00   ........%[o.....
0090  8c 00 00 00 44 00 57 00 44 00 57 00 34 00 44 00   ....D.W.D.W.4.D.
00a0  73 00 61 00 b3 a5 xx 00 xx 00 xx 00 xx 00 xx 00   s.a...x.x.x.x.x.
00b0  xx 00 xx 00 xx 00 xx 00 xx 00 2e 00 31 00 32 00   x.x.x.x.x...1.2.
00c0  32 00 4f 00 44 00 42 00 43 00                     2.O.D.B.C.

And the rule:
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"SQL SA brute force login attempt TDS 
v7/8"; flow:to_server,established; content:"|10|"; depth:1; content:"|00 00|"; depth:2; offset:34; 
content:"|00 00 00 00|"; depth:4; offset:64; pcre:"/^.{12}(\x00|\x01)\x00\x00(\x70|\x71)/smi"; 
byte_jump:2,48,little,from_beginning; content:"s|00|a|00|"; within:4; distance:8; nocase; threshold:type 
threshold, track by_src, count 5, seconds 2; reference:bugtraq,4797; reference:cve,2000-1209; 
reference:nessus,10673; classtype:suspicious-login; sid:3543; rev:4;)

enjoy!

B.

Circa 16:22, 1 Dec 2009, a note, claiming source Alex Kirk <akirk at ...435...>, was sent to me:

Date sent:	Tue, 1 Dec 2009 16:22:04 -0500
Subject:	Re: [Snort-sigs] MSSQL False Neg
From:	Alex Kirk <akirk at ...435...>
To:	bschnzl at ...3374...
Copies to:	snort-sigs at lists.sourceforge.net

> Can you please send a PCAP? Having one would make debugging this much
> easier.
> 
> On Tue, Dec 1, 2009 at 3:34 PM, Bill Scherr IV <bschnzl at ...3374...> wrote:
> 
> > Folks...
> >
> >   Snort has a sig that should fire on these packets (IMHO).  The packet
> > indicates the distance of the
> > username (offset 0x0066) from the TDS Login data of the packet (beginning
> > at offset 0x003e).  There
> > are lots of length indicators, but they all start from 0x003e.  The
> > byte_jump starts from the beginning of
> > data (offset 0x0036), if I read right.  I am thinking
> > /content:"s|00|a|00|"; within:8; distance:8;/
> >
> >   I am using the reference @ http://www.freetds.org/tds.html#login7
> >
> >   The threshold was met, several times over, but nothing fired!  Am I on
> > track here?
> >
> > -------  Data  -------
> >

{snip}


Bill Scherr IV, GSEC, GCIA
Principal Security Engineer
EWA Information and Infrastructure Technologies
bscherr at ...3384...
bscherr at ...3385...
703-478-7608





More information about the Snort-sigs mailing list