[Snort-sigs] MSSQL False Neg

Nigel Houghton nhoughton at ...435...
Tue Dec 1 17:50:00 EST 2009


On Tue, Dec 1, 2009 at 5:40 PM, Bill Scherr IV <bschnzl at ...3374...> wrote:
> Alex,
>
> I would rather not post unobfuscated packets to a mailing list, as a matter of practice!  So here:
>
> {prior headers omitted}
> Transmission Control Protocol, Src Port: 2091 (2091), Dst Port: 1433 (1433), Seq: 1, Ack: 1, Len: 148
>    Source port: 2091 (2091)
>    Destination port: 1433 (1433)
>    [Stream index: 38]
>    Sequence number: 1    (relative sequence number)
>    [Next sequence number: 149    (relative sequence number)]
>    Acknowledgement number: 1    (relative ack number)
>    Header length: 20 bytes
>    Flags: 0x18 (PSH, ACK)
>        0... .... = Congestion Window Reduced (CWR): Not set
>        .0.. .... = ECN-Echo: Not set
>        ..0. .... = Urgent: Not set
>        ...1 .... = Acknowledgement: Set
>        .... 1... = Push: Set
>        .... .0.. = Reset: Not set
>        .... ..0. = Syn: Not set
>        .... ...0 = Fin: Not set
>    Window size: 65535
>    Checksum: 0x3d81 [correct]
>        [Good Checksum: True]
>        [Bad Checksum: False]
>    [SEQ/ACK analysis]
>        [Number of bytes in flight: 148]
>    [Timestamps]
>        [Time since first frame in this TCP stream: 0.260313000 seconds]
>        [Time since previous frame in this TCP stream: 0.000455000 seconds]
> Tabular Data Stream
>    Type: TDS7/8 Login Packet (0x10)
>    Status: Last buffer in request or response (1)
>    Size: 148
>    Channel: 0
>    Packet Number: 1
>    Window: 0
>    TDS7 Login Packet
>        Login Packet Header
>            Total Packet Length: 140
>            TDS version: 0x01000071
>            Packet Size: 0
>            Client version: 7
>            Client PID: 6608
>            Connection ID: 0
>            Option Flags 1: 0xe0
>            Option Flags 2: 0x03
>            SQL Type Flags: 0x00
>            Reserved Flags: 0x00
>            Time Zone: 0x20feffff
>            Collation: 0x04080000
>        Lengths and offsets
>            Client Name offset: 86
>            Client Name length: 6
>            Username offset: 98
>            Username length: 2
>            Password offset: 102
>            Password length: 1
>            App Name offset: 104
>            App Name length: 0
>            Server Name offset: 104
>            Server Name length: 14
>            Unknown1 offset: 0
>            Unknown1 length: 0
>            Library Name offset: 132
>            Library Name length: 4
>            Locale offset: 140
>            Locale length: 0
>            Database Name offset: 140
>            Database Name length: 0
>        Client Name: DWDW4D
>        Username: sa
>        Password: a
>        Server Name: xx.xx.xx.122
>        Library Name: ODBC
>
> 0000  00 14 bf 52 fe 40 00 d0 2b 77 75 01 08 00 45 20   ...R.@..+wu...E
> 0010  00 bc 1e 56 40 00 6c 06 xx xx 79 0b 50 ce xx xx   ...V@.l.xxy.P.xx
> 0020  xx 7a 08 2b 05 99 a4 51 cc 4d b1 be 2b 43 50 18   xz.+...Q.M..+CP.
> 0030  ff ff 3d 81 00 00 10 01 00 94 00 00 01 00 8c 00   ..=.............
> 0040  00 00 01 00 00 71 00 00 00 00 00 00 00 07 d0 19   .....q..........
> 0050  00 00 00 00 00 00 e0 03 00 00 20 fe ff ff 04 08   .......... .....
> 0060  00 00 56 00 06 00 62 00 02 00 66 00 01 00 68 00   ..V...b...f...h.
> 0070  00 00 68 00 0e 00 00 00 00 00 84 00 04 00 8c 00   ..h.............
> 0080  00 00 8c 00 00 00 00 1c 25 5b 6f ff 00 00 00 00   ........%[o.....
> 0090  8c 00 00 00 44 00 57 00 44 00 57 00 34 00 44 00   ....D.W.D.W.4.D.
> 00a0  73 00 61 00 b3 a5 xx 00 xx 00 xx 00 xx 00 xx 00   s.a...x.x.x.x.x.
> 00b0  xx 00 xx 00 xx 00 xx 00 xx 00 2e 00 31 00 32 00   x.x.x.x.x...1.2.
> 00c0  32 00 4f 00 44 00 42 00 43 00                     2.O.D.B.C.
>
> And the rule:
> alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"SQL SA brute force login attempt TDS
> v7/8"; flow:to_server,established; content:"|10|"; depth:1; content:"|00 00|"; depth:2; offset:34;
> content:"|00 00 00 00|"; depth:4; offset:64; pcre:"/^.{12}(\x00|\x01)\x00\x00(\x70|\x71)/smi";
> byte_jump:2,48,little,from_beginning; content:"s|00|a|00|"; within:4; distance:8; nocase; threshold:type
> threshold, track by_src, count 5, seconds 2; reference:bugtraq,4797; reference:cve,2000-1209;
> reference:nessus,10673; classtype:suspicious-login; sid:3543; rev:4;)
>
> enjoy!
>
> B.
>
> Circa 16:22, 1 Dec 2009, a note, claiming source Alex Kirk <akirk at ...3432.....>, was sent to me:
>
> Date sent:      Tue, 1 Dec 2009 16:22:04 -0500
> Subject:        Re: [Snort-sigs] MSSQL False Neg
> From:   Alex Kirk <akirk at ...435...>
> To:     bschnzl at ...3374...
> Copies to:      snort-sigs at lists.sourceforge.net
>
>> Can you please send a PCAP? Having one would make debugging this much
>> easier.
>>
>> On Tue, Dec 1, 2009 at 3:34 PM, Bill Scherr IV <bschnzl at ...3374...> wrote:
>>
>> > Folks...
>> >
>> >   Snort has a sig that should fire on these packets (IMHO).  The packet
>> > indicates the distance of the
>> > username (offset 0x0066) from the TDS Login data of the packet (beginning
>> > at offset 0x003e).  There
>> > are lots of length indicators, but they all start from 0x003e.  The
>> > byte_jump starts from the beginning of
>> > data (offset 0x0036), if I read right.  I am thinking
>> > /content:"s|00|a|00|"; within:8; distance:8;/
>> >
>> >   I am using the reference @ http://www.freetds.org/tds.html#login7
>> >
>> >   The threshold was met, several times over, but nothing fired!  Am I on
>> > track here?
>> >
>> > -------  Data  -------
>> >
>
> {snip}
>
>
> Bill Scherr IV, GSEC, GCIA
> Principal Security Engineer
> EWA Information and Infrastructure Technologies
> bscherr at ...3384...
> bscherr at ...3385...
> 703-478-7608
>
>


If you use snort -O you can obfuscate the addresses, and I think Alex
probably meant "send me a pcap" as opposed to the list.

-- 
Nigel Houghton
Head Mentalist
SF VRT
http://vrt-sourcefire.blogspot.com && http://www.snort.org/vrt/
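As an added check (not part of the thread, and not Sourcefire/VRT code), the Python below walks the quoted LOGIN7 packet and replays the payload options of sid:3543 against it. It assumes the FreeTDS tds.html#login7 layout Bill references, rebuilds the 148-byte TCP payload from the hex dump (frame offset 0x36 onward; the obfuscated `xx` bytes of the server name are stood in by ASCII `x`, a constructed placeholder), and reports where byte_jump:2,48,little,from_beginning lands versus where the username actually starts. On these bytes the chain lines up: the jump reads 98 from the username offset field, that value is relative to the LOGIN7 structure at payload offset 8, and the rule's distance:8 bridges exactly that gap, so the content match succeeds with within:4 as posted (and still with the within:8 Bill proposes). What the payload alone cannot show is the rest of the rule, the $EXTERNAL_NET/$SQL_SERVERS header, flow:to_server,established and the threshold, which is why a pcap is the right thing to ask for.

```python
"""Walk the quoted TDS7 login packet against Snort sid:3543's payload options.

Constructed example: PAYLOAD is the 148-byte TCP payload from the hex dump in
the thread (frame offset 0x36 onward); the obfuscated 'xx' bytes of the server
name are replaced with ASCII 'x' (0x78) as a placeholder.
"""
import re
import struct

PAYLOAD = bytes.fromhex(
    "10 01 00 94 00 00 01 00 8c 00 "                    # 0x0036: TDS header, LOGIN7 length
    "00 00 01 00 00 71 00 00 00 00 00 00 00 07 d0 19 "  # 0x0040
    "00 00 00 00 00 00 e0 03 00 00 20 fe ff ff 04 08 "  # 0x0050
    "00 00 56 00 06 00 62 00 02 00 66 00 01 00 68 00 "  # 0x0060
    "00 00 68 00 0e 00 00 00 00 00 84 00 04 00 8c 00 "  # 0x0070
    "00 00 8c 00 00 00 00 1c 25 5b 6f ff 00 00 00 00 "  # 0x0080
    "8c 00 00 00 44 00 57 00 44 00 57 00 34 00 44 00 "  # 0x0090
    "73 00 61 00 b3 a5 78 00 78 00 78 00 78 00 78 00 "  # 0x00a0 ('xx' -> 'x')
    "78 00 78 00 78 00 78 00 78 00 2e 00 31 00 32 00 "  # 0x00b0
    "32 00 4f 00 44 00 42 00 43 00"                     # 0x00c0
)

TDS_HEADER_LEN = 8            # type, status, length(2), channel(2), packet number, window
LOGIN7_BASE = TDS_HEADER_LEN  # LOGIN7 offset fields count from here, not from the payload start

# Name and position (inside LOGIN7) of each 2-byte offset field; the 2-byte
# character count follows it. Order per the FreeTDS tds.html#login7 layout.
LOGIN7_FIELDS = [
    ("hostname", 36), ("username", 40), ("password", 44), ("appname", 48),
    ("servername", 52), ("unused", 56), ("library", 60), ("language", 64),
    ("database", 68),
]


def decode_tds7_password(raw):
    """Undo the LOGIN7 password obfuscation (per byte: XOR 0xA5, swap nibbles)."""
    clear = bytearray()
    for b in raw:
        x = b ^ 0xA5
        clear.append(((x << 4) | (x >> 4)) & 0xFF)
    return clear.decode("utf-16-le")


def parse_login7(payload):
    """Return {name: (login7_offset, char_count, payload_offset, text)}.

    Offsets stored in the packet are relative to the LOGIN7 structure, which
    begins after the 8-byte TDS header; payload_offset is where a Snort
    byte_jump ... from_beginning would actually have to land."""
    ptype, _status, length = struct.unpack_from(">BBH", payload, 0)
    if ptype != 0x10:
        raise ValueError("not a TDS7/8 login packet (type 0x10)")
    if length != len(payload):
        raise ValueError("TDS length %d != payload length %d" % (length, len(payload)))
    fields = {}
    for name, pos in LOGIN7_FIELDS:
        off, cnt = struct.unpack_from("<HH", payload, LOGIN7_BASE + pos)
        start = LOGIN7_BASE + off
        raw = payload[start:start + 2 * cnt]      # cnt counts UCS-2 characters
        text = decode_tds7_password(raw) if name == "password" else raw.decode("utf-16-le")
        fields[name] = (off, cnt, start, text)
    return fields


SA_PATTERN = b"s\x00a\x00"    # content:"s|00|a|00|"


def sid3543_payload_match(payload, distance=8, within=4):
    """Evaluate sid:3543's content/pcre/byte_jump chain on one payload.

    Returns (matched, detail). distance/within default to the rule as posted;
    other values show what a change such as within:8 would do."""
    if payload[:1] != b"\x10":                       # content:"|10|"; depth:1;
        return False, "type byte"
    if payload[34:36] != b"\x00\x00":                # content:"|00 00|"; depth:2; offset:34;
        return False, "offset 34"
    if payload[64:68] != b"\x00\x00\x00\x00":        # content:"|00 00 00 00|"; depth:4; offset:64;
        return False, "offset 64"
    # pcre:"/^.{12}(\x00|\x01)\x00\x00(\x70|\x71)/smi" -> TDS 7.0/7.1 version bytes
    if not re.match(rb"^.{12}(\x00|\x01)\x00\x00(\x70|\x71)", payload, re.S):
        return False, "pcre"
    # byte_jump:2,48,little,from_beginning; -> read the username offset field and
    # place the detection pointer that many bytes from the start of the payload
    (jump,) = struct.unpack_from("<H", payload, 48)
    doe = jump
    # content:"s|00|a|00|"; within:N; distance:M; nocase;
    start = doe + distance
    window = payload[start:start + within].lower()
    if SA_PATTERN not in window:
        return False, "no 's|00|a|00|' in payload[%d:%d]" % (start, start + within)
    return True, doe


if __name__ == "__main__":
    for name, (off, cnt, start, text) in parse_login7(PAYLOAD).items():
        print("%-10s login7+%-3d payload+%-3d chars=%-2d %r" % (name, off, start, cnt, text))
    print("rule as posted:     ", sid3543_payload_match(PAYLOAD))
    print("without distance:8: ", sid3543_payload_match(PAYLOAD, distance=0))
    print("with within:8:      ", sid3543_payload_match(PAYLOAD, within=8))
```

Running it prints the username at LOGIN7 offset 98 but payload offset 106, the byte_jump pointer at 98, and a match for the rule as posted; dropping distance:8 puts the pointer on the hostname bytes and the match fails, which is the 8-byte discrepancy Bill describes.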