[Snort-sigs] MSSQL False Neg

Matt Olney molney at ...435...
Tue Dec 1 17:53:17 EST 2009


Bill,

Don't worry about the PCAP.  Alex is slammed right now, he just got
back from a speaking engagement in Brazil, so he's still catching up.
I hand decoded your first packet, I'll post my findings here in a few.

Matt

On Tue, Dec 1, 2009 at 5:50 PM, Nigel Houghton <nhoughton at ...435...> wrote:
> On Tue, Dec 1, 2009 at 5:40 PM, Bill Scherr IV <bschnzl at ...3374...> wrote:
>> Alex,
>>
>> I would rather not post unobfuscated packets to a mailing list, as a matter of practice!  So here:
>>
>> {prior headers omitted}
>> Transmission Control Protocol, Src Port: 2091 (2091), Dst Port: 1433 (1433), Seq: 1, Ack: 1, Len: 148
>>    Source port: 2091 (2091)
>>    Destination port: 1433 (1433)
>>    [Stream index: 38]
>>    Sequence number: 1    (relative sequence number)
>>    [Next sequence number: 149    (relative sequence number)]
>>    Acknowledgement number: 1    (relative ack number)
>>    Header length: 20 bytes
>>    Flags: 0x18 (PSH, ACK)
>>        0... .... = Congestion Window Reduced (CWR): Not set
>>        .0.. .... = ECN-Echo: Not set
>>        ..0. .... = Urgent: Not set
>>        ...1 .... = Acknowledgement: Set
>>        .... 1... = Push: Set
>>        .... .0.. = Reset: Not set
>>        .... ..0. = Syn: Not set
>>        .... ...0 = Fin: Not set
>>    Window size: 65535
>>    Checksum: 0x3d81 [correct]
>>        [Good Checksum: True]
>>        [Bad Checksum: False]
>>    [SEQ/ACK analysis]
>>        [Number of bytes in flight: 148]
>>    [Timestamps]
>>        [Time since first frame in this TCP stream: 0.260313000 seconds]
>>        [Time since previous frame in this TCP stream: 0.000455000 seconds]
>> Tabular Data Stream
>>    Type: TDS7/8 Login Packet (0x10)
>>    Status: Last buffer in request or response (1)
>>    Size: 148
>>    Channel: 0
>>    Packet Number: 1
>>    Window: 0
>>    TDS7 Login Packet
>>        Login Packet Header
>>            Total Packet Length: 140
>>            TDS version: 0x01000071
>>            Packet Size: 0
>>            Client version: 7
>>            Client PID: 6608
>>            Connection ID: 0
>>            Option Flags 1: 0xe0
>>            Option Flags 2: 0x03
>>            SQL Type Flags: 0x00
>>            Reserved Flags: 0x00
>>            Time Zone: 0x20feffff
>>            Collation: 0x04080000
>>        Lengths and offsets
>>            Client Name offset: 86
>>            Client Name length: 6
>>            Username offset: 98
>>            Username length: 2
>>            Password offset: 102
>>            Password length: 1
>>            App Name offset: 104
>>            App Name length: 0
>>            Server Name offset: 104
>>            Server Name length: 14
>>            Unknown1 offset: 0
>>            Unknown1 length: 0
>>            Library Name offset: 132
>>            Library Name length: 4
>>            Locale offset: 140
>>            Locale length: 0
>>            Database Name offset: 140
>>            Database Name length: 0
>>        Client Name: DWDW4D
>>        Username: sa
>>        Password: a
>>        Server Name: xx.xx.xx.122
>>        Library Name: ODBC
>>
>> 0000  00 14 bf 52 fe 40 00 d0 2b 77 75 01 08 00 45 20   ...R. at ...3428......+wu...E
>> 0010  00 bc 1e 56 40 00 6c 06 xx xx 79 0b 50 ce xx xx   ...V at ...3433......
>> 0020  xx 7a 08 2b 05 99 a4 51 cc 4d b1 be 2b 43 50 18   xz.+...Q.M..+CP.
>> 0030  ff ff 3d 81 00 00 10 01 00 94 00 00 01 00 8c 00   ..=.............
>> 0040  00 00 01 00 00 71 00 00 00 00 00 00 00 07 d0 19   .....q..........
>> 0050  00 00 00 00 00 00 e0 03 00 00 20 fe ff ff 04 08   .......... .....
>> 0060  00 00 56 00 06 00 62 00 02 00 66 00 01 00 68 00   ..V...b...f...h.
>> 0070  00 00 68 00 0e 00 00 00 00 00 84 00 04 00 8c 00   ..h.............
>> 0080  00 00 8c 00 00 00 00 1c 25 5b 6f ff 00 00 00 00   ........%[o.....
>> 0090  8c 00 00 00 44 00 57 00 44 00 57 00 34 00 44 00   ....D.W.D.W.4.D.
>> 00a0  73 00 61 00 b3 a5 xx 00 xx 00 xx 00 xx 00 xx 00   s.a...x.x.x.x.x.
>> 00b0  xx 00 xx 00 xx 00 xx 00 xx 00 2e 00 31 00 32 00   x.x.x.x.x...1.2.
>> 00c0  32 00 4f 00 44 00 42 00 43 00                     2.O.D.B.C.
>>
>> And the rule:
>> alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"SQL SA brute force login attempt TDS
>> v7/8"; flow:to_server,established; content:"|10|"; depth:1; content:"|00 00|"; depth:2; offset:34;
>> content:"|00 00 00 00|"; depth:4; offset:64; pcre:"/^.{12}(\x00|\x01)\x00\x00(\x70|\x71)/smi";
>> byte_jump:2,48,little,from_beginning; content:"s|00|a|00|"; within:4; distance:8; nocase; threshold:type
>> threshold, track by_src, count 5, seconds 2; reference:bugtraq,4797; reference:cve,2000-1209;
>> reference:nessus,10673; classtype:suspicious-login; sid:3543; rev:4;)
>>
>> enjoy!
>>
>> B.
>>
>> Circa 16:22, 1 Dec 2009, a note, claiming source Alex Kirk <akirk at ...3404......>, was sent to me:
>>
>> Date sent:      Tue, 1 Dec 2009 16:22:04 -0500
>> Subject:        Re: [Snort-sigs] MSSQL False Neg
>> From:   Alex Kirk <akirk at ...435...>
>> To:     bschnzl at ...3374...
>> Copies to:      snort-sigs at lists.sourceforge.net
>>
>>> Can you please send a PCAP? Having one would make debugging this much
>>> easier.
>>>
>>> On Tue, Dec 1, 2009 at 3:34 PM, Bill Scherr IV <bschnzl at ...3374...> wrote:
>>>
>>> > Folks...
>>> >
>>> >   Snort has a sig that should fire on these packets (IMHO).  The packet
>>> > indicates the distance of the
>>> > username (offset 0x0066) from the TDS Login data of the packet (beginning
>>> > at offset 0x003e).  There
>>> > are lots of length indicators, but they all start from 0x003e.  The
>>> > byte_jump starts from the beginning of
>>> > data (offset 0x0036), if I read right.  I am thinking
>>> > /content:"s|00|a|00|"; within:8; distance:8;/
>>> >
>>> >   I am using the reference @ http://www.freetds.org/tds.html#login7
>>> >
>>> >   The threshold was met, several times over, but nothing fired!  Am I on
>>> > track here?
>>> >
>>> > -------  Data  -------
>>> >
>>
>> {snip}
>>
>>
>> Bill Scherr IV, GSEC, GCIA
>> Principal Security Engineer
>> EWA Information and Infrastructure Technologies
>> bscherr at ...3384...
>> bscherr at ...3385...
>> 703-478-7608
>>
>>
>> ------------------------------------------------------------------------------
>> Join us December 9, 2009 for the Red Hat Virtual Experience,
>> a free event focused on virtualization and cloud computing.
>> Attend in-depth sessions from your desk. Your couch. Anywhere.
>> http://p.sf.net/sfu/redhat-sfdev2dev
>> _______________________________________________
>> Snort-sigs mailing list
>> Snort-sigs at lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/snort-sigs
>>
>
>
> If you use snort -O you can obfuscate the addresses, and I think Alex
> probably meant "send me a pcap" as opposed to the list.
>
> --
> Nigel Houghton
> Head Mentalist
> SF VRT
> http://vrt-sourcefire.blogspot.com && http://www.snort.org/vrt/
>
>
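As an added worked check (not code from the thread or from the Snort project), the Python below reconstructs the login packet from the dump above, parses the LOGIN7 offset table the way the Wireshark decode does, and replays sid:3543's content/byte_jump/distance/within arithmetic on it. The server name is a made-up placeholder of the same length, and the rule emulation ignores flow state and the threshold.

```python
import re
import struct

def u16(s: str) -> bytes:
    return s.encode("utf-16-le")          # TDS7 strings are UTF-16LE, lengths are in characters

# Constructed TDS7 login payload modelled on the hex dump in the thread (TCP payload only, so
# Snort's payload offset 0 is the 0x10 type byte). The obfuscated server name is replaced by
# a made-up RFC 1918 placeholder of the same 14-character length.
def build_login7() -> bytes:
    client, user, server, lib = u16("DWDW4D"), u16("sa"), u16("192.168.10.122"), u16("ODBC")
    # TDS7 password encoding: swap the nibbles of every byte, then XOR 0xA5
    # ('a' = 61 00 becomes b3 a5, as in the dump).
    pwd = bytes(((((b << 4) & 0xF0) | (b >> 4)) ^ 0xA5) for b in u16("a"))
    fixed = struct.pack("<IIIIII", 140, 0x71000001, 0, 7, 6608, 0)  # len, TDS ver, pkt size, client ver, PID, conn id
    fixed += bytes([0xE0, 0x03, 0x00, 0x00]) + struct.pack("<iI", -480, 0x0804)  # option flags, time zone, collation
    # (offset, length) pairs; offsets are relative to the start of the LOGIN7 record, i.e. payload offset 8
    fixed += struct.pack("<18H", 86, 6, 98, 2, 102, 1, 104, 0, 104, 14, 0, 0, 132, 4, 140, 0, 140, 0)
    fixed += bytes.fromhex("001c255b6fff") + struct.pack("<HHHH", 0, 0, 140, 0)  # client MAC, SSPI, attach-db
    login7 = fixed + client + user + pwd + server + lib
    assert len(fixed) == 86 and len(login7) == 140
    return struct.pack(">BBHHBB", 0x10, 0x01, 8 + len(login7), 0, 1, 0) + login7  # 8-byte TDS packet header

def parse_login7(payload: bytes) -> dict:
    """Recover the variable-length fields of a TDS7 login packet, the way Wireshark's decode does."""
    assert payload[0] == 0x10, "not a TDS7/8 login packet"
    body = payload[8:]                                   # LOGIN7 record: all offsets count from here
    pairs = struct.unpack_from("<18H", body, 36)
    names = ("client", "user", "pwd", "app", "server", "unknown", "lib", "locale", "db")
    fields = {}
    for i, name in enumerate(names):
        off, n = pairs[2 * i], pairs[2 * i + 1]
        raw = body[off:off + 2 * n]
        if name == "pwd":                                # undo the XOR, then swap the nibbles back
            raw = bytes((((b ^ 0xA5) >> 4) | ((b ^ 0xA5) << 4)) & 0xFF for b in raw)
        fields[name] = raw.decode("utf-16-le")
    return fields

def rule_3543_walk(payload: bytes) -> dict:
    """Replay sid:3543's byte-level options on one payload (flow state and threshold not modelled)."""
    r = {"type_ok": payload[:1] == b"\x10"}                                  # content:"|10|"; depth:1
    r["flags_ok"] = payload[34:36] == b"\x00\x00"                            # content:"|00 00|"; depth:2; offset:34
    r["unknown_ok"] = payload[64:68] == b"\x00" * 4                          # content:"|00 00 00 00|"; depth:4; offset:64
    r["tds_ver_ok"] = re.match(rb"^.{12}[\x00\x01]\x00\x00[\x70\x71]", payload, re.S | re.I) is not None
    r["jump_to"] = struct.unpack_from("<H", payload, 48)[0]                  # byte_jump:2,48,little,from_beginning
    r["cursor"] = r["jump_to"] + 8                                           # distance:8 (skips the TDS header)
    window = payload[r["cursor"]:r["cursor"] + 4]                            # within:4
    r["user_ok"] = window.lower() == b"s\x00a\x00"                           # content:"s|00|a|00|"; nocase
    r["match"] = all(r[k] for k in ("type_ok", "flags_ok", "unknown_ok", "tds_ver_ok", "user_ok"))
    return r
```

On this reconstruction the byte_jump reads 98 from payload offset 48 and distance:8 moves the cursor past the 8-byte TDS header to payload offset 106, which is where the username "sa" sits, so the option arithmetic itself lines up; the walk dict lets you see which option fails on a real capture.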