[Snort-sigs] Sig Not Firing

Bill Scherr IV bschnzl at ...3374...
Tue Jul 7 15:17:40 EDT 2009


Hi Folks...

Why won't this rule fire?

Here is the rule:
alert tcp $EXTERNAL_NET ANY -> $HOME_NET 1024:2048 ( \
    msg:"NETBIOS DCERPC rpcmgmt ifids Unauthenticated Access"; \
    flow:established,to_server; content:"|05|"; \
    dce_iface:afa8bd80-7d8a-11c9-bef4-08002b102989; \
    reference:url,www.symantec.com/avcenter/reference/Vista_Network_Attack_Surface_RTM.pdf; \
    reference:url,www.blackhat.com/presentations/win-usa-04/bh-win-04-seki-up2.pdf; \
    reference:url,seclists.org/fulldisclosure/2003/Aug/0432.html; \
    classtype:attempted-recon; sid:2999001; rev:1;)

Here is the packet Hex:
0000  00 14 bf 52 fe 40 00 d0 2b 77 75 01 08 00 45 20   ...R.@..+wu...E
0010  00 70 14 b4 40 00 6b 06 xx xx dc a3 fc 38 43 a6   .p..@.k.xx...8C.
0020  xx xx 04 27 04 00 00 84 61 c8 c9 20 c2 24 50 18   xx.'....a.. .$P.
0030  ff ff e0 a3 00 00 05 00 0b 03 10 00 00 00 48 00   ..............H.
0040  00 00 01 00 00 00 d0 16 d0 16 00 00 00 00 01 00   ................
0050  00 00 00 00 01 00 80 bd a8 af 8a 7d c9 11 be f4   ...........}....
0060  08 00 2b 10 29 89 01 00 00 00 04 5d 88 8a eb 1c   ..+.)......]....
0070  c9 11 9f e8 08 00 2b 10 48 60 02 00 00 00         ......+.H`....

I believe that snort is configured properly:
[...]
#
preprocessor dcerpc2: \
    memcap 100000
preprocessor dcerpc2_server: default, policy WinXP, \
    detect tcp [135,139,445,1025:2048]
#
[...]
include $RULE_PATH/netbios.rules
[...]

I currently have 2005 alerts in the BASE alerts database.  I want a rule to fire on the above packet.  
What is happening?

tshark analysis of above packet:

Frame 1 (126 bytes on wire, 126 bytes captured)
    Arrival Time: Jul  7, 2009 12:17:45.246381000
    [Time delta from previous captured frame: 0.000000000 seconds]
    [Time delta from previous displayed frame: 0.000000000 seconds]
    [Time since reference or first frame: 0.000000000 seconds]
    Frame Number: 1
    Frame Length: 126 bytes
    Capture Length: 126 bytes
    [Frame is marked: False]
    [Protocols in frame: eth:ip:tcp:dcerpc]
Ethernet II, Src: 00:d0:2b:77:75:01 (00:d0:2b:77:75:01), Dst: 00:14:bf:my:box:card (00:14:bf:my:box:card)
    Destination: 00:14:bf:my:box:card (00:14:bf:my:box:card)
        Address: 00:14:bf:my:box:card (00:14:bf:my:box:card)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
    Source: 00:d0:2b:77:75:01 (00:d0:2b:77:75:01)
        Address: 00:d0:2b:77:75:01 (00:d0:2b:77:75:01)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
    Type: IP (0x0800)
Internet Protocol, Src: 220.163.252.56 (220.163.252.56), Dst: 67.166.my.box (67.166.my.box)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x20 (DSCP 0x08: Class Selector 1; ECN: 0x00)
        0010 00.. = Differentiated Services Codepoint: Class Selector 1 (0x08)
        .... ..0. = ECN-Capable Transport (ECT): 0
        .... ...0 = ECN-CE: 0
    Total Length: 112
    Identification: 0x14b4 (5300)
    Flags: 0x04 (Don't Fragment)
        0... = Reserved bit: Not set
        .1.. = Don't fragment: Set
        ..0. = More fragments: Not set
    Fragment offset: 0
    Time to live: 107
    Protocol: TCP (0x06)
    Header checksum: 0xxxxx [correct]
        [Good: True]
        [Bad : False]
    Source: 220.163.252.56 (220.163.252.56)
    Destination: 67.166.my.box (67.166.my.box)
Transmission Control Protocol, Src Port: 1063 (1063), Dst Port: 1024 (1024), Seq: 1, Ack: 1, Len: 72
    Source port: 1063 (1063)
    Destination port: 1024 (1024)
    Sequence number: 1    (relative sequence number)
    [Next sequence number: 73    (relative sequence number)]
    Acknowledgement number: 1    (relative ack number)
    Header length: 20 bytes
    Flags: 0x18 (PSH, ACK)
        0... .... = Congestion Window Reduced (CWR): Not set
        .0.. .... = ECN-Echo: Not set
        ..0. .... = Urgent: Not set
        ...1 .... = Acknowledgment: Set
        .... 1... = Push: Set
        .... .0.. = Reset: Not set
        .... ..0. = Syn: Not set
        .... ...0 = Fin: Not set
    Window size: 65535
    Checksum: 0xe0a3 [correct]
        [Good Checksum: True]
        [Bad Checksum: False]
DCE RPC Bind, Fragment: Single, FragLen: 72, Call: 1
    Version: 5
    Version (minor): 0
    Packet type: Bind (11)
    Packet Flags: 0x03
        0... .... = Object: Not set
        .0.. .... = Maybe: Not set
        ..0. .... = Did Not Execute: Not set
        ...0 .... = Multiplex: Not set
        .... 0... = Reserved: Not set
        .... .0.. = Cancel Pending: Not set
        .... ..1. = Last Frag: Set
        .... ...1 = First Frag: Set
    Data Representation: 10000000
        Byte order: Little-endian (1)
        Character: ASCII (0)
        Floating-point: IEEE (0)
    Frag Length: 72
    Auth Length: 0
    Call ID: 1
    Max Xmit Frag: 5840
    Max Recv Frag: 5840
    Assoc Group: 0x00000000
    Num Ctx Items: 1
    Ctx Item[1]: ID:0
        Context ID: 0
        Num Trans Items: 1
        Abstract Syntax: MGMT V1.0
            Interface: MGMT UUID: afa8bd80-7d8a-11c9-bef4-08002b102989
            Interface Ver: 1
            Interface Ver Minor: 0
        Transfer Syntax[1]: 8a885d04-1ceb-11c9-9fe8-08002b104860 V2
            Transfer Syntax: 8a885d04-1ceb-11c9-9fe8-08002b104860
            ver: 2
Bill Scherr IV, GSEC, GCIA
Principal Security Engineer
EWA Information and Infrastructure Technologies
bscherr at ...3384...
bscherr at ...3385...
703-478-7608
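Added example, not from the post above or from the Snort project: a small Python decoder that walks the posted hex dump (Ethernet, IPv4, TCP, then the DCE/RPC bind PDU), recovers the abstract and transfer syntax UUIDs from their little-endian wire layout, and expands the two Snort port specs that appear in the post. The dce_iface option can only match a session that the dcerpc2 preprocessor has decoded, and the preprocessor decodes only the TCP ports listed in its detect clause; the posted detect list starts at 1025 while the packet goes to port 1024, so the port-coverage check is the first thing to compare. The bytes masked as xx in the post are filled with 00 here (constructed values that do not affect any decoded field).

```python
"""Decode the posted DCE/RPC bind and compare the rule's port range with the
dcerpc2_server 'detect' list. Added example; not part of the original post."""
import struct
import uuid

# Hex dump from the post; the masked 'xx' bytes (IP checksum, home address)
# are filled with 00 (constructed), which leaves every decoded field intact.
HEX_DUMP = """
0000  00 14 bf 52 fe 40 00 d0 2b 77 75 01 08 00 45 20
0010  00 70 14 b4 40 00 6b 06 00 00 dc a3 fc 38 43 a6
0020  00 00 04 27 04 00 00 84 61 c8 c9 20 c2 24 50 18
0030  ff ff e0 a3 00 00 05 00 0b 03 10 00 00 00 48 00
0040  00 00 01 00 00 00 d0 16 d0 16 00 00 00 00 01 00
0050  00 00 00 00 01 00 80 bd a8 af 8a 7d c9 11 be f4
0060  08 00 2b 10 29 89 01 00 00 00 04 5d 88 8a eb 1c
0070  c9 11 9f e8 08 00 2b 10 48 60 02 00 00 00
"""

# Port specs copied from the rule header and the dcerpc2_server line in the post.
RULE_PORTS = "1024:2048"
DETECT_PORTS = "[135,139,445,1025:2048]"

PTYPE_BIND = 11  # DCE/RPC connection-oriented packet type 'bind'


def hexdump_to_bytes(dump):
    """Turn an offset-prefixed hex dump (no ASCII column) into raw bytes."""
    raw = bytearray()
    for line in dump.strip().splitlines():
        raw.extend(int(b, 16) for b in line.split()[1:])  # drop the offset column
    return bytes(raw)


def parse_port_spec(spec):
    """Expand a Snort port list ('any', '1024:2048', '[135,139,1025:2048]',
    ':1024', '1024:') into a set of ports. Negation ('!') is not handled."""
    spec = spec.strip().strip("[]")
    if spec.lower() == "any":
        return set(range(65536))
    ports = set()
    for item in spec.split(","):
        lo, sep, hi = item.strip().partition(":")
        if sep:
            ports.update(range(int(lo) if lo else 0, (int(hi) if hi else 65535) + 1))
        else:
            ports.add(int(lo))
    return ports


def _syntax_id(buf, off, le):
    """p_syntax_id_t: 16-byte UUID then a 32-bit version (major, minor).
    With a little-endian drep the UUID's first three fields are byte-swapped
    on the wire, which uuid.UUID(bytes_le=...) undoes."""
    u = uuid.UUID(bytes_le=buf[off:off + 16]) if le else uuid.UUID(bytes=buf[off:off + 16])
    major, minor = struct.unpack(("<" if le else ">") + "HH", buf[off + 16:off + 20])
    return {"uuid": str(u), "version": f"{major}.{minor}"}, off + 20


def parse_frame(raw):
    """Walk Ethernet -> IPv4 -> TCP -> DCE/RPC and return the decoded fields."""
    if struct.unpack("!H", raw[12:14])[0] != 0x0800:
        raise ValueError("not IPv4")
    ip = raw[14:]
    if ip[9] != 6:
        raise ValueError("not TCP")
    tcp = ip[(ip[0] & 0x0F) * 4:]
    sport, dport = struct.unpack("!HH", tcp[:4])
    payload = tcp[(tcp[12] >> 4) * 4:]

    # Common header: rpc_vers, rpc_vers_minor, ptype, pfc_flags, drep[4],
    # frag_length, auth_length, call_id (all multi-byte fields in drep order).
    ptype = payload[2]
    le = (payload[4] & 0xF0) == 0x10  # drep byte 0, high nibble 1 = little-endian
    end = "<" if le else ">"
    frag_len, auth_len, call_id = struct.unpack(end + "HHI", payload[8:16])
    frame = {"sport": sport, "dport": dport, "ptype": ptype, "frag_len": frag_len,
             "auth_len": auth_len, "call_id": call_id, "contexts": []}

    if ptype == PTYPE_BIND:
        # bind body: max_xmit_frag, max_recv_frag, assoc_group_id, n_context_elem (+3 pad)
        max_xmit, max_recv, assoc, n_ctx = struct.unpack(end + "HHIB", payload[16:25])
        frame.update({"max_xmit": max_xmit, "max_recv": max_recv, "assoc_group": assoc})
        off = 28
        for _ in range(n_ctx):
            ctx_id, n_trans = struct.unpack(end + "HB", payload[off:off + 3])
            off += 4  # context id, n_transfer_syn, one pad byte
            abstract, off = _syntax_id(payload, off, le)
            transfers = []
            for _ in range(n_trans):
                ts, off = _syntax_id(payload, off, le)
                transfers.append(ts)
            frame["contexts"].append({"ctx_id": ctx_id, "abstract": abstract, "transfer": transfers})
    return frame


def port_coverage(frame, rule_ports=RULE_PORTS, detect_ports=DETECT_PORTS):
    """dce_iface only sees sessions the dcerpc2 preprocessor decoded, and it
    decodes only the ports in 'detect': report both checks for this packet."""
    dport = frame["dport"]
    return {"dport": dport,
            "rule_ports_match": dport in parse_port_spec(rule_ports),
            "dcerpc2_detect_match": dport in parse_port_spec(detect_ports)}


if __name__ == "__main__":
    frame = parse_frame(hexdump_to_bytes(HEX_DUMP))
    for ctx in frame["contexts"]:
        print("bind to interface", ctx["abstract"]["uuid"], "v" + ctx["abstract"]["version"])
    print(port_coverage(frame))
```

Running it decodes the bind to the MGMT interface afa8bd80-7d8a-11c9-bef4-08002b102989 v1.0 that tshark shows, and reports that port 1024 is inside the rule's 1024:2048 range but outside the posted detect list, which is exactly the gap to close before looking anywhere else.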