[Snort-sigs] Sig Not Firing

Matt Watchinski mwatchinski at ...435...
Tue Jul 7 16:04:45 EDT 2009


What is Snort's output when you run this pcap with your rule?  I.e., what's
in the DCERPC stats section when Snort exits.

-matt

On Tue, Jul 7, 2009 at 3:17 PM, Bill Scherr IV <bschnzl at ...3374...> wrote:
> Hi Folks...
>
> Why won't this rule fire???
>
> Here is the rule:
> alert tcp $EXTERNAL_NET ANY -> $HOME_NET 1024:2048 (msg:"NETBIOS DCERPC
> rpcmgmt ifids Unauthenticated Access"; flow:established,to_server; content:"|05|";
> dce_iface:afa8bd80-7d8a-11c9-bef4-08002b102989;
> reference:url,www.symantec.com/avcenter/reference/Vista_Network_Attack_Surface_RTM.pdf;
> reference:url,www.blackhat.com/presentations/win-usa-04/bh-win-04-seki-up2.pdf;
> reference:url,seclists.org/fulldisclosure/2003/Aug/0432.html; classtype:attempted-recon;
> sid:2999001; rev:1;)
>
> Here is the packet Hex:
> 0000  00 14 bf 52 fe 40 00 d0 2b 77 75 01 08 00 45 20   ...R.@..+wu...E
> 0010  00 70 14 b4 40 00 6b 06 xx xx dc a3 fc 38 43 a6   .p..@.k.xx...8C.
> 0020  xx xx 04 27 04 00 00 84 61 c8 c9 20 c2 24 50 18   xx.'....a.. .$P.
> 0030  ff ff e0 a3 00 00 05 00 0b 03 10 00 00 00 48 00   ..............H.
> 0040  00 00 01 00 00 00 d0 16 d0 16 00 00 00 00 01 00   ................
> 0050  00 00 00 00 01 00 80 bd a8 af 8a 7d c9 11 be f4   ...........}....
> 0060  08 00 2b 10 29 89 01 00 00 00 04 5d 88 8a eb 1c   ..+.)......]....
> 0070  c9 11 9f e8 08 00 2b 10 48 60 02 00 00 00         ......+.H`....
>
> I believe that snort is configured properly:
> [...]
> #
> preprocessor dcerpc2: \
>    memcap 100000
>    preprocessor dcerpc2_server: default, policy WinXP, \
>    detect tcp [135,139,445,1025:2048]
> #
> [...]
> include $RULE_PATH/netbios.rules
> [...]
>
> I currently have 2005 alerts in the BASE alerts database.  I want a rule to fire on the above packet.
> What is happening???
>
> tshark analysis of above packet:
>
> Frame 1 (126 bytes on wire, 126 bytes captured)
>    Arrival Time: Jul  7, 2009 12:17:45.246381000
>    [Time delta from previous captured frame: 0.000000000 seconds]
>    [Time delta from previous displayed frame: 0.000000000 seconds]
>    [Time since reference or first frame: 0.000000000 seconds]
>    Frame Number: 1
>    Frame Length: 126 bytes
>    Capture Length: 126 bytes
>    [Frame is marked: False]
>    [Protocols in frame: eth:ip:tcp:dcerpc]
> Ethernet II, Src: 00:d0:2b:77:75:01 (00:d0:2b:77:75:01), Dst: 00:14:bf:my:box:card
> (00:14:bf:my:box:card)
>    Destination: 00:14:bf:my:box:card (00:14:bf:my:box:card)
>        Address: 00:14:bf:my:box:card (00:14:bf:my:box:card)
>        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
>        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
>    Source: 00:d0:2b:77:75:01 (00:d0:2b:77:75:01)
>        Address: 00:d0:2b:77:75:01 (00:d0:2b:77:75:01)
>        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
>        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
>    Type: IP (0x0800)
> Internet Protocol, Src: 220.163.252.56 (220.163.252.56), Dst: 67.166.my.box (67.166.my.box)
>    Version: 4
>    Header length: 20 bytes
>    Differentiated Services Field: 0x20 (DSCP 0x08: Class Selector 1; ECN: 0x00)
>        0010 00.. = Differentiated Services Codepoint: Class Selector 1 (0x08)
>        .... ..0. = ECN-Capable Transport (ECT): 0
>        .... ...0 = ECN-CE: 0
>    Total Length: 112
>    Identification: 0x14b4 (5300)
>    Flags: 0x04 (Don't Fragment)
>        0... = Reserved bit: Not set
>        .1.. = Don't fragment: Set
>        ..0. = More fragments: Not set
>    Fragment offset: 0
>    Time to live: 107
>    Protocol: TCP (0x06)
>    Header checksum: 0xxxxx [correct]
>        [Good: True]
>        [Bad : False]
>    Source: 220.163.252.56 (220.163.252.56)
>    Destination: 67.166.my.box (67.166.my.box)
> Transmission Control Protocol, Src Port: 1063 (1063), Dst Port: 1024 (1024), Seq: 1, Ack: 1, Len:
> 72
>    Source port: 1063 (1063)
>    Destination port: 1024 (1024)
>    Sequence number: 1    (relative sequence number)
>    [Next sequence number: 73    (relative sequence number)]
>    Acknowledgement number: 1    (relative ack number)
>    Header length: 20 bytes
>    Flags: 0x18 (PSH, ACK)
>        0... .... = Congestion Window Reduced (CWR): Not set
>        .0.. .... = ECN-Echo: Not set
>        ..0. .... = Urgent: Not set
>        ...1 .... = Acknowledgment: Set
>        .... 1... = Push: Set
>        .... .0.. = Reset: Not set
>        .... ..0. = Syn: Not set
>        .... ...0 = Fin: Not set
>    Window size: 65535
>    Checksum: 0xe0a3 [correct]
>        [Good Checksum: True]
>        [Bad Checksum: False]
> DCE RPC Bind, Fragment: Single, FragLen: 72, Call: 1
>    Version: 5
>    Version (minor): 0
>    Packet type: Bind (11)
>    Packet Flags: 0x03
>        0... .... = Object: Not set
>        .0.. .... = Maybe: Not set
>        ..0. .... = Did Not Execute: Not set
>        ...0 .... = Multiplex: Not set
>        .... 0... = Reserved: Not set
>        .... .0.. = Cancel Pending: Not set
>        .... ..1. = Last Frag: Set
>        .... ...1 = First Frag: Set
>    Data Representation: 10000000
>        Byte order: Little-endian (1)
>        Character: ASCII (0)
>        Floating-point: IEEE (0)
>    Frag Length: 72
>    Auth Length: 0
>    Call ID: 1
>    Max Xmit Frag: 5840
>    Max Recv Frag: 5840
>    Assoc Group: 0x00000000
>    Num Ctx Items: 1
>    Ctx Item[1]: ID:0
>        Context ID: 0
>        Num Trans Items: 1
>        Abstract Syntax: MGMT V1.0
>            Interface: MGMT UUID: afa8bd80-7d8a-11c9-bef4-08002b102989
>            Interface Ver: 1
>            Interface Ver Minor: 0
>        Transfer Syntax[1]: 8a885d04-1ceb-11c9-9fe8-08002b104860 V2
>            Transfer Syntax: 8a885d04-1ceb-11c9-9fe8-08002b104860
>            ver: 2
> Bill Scherr IV, GSEC, GCIA
> Principal Security Engineer
> EWA Information and Infrastructure Technologies
> bscherr at ...3384...
> bscherr at ...3385...
> 703-478-7608



-- 
Matthew Watchinski
Sr. Director Vulnerability Research Team (VRT)
Sourcefire, Inc.
Office: 410-423-1928
http://vrt-sourcefire.blogspot.com && http://www.snort.org/vrt/
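As an added worked example (not code from this thread, from Bill or from the Sourcefire VRT), the script below decodes the DCE/RPC bind PDU from the quoted hex dump, pulls out the abstract-syntax (interface) UUID the client is binding to, and compares the packet against both the rule and the dcerpc2 configuration that were posted. The PDU bytes, the rule's dce_iface value and port range, the `detect tcp [...]` list and the destination port 1024 are all copied from the thread. The port-list parser is my own and handles only the syntax shown here (comma lists, lo:hi ranges, `any`), not Snort variables or negation; the "does the preprocessor inspect this port" check is an assumption about how to read the config, modelling the fact that dce_iface is evaluated against state the dcerpc2 preprocessor keeps per session, so a port outside its detect list yields no state to match. Run as written it reports that the bind UUID is the one the rule asks for and the rule's own port range covers 1024, while the configured detect list starts at 1025.

```python
import struct
import uuid

# The 72-byte DCE/RPC bind PDU that is the TCP payload of the quoted packet
# (frame offset 0x36 onwards), copied from the hex dump in the post.
BIND_PDU = bytes.fromhex(
    "05000b03100000004800000001000000"
    "d016d016000000000100000000000100"
    "80bda8af8a7dc911bef408002b102989"
    "01000000045d888aeb1cc9119fe80800"
    "2b10486002000000"
)

# Values taken from the rule, the dcerpc2 config and the tshark output in the post.
RULE_IFACE = "afa8bd80-7d8a-11c9-bef4-08002b102989"
RULE_DST_PORTS = "1024:2048"
DCERPC2_DETECT_TCP = "[135,139,445,1025:2048]"
PACKET_DST_PORT = 1024

PTYPE_BIND = 11


def _uuid_at(buf: bytes, off: int, little: bool) -> str:
    """Read a 16-byte UUID honouring the PDU's data representation."""
    raw = buf[off:off + 16]
    return str(uuid.UUID(bytes_le=raw) if little else uuid.UUID(bytes=raw))


def parse_bind(pdu: bytes) -> dict:
    """Decode a connection-oriented DCE/RPC (v5) bind PDU far enough to list
    the interfaces (abstract syntaxes) the client asks to bind."""
    if len(pdu) < 28:
        raise ValueError("too short for a bind PDU")
    if pdu[0] != 5:
        raise ValueError(f"unexpected RPC major version {pdu[0]}")
    if pdu[2] != PTYPE_BIND:
        raise ValueError(f"not a bind PDU (ptype {pdu[2]})")
    little = bool(pdu[4] & 0x10)      # drep byte 0, bit 4: 1 = little-endian integers
    e = "<" if little else ">"
    frag_len, auth_len, call_id = struct.unpack_from(e + "HHI", pdu, 8)
    if frag_len != len(pdu):
        raise ValueError(f"frag_length {frag_len} != payload length {len(pdu)}")
    max_xmit, max_recv, assoc_group, n_ctx = struct.unpack_from(e + "HHIB", pdu, 16)
    off = 28                           # skip the reserved byte and u16 after n_ctx
    contexts = []
    for _ in range(n_ctx):
        if off + 24 > len(pdu):
            raise ValueError("truncated presentation context list")
        ctx_id, n_ts = struct.unpack_from(e + "HB", pdu, off)
        off += 4                       # context id, n transfer syntaxes, reserved byte
        iface = _uuid_at(pdu, off, little)
        ver = struct.unpack_from(e + "I", pdu, off + 16)[0]
        off += 20                      # 16-byte UUID + u32 version (major low, minor high)
        transfer = []
        for _ in range(n_ts):
            if off + 20 > len(pdu):
                raise ValueError("truncated transfer syntax list")
            transfer.append(_uuid_at(pdu, off, little))
            off += 20
        contexts.append({"context_id": ctx_id, "interface": iface,
                         "ver_major": ver & 0xFFFF, "ver_minor": ver >> 16,
                         "transfer_syntaxes": transfer})
    return {"call_id": call_id, "max_xmit_frag": max_xmit,
            "max_recv_frag": max_recv, "assoc_group": assoc_group,
            "contexts": contexts}


def parse_port_list(spec: str) -> set:
    """Expand a port spec such as "[135,139,445,1025:2048]" or "1024:2048"
    into a set of port numbers (assumption: no variables or negation)."""
    ports = set()
    for item in spec.strip().strip("[]").split(","):
        item = item.strip()
        if item.lower() == "any":
            return set(range(65536))
        if ":" in item:
            lo, hi = item.split(":")
            ports.update(range(int(lo) if lo else 0, (int(hi) if hi else 65535) + 1))
        else:
            ports.add(int(item))
    return ports


def check_rule_coverage(pdu, dst_port, rule_iface, rule_ports, detect_ports) -> dict:
    """Does the bind carry the rule's interface, does the rule's port range
    cover the packet, and does the dcerpc2 detect list cover the packet?"""
    bound = {c["interface"].lower() for c in parse_bind(pdu)["contexts"]}
    return {
        "iface_in_bind": rule_iface.lower() in bound,
        "rule_port_matches": dst_port in parse_port_list(rule_ports),
        "preprocessor_inspects_port": dst_port in parse_port_list(detect_ports),
    }


if __name__ == "__main__":
    bind = parse_bind(BIND_PDU)
    for ctx in bind["contexts"]:
        print(f"ctx {ctx['context_id']}: iface {ctx['interface']} "
              f"v{ctx['ver_major']}.{ctx['ver_minor']} via {ctx['transfer_syntaxes']}")
    for name, ok in check_rule_coverage(BIND_PDU, PACKET_DST_PORT, RULE_IFACE,
                                        RULE_DST_PORTS, DCERPC2_DETECT_TCP).items():
        print(f"{name}: {ok}")
```

The same decoder can be pointed at any other captured bind payload; the useful diagnostic pattern is to check the preprocessor's port list and the rule's port list separately, since a rule using a preprocessor keyword needs both to cover the packet.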