[Snort-sigs] Sig Not Firing

Todd Wease twease at ...435...
Tue Jul 7 16:26:52 EDT 2009


It won't alert on the bind, but a request using that bind's context.


Bill Scherr IV wrote:
> Hi Folks...
>
> Why won't this rule fire???
>
> Here is the rule:
> alert tcp $EXTERNAL_NET ANY -> $HOME_NET 1024:2048 (msg:"NETBIOS DCERPC 
> rpcmgmt ifids Unauthenticated Access"; flow:established,to_server; content:"|05|"; 
> dce_iface:afa8bd80-7d8a-11c9-bef4-08002b102989; 
> reference:url,www.symantec.com/avcenter/reference/Vista_Network_Attack_Surface_RTM.pdf; 
> reference:url,www.blackhat.com/presentations/win-usa-04/bh-win-04-seki-up2.pdf; 
> reference:url,seclists.org/fulldisclosure/2003/Aug/0432.html; classtype:attempted-recon; 
> sid:2999001; rev:1;)
>
> Here is the packet Hex:
> 0000  00 14 bf 52 fe 40 00 d0 2b 77 75 01 08 00 45 20   ...R. at ...202...+wu...E 
> 0010  00 70 14 b4 40 00 6b 06 xx xx dc a3 fc 38 43 a6   .p.. at ...3383...
> 0020  xx xx 04 27 04 00 00 84 61 c8 c9 20 c2 24 50 18   xx.'....a.. .$P.
> 0030  ff ff e0 a3 00 00 05 00 0b 03 10 00 00 00 48 00   ..............H.
> 0040  00 00 01 00 00 00 d0 16 d0 16 00 00 00 00 01 00   ................
> 0050  00 00 00 00 01 00 80 bd a8 af 8a 7d c9 11 be f4   ...........}....
> 0060  08 00 2b 10 29 89 01 00 00 00 04 5d 88 8a eb 1c   ..+.)......]....
> 0070  c9 11 9f e8 08 00 2b 10 48 60 02 00 00 00         ......+.H`....
>
> I believe that snort is configured properly:
> [...]
> #
> preprocessor dcerpc2: \
>     memcap 100000
>     preprocessor dcerpc2_server: default, policy WinXP, \
>     detect tcp [135,139,445,1025:2048]
> #
> [...]
> include $RULE_PATH/netbios.rules
> [...]
>
> I currently have 2005 alerts in the BASE alerts database.  I want a rule to fire on the above packet.  
> What is happening???
>
> tshark analysis of above packet:
>
> Frame 1 (126 bytes on wire, 126 bytes captured)
>     Arrival Time: Jul  7, 2009 12:17:45.246381000
>     [Time delta from previous captured frame: 0.000000000 seconds]
>     [Time delta from previous displayed frame: 0.000000000 seconds]
>     [Time since reference or first frame: 0.000000000 seconds]
>     Frame Number: 1
>     Frame Length: 126 bytes
>     Capture Length: 126 bytes
>     [Frame is marked: False]
>     [Protocols in frame: eth:ip:tcp:dcerpc]
> Ethernet II, Src: 00:d0:2b:77:75:01 (00:d0:2b:77:75:01), Dst: 00:14:bf:my:box:card 
> (00:14:bf:my:box:card)
>     Destination: 00:14:bf:my:box:card (00:14:bf:my:box:card)
>         Address: 00:14:bf:my:box:card (00:14:bf:my:box:card)
>         .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
>         .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
>     Source: 00:d0:2b:77:75:01 (00:d0:2b:77:75:01)
>         Address: 00:d0:2b:77:75:01 (00:d0:2b:77:75:01)
>         .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
>         .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
>     Type: IP (0x0800)
> Internet Protocol, Src: 220.163.252.56 (220.163.252.56), Dst: 67.166.my.box (67.166.my.box)
>     Version: 4
>     Header length: 20 bytes
>     Differentiated Services Field: 0x20 (DSCP 0x08: Class Selector 1; ECN: 0x00)
>         0010 00.. = Differentiated Services Codepoint: Class Selector 1 (0x08)
>         .... ..0. = ECN-Capable Transport (ECT): 0
>         .... ...0 = ECN-CE: 0
>     Total Length: 112
>     Identification: 0x14b4 (5300)
>     Flags: 0x04 (Don't Fragment)
>         0... = Reserved bit: Not set
>         .1.. = Don't fragment: Set
>         ..0. = More fragments: Not set
>     Fragment offset: 0
>     Time to live: 107
>     Protocol: TCP (0x06)
>     Header checksum: 0xxxxx [correct]
>         [Good: True]
>         [Bad : False]
>     Source: 220.163.252.56 (220.163.252.56)
>     Destination: 67.166.my.box (67.166.my.box)
> Transmission Control Protocol, Src Port: 1063 (1063), Dst Port: 1024 (1024), Seq: 1, Ack: 1, Len: 
> 72
>     Source port: 1063 (1063)
>     Destination port: 1024 (1024)
>     Sequence number: 1    (relative sequence number)
>     [Next sequence number: 73    (relative sequence number)]
>     Acknowledgement number: 1    (relative ack number)
>     Header length: 20 bytes
>     Flags: 0x18 (PSH, ACK)
>         0... .... = Congestion Window Reduced (CWR): Not set
>         .0.. .... = ECN-Echo: Not set
>         ..0. .... = Urgent: Not set
>         ...1 .... = Acknowledgment: Set
>         .... 1... = Push: Set
>         .... .0.. = Reset: Not set
>         .... ..0. = Syn: Not set
>         .... ...0 = Fin: Not set
>     Window size: 65535
>     Checksum: 0xe0a3 [correct]
>         [Good Checksum: True]
>         [Bad Checksum: False]
> DCE RPC Bind, Fragment: Single, FragLen: 72, Call: 1
>     Version: 5
>     Version (minor): 0
>     Packet type: Bind (11)
>     Packet Flags: 0x03
>         0... .... = Object: Not set
>         .0.. .... = Maybe: Not set
>         ..0. .... = Did Not Execute: Not set
>         ...0 .... = Multiplex: Not set
>         .... 0... = Reserved: Not set
>         .... .0.. = Cancel Pending: Not set
>         .... ..1. = Last Frag: Set
>         .... ...1 = First Frag: Set
>     Data Representation: 10000000
>         Byte order: Little-endian (1)
>         Character: ASCII (0)
>         Floating-point: IEEE (0)
>     Frag Length: 72
>     Auth Length: 0
>     Call ID: 1
>     Max Xmit Frag: 5840
>     Max Recv Frag: 5840
>     Assoc Group: 0x00000000
>     Num Ctx Items: 1
>     Ctx Item[1]: ID:0
>         Context ID: 0
>         Num Trans Items: 1
>         Abstract Syntax: MGMT V1.0
>             Interface: MGMT UUID: afa8bd80-7d8a-11c9-bef4-08002b102989
>             Interface Ver: 1
>             Interface Ver Minor: 0
>         Transfer Syntax[1]: 8a885d04-1ceb-11c9-9fe8-08002b104860 V2
>             Transfer Syntax: 8a885d04-1ceb-11c9-9fe8-08002b104860
>             ver: 2
> Bill Scherr IV, GSEC, GCIA
> Principal Security Engineer
> EWA Information and Infrastructure Technologies
> bscherr at ...3384...
> bscherr at ...3385...
> 703-478-7608
>
>   
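To make the point in the reply concrete, here is an added example (not code from the thread, Todd, or the Snort project) that models what the dcerpc2 preprocessor's dce_iface matching does: a bind PDU only records which context id is mapped to which interface UUID, and a match is raised for a later request that uses a context bound to the watched interface. The 72 bind bytes are copied from the packet hex in the quoted mail (the DCE/RPC payload starts at frame offset 0x36); the request PDUs, the connection tuple and the helper names are constructed for illustration. It assumes TCP reassembly has already been done and that each call receives exactly one complete PDU.

```python
"""Minimal DCE/RPC bind/request tracker illustrating dce_iface semantics.

Constructed example: the bind bytes come from the quoted packet hex; the
request PDUs and connection tuple are made up here for the demonstration.
"""
import struct
import uuid

PTYPE_REQUEST = 0
PTYPE_BIND = 11
PTYPE_ALTER_CONTEXT = 14  # same body layout as bind, so it is tracked the same way

# Interface UUID from the rule in the quoted mail (rpcmgmt).
MGMT_UUID = uuid.UUID("afa8bd80-7d8a-11c9-bef4-08002b102989")

# Bind PDU copied from the packet hex in the quoted mail (frame offset 0x36, 72 bytes).
BIND_PDU = bytes.fromhex(
    "05000b03100000004800000001000000"   # ver 5.0, type 11 (bind), flags 0x03, drep LE, fraglen 72, call 1
    "d016d0160000000001000000"           # max xmit/recv 5840, assoc group 0, 1 context item
    "00000100"                           # context id 0, 1 transfer syntax
    "80bda8af8a7dc911bef408002b102989"   # abstract syntax UUID, little-endian field order
    "01000000"                           # interface version 1.0
    "045d888aeb1cc9119fe808002b104860"   # NDR transfer syntax UUID
    "02000000"                           # transfer syntax version 2
)


def parse_header(pdu):
    """Return (ptype, flags, endian, frag_len, call_id) from the 16-byte common header."""
    if len(pdu) < 16:
        raise ValueError("short PDU")
    ver, minor, ptype, flags = pdu[0], pdu[1], pdu[2], pdu[3]
    if ver != 5:
        raise ValueError("not DCE/RPC v5")
    endian = "<" if pdu[4] & 0x10 else ">"  # drep byte 0, bit 4: little-endian integers
    frag_len, auth_len, call_id = struct.unpack(endian + "HHI", pdu[8:16])
    if frag_len != len(pdu):
        raise ValueError("frag_len does not match PDU length")
    return ptype, flags, endian, frag_len, call_id


def parse_bind_contexts(pdu, endian):
    """Map each context id in a bind/alter_context PDU to its abstract-syntax UUID."""
    n_ctx = pdu[24]          # after max_xmit(2), max_recv(2), assoc_group(4)
    off = 28                 # n_ctx(1) plus 3 bytes of padding
    contexts = {}
    for _ in range(n_ctx):
        ctx_id, n_ts = struct.unpack(endian + "HBx", pdu[off:off + 4])
        off += 4
        raw = pdu[off:off + 16]
        iface = uuid.UUID(bytes_le=raw) if endian == "<" else uuid.UUID(bytes=raw)
        off += 16 + 4        # UUID plus u32 interface version
        off += n_ts * 20     # each transfer syntax: UUID (16) + version (4)
        contexts[ctx_id] = iface
    return contexts


def parse_request(pdu, endian):
    """Return (context id, opnum) from a request PDU body."""
    alloc_hint, ctx_id, opnum = struct.unpack(endian + "IHH", pdu[16:24])
    return ctx_id, opnum


def build_request(ctx_id, opnum, stub=b"", call_id=2):
    """Construct a little-endian request PDU for the demonstration."""
    body = struct.pack("<IHH", len(stub), ctx_id, opnum) + stub
    hdr = struct.pack("<BBBB4sHHI", 5, 0, PTYPE_REQUEST, 0x03,
                      b"\x10\x00\x00\x00", 16 + len(body), 0, call_id)
    return hdr + body


class DceIfaceDetector:
    """Per-connection context tracking; alerts only on requests, never on the bind."""

    def __init__(self, watched):
        self.watched = watched
        self.bound = {}  # connection tuple -> {ctx_id: interface UUID}

    def process(self, conn, pdu):
        """Return an alert string for a matching request, otherwise None."""
        ptype, flags, endian, frag_len, call_id = parse_header(pdu)
        if ptype in (PTYPE_BIND, PTYPE_ALTER_CONTEXT):
            self.bound.setdefault(conn, {}).update(parse_bind_contexts(pdu, endian))
            return None  # the bind itself only records the mapping
        if ptype == PTYPE_REQUEST:
            ctx_id, opnum = parse_request(pdu, endian)
            if self.bound.get(conn, {}).get(ctx_id) == self.watched:
                return f"ALERT call_id={call_id} ctx={ctx_id} opnum={opnum} iface={self.watched}"
        return None


def run_demo():
    """Feed bind, then requests; returns [None, alert, None]."""
    det = DceIfaceDetector(MGMT_UUID)
    conn = ("220.163.252.56", 1063, "67.166.x.x", 1024)  # constructed; dst host is masked in the post
    return [
        det.process(conn, BIND_PDU),            # bind: records ctx 0 -> MGMT, no alert
        det.process(conn, build_request(0, 0)),  # request on bound ctx 0: alert
        det.process(conn, build_request(7, 0)),  # ctx 7 was never bound: no alert
    ]


if __name__ == "__main__":
    for event in run_demo():
        print(event)
```

Running it shows the bind alone producing nothing and the first request on context 0 producing the match, which is the behaviour the reply describes. One further thing worth checking from the quoted configuration: the dcerpc2_server line lists `detect tcp [135,139,445,1025:2048]`, while the packet's destination port is 1024, so even a request on that connection would need the port covered by the preprocessor's detect list before dce_iface can be evaluated.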





More information about the Snort-sigs mailing list