[Snort-sigs] Snort-sigs Digest, Vol 127, Issue 22

Alex McDonnell amcdonnell at ...435...
Thu Dec 29 10:41:05 EST 2016


A packet capture is always encouraged :)

Alex McDonnell
TALOS

On Thu, Dec 29, 2016 at 10:36 AM, <snort-sigs-request at lists.sourceforge.net>
wrote:

> Today's Topics:
>
>    1. Re: LDAPv3 with simple authentication (FOULDE Damien)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Thu, 29 Dec 2016 15:36:37 +0000
> From: FOULDE Damien <damien.foulde at ...4205...>
> Subject: Re: [Snort-sigs] LDAPv3 with simple authentication
> To: "snort-sigs at lists.sourceforge.net"
>         <snort-sigs at lists.sourceforge.net>
> Message-ID:
>         <DB6PR0501MB219840B11A8D6ACCED1D4BC88C6B0 at ...4210...
> eurprd05.prod.outlook.com>
>
> Content-Type: text/plain; charset="iso-8859-1"
>
> Hello,
>
>
>
> The previous message is currently waiting for a moderator approval.
>
> As it's not released for the moment, I registered to the mailing list and
> here it is.
>
>
>
> Regards,
>
>
>
> Damien
>
>
>
> From: FOULDE Damien
> Sent: Wednesday 21 December 2016 10:51
> To: snort-sigs at lists.sourceforge.net
> Subject: RE: LDAPv3 with simple authentication
>
>
>
> Hello,
>
>
>
> Any ideas / suggestions / advice will be greatly appreciated regarding this
> question.
>
>
>
> In the meantime, here's a working signature without fully decoding the BER
> data:
>
> alert tcp any any -> any 389 (sid:1000000; gid:1; flow:established,to_server;
> content:"|30|"; depth:1; content:"|02|"; distance:1; within:127;
> content:"|60|"; distance:1; within:5;
> content:"|02 01 03 04|"; fast_pattern; distance:1; within:127;
> content:"|80|"; distance:1; within:127;
> content:!"|02 01 03 04 00 a3|"; offset:7; depth:257;
> msg:"LDAPv3 simple Authentication"; classtype:policy-violation; rev:1; )
>
>
>
> It would be great if it could be reviewed by Talos.
>
> I can provide a packet capture if needed.
>
>
>
> Regards,
>
>
>
> Damien
>
>
>
> From: FOULDE Damien [mailto:damien.foulde at ...4205...]
> Sent: Monday 19 December 2016 12:39
> To: snort-sigs at lists.sourceforge.net
> Subject: [Snort-sigs] LDAPv3 with simple authentication
>
>
>
> Hello,
>
>
>
> We need to write a signature to match on LDAPv3 with simple authentication.
>
> LDAPv3 is described in RFC 2251 through Abstract Syntax Notation One
> (ASN.1) and encoded in the packets through a subset of the Basic Encoding
> Rules (BER).
>
> You may have a look at this great website
> http://www.selfadsi.org/ldap.htm#Frame for a quick overview of the
> encoding.
>
> https://en.wikipedia.org/wiki/X.690#BER_encoding is also a good source of
> information.
>
> As you should have seen, the length can be encoded in a short or long form.
>
> When the short form is used, the MSB is set to 0 and the 7 remaining bits
> are used to encode the length directly, from 0 to 127.
>
> Using the byte_jump function we should be able to jump to the next encoded
> data.
>
> When the long form is used, the MSB is set to 1 and the 7 remaining bits are
> used to encode the number of bytes that follow, from 1 to 126, which will
> contain the actual length.
>
> Using the byte_extract and byte_jump functions with a bitmask we should be
> able to jump to the next encoded data.
>
> Before reaching the point where the LDAPv3 authentication is set to simple
> (encoded as 0) or SASL (encoded as 3), there are 5 short or long length
> bytes.
>
> Is there a way, through the subset of Snort packet dissection functions, to
> match on this without writing 32 (2^5) different signatures to match all
> short / long possibilities?
>
> BER encoding is also used to encode SNMP, so the same kind of issue may
> have been seen there also.
>
>
>
> Thank you for your help,
>
>
>
> Damien
>
>
>
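As an added example (not code from the thread, from Talos or from Snort), a short Python BER walker that follows the BindRequest structure Damien describes, decoding each of the five short- or long-form length fields in order and reporting whether the authentication choice is simple (context tag 0x80) or SASL (0xA3). The tlv/bind_request helpers and all sample messages are constructed here, not captured traffic.

```python
def ber_length(buf, pos):
    """Decode a BER length at buf[pos]; return (length, offset after it)."""
    first = buf[pos]
    if first < 0x80:                      # short form: MSB 0, low 7 bits = length
        return first, pos + 1
    nbytes = first & 0x7F                 # long form: MSB 1, low 7 bits = byte count
    if nbytes == 0 or nbytes == 0x7F:     # indefinite / reserved: not used by LDAP
        raise ValueError("unsupported length form")
    end = pos + 1 + nbytes
    if end > len(buf):
        raise ValueError("truncated length")
    return int.from_bytes(buf[pos + 1:end], "big"), end


def expect_tag(buf, pos, tag):
    """Check the tag byte at buf[pos] and decode the length that follows it."""
    if pos >= len(buf) or buf[pos] != tag:
        raise ValueError("unexpected tag at offset %d" % pos)
    return ber_length(buf, pos + 1)


def bind_auth_type(msg):
    """Return 'simple', 'sasl', or None if msg is not an LDAPv3 BindRequest."""
    try:
        _, pos = expect_tag(msg, 0, 0x30)        # LDAPMessage SEQUENCE (length 1)
        n, pos = expect_tag(msg, pos, 0x02)      # messageID INTEGER (length 2)
        pos += n
        _, pos = expect_tag(msg, pos, 0x60)      # [APPLICATION 0] BindRequest (3)
        n, pos = expect_tag(msg, pos, 0x02)      # version INTEGER (length 4)
        version = int.from_bytes(msg[pos:pos + n], "big")
        pos += n
        n, pos = expect_tag(msg, pos, 0x04)      # name LDAPDN OCTET STRING (5)
        pos += n
    except (ValueError, IndexError):
        return None
    if version != 3 or pos >= len(msg):
        return None
    return {0x80: "simple", 0xA3: "sasl"}.get(msg[pos])   # authentication CHOICE


def tlv(tag, body, long_form=False):
    """Encode tag+length+value; long_form forces the 0x81 xx length form."""
    n = len(body)                          # constructed helper: lengths < 256 only
    hdr = bytes([n]) if n < 0x80 and not long_form else bytes([0x81, n])
    return bytes([tag]) + hdr + body


def bind_request(name, auth, long_form=False):
    """Constructed LDAPv3 BindRequest (messageID 1) carrying the given auth."""
    inner = tlv(0x02, b"\x03") + tlv(0x04, name, long_form) + auth
    return tlv(0x30, tlv(0x02, b"\x01") + tlv(0x60, inner, long_form), long_form)


SIMPLE_AUTH = tlv(0x80, b"secret")                  # constructed simple credential
SASL_AUTH = tlv(0xA3, tlv(0x04, b"PLAIN"))          # constructed SASL mechanism
```

The walker handles any mix of short and long forms in one pass, which is the case the content/within rule above cannot express without enumerating the 32 combinations.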

