[Snort-sigs] Snort-sigs Digest, Vol 127, Issue 22

FOULDE Damien damien.foulde at ...4205...
Thu Dec 29 10:44:47 EST 2016


Hello Alex,

Here it is.

Regards,

Damien

 

From: Alex McDonnell [mailto:amcdonnell at ...435...]
Sent: Thursday 29 December 2016 16:41
To: snort-sigs at lists.sourceforge.net
Subject: Re: [Snort-sigs] Snort-sigs Digest, Vol 127, Issue 22

A packet capture is always encouraged :)

Alex McDonnell

TALOS

On Thu, Dec 29, 2016 at 10:36 AM, <snort-sigs-request at lists.sourceforge.net> wrote:

Send Snort-sigs mailing list submissions to
        snort-sigs at lists.sourceforge.net

To subscribe or unsubscribe via the World Wide Web, visit
        https://lists.sourceforge.net/lists/listinfo/snort-sigs
or, via email, send a message with subject or body 'help' to
        snort-sigs-request at lists.sourceforge.net

You can reach the person managing the list at
        snort-sigs-owner at lists.sourceforge.net

When replying, please edit your Subject line so it is more specific
than "Re: Contents of Snort-sigs digest..."


Today's Topics:

   1. Re: LDAPv3 with simple authentication (FOULDE Damien)


----------------------------------------------------------------------

Message: 1
Date: Thu, 29 Dec 2016 15:36:37 +0000
From: FOULDE Damien <damien.foulde at ...4205...>
Subject: Re: [Snort-sigs] LDAPv3 with simple authentication
To: "snort-sigs at lists.sourceforge.net"
        <snort-sigs at lists.sourceforge.net>
Message-ID:
        <DB6PR0501MB219840B11A8D6ACCED1D4BC88C6B0 at ...4206...>

Content-Type: text/plain; charset="iso-8859-1"

Hello,

The previous message is currently waiting for moderator approval.

As it's not released for the moment, I registered with the mailing list and
here it is.

Regards,

Damien

From: FOULDE Damien
Sent: Wednesday 21 December 2016 10:51
To: snort-sigs at lists.sourceforge.net
Subject: RE: LDAPv3 with simple authentication



Hello,

Any ideas / suggestions / advice will be greatly appreciated regarding this
question.

In the meantime, here's a working signature without fully decoding the BER
data:

alert tcp any any -> any 389 ( \
    sid:1000000; gid:1; \
    flow:established,to_server; \
    content:"|30|"; depth:1; \
    content:"|02|"; distance:1; within:127; \
    content:"|60|"; distance:1; within:5; \
    content:"|02 01 03 04|"; fast_pattern; distance:1; within:127; \
    content:"|80|"; distance:1; within:127; \
    content:!"|02 01 03 04 00 a3|"; offset:7; depth:257; \
    msg:"LDAPv3 simple Authentication"; classtype:policy-violation; rev:1; \
)

It would be great if it could be reviewed by Talos.

I can provide a packet capture if needed.

Regards,

Damien

From: FOULDE Damien [mailto:damien.foulde at ...4205...]
Sent: Monday 19 December 2016 12:39
To: snort-sigs at lists.sourceforge.net
Subject: [Snort-sigs] LDAPv3 with simple authentication



Hello,

We need to write a signature to match on LDAPv3 with simple authentication.

LDAPv3 is described in RFC 2251 through Abstract Syntax Notation 1
(ASN.1) and encoded in the packets through a subset of the Basic Encoding
Rules (BER).

You may have a look at this great website
http://www.selfadsi.org/ldap.htm#Frame for a quick overview of the
encoding.

https://en.wikipedia.org/wiki/X.690#BER_encoding is also a good source of
information.

As you will have seen, the length can be encoded in a short or a long form.

When the short form is used, the MSB is set to 0 and the 7 remaining bits
encode the length directly, from 0 to 127.

Using the byte_jump function, we should be able to jump to the next encoded
data.

When the long form is used, the MSB is set to 1 and the 7 remaining bits
encode the number of bytes that follow, from 1 to 126, which contain the
actual length.

Using the byte_extract and byte_jump functions with bitmask, we should be
able to jump to the next encoded data.

Before reaching the point where the LDAPv3 authentication is set to simple
(encoded as 0) or sasl (encoded as 3), there are 5 short- or long-form
length bytes.

Is there a way, through the subset of Snort packet dissection functions, to
match on this without writing 32 (2^5) different signatures to cover all
short / long possibilities?

BER encoding is also used to encode SNMP, so the same kind of issue may
have been seen there too.

Thank you for your help,

Damien
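As an added example (not part of this thread, and not Snort or Talos code), the Python walker below does in full what the signature above approximates with byte_jump: it reads each BER length in either the short or the long form to reach the BindRequest's AuthenticationChoice and classifies it as simple ([0], tag 0x80) or SASL ([3], tag 0xA3), rejecting lengths that run past the buffer. The sample messages are constructed here, and the names read_tlv, expect, bind_auth_type, tlv and bind_request are this example's own.

```python
def read_tlv(buf: bytes, pos: int):
    """Return (tag, value_start, value_end) for the BER TLV at pos, either length form."""
    tag, first = buf[pos], buf[pos + 1]
    if first & 0x80 == 0:                         # short form: low 7 bits are the length
        length, hdr = first, 2
    else:                                         # long form: low 7 bits count the length bytes
        nbytes = first & 0x7F
        if nbytes == 0 or nbytes > 4:             # indefinite form or absurd size: reject
            raise ValueError("unsupported BER length encoding")
        length = int.from_bytes(buf[pos + 2:pos + 2 + nbytes], "big")
        hdr = 2 + nbytes
    start, end = pos + hdr, pos + hdr + length
    if end > len(buf):                            # never trust a length past the buffer
        raise ValueError("BER length runs past end of buffer")
    return tag, start, end

def expect(buf: bytes, pos: int, want: int):
    """Read the TLV at pos and require its tag to be `want`; return (value_start, value_end)."""
    tag, start, end = read_tlv(buf, pos)
    if tag != want:
        raise ValueError(f"expected tag {want:#x}, got {tag:#x}")
    return start, end

def bind_auth_type(msg: bytes):
    """Return 'simple', 'sasl', or None when msg is not an LDAPv3 BindRequest."""
    try:
        pos, _ = expect(msg, 0, 0x30)             # LDAPMessage ::= SEQUENCE (descend)
        _, pos = expect(msg, pos, 0x02)           # messageID INTEGER (skip over)
        pos, _ = expect(msg, pos, 0x60)           # BindRequest ::= [APPLICATION 0] (descend)
        vs, ve = expect(msg, pos, 0x02)           # version INTEGER
        if msg[vs:ve] != b"\x03":
            raise ValueError("not LDAPv3")
        _, pos = expect(msg, ve, 0x04)            # name LDAPDN (OCTET STRING, skip over)
        tag, _, _ = read_tlv(msg, pos)            # AuthenticationChoice: [0]=0x80, [3]=0xA3
    except (ValueError, IndexError):
        return None
    return {0x80: "simple", 0xA3: "sasl"}.get(tag)

def tlv(tag: int, value: bytes) -> bytes:
    """Encode one BER TLV, switching to the long length form above 127 bytes."""
    n = len(value)
    lb = b"" if n < 128 else n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, n if n < 128 else 0x80 | len(lb)]) + lb + value

def bind_request(name: bytes, auth: bytes) -> bytes:  # constructed sample: messageID 1, version 3
    return tlv(0x30, tlv(0x02, b"\x01") + tlv(0x60, tlv(0x02, b"\x03") + tlv(0x04, name) + auth))

SIMPLE_SHORT = bind_request(b"cn=admin,dc=example,dc=com", tlv(0x80, b"secret"))  # short lengths
SIMPLE_LONG = bind_request(b"cn=" + b"x" * 140, tlv(0x80, b"secret"))   # three long-form lengths
SASL_BIND = bind_request(b"", tlv(0xA3, tlv(0x04, b"GSSAPI")))           # SASL [3] choice
```

The same walk is what the 2^5 signature variants in the question would have to enumerate by hand, since each of the five length fields may independently take either form.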

-------------- next part --------------
A non-text attachment was scrubbed...
Name: LDAP_simple.pcap
Type: application/octet-stream
Size: 364 bytes
Desc: not available
URL: <https://lists.snort.org/pipermail/snort-sigs/attachments/20161229/532c4705/attachment.obj>