[Snort-users] RE: [Snort-sigs] Current rule set for snort 1.8.7 netbios.rules -- Windows 2000 to Windows 2000 mapping detecting C$ and ADMIN$ whats the deal?

Chris Green cmg at ...1935...
Wed Oct 9 09:17:06 EDT 2002

"Giles Coochey" <g.coochey at ...1985...> writes:

> Jake,
> You are not the first person to look at the NetBIOS rules and figure that
> they are a nightmare.
> First, some points:
> 1. The NetBIOS header, below the TCP layer, contains bytes with bit-flags.
> One of these bits decides whether strings are going to use Unicode (2-bytes
> per character) or Ascii (1-byte per character). I believe this is negotiated
> between the hosts.
> 2. All Snort NetBIOS rules (AFAIK!), only check for port 139. As you seem to
> be aware, Win2k boxes send simultaneous requests on port 445, and if the
> remote host responds on that port then it negotiates to that port only. As I
> say, all the Vanilla rules check for the old NT SMB ports. So if NT or
> earlier networking hosts connect to a Win2k box then they will use the port
> 139 (137,138 etc...). You should only see 445 in Win2k-Win2k communications.

Yes. Need to correct this ASAP.  

> 3. If you want to check for Win2k-Win2k communications then you can
> copy all the TCP samba rules and substitute the TCP/139 for 445, this
> should work in most cases.

Yup, need to revisit them however.

> 4. If you want to be able to check for unicode and ASCII (i.e. know when
> packets are ASCII or Unicode) then I can recommend a plug-in I developed for
> an earlier version of snort that allows you to check for Bit flags below the
> TCP layer. You can obtain it from http://www.coochey.net which I hacked
> together to get round that stupid Unicode rule - unfortunately this means
> creating yet another set of NetBIOS rules (now, together with the
> Win2k-Win2k problem we have 4x as many rules for SMB protocol as before
> :-( YMMV).
> Try (off the top of my head, untested):
> alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"Win2k Admin C$ Share
> connect attempt"; flags:A+; content:"|5C 00 43 00 24|";)
> Check the rule example at http://www.coochey.net to work out how the
> bitcheck patch works, it was built as a patch for 1.8.3, but I don't think
> the detection plugin subsystem has changed all that much in 1.8.7, so it may
> patch without problems.

It should work pretty well in 1.9. plugin_enum.h and the directory
structure are the biggest things that have changed.

> If you want any help, or can provide some (re-writing rules, suggestions to
> snort-devel etc...) then let me know, I meant to spend some time on this
> myself ages ago, but other things came up. I remember Chris Green giving
> some nice suggestions as to improving the syntax of the bit-check plugin - I
> think that is why it's not included in vanilla snort, just as well, it's
> literally a hack around other code.

Yup, I dropped the ball on this one.  Let's correct it in HEAD of
CVS.  I'll look up what my suggestions were and what the code is
looking like these days.

> Quick Answers to your Qs: 1) See above, all possible permutations require
> more rules; 2) Not Barking up the wrong tree 445 will replace the old
> NetBIOS ports; 3) I believe all Win2k-Win2k or Win2k-WinXP traffic will try
> to connect on 445, if that port is filtered then they might negotiate to 139
> again. 4) Working with a pretty-much unmaintained and outdated rule-set that
> is snort-netbios.

Chris Green <cmg at ...1935...>
Fame may be fleeting but obscurity is forever.
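The encoding point in the quoted message (one SMB share path, two byte patterns, so one content match never covers both) as an added example; this is code written for this page, not Giles's plug-in or anything from the Snort rule set, and the payloads are constructed, not captures.

```python
# Added example (not from the thread): a share path such as "\C$" appears on
# the wire as ASCII b"\\C$" or, once the Unicode flag has been negotiated in
# the SMB header, as UTF-16LE b"\\\x00C\x00$\x00". A rule carrying only one
# encoding misses the other, hence one rule per encoding and per port (139/445).

ADMIN_SHARES = ("C$", "ADMIN$", "IPC$")

def share_patterns(share: str) -> dict:
    """Byte patterns for a backslash-prefixed share name in both encodings."""
    path = "\\" + share
    return {
        "ascii": path.encode("ascii"),
        "unicode": path.encode("utf-16-le"),
    }

def snort_hex(pattern: bytes) -> str:
    """Render bytes in Snort's |XX XX| content notation."""
    return "|" + " ".join(f"{b:02X}" for b in pattern) + "|"

def detect_admin_share(payload: bytes):
    """Return (share, encoding) for the first admin share found, else None."""
    for share in ADMIN_SHARES:
        for encoding, pattern in share_patterns(share).items():
            if pattern in payload:
                return share, encoding
    return None

# Constructed sample payloads (not real captures): a NetBIOS session header,
# the SMB magic, the TREE_CONNECT_ANDX command byte (0x75 = 'u'), then the
# share path in each encoding; the intervening SMB fields are omitted.
ASCII_PAYLOAD = b"\x00\x00\x00\x2c\xffSMBu" + b"\\\\SRV\\C$\x00"
UNICODE_PAYLOAD = (b"\x00\x00\x00\x2c\xffSMBu"
                   + "\\\\SRV\\ADMIN$\x00".encode("utf-16-le"))

if __name__ == "__main__":
    # Print the content string each (share, encoding) rule would need.
    for share in ADMIN_SHARES:
        for enc, pat in share_patterns(share).items():
            print(f'{share:7} {enc:8} content:"{snort_hex(pat)}"')
    print(detect_admin_share(ASCII_PAYLOAD))    # ('C$', 'ascii')
    print(detect_admin_share(UNICODE_PAYLOAD))  # ('ADMIN$', 'unicode')
```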
