[Snort-users] RE: [Snort-sigs] Current rule set for snort 1.8.7 netbios.rules -- Windows 2000 to Windows 2000 mapping detecting C$ and ADMIN$ whats the deal?

Giles Coochey g.coochey at ...1985...
Mon Sep 2 06:51:17 EDT 2002


You are not the first person to look at the NetBIOS rules and figure that
they are a nightmare.

First, some points:

1. The NetBIOS header, below the TCP layer, contains bytes with bit-flags.
One of these bits decides whether strings are going to use Unicode (2-bytes
per character) or Ascii (1-byte per character). I believe this is negotiated
between the hosts.

2. All Snort NetBIOS rules (AFAIK!), only check for port 139. As you seen to
be aware, Win2k boxes send simultaneous requests on port 445, and if the
remote host responds on that port then it negotiates to that port only. As I
say, all the Vanilla rules check for the old NT SMB ports. So if NT or
earlier networking hosts connect to a Win2k box then they will use the port
139 (137,138 etc...). You should only see 445 in Win2k-Win2k communications.

3. If you want to check for Win2k-Win2k communications then you can copy all
the TCP samba rules and substitute the TCP/139 for 445, this should work in
most cases.

4. If you want to be able to check for unicode and ASCII (i.e. know when
packets are ASCII or Unicode) then I can recommend a plug-in I developed for
an earlier version of snort that allows you to check for Bit flags below the
TCP layer. You can obtain it from http://www.coochey.net which I hacked
together to get round that stupid Unicode rule - unfortunately this means
creating yet another set of NetBIOS rules (now, together with the
Win2k-Win2k problem we have 4x as many rules for SMB protocol as before
:-( YMMV).

Try (off the top of my head, untested):

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"Win2k Admin C$ Share
connect attempt"; flags:A+; content:"|5C|00|43|00|24|")

Check the rule example at http://www.coochey.net to work out how the
bitcheck patch works, it was built as a patch for 1.8.3, but I don't think
the detection plugin subsystem has changed all that much in 1.8.7, so it may
patch without problems.

If you want any help, or can provide some (re-writing rules, suggestions to
snort-devel etc...) then let me know, I meant to spend some time on this
myself ages ago, but other things came up. I remember Chris Green giving
some nice suggestions as to improving the syntax of the bit-check plugin - I
think that is why it's not included in vanilla snort, just as well, it's
literally a hack around other code.

Quick Answers to your Qs: 1) See above, all possible permutations require
more rules; 2) Not Barking up the wrong tree 445 will replace the old
NetBIOS ports; 3) I believe all Win2k-Win2k or Win2k-WinXP traffic will try
to connect on 445, if that port is filtered then they might negotiate to 139
again. 4) Working with a pretty-much unmaintained and outdated rule-set that
is snort-netbios.


Giles Coochey

-----Original Message-----
From: snort-sigs-admin at lists.sourceforge.net
[mailto:snort-sigs-admin at lists.sourceforge.net]On Behalf Of Jake Schneider
Sent: 01 September 2002 04:37
To: snort-sigs at lists.sourceforge.net; snort-users at lists.sourceforge.net
Subject: [Snort-sigs] Current rule set for snort 1.8.7 netbios.rules --
Windows 2000 to Windows 2000 mapping detecting C$ and ADMIN$ whats the deal?

I'm at the end of my rope with this rule set, let me describe my situation
first. I compiled snort version 1.8.7 on Slackware 8.1. It's all up and
running, and alerts are getting posted in the DB and everything. Hunky dory.
Well one of the really important pieces of this install is the ability to
detect folks from $EXTERNAL_NET trying to connect to the administrative
share of a Windows 2000/ NT4 Boxen; ie. C$ ADMIN$, what have you. And in the
netbios.rules that I installed (the snort.rules.tgz from snort.org - since
the snortrules-current.tgz is apparently for versions above 1.8.x), sure
enough there are provisions for detecting connects to TCP 139 with the rule
set options with content:"\\ADMIN$|00 41 3a 00|" and content: "|5c|C$|00 41
3a 00|" One for matching a connect to I guess \\ADMIN$ which wouldn't
necessarily work, because in the dumps I've seen, it's only \ADMIN$ the
other being "\C$" which would detect connects to the administrative C share.

Testing to see if it works!:  I fired up snort and started attempting to
connect with my windows 2000 server to the target windows 2000 server by
mapping a drive to \\target\C$ and \\target\ADMIN$ in both upper and lower
case, and passing and failing the COMPUTER\User authentication. To my
surprise, nothing was logged. I changed the rule in snort temporarily to
record any connect from my server to the target server in effort to analyze
the exact packets the snort IDS was seeing. Sure enough "\ADMIN$" and "\C$"
show up, however they show up on port 445 not 139. Here is how ACID displays
the snorted packet on 445 with the "\C$" in the packet:

000 : 00 00 00 68 FF 53 4D 42 32 00 00 00 00 18 07 C8   ...h.SMB2.......
010 : 00 00 00 00 00 00 00 00 00 00 00 00 01 08 84 04   ................
020 : 02 20 00 02 0F 24 00 00 00 00 00 00 10 00 00 00   . ...$..........
030 : 00 00 00 00 00 00 00 24 00 44 00 00 00 00 00 01   .......$.D......
040 : 00 10 00 27 00 02 00 00 03 00 5C 00 32 00 31 00   ...'......\.2.1.
050 : 36 00 2E 00 30 00 2E 00 31 00 35 00 35 00 2E 00   6...0...1.5.5...
060 : 32 00 31 00 5C 00 43 00 24 00 00 00               2.1.\.C.$...
                  ^^ ^^ ^^ ^^ ^^                            ^^^^^

Okay, now I notice that the content option in the snort.rules is trying to
match "|5c|C$|00 41 3a 00|" and from what I can see here, it needs to match
"|5C 00 43 00 24|"

So I changed the rule to instead try and match "|5C 00 43 00 24|" and still

I also tried: "|5C 43 24|"
              "\C$|5C 00 43 00 24|"
              "\C$|5C 43 24|"

I've poured over snort's documentation over and over again, specifically
regarding the content rule options, I even tried the rawbits option, but I
believe that's only for telnet decodes. I guess I don't understand the
Boyer-Moore pattern match function.

These are my questions regarding netbios.rules.

1)    How do I match a string like \C$ or any part of an UNC within the
current rule set?
2)    Am I barking up the wrong tree with port 445 microsoft-ds, when this
is the only port I see strings matching the UNCs when I want to log SMB
connects? I never saw any of these strings on 135, 137, or 139.
3)    Is there a difference with regards to the client connecting on this
matter of ports? If I connect with a Windows 95 machine to the server will
the string show up on port 139? Was the fact that I connected from a 2000
box make it connect on 445? (I'm far from understanding the intricacies of
Microsoft SMB client/server interaction.
4)    What the heck am I doing wrong?!

Well thanks for taking the time reading this, if you can offer any insight
into my problem, I would greatly appreciate it. If there is not enough
detail here, just let me know, I can provide more.

Thank You group,

Jake Schneider

More information about the Snort-users mailing list