[Snort-users] Is there a bug in "nocase"?

Jason Haar Jason.Haar at ...294...
Thu May 29 16:28:07 EDT 2003


I'm trying to reduce the FPs on the Nimda rules (we run Snort over our WAN
traffic - bl**dy great for picking up trojans). I've talked to the Samba
group and came to the conclusion that at least for WinNT+, any reference to
a "create filename" SMB call will always begin with the data stream
'content:"|ff 53 4d 42 a2|"'

So I tried:

alert tcp any any -> any 139 (msg:"NETBIOS nimda .EML"; \
 content:"|ff 53 4d 42 a2|"; content:"|00|.|00|E|00|M|00|L|00 00|"; \
 nocase; within:500; flow:established; classtype:bad-unknown;)

Note the "nocase".

Then I copied a file "xxxx.eml" between two Win2K servers - it didn't
trigger. I captured the transfer and ran "snort -v" over it, and that
'content' matched up - except that it was ".eml" instead of ".EML"....

So then I added a new rule

alert tcp any any -> any 139 (msg:"NETBIOS nimda .eml"; \
 content:"|ff 53 4d 42 a2|"; content:"|00|.|00|E|00|M|00|L|00 00|"; \
 nocase; within:500; flow:established; classtype:bad-unknown;)

...and that caught it.

Then I created a file "copy.EML" and copied that - the "NETBIOS nimda .eml"
caught that one *instead of* the "NETBIOS nimda .EML" one!!!


So my question is: is "nocase" broken in the case where you "mix mode" it
with HEX? It looks like it's only broken when you are nocasing capitals...????

Snort 2.0 under RH7.3

-- 
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
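To make the expected behaviour of the rule above concrete, here is a small reference model of how Snort's `content`/`nocase`/`within` options are supposed to combine, run against constructed payloads carrying the three file names from the post. This is an added example written for this page; it is not Snort's matching code and does not reproduce whatever Snort 2.0 actually did. The payload layout (SMB header bytes, 40 bytes of padding, then a UTF-16LE file name) is an assumption made for the example, not a real capture. It also shows one caveat worth keeping in mind when mixing hex and text in a single `content`: the header bytes `53 4d 42` are the ASCII letters "SMB", so a `nocase` applied to that content would fold them too. In the rule as written, `nocase` applies only to the file-name content that precedes it, which is the intended scope.

```python
# Reference model of Snort "content" matching with "nocase" and "within".
# Added example; not Snort source. Sample payloads are constructed.

SMB_CREATE_HDR = "|ff 53 4d 42 a2|"             # header content from the post
EML_NAME_UTF16 = "|00|.|00|E|00|M|00|L|00 00|"   # file-name content from the post


def snort_content_to_bytes(spec: str) -> bytes:
    """Turn a Snort content string such as '|00|.|00|E|00|M|00|L|00 00|'
    into the byte pattern Snort actually searches for. Text outside the
    pipes is literal; hex inside the pipes is decoded. (Escapes such as
    '\\|' are not handled; the post's rules do not use them.)"""
    out = bytearray()
    for i, part in enumerate(spec.split("|")):
        if i % 2 == 1:                       # odd segments sit between pipes: hex
            out += bytes.fromhex(part.replace(" ", ""))
        else:                                # even segments are literal text
            out += part.encode("latin-1")
    return bytes(out)


def fold_ascii(data: bytes) -> bytes:
    """Case-fold ASCII letters only; every other byte is left untouched.
    This is what 'nocase' must do regardless of whether a byte was written
    in hex or as text, because the rule parser has already merged them."""
    return bytes(b + 0x20 if 0x41 <= b <= 0x5A else b for b in data)


def find_content(hay: bytes, spec: str, nocase: bool = False):
    """Return the offset just past the first match of `spec` in `hay`,
    or None. That end offset is the anchor the next 'within' is relative to."""
    pat = snort_content_to_bytes(spec)
    if nocase:
        hay, pat = fold_ascii(hay), fold_ascii(pat)
    idx = hay.find(pat)
    return None if idx < 0 else idx + len(pat)


def rule_fires(payload: bytes, nocase: bool = True) -> bool:
    """Model of the post's rule: match the SMB create header (case-sensitive),
    then require the .EML file-name pattern to end within 500 bytes of it.
    `nocase` toggles the option on the second content, as in the rule."""
    end = find_content(payload, SMB_CREATE_HDR)
    if end is None:
        return False
    window = payload[end:end + 500]          # within:500 -> match must end inside this
    return find_content(window, EML_NAME_UTF16, nocase=nocase) is not None


def constructed_payload(filename: str) -> bytes:
    """Constructed stand-in for an NT Create request: header bytes, fixed
    padding (an assumption, not the real SMB field layout), then the
    UTF-16LE file name followed by its two-byte terminator."""
    hdr = snort_content_to_bytes(SMB_CREATE_HDR)
    return hdr + b"\x00" * 40 + filename.encode("utf-16-le") + b"\x00\x00"


def check_rule() -> dict:
    """Run the rule model with and without nocase over the file names from
    the post plus a non-matching control. Returns {name: (nocase, case_sensitive)}."""
    names = ("copy.EML", "xxxx.eml", "Mixed.Eml", "notes.txt")
    return {n: (rule_fires(constructed_payload(n), nocase=True),
                rule_fires(constructed_payload(n), nocase=False)) for n in names}


def folded_header() -> bytes:
    """Show what the header content becomes if nocase were applied to it:
    0x53 0x4d 0x42 are 'S','M','B' and would fold to 's','m','b'."""
    return fold_ascii(snort_content_to_bytes(SMB_CREATE_HDR))


if __name__ == "__main__":
    for name, (with_nocase, without) in check_rule().items():
        print(f"{name:10s} nocase={with_nocase!s:5s} case-sensitive={without}")
    print("header with nocase would be:", folded_header().hex(" "))
```

With a correct `nocase`, all three spellings (".EML", ".eml", ".Eml") fire the rule and the control name does not; without it only ".EML" fires. Running a model like this against the bytes pulled from `snort -v` (or a pcap) is a quick way to separate "my rule is wrong" from "the engine is not doing what the rule says" before filing a bug report.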