[Snort-users] help us help you

Brian bmc at ...950...
Mon Nov 1 14:34:13 EST 2004


Do you find yourself wishing you could contribute to the cause without
knowing where to start?  Don't know how to write rules, but you wish
you could help make the rules better?

Here is your chance to help us help you.

I'm working on cleaning up the netbios rules, and need a bit of "real
world" testing.  Please add these rules to your IDS installation and
send me the packet payload[0] of any alerts that are generated.

   alert tcp any any -> any 139 (msg:"RESEARCH NETBIOS AndX stacked commands"; flow:to_server,established; content:"|FF|SMB"; pcre:"/^\x00.{3}\xFFSMB((\x74|\x75|\xa2|\x24|\x2d|\x2e|\x2f).{28}(?!\xff)|(\x73).{28}(?!\xff|\x75))/si";)
   alert tcp any any -> any 445 (msg:"RESEARCH NETBIOS AndX stacked commands"; flow:to_server,established; content:"|FF|SMB"; pcre:"/^\x00.{3}\xFFSMB((\x74|\x75|\xa2|\x24|\x2d|\x2e|\x2f).{28}(?!\xff)|(\x73).{28}(?!\xff|\x75))/si";)

Are you in a sensitive environment and just can't get that packet
payload to me?  Well, I can still use your help.  Run the packet
payload for each alert through the attached perl script, and send me
the output.

Brian

[0] By "packet payload", I mean the hex ascii output generated by
    snort, but only the payload portion.  If you look at the attached
    script, the __DATA__ section is an example payload.  When using
    the example payload, the script outputs the following:

73
75
FF
-------------- next part --------------
#!/usr/bin/perl
#
# Walk the SMB AndX command chain in a snort hex/ascii payload dump and
# print one command byte per line, ending with the 0xFF chain terminator.
# Reads the dump from STDIN; falls back to the __DATA__ example payload
# when STDIN is a terminal.
use strict;
use warnings;

my $fh = -t STDIN ? \*DATA : \*STDIN;
my $bin = '';
while (<$fh>) {
    # hex column: up to 16 "xx " pairs, then the gap before the ascii column
    if ($_ =~ /^((?:\w{2}\s){1,16})\s/) {
        my $string = $1;
        $string =~ s/\s+//g;
        $string =~ s/([a-f0-9]{2})/pack("C",hex($1))/ieg;
        $bin .= $string;
    }
}
my @commands;
# byte 8 is the SMB command; only the AndX-capable commands carry a chain
if (substr($bin, 8, 1) =~ /(\x2f|\xa2|\x73|\x2d|\x74|\x2e|\x24|\x75)/) {
    push (@commands, $1);
    my $base = 32;      # first parameter block follows the 32-byte SMB header
    while (1) {
        last if ($base + 9 > length($bin));         # truncated payload
        my $command = substr($bin, $base + 5, 1);   # AndXCommand
        my $next = unpack("v", substr($bin, $base + 7, 2));   # AndXOffset
        push (@commands, $command);
        last if ($command eq "\xff");
        last if ($next <= $base);   # offset points backwards: refuse to loop
        $base = $next;
    }
}

foreach my $cmd (@commands) {
   printf("%2.2X\n", unpack("C",$cmd));
}

__DATA__
00 00 00 85 FF 53 4D 42 73 00 00 00 00 18 07 48  .....SMBs......H
00 00 00 00 00 00 00 00 00 00 00 00 00 00 FF FE  ................
00 00 40 00 0D 75 00 64 00 FF FF 32 00 00 00 1F  ..@..u.d...2....
06 00 00 01 00 00 00 00 00 00 00 D4 00 00 00 27  ...............'
00 00 00 00 57 69 6E 64 6F 77 73 20 32 30 30 30  ....Windows 2000
20 32 31 39 35 00 57 69 6E 64 6F 77 73 20 32 30   2195.Windows 20
30 30 20 35 2E 30 00 00 04 FF 00 85 00 08 00 01  00 5.0..........
00 16 00 00 5C 5C 48 41 42 55 2D 49 49 5C 49 50  ....\\HABU-II\IP
43 24 00 3F 3F 3F 3F 3F 00                       C$.?????.
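As an added example (not part of Brian's message or the attached perl script), the following Python does the same AndX chain walk over a snort hex/ascii dump and also makes the decision the two RESEARCH rules' pcre makes: a chain is "stacked" when the command after the first is not the 0xFF terminator, except for the normal SessionSetupAndX (0x73) followed by TreeConnectAndX (0x75). It goes a little beyond the script by refusing to follow an AndXOffset that points backwards or past the end of the data, so a malformed packet cannot make the walker loop. The sample dump is the one from the __DATA__ section, embedded here as a constructed input; the looping variant is constructed by patching its first AndXOffset. Names like `andx_chain` and `is_stacked` are this example's own.

```python
import re
import struct

# Constructed sample input: the snort hex/ascii dump of a SessionSetupAndX
# request with a chained TreeConnectAndX (the __DATA__ payload above).
SAMPLE_DUMP = r"""
00 00 00 85 FF 53 4D 42 73 00 00 00 00 18 07 48  .....SMBs......H
00 00 00 00 00 00 00 00 00 00 00 00 00 00 FF FE  ................
00 00 40 00 0D 75 00 64 00 FF FF 32 00 00 00 1F  ..@..u.d...2....
06 00 00 01 00 00 00 00 00 00 00 D4 00 00 00 27  ...............'
00 00 00 00 57 69 6E 64 6F 77 73 20 32 30 30 30  ....Windows 2000
20 32 31 39 35 00 57 69 6E 64 6F 77 73 20 32 30   2195.Windows 20
30 30 20 35 2E 30 00 00 04 FF 00 85 00 08 00 01  00 5.0..........
00 16 00 00 5C 5C 48 41 42 55 2D 49 49 5C 49 50  ....\\HABU-II\IP
43 24 00 3F 3F 3F 3F 3F 00                       C$.?????.
"""

# The AndX-capable commands the RESEARCH rules look for at byte 8.
ANDX_COMMANDS = {0x24: "LockingAndX", 0x2D: "OpenAndX", 0x2E: "ReadAndX",
                 0x2F: "WriteAndX", 0x73: "SessionSetupAndX", 0x74: "LogoffAndX",
                 0x75: "TreeConnectAndX", 0xA2: "NTCreateAndX"}
SMB_HDR = 4        # "\xFFSMB" follows the 4-byte NetBIOS session header
SMB_HDR_LEN = 32   # AndXOffset values are relative to the start of the SMB header


def parse_snort_dump(text):
    """Turn the hex column of a snort payload dump back into raw bytes."""
    out = bytearray()
    for line in text.splitlines():
        m = re.match(r"^((?:[0-9A-Fa-f]{2}\s){1,16})\s", line)
        if m:
            out += bytes.fromhex(re.sub(r"\s", "", m.group(1)))
    return bytes(out)


def andx_chain(payload, max_depth=16):
    """Return the command bytes of the AndX chain, 0xFF last.

    None is appended instead when the chain is truncated or its
    AndXOffset points backwards / to a block already visited.
    """
    if len(payload) < SMB_HDR + SMB_HDR_LEN + 8 or payload[SMB_HDR:SMB_HDR + 4] != b"\xFFSMB":
        return []
    cmd = payload[8]
    if cmd not in ANDX_COMMANDS:
        return []
    chain, seen, base = [cmd], set(), SMB_HDR_LEN
    while len(chain) <= max_depth:
        pos = SMB_HDR + base            # absolute offset of this block's WordCount
        if base in seen or pos + 5 > len(payload):
            chain.append(None)          # looping or truncated: stop walking
            break
        seen.add(base)
        nxt = payload[pos + 1]          # AndXCommand
        chain.append(nxt)
        if nxt == 0xFF:
            break
        base = struct.unpack_from("<H", payload, pos + 3)[0]   # AndXOffset
    return chain


def is_stacked(chain):
    """The rules' pcre decision: alert unless the second command is 0xFF,
    or the pair is the ordinary SessionSetupAndX -> TreeConnectAndX."""
    if len(chain) < 2:
        return False
    if chain[1] is None:
        return True                     # unparseable chain: flag it for a human
    if chain[0] == 0x73 and chain[1] == 0x75:
        return False
    return chain[1] != 0xFF


def format_chain(chain):
    """Same output shape as the perl script: one two-digit hex byte per entry."""
    return ["??" if b is None else "%02X" % b for b in chain]


def looping_payload():
    """Constructed variant: the first AndXOffset rewritten to point at itself."""
    p = bytearray(parse_snort_dump(SAMPLE_DUMP))
    p[39:41] = struct.pack("<H", SMB_HDR_LEN)
    return bytes(p)


if __name__ == "__main__":
    chain = andx_chain(parse_snort_dump(SAMPLE_DUMP))
    print("\n".join(format_chain(chain)), "stacked:", is_stacked(chain))
    print(format_chain(andx_chain(looping_payload())))
```

Run against the sample it prints 73, 75, FF and "stacked: False", which is why the RESEARCH rules do not fire on an ordinary session setup; a chain whose second command is anything other than 0xFF (or 0x75 after 0x73) is the case the rules are meant to surface, and the patched payload shows the walker stopping with "??" instead of spinning.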
