[Snort-users] netbios rules

Tim Slighter tslighter at ...5174...
Wed Nov 24 10:52:32 EST 2004


Using Snort 2.20, in the netbios rules, there are some questionable uses 
of the "tag" keyword:


alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"NETBIOS DCERPC Remote 
Activation bind attempt"; flow:to_server,established; content:"|05|"; 
within:1; content:"|0B|"; within:1; distance:1; 
byte_test:1,&,1,0,relative; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| 
|AF|n|7C|W"; within:16; distance:29; tag:session,5,*packets*; 
reference:bugtraq,8234; reference:bugtraq,8458; reference:cve,2003-0528; 
reference:cve,2003-0605; reference:cve,2003-0715; 
reference:nessus,11798; reference:nessus,11835; 
reference:url,www.microsoft.com/technet/security/bulletin/MS03-039.mspx; 
classtype:attempted-admin; sid:2251; rev:14;)


alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS DCERPC 
Remote Activation bind attempt"; flow:to_server,established; 
content:"|FF|SMB%"; depth:5; offset:4; nocase; content:"&|00|"; 
within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00|"; 
within:12; distance:5; nocase; content:"|05|"; within:1; content:"|0B|"; 
within:1; distance:1; byte_test:1,&,1,0,relative; 
content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; within:16; 
distance:29; tag:session,5,*packets*; reference:bugtraq,8234; 
reference:bugtraq,8458; reference:cve,2003-0528; 
reference:cve,2003-0605; reference:cve,2003-0715; 
reference:nessus,11798; reference:nessus,11835; 
reference:url,www.microsoft.com/technet/security/bulletin/MS03-039.mspx; 
classtype:attempted-admin; sid:2252; rev:14;)



The use of the word "packets" instead of "seconds" caused my snortdb to 
overflow with about 2000 "tagged" alerts every hour.  I changed this 
back to tag: session,5,seconds; and these excessive alerts went away. 
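As an added illustration (not part of the original post), the following linter parses the option list of each rule, respecting quoted content strings, and reports which SIDs tag by packet count versus seconds; it also applies the same packets-to-seconds rewrite the poster made. The two rules below are constructed, abridged versions of sids 2251 and 2252 with the emphasis asterisks removed.

```python
import re

# Constructed sample: abridged copies of the two rules quoted in the post.
SAMPLE_RULES = """\
alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"NETBIOS DCERPC Remote Activation bind attempt"; flow:to_server,established; content:"|05|"; within:1; tag:session,5,packets; classtype:attempted-admin; sid:2251; rev:14;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS DCERPC Remote Activation bind attempt"; flow:to_server,established; content:"|FF|SMB%"; depth:5; offset:4; nocase; tag:session,5,seconds; classtype:attempted-admin; sid:2252; rev:14;)
"""

def split_options(rule):
    """Split a rule's option body into 'key:value' strings.
    Splits on ';' only outside double quotes so content:"a;b" survives."""
    body = rule[rule.index("(") + 1 : rule.rindex(")")]
    opts, cur, in_quote = [], [], False
    for ch in body:
        if ch == '"':
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            opts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    if "".join(cur).strip():
        opts.append("".join(cur).strip())
    return opts

def tag_report(ruleset):
    """Return (sid, tag_type, count, metric) for every rule carrying a tag option."""
    report = []
    for line in ruleset.splitlines():
        if not line.lstrip().startswith("alert"):
            continue
        sid = tag = None
        for opt in split_options(line):
            key, _, val = opt.partition(":")
            if key.strip() == "sid":
                sid = int(val.strip())
            elif key.strip() == "tag":
                tag = val.strip()
        if tag:
            parts = [p.strip() for p in tag.split(",")]
            report.append((sid, parts[0], int(parts[1]), parts[2]))
    return report

def packet_tagged_sids(ruleset):
    """SIDs whose tag metric is a packet count: every tagged packet is logged
    as its own record, which is the flood the post describes."""
    return [sid for sid, _, _, metric in tag_report(ruleset) if metric == "packets"]

def retag_in_seconds(ruleset):
    """Rewrite tag:<type>,<n>,packets to tag:<type>,<n>,seconds, as the poster did."""
    return re.sub(r"(tag:\s*\w+\s*,\s*\d+\s*,\s*)packets", r"\1seconds", ruleset)
```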



