[Snort-users] Explanation of Rule 1:19189:4

rmkml rmkml at ...1855...
Tue Jan 29 10:32:08 EST 2013


Thanks for the reply,

How long have you had this rule (sid 19189) enabled, please?
Is this the first time this rule has fired?

If the src and dst IPs are trusted, it is certainly an FP:
-maybe fix the FP
-or simply exclude the IPs from this rule
-or disable this rule

The best thing is to start a network capture like tcpdump on the snort sensor
(with a bpf filter on the two IPs and the netbios ports).

Best Regards
Rmkml


On Tue, 29 Jan 2013, Nicholas Horton wrote:

> Thanks Rmkml.
>
> I don't have a pcap at this time but can record one.  What I do have is 2 alerts from 2 different sources going to the same destination IP generating this alert.
>
> Sources are Windows 2003 Server titanium and the destination is an XP Pro box.
>
> Both sources seem to already have patch KB2535512 installed. I'm not sure about the destination ip box.
>
> I would like to see who has the vulnerability or where the issue is. For example, when I get another netbios alert such as 1:14782 (conficker) I'm able to verify with nmap that it has the conficker infection.
>
> So with the new netbios alert, is there a possible infection? It lists no known false positives. So if both sources have the patch, should I check the destination since this rule is flow to_client?
>
> I read CVE-2011-1869 but I'm still not sure if this is an issue or not.
>
> I guess I should turn on pcap output along with unified2. I can do both simultaneously, right?
>
> Thanks again
> Nick
>
> On Jan 29, 2013, at 7:50 AM, rmkml <rmkml at ...1855...> wrote:
>
>> Hi Nicholas,
>>
>> This rule was renamed in rev 5 to "OS-WINDOWS SMB-DS Trans2 Distributed File System response PathConsumed integer overflow attempt"
>>
>> CVE:
>> The Distributed File System (DFS) implementation in Microsoft Windows
>> XP SP2 and SP3 and Server 2003 SP2 does not properly validate fields
>> in DFS responses, which allows remote DFS servers to execute arbitrary
>> code via a crafted response, aka "DFS Memory Corruption
>> Vulnerability."
>>
>> Please post pcap if you have FP.
>>
>> Best Regards
>> Rmkml
>>
>>
>> On Tue, 29 Jan 2013, Nicholas Horton wrote:
>>
>>> What is important to check with this alert?
>>>
>>> Does the vulnerability reside on the source or destination and what am I looking for?
>>>
>>> I saw on the source ip of this alert that it looks like it had installed KB2535512 back in June 2011.
>>>
>>> Thanks
>>>
>>> alert tcp $EXTERNAL_NET 445 -> $HOME_NET any (msg:"NETBIOS SMB-DS Trans2 Distributed File System response PathConsumed integer overflow attempt";
>>> flow:established,to_client; flowbits:isset,smb.trans2.get_dfs_referral; content:"|00|"; offset:1; content:"|FF|SMB2"; depth:5; offset:4;
>>> content:"|00 00 00 00|"; within:4; byte_test:2,>,0xFFFD,47,little,relative; flowbits:unset,smb.trans2.get_dfs_referral;
>>> metadata:policy security-ips drop, service netbios-ssn; reference:cve,2011-1868; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-042; classtype:attempted-admin; sid:19189; rev:4;)
>>>
>
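As an added illustration (not part of the thread and not Sourcefire's or Snort's own code), the Python below builds a constructed SMB Trans2 GET_DFS_REFERRAL response and applies the same content/byte_test chain as sid 19189 rev 4 to it, so you can see exactly which bytes the rule inspects: a 0x00 in the NetBIOS length bytes, the SMB header with command 0x32 (Trans2) and NT_STATUS_SUCCESS at bytes 4..12, and the 16-bit little-endian PathConsumed field 47 bytes past the status (byte 60 of the TCP payload), which must exceed 0xFFFD. The rule header (server port 445 -> client, to_client) means the packet that fires it is the server's referral response, so the host that receives it is the one a malicious response would exploit. The share name, flag values and word layout are constructed test data, and the flowbits precondition (the client's preceding GET_DFS_REFERRAL request) is not modelled.

```python
import struct

# Threshold taken from the rule text: byte_test:2,>,0xFFFD,47,little,relative
PATHCONSUMED_THRESHOLD = 0xFFFD


def build_dfs_referral_response(path_consumed, num_referrals=1):
    """Construct a NetBIOS-framed SMB_COM_TRANSACTION2 response carrying a
    RESP_GET_DFS_REFERRAL payload (constructed test data, not a real capture).

    Layout of the returned bytes:
      0..3   NetBIOS session header (type 0x00, 3-byte length)
      4..35  SMB header (0xFF "SMB", command 0x32, NT status, flags, TID/PID/UID/MID)
      36     WordCount (10)
      37..56 Trans2 response words
      57..58 ByteCount
      59     pad byte
      60..   DFS referral header: PathConsumed(2) NumberOfReferrals(2) Flags(4)
    """
    # Referral header followed by one minimal v1 referral entry
    dfs_hdr = struct.pack("<HHI", path_consumed, num_referrals, 0)
    share = "\\\\fileserver\\share".encode("utf-16-le") + b"\x00\x00"  # constructed name
    # VersionNumber, Size, ServerType, ReferralEntryFlags, then ShareName
    entry = struct.pack("<HHHH", 1, 8 + len(share), 0, 0) + share
    data = dfs_hdr + entry

    smb_hdr = (
        b"\xffSMB"                     # Protocol
        + b"\x32"                      # Command: SMB_COM_TRANSACTION2
        + b"\x00\x00\x00\x00"          # Status: NT_STATUS_SUCCESS
        + b"\x98"                      # Flags: reply, canonical paths, case-insensitive
        + struct.pack("<H", 0xC801)    # Flags2: unicode, NT status, ext. security, long names
        + b"\x00" * 12                 # PIDHigh, SecurityFeatures, Reserved
        + struct.pack("<HHHH", 1, 0xFEFF, 1, 1)  # TID, PID, UID, MID (filler)
    )

    word_count = 10
    # Trans2 offsets are measured from the start of the SMB header
    data_offset = 32 + 1 + 2 * word_count + 2 + 1  # hdr + WordCount + words + ByteCount + pad
    words = struct.pack(
        "<HHHHHHHHHBB",
        0,                # TotalParameterCount (GET_DFS_REFERRAL returns no parameters)
        len(data),        # TotalDataCount
        0,                # Reserved
        0,                # ParameterCount
        data_offset - 1,  # ParameterOffset
        0,                # ParameterDisplacement
        len(data),        # DataCount
        data_offset,      # DataOffset
        0,                # DataDisplacement
        0,                # SetupCount
        0,                # Reserved
    )
    byte_count = 1 + len(data)  # pad byte + data
    smb = smb_hdr + bytes([word_count]) + words + struct.pack("<H", byte_count) + b"\x00" + data
    netbios = b"\x00" + struct.pack(">I", len(smb))[1:]  # session message, 3-byte length
    return netbios + smb


def rule_19189_matches(payload):
    """Apply the content/byte_test chain of sid 19189 rev 4 to one server->client
    TCP payload. Returns (matched, path_consumed); path_consumed is None when an
    earlier content check already fails."""
    # content:"|00|"; offset:1;  -> some 0x00 at or after byte 1 (NetBIOS length high byte)
    if payload.find(b"\x00", 1) == -1:
        return False, None
    # content:"|FF|SMB2"; depth:5; offset:4;  -> SMB magic + command 0x32 at bytes 4..8
    if payload[4:9] != b"\xffSMB\x32":
        return False, None
    cursor = 9
    # content:"|00 00 00 00|"; within:4;  -> NT_STATUS_SUCCESS immediately after the command
    if payload[cursor:cursor + 4] != b"\x00\x00\x00\x00":
        return False, None
    cursor += 4
    # byte_test:2,>,0xFFFD,47,little,relative;  -> 16-bit LE PathConsumed at cursor+47 (= 60)
    pos = cursor + 47
    if len(payload) < pos + 2:
        return False, None
    (path_consumed,) = struct.unpack_from("<H", payload, pos)
    return path_consumed > PATHCONSUMED_THRESHOLD, path_consumed


if __name__ == "__main__":
    for value in (0x0020, 0xFFFD, 0xFFFE, 0xFFFF):
        matched, seen = rule_19189_matches(build_dfs_referral_response(value))
        print(f"PathConsumed=0x{seen:04X} -> {'ALERT' if matched else 'no alert'}")
```

Running it shows a normal PathConsumed such as 0x0020 passing while 0xFFFE and 0xFFFF trip the byte_test. Pointing rule_19189_matches at the server->client payload from a tcpdump capture of the two hosts tells you which side actually sent the out-of-range PathConsumed, which is the question to settle before deciding between a false positive and a hostile DFS server.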
