[Snort-users] Explanation of Rule 1:19189:4
rmkml at ...1855...
Tue Jan 29 10:32:08 EST 2013
Thx for the reply,
How long have you had this rule (sid 19189) enabled, please?
Is it the first time this rule has fired?
If IP src and dst are trusted, it's certainly a FP:
-maybe fix the FP
-or simply exclude the IP on this rule
-or disable this rule
The best is to start a network capture like tcpdump on the snort sensor, please
(bpf filter like the two IPs and netbios ports).
On Tue, 29 Jan 2013, Nicholas Horton wrote:
> Thanks Rmkml.
> I don't have a pcap at this time but can record one. What I do have is 2 alerts from 2 different sources going to the same destination ip generating this alert.
> Sources are windows 2003 server titanium and the destination is a xp pro box.
> Both sources seem to already have patch KB2535512 installed. I'm not sure about the destination ip box.
> I would like to see who has the vulnerability or where the issue is. For example when I get another netbios alert such as 1:14782 (conficker) I'm able to verify with nmap that it has the conficker infection.
> So with the new netbios alert is there a possible infection? It lists no known false positives. So if both sources have the patch should I check the destination since this rule is flow to_client?
> I read CVE-2011-1869 but I'm still not sure if this is an issue or not.
> I guess I should turn on pcap output along with unified2. I can do both simultaneously right?
> Thanks again
> On Jan 29, 2013, at 7:50 AM, rmkml <rmkml at ...1855...> wrote:
>> Hi Nicholas,
>> This rule is renamed in rev 5 to "OS-WINDOWS SMB-DS Trans2 Distributed File System response PathConsumed integer overflow attempt"
>> The Distributed File System (DFS) implementation in Microsoft Windows
>> XP SP2 and SP3 and Server 2003 SP2 does not properly validate fields
>> in DFS responses, which allows remote DFS servers to execute arbitrary
>> code via a crafted response, aka "DFS Memory Corruption
>> Please post pcap if you have FP.
>> Best Regards
>> On Tue, 29 Jan 2013, Nicholas Horton wrote:
>>> What is important to check with this alert?
>>> Does the vulnerability reside on the source or destination and what am I looking for?
>>> I saw on the source ip of this alert that it looks like it had installed KB2535512 back in June 2011.
>>>> alert tcp $EXTERNAL_NET 445 -> $HOME_NET any (msg:"NETBIOS SMB-DS Trans2 Distributed File System response PathConsumed integer overflow attempt";
>>>> flow:established,to_client; flowbits:isset,smb.trans2.get_dfs_referral; content:"|00|"; offset:1; content:"|FF|SMB2"; depth:5; offset:4;
>>>> content:"|00 00 00 00|"; within:4; byte_test:2,>,0xFFFD,47,little,relative; flowbits:unset,smb.trans2.get_dfs_referral;
>>>> metadata:policy security-ips drop, service netbios-ssn; reference:cve,2011-1868; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-042; classtype:attempted-admin; sid:19189; rev:4;)
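Added example, not from this thread or from the Snort project: the payload part of sid 19189 rev 4 transcribed into Python and run against a constructed SMB Trans2 response, to show that the rule's byte_test reads the 2-byte PathConsumed field at a fixed position (byte 60 of the NetBIOS-framed packet, i.e. 47 bytes past the NT status match) and fires only when it exceeds 0xFFFD. The flow/flowbits preconditions (the earlier client GET_DFS_REFERRAL request) are stream state Snort tracks and are not modelled; the packet builder and its field values are assumptions for illustration.

```python
import struct

def build_trans2_dfs_response(path_consumed: int) -> bytes:
    """Constructed minimal SMB Trans2 response (NetBIOS session framing +
    32-byte SMB header + Trans2 response words + GET_DFS_REFERRAL data).
    Only the fields the rule inspects are meaningful; the rest are zero."""
    smb_hdr = b"\xffSMB" + bytes([0x32])            # protocol id + command 0x32 (TRANS2)
    smb_hdr += struct.pack("<I", 0)                 # NT status = STATUS_SUCCESS
    smb_hdr += bytes(23)                            # flags .. MID, not inspected by the rule
    data = struct.pack("<H", path_consumed) + bytes(6)   # PathConsumed, NumberOfReferrals, flags
    # WordCount=10, then TotalParamCount, TotalDataCount, Reserved, ParamCount,
    # ParamOffset, ParamDisplacement, DataCount, DataOffset(56), DataDisplacement,
    # SetupCount, Reserved
    trans2 = bytes([10]) + struct.pack("<9H", 0, len(data), 0, 0, 0, 0, len(data), 56, 0) + bytes(2)
    smb = smb_hdr + trans2 + struct.pack("<H", 1 + len(data)) + b"\x00" + data  # ByteCount, pad, data
    return b"\x00" + len(smb).to_bytes(3, "big") + smb   # NetBIOS session message header

def rule_19189_payload_match(payload: bytes) -> bool:
    """Apply the content/byte_test options of sid 19189 rev 4 exactly as written."""
    # content:"|00|"; offset:1  -> a 0x00 byte anywhere at or after byte 1
    if payload.find(b"\x00", 1) < 0:
        return False
    # content:"|FF|SMB2"; depth:5; offset:4 -> SMB signature + TRANS2 command at bytes 4..8
    if payload[4:9] != b"\xffSMB2":
        return False
    # content:"|00 00 00 00|"; within:4 -> NT status 0 immediately after (bytes 9..12)
    if payload[9:13] != b"\x00\x00\x00\x00":
        return False
    # byte_test:2,>,0xFFFD,47,little,relative -> 2 LE bytes at 13+47 = byte 60
    pos = 13 + 47
    if len(payload) < pos + 2:
        return False
    path_consumed = struct.unpack_from("<H", payload, pos)[0]
    return path_consumed > 0xFFFD

if __name__ == "__main__":
    for value in (0x0010, 0xFFFD, 0xFFFE, 0xFFFF):
        print(f"PathConsumed=0x{value:04X} -> alert: {rule_19189_payload_match(build_trans2_dfs_response(value))}")
```

Because the rule uses a fixed offset rather than the DataOffset word, a response laid out differently is tested at the wrong bytes, so reading the actual PathConsumed value at that position in the pcap is the quickest way to classify the alert.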