[Snort-users] Explanation of Rule 1:19189:4

Nicholas Horton fivetenets at ...14399...
Tue Jan 29 12:00:25 EST 2013


It has been enable for a few months but it could be the first time I've noticed it. Ill search with what data I have to see if it has fired before now. 

Thx for the reply. Ill look deeper to see if the destination has the patch for the venerability.

Nick

On Jan 29, 2013, at 10:32 AM, rmkml <rmkml at ...1855...> wrote:

> Thx for reply,
> 
> How long time have you enabled this rule (sid19189) please?
> It's first time this rule fire please?
> 
> If IP src and dst are trust, certainly a FP:
> -maybe fix FP
> -or simply exclude IP on this rule
> -or disable this rule
> 
> The best is start a network capture like tcpdump on snort sensor please (bpf filter like two IP and netbios ports).
> 
> Best Regards
> Rmkml
> 
> 
> On Tue, 29 Jan 2013, Nicholas Horton wrote:
> 
>> Thanks Rmkml.
>> 
>> I don't have a pcap at this time but can record one.  What I do have is 2 alerts from 2 different sources going to the same destination ip generating this alert.
>> 
>> Sources are windows 2003 server titanium and the destination is a xp pro box.
>> 
>> Both sources seem to already have patch KB2535512 installed. I'm not sure about the destination ip box.
>> 
>> I would like to see who has the vulnerability or where the issues is. For example when I get another netbios alert such as 1:14782 (conficker) I'm able to verify with nmap that it has the conficker infection.
>> 
>> So with the new netbios alert is there a possible infection. It lists no know false positives. So if both sources have the patch should I check the destination since this rule is flow to client?
>> 
>> I read CVE-2011-1869 but I'm still not sure if this is an issue or not.
>> 
>> I guess I should turn of pcap output along with unified2. I can do both simultaneously right?
>> 
>> Thanks again
>> Nick
>> 
>> On Jan 29, 2013, at 7:50 AM, rmkml <rmkml at ...1855...> wrote:
>> 
>>> Hi Nicholas,
>>> 
>>> This rule are renamed on rev 5 to "OS-WINDOWS SMB-DS Trans2 Distributed File System response PathConsumed integer overflow attempt"
>>> 
>>> CVE:
>>> The Distributed File System (DFS) implementation in Microsoft Windows
>>> XP SP2 and SP3 and Server 2003 SP2 does not properly validate fields
>>> in DFS responses, which allows remote DFS servers to execute arbitrary
>>> code via a crafted response, aka "DFS Memory Corruption
>>> Vulnerability."
>>> 
>>> Please post pcap if you have FP.
>>> 
>>> Best Regards
>>> Rmkml
>>> 
>>> 
>>> On Tue, 29 Jan 2013, Nicholas Horton wrote:
>>> 
>>>> What is important to check with this alert?
>>>> 
>>>> Does the vulnerability reside on the source or destination and what am I looking for?
>>>> 
>>>> I saw on the source ip of this alert that it looks like it had installed KB2535512 back in June 2011.
>>>> 
>>>> Thanks
>>>>> 
>>>>> alert tcp $EXTERNAL_NET 445 -> $HOME_NET any (msg:"NETBIOS SMB-DS Trans2 Distributed File System response PathConsumed integer overflow attempt";
>>> flow:established,to_client; flowbits:isset,smb.trans2.get_dfs_referral; content:"|00|"; offset:1; content:"|FF|SMB2"; depth:5; offset:4;
>>> content:"|00 00 00 00|"; within:4; byte_test:2,>,0xFFFD,47,little,relative; flowbits:unset,smb.trans2.get_dfs_referral;
>>> metadata:policy security-ips drop, service netbios-ssn; reference:cve,2011-1868; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-042; classtype:attempted-admin; sid:19189; rev:4;)
>> 




More information about the Snort-users mailing list