[Snort-users] Regarding GID 1, SID 33429 - Microsoft Windows SMB potential group policy fallback exploit attempt

Sandeep Singh ctrlaltdelngone at ...11827...
Sat Feb 14 02:21:38 EST 2015


Hi all,
I am seeing a lot of noise for the recently pushed rule with GID 1, SID
33429, which is meant to detect attempts against the vulnerability mentioned
in MS15-014 (https://technet.microsoft.com/library/security/ms15-014.

Rule -->

alert tcp $HOME_NET any -> $HOME_NET [139,445] ( \
    msg:"OS-WINDOWS Microsoft Windows SMB potential group policy fallback exploit attempt"; \
    flow:to_server,established; \
    content:"|FF|SMB"; depth:4; offset:4; \
    content:"|5C 00|g|00|p|00|t|00|T|00|m|00|p|00|l|00|.|00|i|00|n|00|f|00 00|"; fast_pattern:only; \
    detection_filter:track by_src,count 5,seconds 2; \
    metadata:policy balanced-ips alert, policy connectivity-ips alert, policy security-ips alert, service netbios-ssn; \
    reference:cve,2015-0009; \
    reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-014; \
    classtype:attempted-user; sid:33429; rev:1; )


From what I can understand from the rule and the alerts, it triggers every
time a computer queries a shared folder (which contains the group policies)
for settings that apply to the current computer or user, which is of course
causing a huge number of false positives.


We are already in the process of deploying an enterprise-wide patch for
MS15-014, but in the meantime is there anything that can be done to tune
this detection rule?


If required, I can provide a packet capture.


Any suggestions?


Thanks
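Editor's note: the following is an added worked example, not part of the original post and not Snort code. It models what SID 33429 actually matches (the |FF|SMB magic pinned to bytes 4..7 and the UTF-16LE "\gptTmpl.inf" string) and how the rule's detection_filter gates alerts, so that the false-positive behaviour described above can be reasoned about without a capture. The SMB payloads, hosts, timestamps and GPO names are constructed placeholders; the detection_filter is a simplified sliding-window model following the Snort manual's description, not Snort's own implementation.

```python
"""Model of how Snort SID 33429 matches and when its detection_filter fires.

Added example for illustration; it is not Snort code and not the poster's
capture. The packets below are constructed, schematic SMB1 payloads.
"""
from collections import defaultdict, deque
import struct

# Byte patterns taken from the rule as posted.
SMB_MAGIC = b"\xffSMB"                                  # content:"|FF|SMB"; offset:4; depth:4
# content:"|5C 00|g|00|p|00|t|00|T|00|m|00|p|00|l|00|.|00|i|00|n|00|f|00 00|"
# = "\gptTmpl.inf" in UTF-16LE followed by one extra NUL byte (25 bytes total).
GPT_TMPL = "\\gptTmpl.inf".encode("utf-16-le") + b"\x00"


def rule_content_matches(payload: bytes) -> bool:
    """Apply the rule's two content checks to one TCP payload.

    offset:4 with depth:4 pins the SMB magic to bytes 4..7, i.e. right after the
    4-byte NetBIOS session header; the UTF-16LE filename may sit anywhere.
    This is a plain case-sensitive byte match; how Snort's fast-pattern matcher
    treats case under fast_pattern:only is deliberately not modelled.
    """
    return payload[4:8] == SMB_MAGIC and GPT_TMPL in payload


class DetectionFilter:
    """Simplified model of `detection_filter: track by_src, count N, seconds S`.

    Following the Snort manual's description, a source must exceed `count`
    matches within `seconds` before the rule generates an event, and every
    further match inside that window also alerts. Implemented as a sliding
    window per source; Snort's own bookkeeping differs in detail.
    """

    def __init__(self, count: int, seconds: float) -> None:
        self.count = count
        self.seconds = seconds
        self._hits = defaultdict(deque)   # src -> timestamps of recent matches

    def observe(self, src: str, ts: float) -> bool:
        """Record a rule match from `src` at time `ts`; return True if it alerts."""
        window = self._hits[src]
        window.append(ts)
        while ts - window[0] > self.seconds:  # drop matches older than the window
            window.popleft()
        return len(window) > self.count


def smb_payload(path: str) -> bytes:
    """Build a constructed, schematic SMB1 request carrying `path`.

    Layout: 4-byte NetBIOS session header (length), the |FF|SMB magic, 28
    filler bytes standing in for the SMB header, then the path as a
    NUL-terminated UTF-16LE string. A stand-in for a real message, not
    byte-exact SMB1.
    """
    body = SMB_MAGIC + bytes(28) + path.encode("utf-16-le") + b"\x00\x00"
    return struct.pack(">I", len(body)) + body


# Constructed SYSVOL path; the GPO GUID is a placeholder, not a real identifier.
GPO_TEMPLATE = (r"\sysvol\corp.example\Policies\{%s}"
                r"\MACHINE\Microsoft\Windows NT\SecEdit\gptTmpl.inf")


def constructed_events():
    """Return (src_ip, timestamp, payload) tuples for a constructed scenario:
    host A refreshes six GPOs within one second, host B reads two templates
    and then an unrelated file."""
    events = []
    for i in range(6):
        guid = "PLACEHOLDER-GPO-%d" % i          # constructed placeholder
        events.append(("10.0.0.5", 100.0 + i / 10, smb_payload(GPO_TEMPLATE % guid)))
    events.append(("10.0.0.6", 100.2, smb_payload(GPO_TEMPLATE % "PLACEHOLDER-GPO-0")))
    events.append(("10.0.0.6", 100.9, smb_payload(GPO_TEMPLATE % "PLACEHOLDER-GPO-1")))
    events.append(("10.0.0.6", 101.0, smb_payload(r"\share\docs\readme.txt")))
    return sorted(events, key=lambda e: e[1])


def run_scenario(count: int = 5, seconds: float = 2.0):
    """Replay the constructed events through the rule; return (src, ts) alerts."""
    det = DetectionFilter(count, seconds)
    alerts = []
    for src, ts, payload in constructed_events():
        if rule_content_matches(payload) and det.observe(src, ts):
            alerts.append((src, ts))
    return alerts


if __name__ == "__main__":
    for src, ts in run_scenario():
        print("alert sid:33429 from %s at t=%.1f" % (src, ts))
```

With the rule's own values (count 5, seconds 2) only the host that opens a sixth GptTmpl.inf inside the window alerts, on that sixth read; the two-file host never does. Since a normal Group Policy refresh reads one security template per applicable GPO, a client with more than five security-settings GPOs in scope will cross this threshold on every refresh, which is consistent with the behaviour reported above.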