[Snort-users] Regarding GID 1, SID 33429 - Microsoft Windows SMB potential group policy fallback exploit attempt

Al Lewis (allewi) allewi at ...589...
Sat Feb 14 09:11:21 EST 2015


Hello Sandeep,

Can you provide a packet capture please?

Albert Lewis
QA Software Engineer
SOURCEfire, Inc. now part of Cisco
9780 Patuxent Woods Drive
Columbia, MD 21046
Phone: (office) 443.430.7112
Email: allewi at ...589...

From: Sandeep Singh [mailto:ctrlaltdelngone at ...11827...]
Sent: Saturday, February 14, 2015 2:22 AM
To: Snort Users
Subject: [Snort-users] Regarding GID 1, SID 33429 - Microsoft Windows SMB potential group policy fallback exploit attempt

Hi all,
I am seeing a lot of noise for the recently pushed rule with GID 1, SID 33429, which is for detection of attempts against the vulnerability mentioned in MS15-014 (https://technet.microsoft.com/library/security/ms15-014).

Rule -->

alert tcp $HOME_NET any -> $HOME_NET [139,445] (msg:"OS-WINDOWS Microsoft Windows SMB potential group policy fallback exploit attempt"; flow:to_server,established; content:"|FF|SMB"; depth:4; offset:4; content:"|5C 00|g|00|p|00|t|00|T|00|m|00|p|00|l|00|.|00|i|00|n|00|f|00 00|"; fast_pattern:only; detection_filter:track by_src,count 5,seconds 2; metadata:policy balanced-ips alert, policy connectivity-ips alert, policy security-ips alert, service netbios-ssn; reference:cve,2015-0009; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-014; classtype:attempted-user; sid:33429; rev:1; )

From what I can understand from the rule and the alerts, it triggers every time a computer queries the shared folder (which contains the group policies) for settings that apply to the current computer or user, which is of course causing a huge number of false positives.

We are already in the process of deploying an enterprise-wide patch for MS15-014, but in the meantime, is there anything that can be done to tune this detection rule?

If required, I can provide a packet capture.

Any suggestions?

Thanks
