Bug #2559: DCE based rule false positives

Added by Jason Taylor over 6 years ago. Updated about 6 years ago.

Status: Closed
Priority: Normal
Assignee:
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

We are doing some testing with 4.1rc1 and are seeing what appear to be
false positives on the following rule:

alert tcp $EXTERNAL_NET any -> $HOME_NET [135,139,445,593,1024:] (msg:"OS-WINDOWS DCERPC NCACN-IP-TCP srvsvc NetrpPathCanonicalize path canonicalization stack overflow attempt"; flow:to_server,established; dce_iface:4b324fc8-1670-01d3-1278-5a47bf6ee188; dce_opnum:31,32; dce_stub_data; pcre:"/^(\x00\x00\x00\x00|.{4}(\x00\x00\x00\x00|.{12}))/s"; byte_jump:4,-4,multiplier 2,relative,align,dce; pcre:"/\x00\.\x00\.\x00[\x2f\x5c]/R"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, service netbios-ssn; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-067; classtype:trojan-activity; sid:14782; rev:21;)

The traffic we are seeing the false positive against is HTTP traffic, but
it is firing this rule (pcap in tarball).

We ran the sample pcap against 4.0.5 and do not see the false positive
alert.

We see the false positive alert against 4.1rc1 and the latest master
branch.
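
To make the expectation behind this report concrete: the dce_iface, dce_opnum and dce_stub_data keywords are meant to gate the rule so that the later pcre and byte_jump checks only run on stub data of a DCERPC request on the srvsvc interface with opnum 31 or 32; an HTTP request should never reach those checks. The following Python example is added here and is neither Suricata's code nor taken from the attached tarball. It models that gate with a minimal parser for DCERPC connection-oriented v5 bind and request PDUs (header layout per the DCE/RPC specification), tracks which interface each presentation context was bound to, and shows that a constructed HTTP request line fails the gate while a constructed srvsvc bind plus opnum-31 request passes it. The HTTP line, the bind and the request PDUs are all constructed samples; the interface UUID and opnums come from the rule above. The stub-data pcre and byte_jump checks are deliberately not modelled.

```python
"""Model of the dce_iface / dce_opnum gate that keeps a DCERPC rule from
matching non-DCERPC payloads.  Added example, not Suricata's or the
reporter's code; PDU layout follows the DCE/RPC C/O v5 header format."""
import struct
import uuid

# Interface UUID and opnums taken from the rule in the report (sid:14782).
SRVSVC_IFACE = uuid.UUID("4b324fc8-1670-01d3-1278-5a47bf6ee188")
RULE_OPNUMS = {31, 32}

PTYPE_REQUEST = 0
PTYPE_BIND = 11
PFC_OBJECT_UUID = 0x80          # request carries a 16-byte object UUID before stub
LE_DREP = b"\x10\x00\x00\x00"   # data representation: little-endian ints, ASCII
NDR_SYNTAX = uuid.UUID("8a885d04-1ceb-11c9-9fe8-08002b104860")  # NDR transfer syntax


def parse_header(pdu):
    """Parse the 16-byte common header.  Returns None if not DCERPC v5."""
    if len(pdu) < 16 or pdu[0] != 5 or pdu[1] not in (0, 1):
        return None
    endian = "<" if (pdu[4] & 0xF0) == 0x10 else ">"
    frag_len, _auth_len, call_id = struct.unpack(endian + "HHI", pdu[8:16])
    if frag_len < 16 or frag_len > len(pdu):
        return None
    return {"ptype": pdu[2], "flags": pdu[3], "endian": endian,
            "frag_len": frag_len, "call_id": call_id}


def read_uuid(raw, endian):
    """DCE UUIDs follow the PDU's integer byte order for the first three fields."""
    return uuid.UUID(bytes_le=raw) if endian == "<" else uuid.UUID(bytes=raw)


class DcerpcFlow:
    """Per-flow state: interface UUID bound to each presentation context id."""

    def __init__(self):
        self.contexts = {}

    def feed(self, pdu):
        """Return (iface, opnum, stub) for a request on a bound context, else None."""
        hdr = parse_header(pdu)
        if hdr is None:
            return None                     # not DCERPC at all (e.g. HTTP)
        e, body = hdr["endian"], pdu[16:hdr["frag_len"]]
        if hdr["ptype"] == PTYPE_BIND:
            # bind body: max_xmit(2) max_recv(2) assoc_group(4) n_ctx(1) pad(3)
            n_ctx, off = body[8], 12
            for _ in range(n_ctx):
                ctx_id, n_ts = struct.unpack(e + "HB", body[off:off + 3])
                self.contexts[ctx_id] = read_uuid(body[off + 4:off + 20], e)
                off += 24 + 20 * n_ts       # abstract syntax + transfer syntaxes
            return None
        if hdr["ptype"] == PTYPE_REQUEST:
            # request body: alloc_hint(4) ctx_id(2) opnum(2) [object uuid(16)] stub
            ctx_id, opnum = struct.unpack(e + "HH", body[4:8])
            off = 8 + (16 if hdr["flags"] & PFC_OBJECT_UUID else 0)
            iface = self.contexts.get(ctx_id)
            if iface is None:
                return None                 # request on a context never bound
            return iface, opnum, body[off:]
        return None


def dce_gate(flow, payload, iface=SRVSVC_IFACE, opnums=RULE_OPNUMS):
    """True only for a DCERPC request on `iface` whose opnum is in `opnums`."""
    parsed = flow.feed(payload)
    return parsed is not None and parsed[0] == iface and parsed[1] in opnums


# --- constructed sample PDUs (not captured traffic) -------------------------
def _pdu(ptype, flags, call_id, body):
    hdr = bytes([5, 0, ptype, flags]) + LE_DREP
    return hdr + struct.pack("<HHI", 16 + len(body), 0, call_id) + body


def build_bind(ctx_id, iface):
    body = struct.pack("<HHIBBH", 4280, 4280, 0, 1, 0, 0)
    body += struct.pack("<HBB", ctx_id, 1, 0) + iface.bytes_le + struct.pack("<I", 3)
    body += NDR_SYNTAX.bytes_le + struct.pack("<I", 2)
    return _pdu(PTYPE_BIND, 0x03, 1, body)


def build_request(ctx_id, opnum, stub, call_id=2):
    return _pdu(PTYPE_REQUEST, 0x03, call_id, struct.pack("<IHH", len(stub), ctx_id, opnum) + stub)


HTTP_PAYLOAD = b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"  # constructed


def demo():
    flow = DcerpcFlow()
    http_hit = dce_gate(flow, HTTP_PAYLOAD)                  # 'G' != rpc_vers 5
    unbound = dce_gate(flow, build_request(0, 31, b"\x00" * 24))  # no bind yet
    flow.feed(build_bind(0, SRVSVC_IFACE))
    dce_hit = dce_gate(flow, build_request(0, 31, b"\x00" * 24))  # srvsvc, opnum 31
    other = dce_gate(flow, build_request(0, 16, b"\x00" * 24))    # opnum not in rule
    return http_hit, unbound, dce_hit, other


if __name__ == "__main__":
    print(demo())
```

With the gate behaving as modelled, the HTTP payload in the reporter's pcap would be rejected at parse_header and never reach the pcre/byte_jump stage, which is why the alert is a false positive rather than a rule-logic question.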


Files

dcerpcmisfire.tar.gz (20 KB), rule and pcap, Jason Taylor, 08/01/2018 02:28 PM