Bug #5162
Status: Closed
inspection of smb traffic without smb/dcerpc doesn't work correctly
Description
This is a very strange issue, I haven't a clue what is going on. In trying to figure out how to write this up, I seem to have found multiple ways to reproduce it.
Suricata 4.0.x appears to be unaffected by this.
Method 1
Consider the following rules.
alert tcp any any -> any 445 (msg:"SVCCTL CreateService Command via SMB"; flow:established,to_server; content:"SMB"; depth:8; content:"|09 00|"; distance:8; within:2; content:"|05 00 00|"; distance:0; content:"|0c 00|"; distance:19; within:2; content:"|15 00 00 00|"; distance:20; within:4; sid:1;)
alert tcp any any -> any 445 (msg:"SVCCTL CreateService Command via SMB"; flow:established,to_server; content:"|fe|SMB"; depth:8; content:"|09 00|"; distance:8; within:2; content:"|05 00 00|"; distance:0; content:"|0c 00|"; distance:19; within:2; content:"|15 00 00 00|"; distance:20; within:4; sid:2;)
The only difference in these two signatures is that sid:2; contains an extra byte in the first content match.
Only sid:2; alerts, despite the fact that, logically, sid:1; should as well.
02/25/2022-16:33:47.258334 [**] [1:2:0] SVCCTL CreateService Command via SMB [**] [Classification: (null)] [Priority: 3] {TCP} 192.168.56.104:62618 -> 192.168.56.102:445
02/25/2022-16:33:47.426685 [**] [1:2:0] SVCCTL CreateService Command via SMB [**] [Classification: (null)] [Priority: 3] {TCP} 192.168.56.104:62619 -> 192.168.56.102:445
Method 1 - Workaround
Making use of a standalone "within" instead of a distance/within combination appears to work.
alert tcp any any -> any 445 (msg:"SVCCTL CreateService Command via SMB"; flow:established,to_server; content:"SMB"; depth:8; content:"|09 00|"; distance:8; within:2; content:"|05 00 00|"; distance:0; content:"|0c 00|"; distance:19; within:2; content:"|15 00 00 00|"; within:24; sid:10;)
02/25/2022-16:33:47.258334 [**] [1:10:0] SVCCTL CreateService Command via SMB [**] [Classification: (null)] [Priority: 3] {TCP} 192.168.56.104:62618 -> 192.168.56.102:445
02/25/2022-16:33:47.426685 [**] [1:10:0] SVCCTL CreateService Command via SMB [**] [Classification: (null)] [Priority: 3] {TCP} 192.168.56.104:62619 -> 192.168.56.102:445
I have no idea why this works....
Method 2
Consider the following rules (separate or combined with the above rules, doesn't seem to matter) - I've just used the version that includes the |fe| to isolate/replicate the problem in another way.
alert tcp any any -> any 445 (msg:"SVCCTL CreateService Command via SMB"; flow:established,to_server; content:"|fe|SMB"; depth:8; content:"|09 00|"; distance:8; within:2; content:"|05 00 00|"; distance:0; content:"|0c 00|"; distance:19; within:2; content:"|15 00 00 00 00|"; distance:20; within:5; sid:3;)
alert tcp any any -> any 445 (msg:"SVCCTL CreateService Command via SMB"; flow:established,to_server; content:"|fe|SMB"; depth:8; content:"|09 00|"; distance:8; within:2; content:"|05 00 00|"; distance:0; content:"|0c 00|"; distance:19; within:2; content:"|15 00 00 00|"; distance:20; within:4; pcre:"/^\x00/R"; sid:4;)
Only sid:4; alerts, despite the logic contained in sid:4; proving that sid:3; should have alerted as well.
02/25/2022-16:33:47.258334 [**] [1:4:0] SVCCTL CreateService Command via SMB [**] [Classification: (null)] [Priority: 3] {TCP} 192.168.56.104:62618 -> 192.168.56.102:445
02/25/2022-16:33:47.426685 [**] [1:4:0] SVCCTL CreateService Command via SMB [**] [Classification: (null)] [Priority: 3] {TCP} 192.168.56.104:62619 -> 192.168.56.102:445
Updated by Brandon Murphy over 2 years ago
Quick update - this appears to maybe be related to https://redmine.openinfosecfoundation.org/issues/5197? I'm not 100% sure, but I was able to replicate the same behavior with the following rules. sid:1; is the same as previously reported in this ticket and the only difference between these two rules is the fast_pattern assignment to "SMB" on sid:11;
alert tcp any any -> any 445 (msg:"SVCCTL CreateService Command via SMB"; flow:established,to_server; content:"SMB"; depth:8; content:"|09 00|"; distance:8; within:2; content:"|05 00 00|"; distance:0; content:"|0c 00|"; distance:19; within:2; content:"|15 00 00 00|"; distance:20; within:4; sid:1;)
alert tcp any any -> any 445 (msg:"SVCCTL CreateService Command via SMB"; flow:established,to_server; content:"SMB"; depth:8; fast_pattern; content:"|09 00|"; distance:8; within:2; content:"|05 00 00|"; distance:0; content:"|0c 00|"; distance:19; within:2; content:"|15 00 00 00|"; distance:20; within:4; sid:11;)
Fast Pattern analysis
-------------------------------------------------------------------
Date: 19/3/2022 -- 00:50:03
-------------------------------------------------------------------

== Sid: 1 ==
alert tcp any any -> any 445 (msg:"SVCCTL CreateService Command via SMB"; flow:established,to_server; content:"SMB"; depth:8; content:"|09 00|"; distance:8; within:2; content:"|05 00 00|"; distance:0; content:"|0c 00|"; distance:19; within:2; content:"|15 00 00 00|"; distance:20; within:4; sid:1;)
    Fast Pattern analysis:
        Fast pattern matcher: content
        Flags: Within Distance
        Fast pattern set: no
        Fast pattern only set: no
        Fast pattern chop set: no
        Original content: \x15\x00\x00\x00
        Final content: \x15\x00\x00\x00

== Sid: 11 ==
alert tcp any any -> any 445 (msg:"SVCCTL CreateService Command via SMB"; flow:established,to_server; content:"SMB"; depth:8; fast_pattern; content:"|09 00|"; distance:8; within:2; content:"|05 00 00|"; distance:0; content:"|0c 00|"; distance:19; within:2; content:"|15 00 00 00|"; distance:20; within:4; sid:11;)
    Fast Pattern analysis:
        Fast pattern matcher: content
        Flags: Depth
        Fast pattern set: yes
        Fast pattern only set: no
        Fast pattern chop set: no
        Original content: SMB
        Final content: SMB

============
Summary:
============
packet/stream payload, smallest pattern 3 byte(s), longest pattern 4 byte(s), number of patterns 2, avg pattern len 3.50 byte(s)
Only sid:11; fires
02/25/2022-16:33:47.258334 [**] [1:11:0] SVCCTL CreateService Command via SMB [**] [Classification: (null)] [Priority: 3] {TCP} 192.168.56.104:62618 -> 192.168.56.102:445
02/25/2022-16:33:47.426685 [**] [1:11:0] SVCCTL CreateService Command via SMB [**] [Classification: (null)] [Priority: 3] {TCP} 192.168.56.104:62619 -> 192.168.56.102:445
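The claim in the description (sid:1 and sid:2, and the within:24 workaround, describe the same bytes) and in the update above (sid:11 differs from sid:1 only by which content is the fast pattern) can be checked outside Suricata. The following is an added example, not code from the report or from Suricata: a small Python evaluator for content/depth/distance/within that runs the report's own rules against a constructed SMB2 WRITE carrying a DCE/RPC CreateServiceW request. The payload layout, the evaluator, and the treatment of fast_pattern as a prefilter choice that never changes the content chain are assumptions of the example.

```python
RULES = {  # rule text as posted in this report; sid:1/2/11 differ only in the first content and fast_pattern
    1: 'alert tcp any any -> any 445 (msg:"SVCCTL CreateService Command via SMB"; flow:established,to_server; content:"SMB"; depth:8; content:"|09 00|"; distance:8; within:2; content:"|05 00 00|"; distance:0; content:"|0c 00|"; distance:19; within:2; content:"|15 00 00 00|"; distance:20; within:4; sid:1;)',
    2: 'alert tcp any any -> any 445 (msg:"SVCCTL CreateService Command via SMB"; flow:established,to_server; content:"|fe|SMB"; depth:8; content:"|09 00|"; distance:8; within:2; content:"|05 00 00|"; distance:0; content:"|0c 00|"; distance:19; within:2; content:"|15 00 00 00|"; distance:20; within:4; sid:2;)',
    10: 'alert tcp any any -> any 445 (msg:"SVCCTL CreateService Command via SMB"; flow:established,to_server; content:"SMB"; depth:8; content:"|09 00|"; distance:8; within:2; content:"|05 00 00|"; distance:0; content:"|0c 00|"; distance:19; within:2; content:"|15 00 00 00|"; within:24; sid:10;)',
    11: 'alert tcp any any -> any 445 (msg:"SVCCTL CreateService Command via SMB"; flow:established,to_server; content:"SMB"; depth:8; fast_pattern; content:"|09 00|"; distance:8; within:2; content:"|05 00 00|"; distance:0; content:"|0c 00|"; distance:19; within:2; content:"|15 00 00 00|"; distance:20; within:4; sid:11;)',
}

def parse_content(text: str) -> bytes:
    """Decode Suricata content syntax: text outside |..| is literal, inside |..| is hex."""
    return b"".join(bytes.fromhex(p) if i % 2 else p.encode() for i, p in enumerate(text.split("|")))

def parse_chain(rule: str) -> list:
    """Return [(pattern, {depth/distance/within})]; msg, flow, sid and fast_pattern never alter the chain."""
    chain = []
    for opt in rule[rule.index("(") + 1:rule.rindex(")")].split(";"):
        key, _, val = opt.strip().partition(":")
        if key == "content":
            chain.append((parse_content(val.strip().strip('"')), {}))
        elif key in ("depth", "distance", "within"):
            chain[-1][1][key] = int(val)
    return chain

def _match(payload: bytes, chain: list, i: int, prev_end: int) -> bool:
    if i == len(chain):
        return True
    pattern, mods = chain[i]
    if "distance" in mods or "within" in mods:  # relative: window starts distance bytes after the previous match
        start = prev_end + mods.get("distance", 0)
        end = start + mods["within"] if "within" in mods else len(payload)  # within bounds the window end
    else:
        start, end = 0, mods.get("depth", len(payload))  # absolute: depth counts from payload byte 0
    idx = payload.find(pattern, start, end)
    while idx != -1:  # backtrack over later occurrences if the rest of the chain fails
        if _match(payload, chain, i + 1, idx + len(pattern)):
            return True
        idx = payload.find(pattern, idx + 1, end)
    return False

def rule_matches(payload: bytes, sid: int) -> bool:
    return _match(payload, parse_chain(RULES[sid]), 0, 0)

def build_payload() -> bytes:
    """Constructed sample (not a capture from the report): NetBIOS header, simplified SMB2 WRITE, DCE/RPC request."""
    smb2 = b"\xfeSMB\x40\x00" + b"\x00" * 6 + b"\x09\x00"      # ProtocolId, StructureSize 64, Command 0x0009 WRITE
    smb2 += b"\x00" * (64 - len(smb2)) + b"\x00" * 48          # rest of the header and a zeroed WRITE body
    rpc = b"\x05\x00\x00\x03\x10\x00\x00\x00" + b"\x00" * 14   # v5.0 request, first+last frag, LE drep, zeroed ids
    rpc += b"\x0c\x00" + b"\x00" * 20                          # opnum 12 (CreateServiceW), hSCManager context handle
    rpc += b"\x15\x00\x00\x00" + b"\x00" * 4                   # lpServiceName MaxCount 0x15, Offset 0
    return b"\x00\x00\x00\x00" + smb2 + rpc                    # 4-byte NetBIOS session header first
```

Running rule_matches(build_payload(), sid) for every sid in RULES returns True, which is the logical result the reporter expected; the false negatives in the report come from the fast pattern prefilter stage, which this evaluator does not model.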
Updated by Victor Julien over 2 years ago
- Status changed from New to Assigned
- Assignee changed from OISF Dev to Victor Julien
- Target version changed from TBD to 7.0.0-beta1
Updated by Shivani Bhardwaj over 2 years ago
Updated by Victor Julien over 2 years ago
- Status changed from Assigned to In Progress
- Label Needs backport to 5.0, Needs backport to 6.0 added
Updated by Victor Julien over 2 years ago
- Status changed from In Progress to In Review
Updated by Victor Julien over 2 years ago
- Status changed from In Review to In Progress
Updated by Victor Julien over 2 years ago
- Status changed from In Progress to Resolved
Updated by Victor Julien over 2 years ago
- Label deleted (Needs backport to 5.0)
Updated by Victor Julien over 2 years ago
- Status changed from Resolved to Closed
Updated by Victor Julien over 2 years ago
- Has duplicate Bug #5197: fast_pattern assignment of specific content results in FN added