Project

General

Profile

Actions

Bug #5162

closed

inspection of smb traffic without smb/dcerpc doesn't work correct.

Added by Brandon Murphy almost 3 years ago. Updated over 2 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

This is a very strange issue, I haven't a clue what is going on. In trying to figure out how to write this up, I seem to have found multiple ways to reproduce it.

Suricata 4.0.x appears to be unaffected by this.

Method 1

Consider the following rules.

alert tcp any any -> any 445 (msg:"SVCCTL CreateService Command via SMB"; flow:established,to_server; content:"SMB"; depth:8; content:"|09 00|"; distance:8; within:2; content:"|05 00 00|"; distance:0; content:"|0c 00|"; distance:19; within:2; content:"|15 00 00 00|"; distance:20; within:4; sid:1;)
alert tcp any any -> any 445 (msg:"SVCCTL CreateService Command via SMB"; flow:established,to_server; content:"|fe|SMB"; depth:8; content:"|09 00|"; distance:8; within:2; content:"|05 00 00|"; distance:0; content:"|0c 00|"; distance:19; within:2; content:"|15 00 00 00|"; distance:20; within:4; sid:2;)

The only difference in these two signatures is that sid:2; contains and extra byte in the first content match.

Only sid:2; alerts, despite, logically sid:1; should as well.

02/25/2022-16:33:47.258334  [**] [1:2:0] SVCCTL CreateService Command via SMB [**] [Classification: (null)] [Priority: 3] {TCP} 192.168.56.104:62618 -> 192.168.56.102:445
02/25/2022-16:33:47.426685  [**] [1:2:0] SVCCTL CreateService Command via SMB [**] [Classification: (null)] [Priority: 3] {TCP} 192.168.56.104:62619 -> 192.168.56.102:445

Method 1 - Workaround

Making use of a standalone "within" instead of a distance/within combination appears to work

alert tcp any any -> any 445 (msg:"SVCCTL CreateService Command via SMB"; flow:established,to_server; content:"SMB"; depth:8; content:"|09 00|"; distance:8; within:2; content:"|05 00 00|"; distance:0; content:"|0c 00|"; distance:19; within:2; content:"|15 00 00 00|"; within:24; sid:10;)

02/25/2022-16:33:47.258334  [**] [1:10:0] SVCCTL CreateService Command via SMB [**] [Classification: (null)] [Priority: 3] {TCP} 192.168.56.104:62618 -> 192.168.56.102:445
02/25/2022-16:33:47.426685  [**] [1:10:0] SVCCTL CreateService Command via SMB [**] [Classification: (null)] [Priority: 3] {TCP} 192.168.56.104:62619 -> 192.168.56.102:445

I have no idea why this works....


Method 2

Consider the following rules (separate or combined with the above rules, doesn't seem to matter) - I've just used the version that includes the |fe| to isolate/replicate the problem in another way.

alert tcp any any -> any 445 (msg:"SVCCTL CreateService Command via SMB"; flow:established,to_server; content:"|fe|SMB"; depth:8; content:"|09 00|"; distance:8; within:2; content:"|05 00 00|"; distance:0; content:"|0c 00|"; distance:19; within:2; content:"|15 00 00 00 00|"; distance:20; within:5; sid:3;)
alert tcp any any -> any 445 (msg:"SVCCTL CreateService Command via SMB"; flow:established,to_server; content:"|fe|SMB"; depth:8; content:"|09 00|"; distance:8; within:2; content:"|05 00 00|"; distance:0; content:"|0c 00|"; distance:19; within:2; content:"|15 00 00 00|"; distance:20; within:4; pcre:"/^\x00/R"; sid:4;)

Only sid:4; alerts, despite, the logic contained in sid:4; proving that sid:3 should have alerted as well.

02/25/2022-16:33:47.258334  [**] [1:4:0] SVCCTL CreateService Command via SMB [**] [Classification: (null)] [Priority: 3] {TCP} 192.168.56.104:62618 -> 192.168.56.102:445
02/25/2022-16:33:47.426685  [**] [1:4:0] SVCCTL CreateService Command via SMB [**] [Classification: (null)] [Priority: 3] {TCP} 192.168.56.104:62619 -> 192.168.56.102:445


Files

cool_1.pcap (377 KB) cool_1.pcap Brandon Murphy, 02/26/2022 04:38 PM

Subtasks 2 (0 open2 closed)

Bug #5396: inspection of smb traffic without smb/dcerpc doesn't work correct (6.0.x backport)ClosedVictor JulienActions
Bug #5424: inspection of smb traffic without smb/dcerpc doesn't work correct. (5.0.x backport)ClosedVictor JulienActions

Related issues 1 (0 open1 closed)

Has duplicate Suricata - Bug #5197: fast_pattern assignment of specific content results in FNClosedVictor JulienActions
Actions #1

Updated by Brandon Murphy almost 3 years ago

I forgot the pcap

Actions #2

Updated by Brandon Murphy almost 3 years ago

Quick update - this appears, to maybe be related to https://redmine.openinfosecfoundation.org/issues/5197? I'm not 100% sure, but I was able to replicate the same behavior with the following rules. sid:1; is the same as previously reported in this ticket and the only difference between these two rules is the fast_pattern assignment to "SMB" on sid:11;

alert tcp any any -> any 445 (msg:"SVCCTL CreateService Command via SMB"; flow:established,to_server; content:"SMB"; depth:8; content:"|09 00|"; distance:8; within:2; content:"|05 00 00|"; distance:0; content:"|0c 00|"; distance:19; within:2; content:"|15 00 00 00|"; distance:20; within:4; sid:1;)
alert tcp any any -> any 445 (msg:"SVCCTL CreateService Command via SMB"; flow:established,to_server; content:"SMB"; depth:8; fast_pattern; content:"|09 00|"; distance:8; within:2; content:"|05 00 00|"; distance:0; content:"|0c 00|"; distance:19; within:2; content:"|15 00 00 00|"; distance:20; within:4; sid:11;)

Fast Pattern analysis

-------------------------------------------------------------------
Date: 19/3/2022 -- 00:50:03
-------------------------------------------------------------------
== Sid: 1 ==
alert tcp any any -> any 445 (msg:"SVCCTL CreateService Command via SMB"; flow:established,to_server; content:"SMB"; depth:8; content:"|09 00|"; distance:8; within:2; content:"|05 00 00|"; distance:0; content:"|0c 00|"; distance:19; within:2; content:"|15 00 00 00|"; distance:20; within:4; sid:1;)
    Fast Pattern analysis:
        Fast pattern matcher: content
        Flags: Within Distance
        Fast pattern set: no
        Fast pattern only set: no
        Fast pattern chop set: no
        Original content: \x15\x00\x00\x00
        Final content: \x15\x00\x00\x00

== Sid: 11 ==
alert tcp any any -> any 445 (msg:"SVCCTL CreateService Command via SMB"; flow:established,to_server; content:"SMB"; depth:8; fast_pattern; content:"|09 00|"; distance:8; within:2; content:"|05 00 00|"; distance:0; content:"|0c 00|"; distance:19; within:2; content:"|15 00 00 00|"; distance:20; within:4; sid:11;)
    Fast Pattern analysis:
        Fast pattern matcher: content
        Flags: Depth
        Fast pattern set: yes
        Fast pattern only set: no
        Fast pattern chop set: no
        Original content: SMB
        Final content: SMB

============
Summary:
============
packet/stream payload, smallest pattern 3 byte(s), longest pattern 4 byte(s), number of patterns 2, avg pattern len 3.50 byte(s)

Only sid:11; fires

02/25/2022-16:33:47.258334  [**] [1:11:0] SVCCTL CreateService Command via SMB [**] [Classification: (null)] [Priority: 3] {TCP} 192.168.56.104:62618 -> 192.168.56.102:445
02/25/2022-16:33:47.426685  [**] [1:11:0] SVCCTL CreateService Command via SMB [**] [Classification: (null)] [Priority: 3] {TCP} 192.168.56.104:62619 -> 192.168.56.102:445

Actions #3

Updated by Victor Julien almost 3 years ago

  • Status changed from New to Assigned
  • Assignee changed from OISF Dev to Victor Julien
  • Target version changed from TBD to 7.0.0-beta1
Actions #5

Updated by Victor Julien over 2 years ago

  • Status changed from Assigned to In Progress
  • Label Needs backport to 5.0, Needs backport to 6.0 added
Actions #6

Updated by Victor Julien over 2 years ago

  • Status changed from In Progress to In Review
Actions #8

Updated by Victor Julien over 2 years ago

  • Status changed from In Progress to Resolved
Actions #9

Updated by Victor Julien over 2 years ago

  • Label deleted (Needs backport to 6.0)
Actions #10

Updated by Victor Julien over 2 years ago

  • Label deleted (Needs backport to 5.0)
Actions #11

Updated by Victor Julien over 2 years ago

  • Status changed from Resolved to Closed
Actions #12

Updated by Victor Julien over 2 years ago

  • Has duplicate Bug #5197: fast_pattern assignment of specific content results in FN added
Actions

Also available in: Atom PDF