Project

General

Profile

Bug #529

Updated by Victor Julien about 12 years ago

Hi, 
 ok Im test this new version, and I have a complex netbios FP, based on this old netbios sig: 

 <pre> 
 
  alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS winreg unicode create tree attempt"; flow:established,to_server; flowbits:isset,smb.tree.connect.ipc; content:"|00|"; depth:1; content:"|FF|SMB|A2|"; 
 within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"|5C 00|w|00|i|00|n|00|r|00|e|00|g|00 00 00|"; within:16; distance:51; nocase; flowbits:set,smb.tree.create.winreg; 
 classtype:protocol-command-decode; sid:2477; rev:6;) 
 </pre> 

 ok I small change on this for reply FP with my joigned pcap file: (removed established and two flowbits) 

 <pre> 
 
  alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS winreg unicode create tree attempt"; flow:to_server; content:"|00|"; depth:1; content:"|FF|SMB|A2|"; within:5; distance:3; byte_test:1,&,128,6,relative; 
 pcre:"/^.{27}/R"; content:"|5C 00|w|00|i|00|n|00|r|00|e|00|g|00 00 00|"; within:16; distance:51; nocase; classtype:protocol-command-decode; sid:2477; rev:66;) 
 </pre> 

 ok when I start v1.3.1, suricata fire: 

 <pre> 
 
  06/11/2012-11:51:51.690598    [**] [1:2477:66] NETBIOS SMB-DS winreg unicode create tree attempt [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 172.21.35.149:4345 -> 172.16.142.24:445 
 </pre> 

 Of course, snort not fire. 

 ok hexa dump my pcap file: 
 <pre> 
 #000000C8 13 38 01 0A 96 A7 00 00 00 64 FF 53 4D 42 A2 00 00 00 00 18 .8.......d.SMB...... 
 #                              +            ++++ ++++++++     1    2    3    4    5 
 #000000DC 07 C8 00 00 67 E1 67 45 78 C7 9C F1 00 00 06 10 B4 16 02 20 ....g.gEx.......... 
 #             &128 
 #            6    7    8    9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 
 #000000F0 80 02 18 FF 00 DE DE 00 0E 00 16 00 00 00 00 00 00 00 9F 01 .................... 
 #           26 27    0    1    2    3    4    5    6    7    8    9 10 11 12 13 14 15 16 17 
 #00000104 02 00 00 00 00 00 00 00 00 00 00 00 00 00 03 00 00 00 01 00 .................... 
 #           18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 
 #00000118 00 00 40 00 00 00 02 00 00 00 03 11 00 00 5C 00 77 00 69 00 ..@...........\.w.i. 
 #                                                      ^ 
 #           38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 
 #0000012C 6E 00 72 00 65 00 67 00 00 00 00 00 CC 00 00 00               n.r.e.g......... 
 </pre> 

 Why Suricata fire? 

 ok modified sig for firing snort with my pcap: (added 0x00 and changed 16 -> 17) 
 <pre> 
 
  alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS winreg unicode create tree attempt"; flow:to_server; content:"|00|"; depth:1; 
 content:"|FF|SMB|A2|"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"|00 5C 00|w|00|i|00|n|00|r|00|e|00|g|00 00 00|"; 
 within:17; distance:51; nocase; classtype:protocol-command-decode; sid:2477; rev:67;) 
 </pre> 
 and Suricata fire again. 

 Regards 
 Rmkml 

Back