[Oisf-devel] FP on complex netbios sig

Anoop Saldanha anoopsaldanha at gmail.com
Wed Aug 22 10:31:45 UTC 2012 

rmkml,

Can you open a ticket on this?

On Wed, Aug 22, 2012 at 2:49 AM, Peter Manev <petermanev at gmail.com> wrote:
> sorry,
> I meant
> content:"|00 5C 00 77 00 69 00 .......|" so o
>
>
> On Tue, Aug 21, 2012 at 11:18 PM, Peter Manev <petermanev at gmail.com> wrote:
>>
>> Hi,
>>
>> What happens if you change all the contents ...
>>
>> content:"|00 5C 00|w|00|i|00|n|00|r|00|e|00|g|
>> 00 00 00|"
>> change to content:"5C 00 77 00 69 00 ......." so on ?
>>
>>
>> Thanks
>>
>> On Wed, Aug 22, 2012 at 1:08 AM, rmkml <rmkml at yahoo.fr> wrote:
>>>
>>> Hi,
>>>
>>> First, Congratulations for a new Suricata v1.3.1 !
>>>
>>> ok Im test this new version, and I have a complex netbios FP, based on
>>> this old netbios sig:
>>>  alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS winreg
>>> unicode create tree attempt"; flow:established,to_server;
>>> flowbits:isset,smb.tree.connect.ipc; content:"|00|"; depth:1;
>>> content:"|FF|SMB|A2|"; within:5; distance:3; byte_test:1,&,128,6,relative;
>>> pcre:"/^.{27}/R"; content:"|5C 00|w|00|i|00|n|00|r|00|e|00|g|00 00 00|";
>>> within:16; distance:51; nocase; flowbits:set,smb.tree.create.winreg;
>>> classtype:protocol-command-decode; sid:2477; rev:6;)
>>>
>>>
>>> ok I small change on this for reply FP with my joigned pcap file:
>>> (removed established and two flowbits)
>>>  alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS winreg
>>> unicode create tree attempt"; flow:to_server; content:"|00|"; depth:1;
>>> content:"|FF|SMB|A2|"; within:5; distance:3; byte_test:1,&,128,6,relative;
>>> pcre:"/^.{27}/R"; content:"|5C 00|w|00|i|00|n|00|r|00|e|00|g|00 00 00|";
>>> within:16; distance:51; nocase; classtype:protocol-command-decode; sid:2477;
>>> rev:66;)
>>>
>>> ok when I start v1.3.1, suricata fire:
>>>  06/11/2012-11:51:51.690598  [**] [1:2477:66] NETBIOS SMB-DS winreg
>>> unicode create tree attempt [**] [Classification: Generic Protocol Command
>>> Decode] [Priority: 3] {TCP} 172.21.35.149:4345 -> 172.16.142.24:445
>>> Of course, snort not fire.
>>>
>>> ok hexa dump my pcap file:
>>> #000000C8 13 38 01 0A 96 A7 00 00 00 64 FF 53 4D 42 A2 00 00 00 00 18
>>> .8.......d.SMB......
>>> #                            +          ++++ ++++++++   1  2  3  4  5
>>> #000000DC 07 C8 00 00 67 E1 67 45 78 C7 9C F1 00 00 06 10 B4 16 02 20
>>> ....g.gEx..........
>>> #           &128
>>> #          6  7  8  9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25
>>> #000000F0 80 02 18 FF 00 DE DE 00 0E 00 16 00 00 00 00 00 00 00 9F 01
>>> ....................
>>> #         26 27  0  1  2  3  4  5  6  7  8  9 10 11 12 13 14 15 16 17
>>> #00000104 02 00 00 00 00 00 00 00 00 00 00 00 00 00 03 00 00 00 01 00
>>> ....................
>>> #         18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37
>>> #00000118 00 00 40 00 00 00 02 00 00 00 03 11 00 00 5C 00 77 00 69 00
>>> .. at ...........\.w.i.
>>> #                                                    ^
>>> #         38 39 40 41 42 43 44 45 46 47 48 49 50 51 52
>>> #0000012C 6E 00 72 00 65 00 67 00 00 00 00 00 CC 00 00 00
>>> n.r.e.g.........
>>>
>>>
>>> Why Suricata fire?
>>>
>>> ok modified sig for firing snort with my pcap: (added 0x00 and changed 16
>>> -> 17)
>>>  alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS winreg
>>> unicode create tree attempt"; flow:to_server; content:"|00|"; depth:1;
>>> content:"|FF|SMB|A2|"; within:5; distance:3;
>>> byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"|00 5C
>>> 00|w|00|i|00|n|00|r|00|e|00|g|00 00 00|";
>>> within:17; distance:51; nocase; classtype:protocol-command-decode;
>>> sid:2477; rev:67;)
>>> and Suricata fire again.
>>>
>>> If anyone confirm, Im open a new redmine ticket...
>>>
>>> Regards
>>> Rmkml
>>>
>>> http://twitter.com/rmkml
>>> _______________________________________________
>>> Oisf-devel mailing list
>>> Oisf-devel at openinfosecfoundation.org
>>> https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-devel
>>
>>
>>
>>
>> --
>> Regards,
>> Peter Manev
>>
>
>
>
> --
> Regards,
> Peter Manev
>
>
> _______________________________________________
> Oisf-devel mailing list
> Oisf-devel at openinfosecfoundation.org
> https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-devel



-- 
Anoop Saldanha

More information about the Oisf-devel mailing list