Snort mailing list archives
Is there a bug in "nocase"?
From: Jason Haar <Jason.Haar () trimble co nz>
Date: Fri, 30 May 2003 10:46:27 +1200
I'm trying to reduce the FPs on the Nimda rules (we run Snort over our WAN traffic - bl**dy great for picking up trojans). I've talked to the Samba group and came to the conclusion that at least for WinNT+, any reference to a "create filename" SMB call will always begin with the data stream 'content:"|ff 53 4d 42 a2|"'

So I tried:

    alert tcp any any -> any 139 (msg:"NETBIOS nimda .EML"; \
      content:"|ff 53 4d 42 a2|"; content:"|00|.|00|E|00|M|00|L|00 00|"; \
      nocase; within:500; flow:established; classtype:bad-unknown;)

Note the "nocase". Then I copied a file "xxxx.eml" between two Win2K servers - it didn't trigger. I captured the transfer and ran "snort -v" over it, and that 'content' matched up - except it was ".eml" instead of ".EML"....

So then I added a new rule:

    alert tcp any any -> any 139 (msg:"NETBIOS nimda .eml"; \
      content:"|ff 53 4d 42 a2|"; content:"|00|.|00|E|00|M|00|L|00 00|"; \
      nocase; within:500; flow:established; classtype:bad-unknown;)

..and that caught it. Then I created a file "copy.EML" and copied that - the "NETBIOS nimda .eml" caught that one *instead of* the "NETBIOS nimda .EML" one!!!

So my question is: is "nocase" broken in the case where you "mix mode" it with HEX? It looks like it's only broken when you are nocasing capitals...????

Snort 2.0 under RH7.3

--
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
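What the rule's second content match with "nocase" is supposed to do, as an added example that is not from the post or from Snort: a byte-wise, case-folded search for the UTF-16LE ".EML" terminator within 500 bytes of the SMB create prefix. The SMB payloads are constructed samples, and `matches_folding_payload_only` is a hypothetical broken matcher included only to show why folding the payload but not the hex pattern would make an upper-case pattern never match.

```python
"""Case-insensitive match of a UTF-16LE ".EML" file name in SMB payload bytes.

Added example, not code from the original post or from Snort. It models what
    content:"|00|.|00|E|00|M|00|L|00 00|"; nocase; within:500;
is meant to do once the SMB create prefix |ff 53 4d 42 a2| has matched.
All payloads are constructed samples, not captured traffic.
"""

# 0xFF 'S' 'M' 'B' followed by the command byte 0xA2, the post's first content match
SMB_CREATE_PREFIX = b"\xff\x53\x4d\x42\xa2"
# The rule's second content as raw bytes: NUL '.' NUL 'E' NUL 'M' NUL 'L' NUL NUL
WIDE_EML = b"\x00.\x00E\x00M\x00L\x00\x00"


def fold_case(data: bytes) -> bytes:
    """Byte-wise case folding: only ASCII A-Z change; NUL and '.' stay untouched."""
    return data.lower()


def _region_after_prefix(payload: bytes, within: int):
    """The `within` bytes that follow the SMB create prefix, or None if absent."""
    idx = payload.find(SMB_CREATE_PREFIX)
    if idx < 0:
        return None
    start = idx + len(SMB_CREATE_PREFIX)
    return payload[start:start + within]


def matches_rule(payload: bytes, pattern: bytes = WIDE_EML,
                 nocase: bool = True, within: int = 500) -> bool:
    """True if `pattern` occurs within `within` bytes after the prefix; with
    nocase both the region and the pattern are folded the same way."""
    region = _region_after_prefix(payload, within)
    if region is None:
        return False
    if nocase:
        region, pattern = fold_case(region), fold_case(pattern)
    return pattern in region


def matches_folding_payload_only(payload: bytes, pattern: bytes = WIDE_EML,
                                 within: int = 500) -> bool:
    """Hypothetical broken matcher: folds the payload but leaves the hex pattern
    as written, so an upper-case pattern never matches any file name case."""
    region = _region_after_prefix(payload, within)
    return region is not None and pattern in fold_case(region)


def smb_create_payload(filename: str, gap: int = 40) -> bytes:
    """Constructed sample: prefix, `gap` filler bytes, NUL-terminated UTF-16LE name."""
    return SMB_CREATE_PREFIX + b"\x00" * gap + filename.encode("utf-16-le") + b"\x00\x00"


if __name__ == "__main__":
    for name in ("copy.EML", "xxxx.eml"):
        pkt = smb_create_payload(name)
        print(name, matches_rule(pkt), matches_rule(pkt, nocase=False),
              matches_folding_payload_only(pkt))
```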