Snort mailing list archives
MSSQL False Neg
From: "Bill Scherr IV" <bschnzl () cotse net>
Date: Tue, 01 Dec 2009 15:34:53 -0500
Folks... Snort has a sig that should fire on these packets (IMHO). The packet indicates the distance of the username (offset 0x0066) from the TDS Login data of the packet (beginning at offset 0x003e). There are lots of length indicators, but they all start from 0x003e. The byte_jump starts from the beginning of data (offset 0x0036), if I read right. I am thinking /content:"s|00|a|00|"; within:8; distance:8;/ I am using the reference @ http://www.freetds.org/tds.html#login7 The threshold was met, several times over, but nothing fired! Am I on track here? ------- Data ------- Original Sig (False Neg?) alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"SQL SA brute force login attempt TDS v7/8"; flow:to_server,established; content:"|10|"; depth:1; content:"|00 00|"; depth:2; offset:34; content:"|00 00 00 00|"; depth:4; offset:64; pcre:"/^.{12}(\x00|\x01)\x00\x00(\x70|\x71)/smi"; byte_jump:2,48,little,from_beginning; content:"s|00|a|00|"; within:4; distance:8; nocase; threshold:type threshold, track by_src, count 5, seconds 2; reference:bugtraq,4797; reference:cve,2000-1209; reference:nessus,10673; classtype:suspicious-login; sid:3543; rev:4;) Typical Packet (82 each, this event): 0000 00 14 bf 52 fe 40 00 d0 2b 77 75 01 08 00 45 20 ...R.@.. +wu...E 0010 00 bc 1e 56 40 00 6c 06 xx xx 79 0b 50 ce xx xx ...V@.l. xxy.P.xx 0020 xx 7a 08 2b 05 99 a4 51 cc 4d b1 be 2b 43 50 18 xz.+...Q .M..+CP. 0030 ff ff 3d 81 00 00 10 01 00 94 00 00 01 00 8c 00 ..=..... ........ 0040 00 00 01 00 00 71 00 00 00 00 00 00 00 07 d0 19 .....q.. ........ 0050 00 00 00 00 00 00 e0 03 00 00 20 fe ff ff 04 08 ........ .. ..... 0060 00 00 56 00 06 00 62 00 02 00 66 00 01 00 68 00 ..V...b. ..f...h. 0070 00 00 68 00 0e 00 00 00 00 00 84 00 04 00 8c 00 ..h..... ........ 0080 00 00 8c 00 00 00 00 1c 25 5b 6f ff 00 00 00 00 ........ %[o..... 0090 8c 00 00 00 44 00 57 00 44 00 57 00 34 00 44 00 ....D.W. D.W.4.D. 00a0 73 00 61 00 b3 a5 xx 00 xx 00 2e 00 xx 00 xx 00 s.a...x. x...x.x. 00b0 xx 00 2e 00 xx 00 xx 00 xx 00 2e 00 31 00 32 00 x...x.x. x...1.2. 00c0 32 00 4f 00 44 00 42 00 43 00 2.O.D.B. C. ------- End Data ------- Bill Scherr IV, GSEC, GCIA Principal Security Engineer EWA Information and Infrastructure Technologies bscherr () iit-tek com bscherr () ewa com 703-478-7608 ------------------------------------------------------------------------------ Join us December 9, 2009 for the Red Hat Virtual Experience, a free event focused on virtualization and cloud computing. Attend in-depth sessions from your desk. Your couch. Anywhere. http://p.sf.net/sfu/redhat-sfdev2dev _______________________________________________ Snort-sigs mailing list Snort-sigs () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-sigs
Current thread:
- MSSQL False Neg Bill Scherr IV (Dec 01)
- Re: MSSQL False Neg Alex Kirk (Dec 01)
- Re: MSSQL False Neg Bill Scherr IV (Dec 01)
- Re: MSSQL False Neg Nigel Houghton (Dec 01)
- Re: MSSQL False Neg Matt Olney (Dec 01)
- Re: MSSQL False Neg Matt Olney (Dec 01)
- Re: MSSQL False Neg Bill Scherr IV (Dec 01)
- Re: MSSQL False Neg Bill Scherr IV (Dec 01)
- Re: MSSQL False Neg Alex Kirk (Dec 01)
- Re: MSSQL False Neg Bill Scherr IV (Dec 01)