Snort mailing list archives
Re: Snort-sigs Digest, Vol 127, Issue 22
From: Alex McDonnell <amcdonnell () sourcefire com>
Date: Thu, 29 Dec 2016 10:41:05 -0500
A packet capture is always encouraged :)

Alex McDonnell
TALOS

On Thu, Dec 29, 2016 at 10:36 AM, <snort-sigs-request () lists sourceforge net> wrote:
Send Snort-sigs mailing list submissions to
    snort-sigs () lists sourceforge net

To subscribe or unsubscribe via the World Wide Web, visit
    https://lists.sourceforge.net/lists/listinfo/snort-sigs
or, via email, send a message with subject or body 'help' to
    snort-sigs-request () lists sourceforge net

You can reach the person managing the list at
    snort-sigs-owner () lists sourceforge net

When replying, please edit your Subject line so it is more specific
than "Re: Contents of Snort-sigs digest..."

Today's Topics:

   1. Re: LDAPv3 with simple authentication (FOULDE Damien)

----------------------------------------------------------------------

Message: 1
Date: Thu, 29 Dec 2016 15:36:37 +0000
From: FOULDE Damien <damien.foulde () axians com>
Subject: Re: [Snort-sigs] LDAPv3 with simple authentication
To: "snort-sigs () lists sourceforge net" <snort-sigs () lists sourceforge net>
Message-ID: <DB6PR0501MB219840B11A8D6ACCED1D4BC88C6B0@DB6PR0501MB2198.eurprd05.prod.outlook.com>
Content-Type: text/plain; charset="iso-8859-1"

Hello,

The previous message is currently waiting for moderator approval. As it's not released for the moment, I registered to the mailing list and here it is.

Regards,
Damien

From: FOULDE Damien
Sent: Wednesday, 21 December 2016 10:51
To: snort-sigs () lists sourceforge net
Subject: RE: LDAPv3 with simple authentication

Hello,

Any ideas / suggestions / advice will be greatly appreciated regarding this question.

In the meantime, here's a working signature without fully decoding the BER data:

alert tcp any any -> any 389 (sid:1000000; gid:1; flow:established,to_server; \
    content:"|30|"; depth:1; \
    content:"|02|"; distance:1; within:127; \
    content:"|60|"; distance:1; within:5; \
    content:"|02 01 03 04|"; fast_pattern; distance:1; within:127; \
    content:"|80|"; distance:1; within:127; \
    content:!"|02 01 03 04 00 a3|"; offset:7; depth:257; \
    msg:"LDAPv3 simple Authentication"; classtype:policy-violation; rev:1; )

It would be great if it could be reviewed by Talos.
I can provide a packet capture if needed.

Regards,
Damien

From: FOULDE Damien [mailto:damien.foulde () axians com]
Sent: Monday, 19 December 2016 12:39
To: snort-sigs () lists sourceforge net
Subject: [Snort-sigs] LDAPv3 with simple authentication

Hello,

We need to write a signature to match on LDAPv3 with simple authentication.

LDAPv3 is described in RFC 2251 through Abstract Syntax Notation One (ASN.1) and encoded through a subset of the Basic Encoding Rules (BER) in the packets. You may have a look at this great website http://www.selfadsi.org/ldap.htm#Frame for a quick overview of the encoding. https://en.wikipedia.org/wiki/X.690#BER_encoding is also a good source of information.

As you should have seen, the length can be encoded in a short or long form.

When the short form is used, the MSB is set to 0 and the 7 remaining bits are used to encode the length directly, from 0 to 127. Using the byte_jump function we should be able to jump to the next encoded data.

When the long form is used, the MSB is set to 1 and the 7 remaining bits are used to encode the number of bytes that follow, from 1 to 126, which will contain the actual length. Using the byte_extract and byte_jump functions with bitmask we should be able to jump to the next encoded data.

Before reaching the point where the LDAPv3 authentication is set to simple (encoded as 0) or sasl (encoded as 3) there are 5 short or long length bytes. Is there a way, through the subset of Snort packet dissection functions, to match on this without writing 32 (2^5) different signatures to match all short / long possibilities?

The BER encoding is also used to encode SNMP; the same kind of issue may have been seen there also.

Thank you for your help,
Damien

-------------- next part --------------
An HTML attachment was scrubbed...
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 5355 bytes
Desc: not available

------------------------------

------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most engaging tech sites, SlashDot.org! http://sdm.link/slashdot

------------------------------

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org

Please visit http://blog.snort.org for the latest news about Snort!

End of Snort-sigs Digest, Vol 127, Issue 22
*******************************************
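The BER walk that Damien's quoted question describes (five short- or long-form length fields before the authentication choice), as an added example that is not part of this thread: a Python parser that decodes both length forms and classifies a BindRequest as simple or sasl, exercised on constructed sample messages (the DNs, credentials and mechanism name are made up, not taken from a capture).

```python
LDAP_SEQUENCE, BER_INTEGER, BER_OCTET_STRING = 0x30, 0x02, 0x04
LDAP_BIND_REQUEST = 0x60              # [APPLICATION 0] BindRequest, constructed
AUTH_SIMPLE, AUTH_SASL = 0x80, 0xA3   # authentication CHOICE: [0] simple / [3] sasl

def read_length(buf, pos):
    """Decode a BER length at buf[pos]; return (length, offset just past the length bytes)."""
    first = buf[pos]
    if first < 0x80:                  # short form: MSB clear, low 7 bits hold 0..127
        return first, pos + 1
    n = first & 0x7F                  # long form: MSB set, low 7 bits give the byte count
    if n == 0 or n > 4:               # 0x80 is the indefinite form, which LDAP forbids
        raise ValueError("unsupported length at offset %d" % pos)
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n

def read_tlv(buf, pos, expected_tag):
    """Check the tag at pos; return (value_start, value_end) of that element."""
    if buf[pos] != expected_tag:
        raise ValueError("expected tag 0x%02x at offset %d" % (expected_tag, pos))
    length, start = read_length(buf, pos + 1)
    return start, start + length

def classify_bind(msg):
    """Return 'simple' or 'sasl' for an LDAPv3 BindRequest, None for anything else."""
    pos, _ = read_tlv(msg, 0, LDAP_SEQUENCE)           # length 1: LDAPMessage
    _, pos = read_tlv(msg, pos, BER_INTEGER)           # length 2: messageID (skipped)
    pos, _ = read_tlv(msg, pos, LDAP_BIND_REQUEST)     # length 3: BindRequest
    vstart, vend = read_tlv(msg, pos, BER_INTEGER)     # length 4: version
    _, pos = read_tlv(msg, vend, BER_OCTET_STRING)     # length 5: name (LDAPDN, skipped)
    if int.from_bytes(msg[vstart:vend], "big") != 3:
        return None
    return {AUTH_SIMPLE: "simple", AUTH_SASL: "sasl"}.get(msg[pos])

def ber(tag, value):
    """Encode one TLV, using the short or long length form as BER requires."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value

def bind_request(name, auth_tag, auth_value, version=3):
    """Build an LDAPMessage carrying a BindRequest with messageID 1 (constructed sample data)."""
    op = ber(BER_INTEGER, bytes([version])) + ber(BER_OCTET_STRING, name) + ber(auth_tag, auth_value)
    return ber(LDAP_SEQUENCE, ber(BER_INTEGER, b"\x01") + ber(LDAP_BIND_REQUEST, op))

# Constructed samples: short-form lengths, a long DN forcing long-form lengths, and a SASL bind.
SHORT_SIMPLE = bind_request(b"cn=admin,dc=example,dc=com", AUTH_SIMPLE, b"secret")
LONG_SIMPLE = bind_request(b"cn=" + b"a" * 150 + b",dc=example,dc=com", AUTH_SIMPLE, b"secret")
SASL_BIND = bind_request(b"", AUTH_SASL, ber(BER_OCTET_STRING, b"DIGEST-MD5"))
```

The rule quoted above only matches when every one of those five lengths is in short form; the parser shows the same walk handling both forms, which is what a byte_jump-based rule would need to reproduce.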
Current thread:
- Re: Snort-sigs Digest, Vol 127, Issue 22 Alex McDonnell (Dec 29)
- Re: Snort-sigs Digest, Vol 127, Issue 22 FOULDE Damien (Dec 29)