Snort mailing list archives

Current rule set for snort 1.8.7 netbios.rules -- Windows 2000 to Windows 2000 mapping detecting C$ and ADMIN$ what's the deal?


From: "Jake Schneider" <j4k3 () charter net>
Date: Sat, 31 Aug 2002 22:37:15 -0500

I'm at the end of my rope with this rule set, so let me describe my
situation first. I compiled snort version 1.8.7 on Slackware 8.1. It's
all up and running, and alerts are getting posted in the DB and
everything. Hunky dory. Well, one of the really important pieces of this
install is the ability to detect folks from $EXTERNAL_NET trying to
connect to the administrative shares of Windows 2000/NT4 boxen, i.e. C$,
ADMIN$, what have you. And in the netbios.rules that I installed (the
snort.rules.tgz from snort.org, since the snortrules-current.tgz is
apparently for versions above 1.8.x), sure enough there are provisions
for detecting connects to TCP 139 with the rule options
content:"\\ADMIN$|00 41 3a 00|" and content:"|5c|C$|00 41 3a 00|". One
is for matching a connect to, I guess, \\ADMIN$, which wouldn't
necessarily work, because in the dumps I've seen it's only \ADMIN$; the
other is "\C$", which would detect connects to the administrative C
share.
 
Testing to see if it works: I fired up snort and started attempting to
connect from my Windows 2000 server to the target Windows 2000 server by
mapping a drive to \\target\C$ and \\target\ADMIN$, in both upper and
lower case, and both passing and failing the COMPUTER\User
authentication. To my surprise, nothing was logged. I changed the rule in
snort temporarily to record any connect from my server to the target
server in an effort to analyze the exact packets the snort IDS was
seeing. Sure enough, "\ADMIN$" and "\C$" show up; however, they show up
on port 445, not 139. Here is how ACID displays the snorted packet on 445
with the "\C$" in the packet:
 
000 : 00 00 00 68 FF 53 4D 42 32 00 00 00 00 18 07 C8   ...h.SMB2.......
010 : 00 00 00 00 00 00 00 00 00 00 00 00 01 08 84 04   ................
020 : 02 20 00 02 0F 24 00 00 00 00 00 00 10 00 00 00   . ...$..........
030 : 00 00 00 00 00 00 00 24 00 44 00 00 00 00 00 01   .......$.D......
040 : 00 10 00 27 00 02 00 00 03 00 5C 00 32 00 31 00   ...'......\.2.1.
050 : 36 00 2E 00 30 00 2E 00 31 00 35 00 35 00 2E 00   6...0...1.5.5...
060 : 32 00 31 00 5C 00 43 00 24 00 00 00               2.1.\.C.$...
                  ^^ ^^ ^^ ^^ ^^                            ^^^^^
 
Okay, now I notice that the content option in the snort.rules is trying
to match "|5c|C$|00 41 3a 00|" and from what I can see here, it needs to
match "|5C 00 43 00 24|"
 
So I changed the rule to instead try and match "|5C 00 43 00 24|" and
still nothing!
 
I also tried: "|5C 43 24|"
              "|5C00430024|"
              "\C$"
              "|5C|00|43|00|24|"
              "\C$|5C 00 43 00 24|"
              "\C$|5C 43 24|"
              "\C$|5C4324|"
      
I've pored over snort's documentation over and over again, specifically
regarding the content rule options. I even tried the rawbits option, but
I believe that's only for telnet decodes. I guess I don't understand the
Boyer-Moore pattern match function.
 
These are my questions regarding netbios.rules.
 
1)    How do I match a string like \C$ or any part of a UNC within the
current rule set?
2)    Am I barking up the wrong tree with port 445 microsoft-ds, when
this is the only port on which I see strings matching the UNCs when I
want to log SMB connects? I never saw any of these strings on 135, 137,
or 139.
3)    Is there a difference with regards to the client connecting on
this matter of ports? If I connect with a Windows 95 machine to the
server, will the string show up on port 139? Did the fact that I
connected from a 2000 box make it connect on 445? (I'm far from
understanding the intricacies of Microsoft SMB client/server
interaction.)
4)    What the heck am I doing wrong?!
 
 
Well, thanks for taking the time to read this. If you can offer any
insight into my problem, I would greatly appreciate it. If there is not
enough detail here, just let me know; I can provide more.
 
Thank You group,
 
Jake Schneider
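Added example, not part of Jake's post and not code from netbios.rules: the script below rebuilds the packet from the ACID dump above and decodes it, then runs Snort-style content patterns against it. The bytes themselves say what the request is. Command byte 0x32 is SMB_COM_TRANSACTION2, the single setup word 0x0010 is TRANS2_GET_DFS_REFERRAL (a DFS referral lookup for \216.0.155.21\C$, not the tree connect itself), and Flags2 is 0xC807 with bit 0x8000 set, so every string in the message is UTF-16LE. That is why C$ shows up as 5C 00 43 00 24 00, and why a content of |5c|C$|00 41 3a 00|, which was written for OEM-string clients where the share name is followed directly by a NUL and the "A:" service string, can never hit this packet. Two points of Snort content syntax also matter here: inside a content string a backslash is an escape character, so \\ADMIN$ in netbios.rules is the single-backslash string \ADMIN$ (the same thing |5c|ADMIN$ spells in hex), and pipe characters alternate between hex and literal text, so |5C|00|43|00|24| is 5C, the two ASCII digits "00", 43, the digits "00" again, 24, which matches nothing. Independent of the content option, a rule headed $EXTERNAL_NET any -> $HOME_NET 139 never sees traffic to 445 and never fires for a test client that sits inside $HOME_NET, so check the header before the pattern. The tree-connect packet built by the script is constructed for comparison and is an assumption, not a capture from the post; the 216.0.155.21 address is the one in the dump.

```python
"""Decode the SMB request from the ACID dump above and test Snort content patterns.
Added example; not from the original post or from netbios.rules."""
import struct

# Hex columns of the ACID dump in the post, copied verbatim.
POSTED_DUMP = """
000 : 00 00 00 68 FF 53 4D 42 32 00 00 00 00 18 07 C8
010 : 00 00 00 00 00 00 00 00 00 00 00 00 01 08 84 04
020 : 02 20 00 02 0F 24 00 00 00 00 00 00 10 00 00 00
030 : 00 00 00 00 00 00 00 24 00 44 00 00 00 00 00 01
040 : 00 10 00 27 00 02 00 00 03 00 5C 00 32 00 31 00
050 : 36 00 2E 00 30 00 2E 00 31 00 35 00 35 00 2E 00
060 : 32 00 31 00 5C 00 43 00 24 00 00 00
"""
SMB_COM_TRANSACTION2, SMB_COM_TREE_CONNECT_ANDX = 0x32, 0x75
TRANS2_GET_DFS_REFERRAL = 0x0010
SMB_FLAGS2_UNICODE = 0x8000      # Flags2 bit 15: strings are UTF-16LE

def parse_dump(text):
    """Turn an ACID-style hex dump (offset : bytes) back into raw bytes."""
    out = bytearray()
    for line in text.strip().splitlines():
        out.extend(int(h, 16) for h in line.partition(":")[2].split())
    return bytes(out)

def smb_string(buf, unicode):
    """First NUL-terminated string in buf; UTF-16LE when the Unicode flag is set."""
    if not unicode:
        return buf.split(b"\x00")[0].decode("latin-1")
    end = 0
    while end + 1 < len(buf) and buf[end:end + 2] != b"\x00\x00":
        end += 2
    return buf[:end].decode("utf-16-le")

def decode_smb(pkt):
    """Describe the SMB request carried in one NetBIOS session-service packet."""
    smb = pkt[4:4 + int.from_bytes(pkt[1:4], "big")]   # type byte, then 24-bit length
    if smb[:4] != b"\xffSMB":
        raise ValueError("not an SMB message")
    flags2 = struct.unpack_from("<H", smb, 10)[0]
    info = {"command": smb[4], "flags2": flags2, "unicode": bool(flags2 & SMB_FLAGS2_UNICODE)}
    word_count = smb[32]
    words = smb[33:33 + 2 * word_count]
    if info["command"] == SMB_COM_TRANSACTION2:
        # 14 fixed words then SetupCount setup words; ParameterOffset counts from the SMB header.
        f = struct.unpack_from("<HHHHBBHIHHHHHBB", words, 0)
        info["subcommand"] = struct.unpack_from("<H", words, 28)[0]
        tparams = smb[f[10]:f[10] + f[9]]             # ParameterOffset, ParameterCount
        if info["subcommand"] == TRANS2_GET_DFS_REFERRAL:
            info["path"] = smb_string(tparams[2:], info["unicode"])  # after MaxReferralLevel
    elif info["command"] == SMB_COM_TREE_CONNECT_ANDX:
        pos = 35 + 2 * word_count + struct.unpack_from("<H", words, 6)[0]  # skip Password
        if info["unicode"] and pos % 2:
            pos += 1                                  # Unicode Path is 2-byte aligned
        info["path"] = smb_string(smb[pos:], info["unicode"])
    return info

def snort_content(spec):
    """Bytes a Snort content:"..." option matches: |..| sections are hex, \\ escapes."""
    out, in_hex = bytearray(), False
    for piece in spec.split("|"):
        if in_hex:
            out.extend(bytes.fromhex(piece))
        else:
            j = 0
            while j < len(piece):
                if piece[j] == "\\" and j + 1 < len(piece):
                    j += 1                            # \\ \" \; give the literal character
                out.append(ord(piece[j]))
                j += 1
        in_hex = not in_hex
    return bytes(out)

def matches(spec, pkt):
    """True if a plain byte search for the content pattern hits this packet."""
    return snort_content(spec) in pkt

def build_tree_connect_andx(server, share, unicode=True):
    """Constructed SMB_COM_TREE_CONNECT_ANDX request (an assumption, not a capture from the post)."""
    flags2 = 0xC807 if unicode else 0xC807 & ~SMB_FLAGS2_UNICODE
    hdr = b"\xffSMB" + struct.pack("<BIBHHQHHHHH", SMB_COM_TREE_CONNECT_ANDX,
                                   0, 0x18, flags2, 0, 0, 0, 0, 0, 0, 0)
    path = "\\\\%s\\%s" % (server, share)
    path_b = path.encode("utf-16-le") + b"\x00\x00" if unicode else path.encode("latin-1") + b"\x00"
    words = struct.pack("<BBHHH", 0xFF, 0, 0, 0, 1)   # no AndX, Flags 0, PasswordLength 1
    body = b"\x00"                                    # empty password
    if unicode and (32 + 1 + len(words) + 2 + len(body)) % 2:
        body += b"\x00"                               # pad so Path starts on an even offset
    body += path_b + b"A:\x00"                        # Service stays OEM even in Unicode mode
    smb = hdr + bytes([len(words) // 2]) + words + struct.pack("<H", len(body)) + body
    return b"\x00" + len(smb).to_bytes(3, "big") + smb

if __name__ == "__main__":
    pkts = {"posted": parse_dump(POSTED_DUMP),
            "tc-unicode": build_tree_connect_andx("216.0.155.21", "C$"),
            "tc-oem": build_tree_connect_andx("216.0.155.21", "C$", False)}
    for spec in ["|5c|C$|00 41 3a 00|", "|5C 00 43 00 24|", r"\\C$", "|5C|00|43|00|24|"]:
        print("%-22s" % spec, {n: matches(spec, p) for n, p in pkts.items()})
```

Running it prints, per pattern, which of the three packets a byte search would hit: the netbios.rules pattern hits only the OEM-string tree connect, |5C 00 43 00 24| hits the posted DFS referral and the Unicode tree connect, and the pipe-separated variant hits nothing. The matcher here is a plain substring search, which is all a Snort content option does before its other modifiers are applied; the decoder and the constructed packet follow the MS-CIFS layouts for TRANSACTION2 and TREE_CONNECT_ANDX.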
 
