Snort mailing list archives
Current rule set for snort 1.8.7 netbios.rules -- Windows 2000 to Windows 2000 mapping detecting C$ and ADMIN$ whats the deal?
From: "Jake Schneider" <j4k3 () charter net>
Date: Sat, 31 Aug 2002 22:37:15 -0500
I'm at the end of my rope with this rule set, let me describe my situation first. I compiled snort version 1.8.7 on Slackware 8.1. It's all up and running, and alerts are getting posted in the DB and everything. Hunky dory. Well one of the really important pieces of this install is the ability to detect folks from $EXTERNAL_NET trying to connect to the administrative share of a Windows 2000/ NT4 Boxen; ie. C$ ADMIN$, what have you. And in the netbios.rules that I installed (the snort.rules.tgz from snort.org - since the snortrules-current.tgz is apparently for versions above 1.8.x), sure enough there are provisions for detecting connects to TCP 139 with the rule set options with content:"\\ADMIN$|00 41 3a 00|" and content: "|5c|C$|00 41 3a 00|" One for matching a connect to I guess \\ADMIN$ <file:///\\ADMIN$> which wouldn't necessarily work, because in the dumps I've seen, it's only \ADMIN$ the other being "\C$" which would detect connects to the administrative C share. Testing to see if it works!: I fired up snort and started attempting to connect with my windows 2000 server to the target windows 2000 server by mapping a drive to \\target\C$ <file:///\\target\C$> and \\target\ADMIN$ <file:///\\target\ADMIN$> in both upper and lower case, and passing and failing the COMPUTER\User authentication. To my surprise, nothing was logged. I changed the rule in snort temporarily to record any connect from my server to the target server in effort to analyze the exact packets the snort IDS was seeing. Sure enough "\ADMIN$" and "\C$" show up, however they show up on port 445 not 139. Here is how ACID displays the snorted packet on 445 with the "\C$" in the packet: 000 : 00 00 00 68 FF 53 4D 42 32 00 00 00 00 18 07 C8 ...h.SMB2....... 010 : 00 00 00 00 00 00 00 00 00 00 00 00 01 08 84 04 ................ 020 : 02 20 00 02 0F 24 00 00 00 00 00 00 10 00 00 00 . ...$.......... 030 : 00 00 00 00 00 00 00 24 00 44 00 00 00 00 00 01 .......$.D...... 040 : 00 10 00 27 00 02 00 00 03 00 5C 00 32 00 31 00 ...'......\.2.1. 050 : 36 00 2E 00 30 00 2E 00 31 00 35 00 35 00 2E 00 6...0...1.5.5... 060 : 32 00 31 00 5C 00 43 00 24 00 00 00 2.1.\.C.$... ^^ ^^ ^^ ^^ ^^ ^^^^^ Okay, now I notice that the content option in the snort.rules is trying to match "|5c|C$|00 41 3a 00|" and from what I can see here, it needs to match "|5C 00 43 00 24|" So I changed the rule to instead try and match "|5C 00 43 00 24|" and still nothing! I also tried: "|5C 43 24|" "|5C00430024|" "\C$" "|5C|00|43|00|24|" "\C$|5C 00 43 00 24|" "\C$|5C 43 24|" "\C$|5C4324|" I've poured over snort's documentation over and over again, specifically regarding the content rule options, I even tried the rawbits option, but I believe that's only for telnet decodes. I guess I don't understand the Boyer-Moore pattern match function. These are my questions regarding netbios.rules. 1) How do I match a string like \C$ or any part of an UNC within the current rule set? 2) Am I barking up the wrong tree with port 445 microsoft-ds, when this is the only port I see strings matching the UNCs when I want to log SMB connects? I never saw any of these strings on 135, 137, or 139. 3) Is there a difference with regards to the client connecting on this matter of ports? If I connect with a Windows 95 machine to the server will the string show up on port 139? Was the fact that I connected from a 2000 box make it connect on 445? (I'm far from understanding the intricacies of Microsoft SMB client/server interaction. 4) What the heck am I doing wrong?! Well thanks for taking the time reading this, if you can offer any insight into my problem, I would greatly appreciate it. If there is not enough detail here, just let me know, I can provide more. Thank You group, Jake Schneider
Current thread:
- Current rule set for snort 1.8.7 netbios.rules -- Windows 2000 to Windows 2000 mapping detecting C$ and ADMIN$ whats the deal? Jake Schneider (Aug 31)