Snort mailing list archives
RE: [Snort-sigs] Current rule set for snort 1.8.7 netbios.rules -- Windows 2000 to Windows 2000 mapping detecting C$ and ADMIN$ whats the deal?
From: "Giles Coochey" <g.coochey () btinternet com>
Date: Sun, 1 Sep 2002 09:19:49 +0100
Jake, You are not the first person to look at the NetBIOS rules and figure that they are a nightmare. First, some points: 1. The NetBIOS header, below the TCP layer, contains bytes with bit-flags. One of these bits decides whether strings are going to use Unicode (2-bytes per character) or Ascii (1-byte per character). I believe this is negotiated between the hosts. 2. All Snort NetBIOS rules (AFAIK!), only check for port 139. As you seen to be aware, Win2k boxes send simultaneous requests on port 445, and if the remote host responds on that port then it negotiates to that port only. As I say, all the Vanilla rules check for the old NT SMB ports. So if NT or earlier networking hosts connect to a Win2k box then they will use the port 139 (137,138 etc...). You should only see 445 in Win2k-Win2k communications. 3. If you want to check for Win2k-Win2k communications then you can copy all the TCP samba rules and substitute the TCP/139 for 445, this should work in most cases. 4. If you want to be able to check for unicode and ASCII (i.e. know when packets are ASCII or Unicode) then I can recommend a plug-in I developed for an earlier version of snort that allows you to check for Bit flags below the TCP layer. You can obtain it from http://www.coochey.net which I hacked together to get round that stupid Unicode rule - unfortunately this means creating yet another set of NetBIOS rules (now, together with the Win2k-Win2k problem we have 4x as many rules for SMB protocol as before :-( YMMV). Try (off the top of my head, untested): alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"Win2k Admin C$ Share connect attempt"; flags:A+; content:"|5C|00|43|00|24|") Check the rule example at http://www.coochey.net to work out how the bitcheck patch works, it was built as a patch for 1.8.3, but I don't think the detection plugin subsystem has changed all that much in 1.8.7, so it may patch without problems. If you want any help, or can provide some (re-writing rules, suggestions to snort-devel etc...) then let me know, I meant to spend some time on this myself ages ago, but other things came up. I remember Chris Green giving some nice suggestions as to improving the syntax of the bit-check plugin - I think that is why it's not included in vanilla snort, just as well, it's literally a hack around other code. Quick Answers to your Qs: 1) See above, all possible permutations require more rules; 2) Not Barking up the wrong tree 445 will replace the old NetBIOS ports; 3) I believe all Win2k-Win2k or Win2k-WinXP traffic will try to connect on 445, if that port is filtered then they might negotiate to 139 again. 4) Working with a pretty-much unmaintained and outdated rule-set that is snort-netbios. Cheers, Giles Coochey -----Original Message----- From: snort-sigs-admin () lists sourceforge net [mailto:snort-sigs-admin () lists sourceforge net]On Behalf Of Jake Schneider Sent: 01 September 2002 04:37 To: snort-sigs () lists sourceforge net; snort-users () lists sourceforge net Subject: [Snort-sigs] Current rule set for snort 1.8.7 netbios.rules -- Windows 2000 to Windows 2000 mapping detecting C$ and ADMIN$ whats the deal? I'm at the end of my rope with this rule set, let me describe my situation first. I compiled snort version 1.8.7 on Slackware 8.1. It's all up and running, and alerts are getting posted in the DB and everything. Hunky dory. Well one of the really important pieces of this install is the ability to detect folks from $EXTERNAL_NET trying to connect to the administrative share of a Windows 2000/ NT4 Boxen; ie. C$ ADMIN$, what have you. And in the netbios.rules that I installed (the snort.rules.tgz from snort.org - since the snortrules-current.tgz is apparently for versions above 1.8.x), sure enough there are provisions for detecting connects to TCP 139 with the rule set options with content:"\\ADMIN$|00 41 3a 00|" and content: "|5c|C$|00 41 3a 00|" One for matching a connect to I guess \\ADMIN$ which wouldn't necessarily work, because in the dumps I've seen, it's only \ADMIN$ the other being "\C$" which would detect connects to the administrative C share. Testing to see if it works!: I fired up snort and started attempting to connect with my windows 2000 server to the target windows 2000 server by mapping a drive to \\target\C$ and \\target\ADMIN$ in both upper and lower case, and passing and failing the COMPUTER\User authentication. To my surprise, nothing was logged. I changed the rule in snort temporarily to record any connect from my server to the target server in effort to analyze the exact packets the snort IDS was seeing. Sure enough "\ADMIN$" and "\C$" show up, however they show up on port 445 not 139. Here is how ACID displays the snorted packet on 445 with the "\C$" in the packet: 000 : 00 00 00 68 FF 53 4D 42 32 00 00 00 00 18 07 C8 ...h.SMB2....... 010 : 00 00 00 00 00 00 00 00 00 00 00 00 01 08 84 04 ................ 020 : 02 20 00 02 0F 24 00 00 00 00 00 00 10 00 00 00 . ...$.......... 030 : 00 00 00 00 00 00 00 24 00 44 00 00 00 00 00 01 .......$.D...... 040 : 00 10 00 27 00 02 00 00 03 00 5C 00 32 00 31 00 ...'......\.2.1. 050 : 36 00 2E 00 30 00 2E 00 31 00 35 00 35 00 2E 00 6...0...1.5.5... 060 : 32 00 31 00 5C 00 43 00 24 00 00 00 2.1.\.C.$... ^^ ^^ ^^ ^^ ^^ ^^^^^ Okay, now I notice that the content option in the snort.rules is trying to match "|5c|C$|00 41 3a 00|" and from what I can see here, it needs to match "|5C 00 43 00 24|" So I changed the rule to instead try and match "|5C 00 43 00 24|" and still nothing! I also tried: "|5C 43 24|" "|5C00430024|" "\C$" "|5C|00|43|00|24|" "\C$|5C 00 43 00 24|" "\C$|5C 43 24|" "\C$|5C4324|" I've poured over snort's documentation over and over again, specifically regarding the content rule options, I even tried the rawbits option, but I believe that's only for telnet decodes. I guess I don't understand the Boyer-Moore pattern match function. These are my questions regarding netbios.rules. 1) How do I match a string like \C$ or any part of an UNC within the current rule set? 2) Am I barking up the wrong tree with port 445 microsoft-ds, when this is the only port I see strings matching the UNCs when I want to log SMB connects? I never saw any of these strings on 135, 137, or 139. 3) Is there a difference with regards to the client connecting on this matter of ports? If I connect with a Windows 95 machine to the server will the string show up on port 139? Was the fact that I connected from a 2000 box make it connect on 445? (I'm far from understanding the intricacies of Microsoft SMB client/server interaction. 4) What the heck am I doing wrong?! Well thanks for taking the time reading this, if you can offer any insight into my problem, I would greatly appreciate it. If there is not enough detail here, just let me know, I can provide more. Thank You group, Jake Schneider ------------------------------------------------------- This sf.net email is sponsored by: OSDN - Tired of that same old cell phone? Get a new here for FREE! https://www.inphonic.com/r.asp?r=sourceforge1&refcode1=vs3390 _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- Current rule set for snort 1.8.7 netbios.rules -- Windows 2000 to Windows 2000 mapping detecting C$ and ADMIN$ whats the deal? Jake Schneider (Aug 31)
- RE: [Snort-sigs] Current rule set for snort 1.8.7 netbios.rules -- Windows 2000 to Windows 2000 mapping detecting C$ and ADMIN$ whats the deal? Giles Coochey (Sep 02)