Snort mailing list archives

Re: RE: [Snort-sigs] Current rule set for snort 1.8.7 netbios.rules -- Windows 2000 to Windows 2000 mapping detecting C$ and ADMIN$ whats the deal?


From: Chris Green <cmg () sourcefire com>
Date: Wed, 09 Oct 2002 12:12:53 -0400

"Giles Coochey" <g.coochey () btinternet com> writes:

> Jake,
>
> You are not the first person to look at the NetBIOS rules and figure that
> they are a nightmare.
>
> First, some points:
>
> 1. The NetBIOS header, below the TCP layer, contains bytes with bit-flags.
> One of these bits decides whether strings are going to use Unicode (2 bytes
> per character) or ASCII (1 byte per character). I believe this is negotiated
> between the hosts.
>
> 2. All Snort NetBIOS rules (AFAIK!) only check for port 139. As you seem to
> be aware, Win2k boxes send simultaneous requests on port 445, and if the
> remote host responds on that port then it negotiates to that port only. As I
> say, all the vanilla rules check for the old NT SMB ports. So if NT or
> earlier networking hosts connect to a Win2k box then they will use port
> 139 (137, 138 etc...). You should only see 445 in Win2k-Win2k communications.


Yes. Need to correct this ASAP.  

> 3. If you want to check for Win2k-Win2k communications then you can
> copy all the TCP samba rules and substitute the TCP/139 for 445, this
> should work in most cases.

Yup, need to revisit them however.


> 4. If you want to be able to check for Unicode and ASCII (i.e. know when
> packets are ASCII or Unicode) then I can recommend a plug-in I developed for
> an earlier version of Snort that allows you to check for bit flags below the
> TCP layer. You can obtain it from http://www.coochey.net which I hacked
> together to get round that stupid Unicode rule - unfortunately this means
> creating yet another set of NetBIOS rules (now, together with the
> Win2k-Win2k problem we have 4x as many rules for the SMB protocol as before
> :-( YMMV).

> Try (off the top of my head, untested):
>
> alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"Win2k Admin C$ Share connect attempt"; flags:A+; content:"|5C 00 43 00 24|";)

> Check the rule example at http://www.coochey.net to work out how the
> bitcheck patch works, it was built as a patch for 1.8.3, but I don't think
> the detection plugin subsystem has changed all that much in 1.8.7, so it may
> patch without problems.

It should work pretty well in 1.9. plugin_enum.h and the directory
structure are the biggest things that have changed.


> If you want any help, or can provide some (re-writing rules, suggestions to
> snort-devel etc...) then let me know, I meant to spend some time on this
> myself ages ago, but other things came up. I remember Chris Green giving
> some nice suggestions as to improving the syntax of the bit-check plugin - I
> think that is why it's not included in vanilla Snort, just as well, it's
> literally a hack around other code.

Yup, I dropped the ball on this one.  Let's correct it in HEAD of
CVS.  I'll look up what my suggestions were and what the code is
looking like these days.



> Quick answers to your Qs:
>
> 1) See above, all possible permutations require more rules;
> 2) Not barking up the wrong tree, 445 will replace the old NetBIOS ports;
> 3) I believe all Win2k-Win2k or Win2k-WinXP traffic will try to connect on
> 445, if that port is filtered then they might negotiate to 139 again;
> 4) Working with a pretty-much unmaintained and outdated rule-set that is
> snort-netbios.

-- 
Chris Green <cmg () sourcefire com>
Fame may be fleeting but obscurity is forever.
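A worked example, added here and not part of the thread or of the Snort rule set, of the rule blow-up Giles describes: it builds Snort content patterns for a share path in both ASCII and Unicode (UTF-16LE) form, emits one rule per encoding and per port (139 and 445), and reports which encoding a captured payload contains. The share names, rule message text and payload fragments are constructed for illustration.

```python
# Added example (not from the thread): build Snort 1.8-style content patterns
# for SMB share-connect detection in both ASCII and Unicode (UTF-16LE) form,
# for both the legacy NetBIOS port 139 and the Win2k direct-SMB port 445.
# Share names, the rule template and the payloads are constructed.

def snort_hex(data: bytes) -> str:
    """Render bytes in Snort content syntax: hex bytes between pipes."""
    return "|" + " ".join(f"{b:02X}" for b in data) + "|"

def share_patterns(share: str) -> dict:
    """The '\\<share>' tail of a UNC path as ASCII and UTF-16LE bytes."""
    path = "\\" + share          # e.g. \C$ ; the \\HOST part precedes it on the wire
    return {
        "ascii": path.encode("ascii"),
        "unicode": path.encode("utf-16-le"),
    }

RULE_TEMPLATE = (
    'alert tcp $EXTERNAL_NET any -> $HOME_NET {port} '
    '(msg:"NETBIOS SMB {share} share connect attempt ({enc}, tcp/{port})"; '
    'flags:A+; content:"{content}";)'
)

def build_rules(shares=("C$", "ADMIN$"), ports=(139, 445)) -> list:
    """One rule per (share, encoding, port): the 4x blow-up the thread mentions."""
    rules = []
    for share in shares:
        for enc, data in share_patterns(share).items():
            for port in ports:
                rules.append(RULE_TEMPLATE.format(
                    port=port, share=share, enc=enc, content=snort_hex(data)))
    return rules

def matches(payload: bytes, share: str) -> list:
    """Which encodings of the share path occur in a captured payload."""
    return [enc for enc, data in share_patterns(share).items() if data in payload]

# Constructed payload fragments standing in for SMB tree-connect requests.
UNICODE_TREE_CONNECT = b"\x00\x00" + "\\\\SERVER\\C$".encode("utf-16-le") + b"\x00\x00"
ASCII_TREE_CONNECT = b"\x00" + b"\\\\SERVER\\ADMIN$" + b"\x00"

if __name__ == "__main__":
    for rule in build_rules():
        print(rule)
    print(matches(UNICODE_TREE_CONNECT, "C$"))      # ['unicode']
    print(matches(ASCII_TREE_CONNECT, "ADMIN$"))    # ['ascii']
```

Note that a port-139 rule with the ASCII pattern never fires on a Unicode-negotiated session, which is exactly why one rule per encoding is needed until the bit-flag check Giles mentions is available.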

