Snort mailing list archives

Bug in 2.02 found getting this SMB rule to work


From: Jason Haar <Jason.Haar () trimble co nz>
Date: Tue, 14 Oct 2003 13:08:40 +1300

I was trying to get the following rule to work under RH7.1, snort-2.02

alert tcp any 445 -> any any (msg:"Test Scan for SMB Login Failure";
flow:from_server,established; content:"|FF 53 4D 42 73 6D 00 00 C0|";
classtype:attempted-user; )

I even went as far as running "snort -c config.file -X" as I purposefully
failed to log into a remote SMB server - I saw "FF 53 4D 42 73 6D 00 00 C0"
in the output from "snort -X" - but the alert never triggered. I removed the
"flow" option - no help.

I happened to have snort 2.01 and 2.00 lying around on the same system, so I
ran the same config under both too. 2.01 didn't work either - but 2.00 did!

I'd say something snuck in after 2.00 was released...


Here's the packet that should have triggered an alert (from "snort -X")

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

10/13/03-23:52:28.718487 0:6:D7:43:42:C1 -> 0:6:D7:43:2E:80 type:0x800 len:0x69
10.1.2.3:445 -> 10.5.6.7:3104 TCP TTL:126 TOS:0x0 ID:47895 IpLen:20 DgmLen:91 DF
***AP*** Seq: 0xF24FA416  Ack: 0xFC347CDE  Win: 0x407D  TcpLen: 32
TCP Options (3) => NOP NOP TS: 635687 10353632 
0x0000: 00 06 D7 43 2E 80 00 06 D7 43 42 C1 08 00 45 00  ...C.....CB...E.
0x0010: 00 5B BB 17 40 00 7E 06 2B 6D 0A 01 01 71 0A 03  .[..@.~.+m...q..
0x0020: 00 A4 01 BD 0C 20 F2 4F A4 16 FC 34 7C DE 80 18  ..... .O...4|...
0x0030: 40 7D 47 FD 00 00 01 01 08 0A 00 09 B3 27 00 9D  @}G..........'..
0x0040: FB E0 00 00 00 23 FF 53 4D 42 73 6D 00 00 C0 98  .....#.SMBsm....
0x0050: 07 C8 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0x0060: FF FE 02 68 80 07 00 00 00                       ...h.....

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+


-- 
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1


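As an added illustration (this is not code from the post or from the Snort project), the following Python rebuilds the frame from the "snort -X" dump above, strips the Ethernet, IPv4 and TCP headers using the real IHL and data-offset fields, turns the rule's content string into the byte pattern Snort searches for, and decodes the SMB header to show why those nine bytes single out a failed logon: command 0x73 (SMB_COM_SESSION_SETUP_ANDX), NT status 0xC000006D (STATUS_LOGON_FAILURE, little-endian on the wire) and the reply bit in Flags. The function names and the hex dump parser are assumptions made here; rule_would_match only models the source-port test and the content match, not Snort's stream reassembly or the flow option, so it shows what a correct content search should report for this packet, not what 2.02 actually did.

```python
import struct

# Packet dump copied from the "snort -X" output quoted in the post above.
SNORT_X_DUMP = """\
0x0000: 00 06 D7 43 2E 80 00 06 D7 43 42 C1 08 00 45 00  ...C.....CB...E.
0x0010: 00 5B BB 17 40 00 7E 06 2B 6D 0A 01 01 71 0A 03  .[..@.~.+m...q..
0x0020: 00 A4 01 BD 0C 20 F2 4F A4 16 FC 34 7C DE 80 18  ..... .O...4|...
0x0030: 40 7D 47 FD 00 00 01 01 08 0A 00 09 B3 27 00 9D  @}G..........'..
0x0040: FB E0 00 00 00 23 FF 53 4D 42 73 6D 00 00 C0 98  .....#.SMBsm....
0x0050: 07 C8 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0x0060: FF FE 02 68 80 07 00 00 00                       ...h.....
"""

# The content option exactly as written in the rule in the post.
RULE_CONTENT = '"|FF 53 4D 42 73 6D 00 00 C0|"'

# Only the status this rule is about; other NT status values are reported as unknown.
NT_STATUS_NAMES = {0xC000006D: "STATUS_LOGON_FAILURE"}


def parse_snort_x(dump):
    """Turn a 'snort -X' hex dump back into raw frame bytes (assumed fixed-width layout)."""
    out = bytearray()
    for line in dump.splitlines():
        if not line.startswith("0x"):
            continue
        # Columns 8..55 hold the 16 two-digit hex fields; the ASCII column starts after them.
        for tok in line[8:56].split():
            if len(tok) != 2:
                raise ValueError("unexpected token in hex column: %r" % tok)
            out.append(int(tok, 16))
    return bytes(out)


def snort_content_to_bytes(content):
    """Convert a Snort content string such as "abc|00 FF|" into the bytes Snort matches."""
    s = content.strip()
    if s.startswith('"') and s.endswith('"'):
        s = s[1:-1]
    out = bytearray()
    for i, part in enumerate(s.split("|")):
        if i % 2:                                   # inside |...|: hex byte values
            out.extend(bytes.fromhex(part))
        else:                                       # outside: literal text
            out.extend(part.encode("latin-1"))
    return bytes(out)


def tcp_payload(frame):
    """Return (src_port, dst_port, tcp_flags, payload) for an Ethernet/IPv4/TCP frame."""
    if frame[12:14] != b"\x08\x00":
        raise ValueError("not an IPv4 frame")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4                        # IP header length in bytes
    total_len = struct.unpack("!H", ip[2:4])[0]     # IP total length (DgmLen in snort -X)
    if ip[9] != 6:
        raise ValueError("not TCP")
    tcp = ip[ihl:total_len]
    sport, dport = struct.unpack("!HH", tcp[:4])
    doff = (tcp[12] >> 4) * 4                       # TCP header length incl. options
    return sport, dport, tcp[13], tcp[doff:]


def decode_smb(payload):
    """Decode the NetBIOS session header and the fixed 32-byte SMB header that follows it."""
    nb_len = int.from_bytes(payload[1:4], "big")    # NetBIOS session service length
    smb = payload[4:4 + nb_len]
    if smb[:4] != b"\xffSMB":
        raise ValueError("no SMB header at start of payload")
    status = struct.unpack("<I", smb[5:9])[0]       # NT status, little-endian
    flags2 = struct.unpack("<H", smb[10:12])[0]
    return {
        "netbios_length": nb_len,
        "command": smb[4],
        "status": status,
        "status_name": NT_STATUS_NAMES.get(status, "unknown"),
        "is_reply": bool(smb[9] & 0x80),            # Flags bit 7: server -> client
        "nt_status_codes": bool(flags2 & 0x4000),   # Flags2: status field is an NT status
    }


def rule_would_match(frame, content=RULE_CONTENT):
    """Port and content test of the rule only (no flow/stream tracking); returns (matched, offset)."""
    sport, _dport, _flags, payload = tcp_payload(frame)
    offset = payload.find(snort_content_to_bytes(content))
    return sport == 445 and offset >= 0, offset


if __name__ == "__main__":
    frame = parse_snort_x(SNORT_X_DUMP)
    sport, dport, flags, payload = tcp_payload(frame)
    print("%d -> %d, tcp flags 0x%02x, %d payload bytes" % (sport, dport, flags, len(payload)))
    print(decode_smb(payload))
    print("rule content found:", rule_would_match(frame))
```

The pattern sits at payload offset 4 because the four-byte NetBIOS session header precedes the SMB header on TCP/445; a rule that also used "offset:4" or "depth:13" on this content would still match here, but would not match the same SMB header carried over NetBIOS on TCP/139 with a different session-message prefix.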