Snort mailing list archives
Bug in 2.02 found getting this SMB rule to work
From: Jason Haar <Jason.Haar () trimble co nz>
Date: Tue, 14 Oct 2003 13:08:40 +1300
I was trying to get the following rule to work under RH7.1, snort-2.02

alert tcp any 445 -> any any (msg:"Test Scan for SMB Login Failure"; flow:from_server,established; content:"|FF 53 4D 42 73 6D 00 00 C0|"; classtype:attempted-user; )

I even went as far as running "snort -c config.file -X" as I purposefully failed to log into a remote SMB server - I saw "FF 53 4D 42 73 6D 00 00 C0" in the output from "snort -X" - but the alert never triggered. I removed the "flow" option - no help.

I happened to have snort 2.01 and 2.00 lying around on the same system, so I ran the same config under both too. 2.01 didn't work either - but 2.00 did! I'd say something snuck in after 2.00 was released...

Here's the packet that should have triggered an alert (from "snort -X")

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
10/13/03-23:52:28.718487 0:6:D7:43:42:C1 -> 0:6:D7:43:2E:80 type:0x800 len:0x69
10.1.2.3:445 -> 10.5.6.7:3104 TCP TTL:126 TOS:0x0 ID:47895 IpLen:20 DgmLen:91 DF
***AP*** Seq: 0xF24FA416 Ack: 0xFC347CDE Win: 0x407D TcpLen: 32
TCP Options (3) => NOP NOP TS: 635687 10353632
0x0000: 00 06 D7 43 2E 80 00 06 D7 43 42 C1 08 00 45 00  ...C.....CB...E.
0x0010: 00 5B BB 17 40 00 7E 06 2B 6D 0A 01 01 71 0A 03  .[..@.~.+m...q..
0x0020: 00 A4 01 BD 0C 20 F2 4F A4 16 FC 34 7C DE 80 18  ..... .O...4|...
0x0030: 40 7D 47 FD 00 00 01 01 08 0A 00 09 B3 27 00 9D  @}G..........'..
0x0040: FB E0 00 00 00 23 FF 53 4D 42 73 6D 00 00 C0 98  .....#.SMBsm....
0x0050: 07 C8 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0x0060: FF FE 02 68 80 07 00 00 00                       ...h.....
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

-- 
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
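As an added example (not code from the original post or from the Snort project), the following Python script rebuilds the frame from the "snort -X" dump quoted in the post, strips the Ethernet/IPv4/TCP headers using the header length fields, and checks whether the rule's content bytes actually occur in the TCP payload. It assumes only the fixed-width layout of "snort -X" output (16 hex columns, then an ASCII column) and is the first check to make before suspecting the detection engine itself.

```python
# Added example (not from the original post or from Snort): rebuild the frame
# from a "snort -X" dump, strip Ethernet/IPv4/TCP headers and check whether a
# rule's content bytes occur in the TCP payload (and where).

# Constructed from the packet quoted in the post (hex columns re-aligned).
SNORT_X_DUMP = """\
0x0000: 00 06 D7 43 2E 80 00 06 D7 43 42 C1 08 00 45 00  ...C.....CB...E.
0x0010: 00 5B BB 17 40 00 7E 06 2B 6D 0A 01 01 71 0A 03  .[..@.~.+m...q..
0x0020: 00 A4 01 BD 0C 20 F2 4F A4 16 FC 34 7C DE 80 18  ..... .O...4|...
0x0030: 40 7D 47 FD 00 00 01 01 08 0A 00 09 B3 27 00 9D  @}G..........'..
0x0040: FB E0 00 00 00 23 FF 53 4D 42 73 6D 00 00 C0 98  .....#.SMBsm....
0x0050: 07 C8 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0x0060: FF FE 02 68 80 07 00 00 00                       ...h.....
"""

# Content option copied from the rule in the post.
RULE_CONTENT = bytes.fromhex("FF 53 4D 42 73 6D 00 00 C0")

def parse_snort_x(dump: str) -> bytes:
    """Rebuild raw frame bytes from the hex columns of a snort -X dump."""
    out = bytearray()
    for line in dump.splitlines():
        # After "0xNNNN:" the hex column is 16 x "XX " wide; the rest is ASCII.
        hex_cols = line.split(":", 1)[1][:3 * 16]
        out.extend(int(h, 16) for h in hex_cols.split())
    return bytes(out)

def tcp_payload(frame: bytes) -> bytes:
    """Skip Ethernet (14 bytes), IPv4 (IHL*4) and TCP (data offset*4) headers."""
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = int.from_bytes(ip[2:4], "big")  # drops any Ethernet trailer
    tcp = ip[ihl:total_len]
    data_off = (tcp[12] >> 4) * 4
    return tcp[data_off:]

def rule_content_offset(frame: bytes, content: bytes) -> int:
    """Offset of the rule's content bytes inside the TCP payload, or -1."""
    return tcp_payload(frame).find(content)

def smb_nt_status(payload: bytes) -> int:
    """NT status of the SMB header that follows the 4-byte NetBIOS session header."""
    smb = payload[4:]
    if smb[:4] != b"\xffSMB":
        raise ValueError("not an SMB message")
    return int.from_bytes(smb[5:9], "little")
```

For this packet the content sits at payload offset 4 (right after the NetBIOS session header) and the little-endian status bytes decode to 0xC000006D, so the bytes the rule looks for are present in the payload.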