Snort mailing list archives

NETBIOS Unicode Access - False Positives


From: "Gross, Mark" <mgross () microstrategy com>
Date: Wed, 18 Aug 2004 22:55:40 -0400

Hi all,

I checked the list regarding a lot of the NETBIOS rules, and there seemed to be others who are having similar (or the same) issues as I am. Alerts are being generated for packets that are part of normal traffic. I am sure that this has been covered somewhere, so if it is a duplicate, or you are already aware of this, please disregard it. If there are updated rules, they are not official, as the rule listed below was taken from the Aug. 18th, 2004 daily and I found no updates in the database (with or without documentation).

The rules that are causing ALERTS:

NETBIOS SMB C$ share unicode access (sid:2470), NETBIOS SMB IPC$ share unicode access (sid:538), NETBIOS SMB-DS C$ share unicode access (sid:2472) and NETBIOS SMB-DS IPC$ share unicode access (sid:2466).

Apparently this is triggered any time anyone accesses a network share on a 2002 server (maybe others too) with the NETBIOS command "Tree Connect AndX Request".

The alerts are generated by accessing ANY/EVERY network share, whether a user has the rights or not.

I only listed one of the four rules; however, the other three are matched later in the stream.

Here is the rule and one packet (Tree Connect AndX Request).

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB IPC$ share unicode access"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB"; depth:4; offset:4; byte_test:1,>,127,7,relative; content:"I|00|P|00|C|00 24 00 00|"; distance:33; nocase; classtype:protocol-command-decode; sid:538; rev:11;)

000005D3  00 00 00 5a ff 53 4d 42  75 00 00 00 00 18 07 c8   ...Z.SMB u......È
000005E3  00 00 48 92 dd 80 0b bb  2c bd 00 00 00 00 ff fe   ..H'Ý..» ,......þ
000005F3  03 48 40 2e 04 ff 00 5a  00 08 00 01 00 2f 00 00   .H@....Z ...../..
00000603  5c 00 5c 00 ff 00 ff 00  ff 00 ff 00 ff 00 ff 00   \.\.S.E. R.V.E.R.
00000613  ff 00 ff 00 ff 00 ff 00  ff 00 ff 00 5c 00 49 00   -.1.-.I. A.S.\.I.
00000623  50 00 43 00 24 00 00 00  3f 3f 3f 3f 3f 00         P.C.$... ?????.

There were a total of 33 packets from the time that the Tree Request was made to the time that the Tree Disconnect was made. In those 33 packets all 4 of the above-listed rules were true.

It would seem that the rule needs to be modified to ALERT if the "NT Status: STATUS_ACCESS_DENIED (0x0000022)" is 
returned anywhere in the stream.
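The packet and rule quoted in the post above, worked through as an added example (this is not code from the post or from the Snort project). The Python below rebuilds the quoted Tree Connect AndX request from the hex dump (the server name in the UNC path is masked with 0xff bytes in the dump, so it decodes as a run of "ÿ" characters), decodes the share path, replays the detection options of sid:538 one by one to show why a legitimate connect to IPC$ satisfies them, and then sketches the stateful check the post proposes by pairing each Tree Connect AndX request with its reply on (pid, mid) and reporting only shares the server refused. The reply packets, the helper names and the (pid, mid) pairing are constructed for this example; the NT status code STATUS_ACCESS_DENIED is 0xC0000022.

```python
import struct

# Packet quoted in the post: 4-byte NetBIOS session header followed by the SMB
# message. The server name inside the UNC path was masked with 0xff in the dump.
TREE_CONNECT_REQUEST = bytes.fromhex(
    "00 00 00 5a ff 53 4d 42 75 00 00 00 00 18 07 c8"
    "00 00 48 92 dd 80 0b bb 2c bd 00 00 00 00 ff fe"
    "03 48 40 2e 04 ff 00 5a 00 08 00 01 00 2f 00 00"
    "5c 00 5c 00 ff 00 ff 00 ff 00 ff 00 ff 00 ff 00"
    "ff 00 ff 00 ff 00 ff 00 ff 00 ff 00 5c 00 49 00"
    "50 00 43 00 24 00 00 00 3f 3f 3f 3f 3f 00"
)

SMB_COM_TREE_CONNECT_ANDX = 0x75
FLAGS_REPLY = 0x80           # Flags bit: message is a server reply
FLAGS2_UNICODE = 0x8000      # Flags2 bit: strings are UTF-16LE
STATUS_ACCESS_DENIED = 0xC0000022


def parse_smb(pkt):
    """Split a NetBIOS-session-framed SMB message into its header fields."""
    nb_len = int.from_bytes(pkt[1:4], "big")
    smb = pkt[4:4 + nb_len]
    if pkt[0] != 0 or len(smb) != nb_len or smb[:4] != b"\xffSMB":
        raise ValueError("not a NetBIOS session message carrying SMB")
    cmd, status, flags, flags2 = struct.unpack_from("<BIBH", smb, 4)
    tid, pid, uid, mid = struct.unpack_from("<HHHH", smb, 24)
    return {"command": cmd, "status": status, "flags": flags, "flags2": flags2,
            "tid": tid, "pid": pid, "uid": uid, "mid": mid, "body": smb[32:]}


def tree_connect_path(hdr):
    """Return the UNC path carried by a Tree Connect AndX request."""
    body, wct = hdr["body"], hdr["body"][0]
    pwlen = struct.unpack_from("<H", body, 7)[0]            # PasswordLength word
    bcc = struct.unpack_from("<H", body, 1 + 2 * wct)[0]   # ByteCount
    data = body[3 + 2 * wct:3 + 2 * wct + bcc]
    rest = data[pwlen:]                                     # skip the password blob
    if not hdr["flags2"] & FLAGS2_UNICODE:
        return rest.split(b"\x00", 1)[0].decode("latin-1")
    # Unicode strings are aligned to an even offset from the (32-byte, even) SMB
    # header start, so one pad byte follows an odd-length parameter+password run.
    rest = rest[(3 + 2 * wct + pwlen) % 2:]
    end = 0
    while end + 1 < len(rest) and rest[end:end + 2] != b"\x00\x00":
        end += 2
    return rest[:end].decode("utf-16-le")


def sid_538_matches(pkt):
    """Replay the detection options of sid:538 against one payload."""
    if pkt[:1] != b"\x00":                       # content:"|00|"; depth:1;
        return False
    if pkt[4:8] != b"\xffSMB":                   # content:"|FF|SMB"; depth:4; offset:4;
        return False
    cursor = 8                                   # cursor sits after the last content match
    # byte_test:1,>,127,7,relative -> high byte of Flags2, i.e. the Unicode bit
    if len(pkt) <= cursor + 7 or pkt[cursor + 7] <= 127:
        return False
    # byte_test does not move the cursor, so distance:33 counts from the end of "\xffSMB".
    needle = b"I\x00P\x00C\x00$\x00\x00\x00"     # content:"I|00|P|00|C|00 24 00 00|"; nocase;
    return needle.lower() in pkt[cursor + 33:].lower()


def make_tree_connect_reply(request, status):
    """Constructed minimal Tree Connect AndX reply echoing the request's ids."""
    h = parse_smb(request)
    smb = (b"\xffSMB"
           + struct.pack("<BIBH", SMB_COM_TREE_CONNECT_ANDX, status,
                         h["flags"] | FLAGS_REPLY, h["flags2"])
           + b"\x00" * 12                                 # PIDHigh, signature, reserved
           + struct.pack("<HHHH", h["tid"], h["pid"], h["uid"], h["mid"])
           + b"\x00\x00\x00")                             # WordCount 0, ByteCount 0
    return b"\x00" + len(smb).to_bytes(3, "big") + smb


def access_denied_tree_connects(packets):
    """Stateful check along the lines the post asks for: pair each Tree Connect
    AndX request with its reply on (pid, mid) and report only the shares the
    server refused with STATUS_ACCESS_DENIED."""
    pending, denied = {}, []
    for pkt in packets:
        h = parse_smb(pkt)
        if h["command"] != SMB_COM_TREE_CONNECT_ANDX:
            continue
        key = (h["pid"], h["mid"])
        if not h["flags"] & FLAGS_REPLY:
            pending[key] = tree_connect_path(h)
        elif key in pending and h["status"] == STATUS_ACCESS_DENIED:
            denied.append(pending.pop(key))
        else:
            pending.pop(key, None)
    return denied


if __name__ == "__main__":
    req = TREE_CONNECT_REQUEST
    print("path:", tree_connect_path(parse_smb(req)), "| sid:538 fires:", sid_538_matches(req))
    refused = make_tree_connect_reply(req, STATUS_ACCESS_DENIED)
    print("denied shares:", access_denied_tree_connects([req, refused]))
```

Two things the replay makes visible: the rule never checks the SMB command byte, and the byte_test only confirms that Flags2 has the Unicode bit set, so the alert condition is "a Unicode SMB request with IPC$ somewhere past the header", which every ordinary connect to that share meets. The stateful function keys on (pid, mid) because that is how an SMB client matches replies to its own requests; a version that scanned the whole stream for any STATUS_ACCESS_DENIED would also fire on later, unrelated operations inside the same session.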

