Snort mailing list archives

Re: MSSQL False Neg

From: "Bill Scherr IV" <bschnzl () cotse net>
Date: Tue, 01 Dec 2009 17:04:46 -0500

Wally...

   Yes it is!  TYVM.

B.

Circa 16:27, 1 Dec 2009, a note, claiming source Jason Wallace <jason.r.wallace () gmail com>, was 
sent to me:

Date sent:              Tue, 1 Dec 2009 16:27:16 -0500
Subject:                Re: [Snort-sigs] MSSQL False Neg
From:                   Jason Wallace <jason.r.wallace () gmail com>
To:                     bschnzl () cotse net

Just a thought... is 1433 included in your stream5 config? I typically
use "ports both" for this port. If it is not in there the the flow:
stuff will not work.

On Tue, Dec 1, 2009 at 3:34 PM, Bill Scherr IV <bschnzl () cotse net> wrote:

Folks...

  Snort has a sig that should fire on these packets (IMHO).  The packet indicates the distance of the
username (offset 0x0066) from the TDS Login data of the packet (beginning at offset 0x003e).  There
are lots of length indicators, but they all start from 0x003e.  The byte_jump starts from the beginning of
data (offset 0x0036), if I read right.  I am thinking /content:"s|00|a|00|"; within:8; distance:8;/

  I am using the reference @ http://www.freetds.org/tds.html#login7

  The threshold was met, several times over, but nothing fired!  Am I on track here?

-------  Data  -------

Original Sig (False Neg?)

alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"SQL SA brute force login attempt TDS
v7/8"; flow:to_server,established; content:"|10|"; depth:1; content:"|00 00|"; depth:2; offset:34;
content:"|00 00 00 00|"; depth:4; offset:64; pcre:"/^.{12}(\x00|\x01)\x00\x00(\x70|\x71)/smi";
byte_jump:2,48,little,from_beginning; content:"s|00|a|00|"; within:4; distance:8; nocase; threshold:type
threshold, track by_src, count 5, seconds 2; reference:bugtraq,4797; reference:cve,2000-1209;
reference:nessus,10673; classtype:suspicious-login; sid:3543; rev:4;)

Typical Packet (82 each, this event):

0000  00 14 bf 52 fe 40 00 d0  2b 77 75 01 08 00 45 20   ...R.@.. +wu...E
0010  00 bc 1e 56 40 00 6c 06  xx xx 79 0b 50 ce xx xx   ...V@.l. xxy.P.xx
0020  xx 7a 08 2b 05 99 a4 51  cc 4d b1 be 2b 43 50 18   xz.+...Q .M..+CP.
0030  ff ff 3d 81 00 00 10 01  00 94 00 00 01 00 8c 00   ..=..... ........
0040  00 00 01 00 00 71 00 00  00 00 00 00 00 07 d0 19   .....q.. ........
0050  00 00 00 00 00 00 e0 03  00 00 20 fe ff ff 04 08   ........ .. .....
0060  00 00 56 00 06 00 62 00  02 00 66 00 01 00 68 00   ..V...b. ..f...h.
0070  00 00 68 00 0e 00 00 00  00 00 84 00 04 00 8c 00   ..h..... ........
0080  00 00 8c 00 00 00 00 1c  25 5b 6f ff 00 00 00 00   ........ %[o.....
0090  8c 00 00 00 44 00 57 00  44 00 57 00 34 00 44 00   ....D.W. D.W.4.D.
00a0  73 00 61 00 b3 a5 xx 00  xx 00 2e 00 xx 00 xx 00   s.a...x. x...x.x.
00b0  xx 00 2e 00 xx 00 xx 00  xx 00 2e 00 31 00 32 00   x...x.x. x...1.2.
00c0  32 00 4f 00 44 00 42 00  43 00                     2.O.D.B. C.

-------  End Data  -------


Bill Scherr IV, GSEC, GCIA
Principal Security Engineer
EWA Information and Infrastructure Technologies
bscherr () iit-tek com
bscherr () ewa com
703-478-7608


------------------------------------------------------------------------------
Join us December 9, 2009 for the Red Hat Virtual Experience,
a free event focused on virtualization and cloud computing.
Attend in-depth sessions from your desk. Your couch. Anywhere.
http://p.sf.net/sfu/redhat-sfdev2dev
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs



Bill Scherr IV, GSEC, GCIA
Principal Security Engineer
EWA Information and Infrastructure Technologies
bscherr () iit-tek com
bscherr () ewa com
703-478-7608


------------------------------------------------------------------------------
Join us December 9, 2009 for the Red Hat Virtual Experience,
a free event focused on virtualization and cloud computing. 
Attend in-depth sessions from your desk. Your couch. Anywhere.
http://p.sf.net/sfu/redhat-sfdev2dev
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs

Current thread:

MSSQL False Neg Bill Scherr IV (Dec 01)
- Re: MSSQL False Neg Alex Kirk (Dec 01)
  - Re: MSSQL False Neg Bill Scherr IV (Dec 01)
    - Re: MSSQL False Neg Nigel Houghton (Dec 01)
    - Re: MSSQL False Neg Matt Olney (Dec 01)
    - Re: MSSQL False Neg Matt Olney (Dec 01)
    - Re: MSSQL False Neg Bill Scherr IV (Dec 01)
- Message not available
  - Re: MSSQL False Neg Bill Scherr IV (Dec 01)