Snort mailing list archives
Re: MSSQL False Neg
From: "Bill Scherr IV" <bschnzl () cotse net>
Date: Tue, 01 Dec 2009 17:04:46 -0500
Wally... Yes it is! TYVM.

B.

Circa 16:27, 1 Dec 2009, a note, claiming source Jason Wallace <jason.r.wallace () gmail com>, was sent to me:

Date sent: Tue, 1 Dec 2009 16:27:16 -0500
Subject: Re: [Snort-sigs] MSSQL False Neg
From: Jason Wallace <jason.r.wallace () gmail com>
To: bschnzl () cotse net

> Just a thought... is 1433 included in your stream5 config? I typically use "ports both" for this port. If it is not in there the flow: stuff will not work.
>
> On Tue, Dec 1, 2009 at 3:34 PM, Bill Scherr IV <bschnzl () cotse net> wrote:
>
> > Folks...
> >
> > Snort has a sig that should fire on these packets (IMHO). The packet indicates the distance of the username (offset 0x0066) from the TDS Login data of the packet (beginning at offset 0x003e). There are lots of length indicators, but they all start from 0x003e. The byte_jump starts from the beginning of data (offset 0x0036), if I read right.
> >
> > I am thinking /content:"s|00|a|00|"; within:8; distance:8;/
> >
> > I am using the reference @ http://www.freetds.org/tds.html#login7
> >
> > The threshold was met, several times over, but nothing fired! Am I on track here?
> >
> > ------- Data -------
> >
> > Original Sig (False Neg?)
> >
> > alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"SQL SA brute force login attempt TDS v7/8"; flow:to_server,established; content:"|10|"; depth:1; content:"|00 00|"; depth:2; offset:34; content:"|00 00 00 00|"; depth:4; offset:64; pcre:"/^.{12}(\x00|\x01)\x00\x00(\x70|\x71)/smi"; byte_jump:2,48,little,from_beginning; content:"s|00|a|00|"; within:4; distance:8; nocase; threshold:type threshold, track by_src, count 5, seconds 2; reference:bugtraq,4797; reference:cve,2000-1209; reference:nessus,10673; classtype:suspicious-login; sid:3543; rev:4;)
> >
> > Typical Packet (82 each, this event):
> >
> > 0000  00 14 bf 52 fe 40 00 d0  2b 77 75 01 08 00 45 20  ...R.@.. +wu...E
> > 0010  00 bc 1e 56 40 00 6c 06  xx xx 79 0b 50 ce xx xx  ...V@.l. xxy.P.xx
> > 0020  xx 7a 08 2b 05 99 a4 51  cc 4d b1 be 2b 43 50 18  xz.+...Q .M..+CP.
> > 0030  ff ff 3d 81 00 00 10 01  00 94 00 00 01 00 8c 00  ..=..... ........
> > 0040  00 00 01 00 00 71 00 00  00 00 00 00 00 07 d0 19  .....q.. ........
> > 0050  00 00 00 00 00 00 e0 03  00 00 20 fe ff ff 04 08  ........ .. .....
> > 0060  00 00 56 00 06 00 62 00  02 00 66 00 01 00 68 00  ..V...b. ..f...h.
> > 0070  00 00 68 00 0e 00 00 00  00 00 84 00 04 00 8c 00  ..h..... ........
> > 0080  00 00 8c 00 00 00 00 1c  25 5b 6f ff 00 00 00 00  ........ %[o.....
> > 0090  8c 00 00 00 44 00 57 00  44 00 57 00 34 00 44 00  ....D.W. D.W.4.D.
> > 00a0  73 00 61 00 b3 a5 xx 00  xx 00 2e 00 xx 00 xx 00  s.a...x. x...x.x.
> > 00b0  xx 00 2e 00 xx 00 xx 00  xx 00 2e 00 31 00 32 00  x...x.x. x...1.2.
> > 00c0  32 00 4f 00 44 00 42 00  43 00                    2.O.D.B. C.
> >
> > ------- End Data -------
> >
> > Bill Scherr IV, GSEC, GCIA
> > Principal Security Engineer
> > EWA Information and Infrastructure Technologies
> > bscherr () iit-tek com
> > bscherr () ewa com
> > 703-478-7608
> >
> > ------------------------------------------------------------------------------
> > Join us December 9, 2009 for the Red Hat Virtual Experience, a free event focused on virtualization and cloud computing. Attend in-depth sessions from your desk. Your couch. Anywhere. http://p.sf.net/sfu/redhat-sfdev2dev
> > _______________________________________________
> > Snort-sigs mailing list
> > Snort-sigs () lists sourceforge net
> > https://lists.sourceforge.net/lists/listinfo/snort-sigs
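A way to check the question Bill raises (does the byte_jump in sid:3543 actually land on the "sa" username of the posted packet?) is to decode the packet and walk the rule's payload options in order. The script below is an added example written for this archive page; it is not code from the thread, from Sourcefire/Snort, or from FreeTDS. It assumes the LOGIN7 field layout from the FreeTDS page the post references, rebuilds the packet from the posted hex dump with the redacted "xx" bytes substituted by ASCII 'x' (a constructed stand-in, so the decoded server name reads "xx.xxx.xxx.122"), and models Snort's content/pcre/byte_jump/distance/within semantics in a simplified way rather than running the real detection engine.

```python
import re
import struct

# Constructed input: the "Typical Packet" hex dump from the post, hex columns only.
# Bytes the poster redacted as "xx" (parts of the IP addresses and of the server
# name string) are substituted with 0x78 (ASCII 'x') when decoded below.
PACKET_HEX = """
0000 00 14 bf 52 fe 40 00 d0 2b 77 75 01 08 00 45 20
0010 00 bc 1e 56 40 00 6c 06 xx xx 79 0b 50 ce xx xx
0020 xx 7a 08 2b 05 99 a4 51 cc 4d b1 be 2b 43 50 18
0030 ff ff 3d 81 00 00 10 01 00 94 00 00 01 00 8c 00
0040 00 00 01 00 00 71 00 00 00 00 00 00 00 07 d0 19
0050 00 00 00 00 00 00 e0 03 00 00 20 fe ff ff 04 08
0060 00 00 56 00 06 00 62 00 02 00 66 00 01 00 68 00
0070 00 00 68 00 0e 00 00 00 00 00 84 00 04 00 8c 00
0080 00 00 8c 00 00 00 00 1c 25 5b 6f ff 00 00 00 00
0090 8c 00 00 00 44 00 57 00 44 00 57 00 34 00 44 00
00a0 73 00 61 00 b3 a5 xx 00 xx 00 2e 00 xx 00 xx 00
00b0 xx 00 2e 00 xx 00 xx 00 xx 00 2e 00 31 00 32 00
00c0 32 00 4f 00 44 00 42 00 43 00
"""


def hexdump_to_bytes(dump, redacted=0x78):
    """Turn an offset-prefixed hex dump into bytes, filling redacted 'xx' cells."""
    out = bytearray()
    for line in dump.strip().splitlines():
        for tok in line.split()[1:]:          # drop the offset column
            out.append(redacted if tok == "xx" else int(tok, 16))
    return bytes(out)


def tcp_payload(frame):
    """Skip Ethernet (14 bytes), IPv4 (IHL) and TCP (data offset) headers."""
    ihl = (frame[14] & 0x0F) * 4
    tcp = 14 + ihl
    doff = (frame[tcp + 12] >> 4) * 4
    return frame[tcp + doff:]


# LOGIN7 offset/length table order, per the FreeTDS TDS 7 description cited in the post.
LOGIN7_TABLE = ("hostname", "username", "password", "appname", "servername",
                "unused", "library", "language", "database")


def parse_login7(payload):
    """Decode the 8-byte TDS header and the LOGIN7 fixed block plus string table.
    Offsets are reported relative to the TCP payload, which is what byte_jump sees."""
    ptype, status, tds_len = struct.unpack(">BBH", payload[:4])
    login = payload[8:]                       # LOGIN7 starts after the TDS header
    info = {"tds_type": ptype, "status": status, "tds_length": tds_len,
            "login_length": struct.unpack("<I", login[0:4])[0],
            "tds_version": struct.unpack("<I", login[4:8])[0],
            "offsets": {}, "strings": {}}
    pos = 36                                  # first offset/length pair
    for name in LOGIN7_TABLE:
        off, ln = struct.unpack("<HH", login[pos:pos + 4])
        pos += 4
        info["offsets"][name] = 8 + off       # LOGIN7-relative -> payload-relative
        if name not in ("unused", "password") and ln:   # password is obfuscated; skip it
            info["strings"][name] = login[off:off + 2 * ln].decode("utf-16-le")
    return info


def rule_3543_payload_checks(payload):
    """Emulate the payload options of sid:3543 rev:4 in order (a simplified model of
    Snort's content/pcre/byte_jump semantics). Returns (all_matched, steps)."""
    steps = [
        ("content:|10|; depth:1", payload[0:1] == b"\x10"),
        ("content:|00 00|; offset:34; depth:2", payload[34:36] == b"\x00\x00"),
        ("content:|00 00 00 00|; offset:64; depth:4", payload[64:68] == bytes(4)),
        ("pcre: TDS 7.0/7.1 version field at offset 12",
         re.match(rb"^.{12}[\x00\x01]\x00\x00[\x70\x71]", payload, re.S | re.I) is not None),
    ]
    # byte_jump:2,48,little,from_beginning -> read LE u16 at payload[48], jump from 0
    doe = struct.unpack("<H", payload[48:50])[0]
    # content:"s|00|a|00|"; distance:8; within:4; nocase -> 4-byte window at doe+8
    window = payload[doe + 8:doe + 12]
    steps.append((f"byte_jump -> {doe}; distance:8 -> {doe + 8}; content s|00|a|00| within:4",
                  window.lower() == b"s\x00a\x00"))
    return all(ok for _, ok in steps), steps


if __name__ == "__main__":
    payload = tcp_payload(hexdump_to_bytes(PACKET_HEX))
    info = parse_login7(payload)
    print(f"TDS len {info['tds_length']}, LOGIN7 len {info['login_length']}, "
          f"version 0x{info['tds_version']:08x}")
    for name, s in info["strings"].items():
        print(f"  {name:10s} @ payload offset {info['offsets'][name]:3d}: {s!r}")
    matched, steps = rule_3543_payload_checks(payload)
    for desc, ok in steps:
        print(f"  [{'ok' if ok else 'MISS'}] {desc}")
    print("payload side of sid:3543 matches:", matched)
```

On this packet the byte_jump reads 98 at payload offset 48 (the UserName offset, which is relative to the LOGIN7 block at 0x3e), and the rule's distance:8 is what bridges the 8-byte TDS header so the "s|00|a|00|" check lands exactly at payload offset 106 (0xa0). Under this model every payload-level option of the rule is satisfied, which is consistent with Bill's reading that the signature should have fired and leaves the non-payload conditions (flow:to_server,established, and therefore the stream5 port configuration Jason asks about, plus the threshold) as the things to verify.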
Current thread:
- MSSQL False Neg Bill Scherr IV (Dec 01)
- Re: MSSQL False Neg Alex Kirk (Dec 01)
- Re: MSSQL False Neg Bill Scherr IV (Dec 01)
- Re: MSSQL False Neg Nigel Houghton (Dec 01)
- Re: MSSQL False Neg Matt Olney (Dec 01)
- Re: MSSQL False Neg Matt Olney (Dec 01)
- Re: MSSQL False Neg Bill Scherr IV (Dec 01)
- Re: MSSQL False Neg Bill Scherr IV (Dec 01)
- Re: MSSQL False Neg Alex Kirk (Dec 01)
- Re: MSSQL False Neg Bill Scherr IV (Dec 01)