Re: MSSQL False Neg

[Matt Olney <molney () sourcefire com>]

Bill,

Don't worry about the PCAP.  Alex is slammed right now, he just got
back from a speaking engagement in Brazil, so he's still catching up.
I hand decoded your first packet, I'll post my findings here in a few.

Matt

On Tue, Dec 1, 2009 at 5:50 PM, Nigel Houghton <nhoughton () sourcefire com> wrote:
> On Tue, Dec 1, 2009 at 5:40 PM, Bill Scherr IV <bschnzl () cotse net> wrote:
> > Alex,
> >
> > I would rather not post unobfuscated packets to a mailing list, as a matter of practice!  So here:
> >
> > {prior headers omitted}
> > Transmission Control Protocol, Src Port: 2091 (2091), Dst Port: 1433 (1433), Seq: 1, Ack: 1, Len: 148
> >    Source port: 2091 (2091)
> >    Destination port: 1433 (1433)
> >    [Stream index: 38]
> >    Sequence number: 1    (relative sequence number)
> >    [Next sequence number: 149    (relative sequence number)]
> >    Acknowledgement number: 1    (relative ack number)
> >    Header length: 20 bytes
> >    Flags: 0x18 (PSH, ACK)
> >        0... .... = Congestion Window Reduced (CWR): Not set
> >        .0.. .... = ECN-Echo: Not set
> >        ..0. .... = Urgent: Not set
> >        ...1 .... = Acknowledgement: Set
> >        .... 1... = Push: Set
> >        .... .0.. = Reset: Not set
> >        .... ..0. = Syn: Not set
> >        .... ...0 = Fin: Not set
> >    Window size: 65535
> >    Checksum: 0x3d81 [correct]
> >        [Good Checksum: True]
> >        [Bad Checksum: False]
> >    [SEQ/ACK analysis]
> >        [Number of bytes in flight: 148]
> >    [Timestamps]
> >        [Time since first frame in this TCP stream: 0.260313000 seconds]
> >        [Time since previous frame in this TCP stream: 0.000455000 seconds]
> > Tabular Data Stream
> >    Type: TDS7/8 Login Packet (0x10)
> >    Status: Last buffer in request or response (1)
> >    Size: 148
> >    Channel: 0
> >    Packet Number: 1
> >    Window: 0
> >    TDS7 Login Packet
> >        Login Packet Header
> >            Total Packet Length: 140
> >            TDS version: 0x01000071
> >            Packet Size: 0
> >            Client version: 7
> >            Client PID: 6608
> >            Connection ID: 0
> >            Option Flags 1: 0xe0
> >            Option Flags 2: 0x03
> >            SQL Type Flags: 0x00
> >            Reserved Flags: 0x00
> >            Time Zone: 0x20feffff
> >            Collation: 0x04080000
> >        Lengths and offsets
> >            Client Name offset: 86
> >            Client Name length: 6
> >            Username offset: 98
> >            Username length: 2
> >            Password offset: 102
> >            Password length: 1
> >            App Name offset: 104
> >            App Name length: 0
> >            Server Name offset: 104
> >            Server Name length: 14
> >            Unknown1 offset: 0
> >            Unknown1 length: 0
> >            Library Name offset: 132
> >            Library Name length: 4
> >            Locale offset: 140
> >            Locale length: 0
> >            Database Name offset: 140
> >            Database Name length: 0
> >        Client Name: DWDW4D
> >        Username: sa
> >        Password: a
> >        Server Name: xx.xx.xx.122
> >        Library Name: ODBC
> >
> > 0000  00 14 bf 52 fe 40 00 d0 2b 77 75 01 08 00 45 20   ...R.@..+wu...E
> > 0010  00 bc 1e 56 40 00 6c 06 xx xx 79 0b 50 ce xx xx   ...V ()  l xxy P xx
> > 0020  xx 7a 08 2b 05 99 a4 51 cc 4d b1 be 2b 43 50 18   xz.+...Q.M..+CP.
> > 0030  ff ff 3d 81 00 00 10 01 00 94 00 00 01 00 8c 00   ..=.............
> > 0040  00 00 01 00 00 71 00 00 00 00 00 00 00 07 d0 19   .....q..........
> > 0050  00 00 00 00 00 00 e0 03 00 00 20 fe ff ff 04 08   .......... .....
> > 0060  00 00 56 00 06 00 62 00 02 00 66 00 01 00 68 00   ..V...b...f...h.
> > 0070  00 00 68 00 0e 00 00 00 00 00 84 00 04 00 8c 00   ..h.............
> > 0080  00 00 8c 00 00 00 00 1c 25 5b 6f ff 00 00 00 00   ........%[o.....
> > 0090  8c 00 00 00 44 00 57 00 44 00 57 00 34 00 44 00   ....D.W.D.W.4.D.
> > 00a0  73 00 61 00 b3 a5 xx 00 xx 00 xx 00 xx 00 xx 00   s.a...x.x.x.x.x.
> > 00b0  xx 00 xx 00 xx 00 xx 00 xx 00 2e 00 31 00 32 00   x.x.x.x.x...1.2.
> > 00c0  32 00 4f 00 44 00 42 00 43 00                     2.O.D.B.C.
> >
> > And the rule:
> > alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"SQL SA brute force login attempt TDS
> > v7/8"; flow:to_server,established; content:"|10|"; depth:1; content:"|00 00|"; depth:2; offset:34;
> > content:"|00 00 00 00|"; depth:4; offset:64; pcre:"/^.{12}(\x00|\x01)\x00\x00(\x70|\x71)/smi";
> > byte_jump:2,48,little,from_beginning; content:"s|00|a|00|"; within:4; distance:8; nocase; threshold:type
> > threshold, track by_src, count 5, seconds 2; reference:bugtraq,4797; reference:cve,2000-1209;
> > reference:nessus,10673; classtype:suspicious-login; sid:3543; rev:4;)
> >
> > enjoy!
> >
> > B.
> >
> > Circa 16:22, 1 Dec 2009, a note, claiming source Alex Kirk <akirk () sourcefire com>, was sent to me:
> >
> > Date sent:      Tue, 1 Dec 2009 16:22:04 -0500
> > Subject:        Re: [Snort-sigs] MSSQL False Neg
> > From:   Alex Kirk <akirk () sourcefire com>
> > To:     bschnzl () cotse net
> > Copies to:      snort-sigs () lists sourceforge net
> >
> > > Can you please send a PCAP? Having one would make debugging this much
> > > easier.
> > >
> > > On Tue, Dec 1, 2009 at 3:34 PM, Bill Scherr IV <bschnzl () cotse net> wrote:
> > >
> > > > Folks...
> > > >
> > > >   Snort has a sig that should fire on these packets (IMHO).  The packet
> > > > indicates the distance of the
> > > > username (offset 0x0066) from the TDS Login data of the packet (beginning
> > > > at offset 0x003e).  There
> > > > are lots of length indicators, but they all start from 0x003e.  The
> > > > byte_jump starts from the beginning of
> > > > data (offset 0x0036), if I read right.  I am thinking
> > > > /content:"s|00|a|00|"; within:8; distance:8;/
> > > >
> > > >   I am using the reference @ http://www.freetds.org/tds.html#login7
> > > >
> > > >   The threshold was met, several times over, but nothing fired!  Am I on
> > > > track here?
> > > >
> > > > -------  Data  -------
> >
> > {snip}
> >
> >
> > Bill Scherr IV, GSEC, GCIA
> > Principal Security Engineer
> > EWA Information and Infrastructure Technologies
> > bscherr () iit-tek com
> > bscherr () ewa com
> > 703-478-7608
> >
> >
> > ------------------------------------------------------------------------------
> > Join us December 9, 2009 for the Red Hat Virtual Experience,
> > a free event focused on virtualization and cloud computing.
> > Attend in-depth sessions from your desk. Your couch. Anywhere.
> > http://p.sf.net/sfu/redhat-sfdev2dev
> > _______________________________________________
> > Snort-sigs mailing list
> > Snort-sigs () lists sourceforge net
> > https://lists.sourceforge.net/lists/listinfo/snort-sigs
>
>
> If you use snort -O you can obfuscate the addresses, and I think Alex
> probably meant "send me a pcap" as opposed to the list.
>
> --
> Nigel Houghton
> Head Mentalist
> SF VRT
> http://vrt-sourcefire.blogspot.com && http://www.snort.org/vrt/
>
> ------------------------------------------------------------------------------
> Join us December 9, 2009 for the Red Hat Virtual Experience,
> a free event focused on virtualization and cloud computing.
> Attend in-depth sessions from your desk. Your couch. Anywhere.
> http://p.sf.net/sfu/redhat-sfdev2dev
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs () lists sourceforge net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs

------------------------------------------------------------------------------
Join us December 9, 2009 for the Red Hat Virtual Experience,
a free event focused on virtualization and cloud computing. 
Attend in-depth sessions from your desk. Your couch. Anywhere.
http://p.sf.net/sfu/redhat-sfdev2dev
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs