Snort mailing list archives

Re: Hello,


From: Rodrigo Borges Pereira <rodrigoborgespereira () gmail com>
Date: Fri, 22 Jul 2016 17:43:29 +0000

Hi Joel,

Of course, I can give more details.

I'm attempting to match exact filename on SMB2 0x05 Create Requests. I'm
able to use byte-jumps in order to get to the beginning of the filename
buffer. Then I can search from there. However, due to the way SMB2
packets are sometimes constructed, it's getting very difficult to achieve 100%
accuracy, and in some cases I'm losing positives.

Here's the current rule. For example, this one tries to match a filename
just named "x", either in the root dir or inside a sub-dir.

content: "|FE|SMB"; offset: 4; content: "|00 05|"; distance: 7; within: 2;
byte_jump: 2, 8, from_beginning, little, post_offset +48; byte_jump: 2, 0,
from_beginning, little, post_offset +4; content: "|00|"; distance: -1;
pcre:
"/^\x00(\x00x\x00|.*\x5c\x00x\x00)(\x00){0,8}\x28\x00\x00\x00\x10\x00\x04/R";

This works most of the time, because usually, after the filename buffer,
you have an 8-byte 00 padding until |28 00 00 00 10 00 04|

In some cases though, there are some different bytes in that padding, and I
couldn't find any information about that. When that happens, the rule does
not match. Here's a printout of two example packets:

UNDETECTED POSITIVE

0000   00 00 00 c0 fe 53 4d 42 40 00 01 00 00 00 00 00  .....SMB@.......
0010   05 00 01 00 00 00 00 00 00 00 00 00 3f 07 00 00  ............?...
0020   00 00 00 00 ff fe 00 00 d0 0d 81 18 b0 bd ba 2a  ...............*
0030   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0040   00 00 00 00 39 00 00 00 02 00 00 00 00 00 00 00  ....9...........
0050   00 00 00 00 00 00 00 00 00 00 00 00 80 00 01 00  ................
0060   00 00 00 00 04 00 00 00 01 00 00 00 40 10 00 00  ............@...
0070   78 00 02 00 80 00 00 00 40 00 00 00 78 00 9e 6f  x.......@...x..o
0080   23 e4 d1 01 28 00 00 00 10 00 04 00 00 00 18 00  #...(...........
0090   10 00 00 00 44 48 6e 51 00 00 00 00 00 00 00 00  ....DHnQ........
00a0   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00b0   10 00 04 00 00 00 18 00 00 00 00 00 4d 78 41 63  ............MxAc
00c0   00 00 00 00                                      ....

0000   00 00 00 d8 fe 53 4d 42 40 00 01 00 00 00 00 00  .....SMB@.......
0010   05 00 01 00 00 00 00 00 00 00 00 00 3f 00 00 00  ............?...
0020   00 00 00 00 ff fe 00 00 df 9e 28 43 d8 19 30 16  ..........(C..0.
0030   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0040   00 00 00 00 39 00 00 09 02 00 00 00 00 00 00 00  ....9...........
0050   00 00 00 00 00 00 00 00 00 00 00 00 9f 01 17 00  ................
0060   20 00 00 00 00 00 00 00 02 00 00 00 44 00 00 00   ...........D...
0070   78 00 02 00 80 00 00 00 58 00 00 00 78 00 00 00  x.......X...x...
0080   00 00 00 00 28 00 00 00 10 00 04 00 00 00 18 00  ....(...........
0090   10 00 00 00 44 48 6e 51 00 00 00 00 00 00 00 00  ....DHnQ........
00a0   00 00 00 00 00 00 00 00 00 00 00 00 18 00 00 00  ................
00b0   10 00 04 00 00 00 18 00 00 00 00 00 4d 78 41 63  ............MxAc
00c0   00 00 00 00 00 00 00 00 10 00 04 00 00 00 18 00  ................
00d0   00 00 00 00 51 46 69 64 00 00 00 00              ....QFid....

Thanks!!

On Fri, Jul 22, 2016 at 6:26 PM Joel Esler (jesler) <jesler () cisco com>
wrote:

You can't use a variable from a byte_extract within a pcre. We can
probably help you with what you are trying to do, if you have a pcap and
describe the problem.

--
Joel Esler
iPhone

On Jul 22, 2016, at 1:24 PM, Rodrigo Borges Pereira <
rodrigoborgespereira () gmail com> wrote:

Is there a way to limit the depth of a pcre search? I can use byte_extract
to get the length of a variable buffer to which the pcre expression should
apply, but there doesn't seem to be an option to do this.

Appreciate any hints.

Rgds.


------------------------------------------------------------------------------
What NetFlow Analyzer can do for you? Monitors network bandwidth and
traffic
patterns at an interface-level. Reveals which users, apps, and protocols
are
consuming the most bandwidth. Provides multi-vendor support for NetFlow,
J-Flow, sFlow and other flows. Make informed decisions using capacity
planning
reports.http://sdm.link/zohodev2dev

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest
Snort news!
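As an added example (not part of the mail thread, not Snort code), here is a Python parser run over the two packets printed above. It reads the CREATE request the way MS-SMB2 lays it out: NameOffset/NameLength locate the filename and CreateContextsOffset locates the |28 00 00 00 10 00 04| context header, so the bytes in between are inspected rather than assumed to be NUL. It also mirrors the trailing part of the posted pcre to show which packet that assumption loses. Layout offsets are from the SMB2 specification; the packet bytes are the dumps from the mail.

```python
import re
import struct

# The two CREATE requests dumped in the mail above (ASCII column dropped):
# first the "UNDETECTED POSITIVE", then the one the posted rule does catch.
UNDETECTED = bytes.fromhex(
    "000000c0fe534d4240000100000000000500010000000000000000003f070000"
    "00000000fffe0000d00d8118b0bdba2a00000000000000000000000000000000"
    "0000000039000000020000000000000000000000000000000000000080000100"
    "0000000004000000010000004010000078000200800000004000000078009e6f"
    "23e4d1012800000010000400000018001000000044486e510000000000000000"
    "000000000000000000000000000000001000040000001800000000004d784163"
    "00000000")
DETECTED = bytes.fromhex(
    "000000d8fe534d4240000100000000000500010000000000000000003f000000"
    "00000000fffe0000df9e2843d819301600000000000000000000000000000000"
    "000000003900000902000000000000000000000000000000000000009f011700"
    "2000000000000000020000004400000078000200800000005800000078000000"
    "000000002800000010000400000018001000000044486e510000000000000000"
    "000000000000000000000000180000001000040000001800000000004d784163"
    "00000000000000001000040000001800000000005146696400000000")

def parse_create(pkt, base=4):
    """Locate name and create contexts through the body's length fields (all
    offsets are relative to the SMB2 header at `base`), never via padding."""
    cmd = struct.unpack_from("<H", pkt, base + 12)[0]
    if pkt[base:base + 4] != b"\xfeSMB" or cmd != 0x05:   # 0x05 = SMB2 CREATE
        raise ValueError("not an SMB2 CREATE request")
    # NameOffset, NameLength, CreateContextsOffset/Length: body offsets 44..55
    name_off, name_len, ctx_off, ctx_len = struct.unpack_from("<HHII", pkt, base + 108)
    name = pkt[base + name_off:base + name_off + name_len].decode("utf-16-le")
    gap = pkt[base + name_off + name_len:base + ctx_off]  # bytes the rule assumes are NUL
    contexts, pos = [], base + ctx_off
    while ctx_len:                        # walk the Next-linked create-context chain
        nxt, n_off, n_len = struct.unpack_from("<IHH", pkt, pos)
        contexts.append(pkt[pos + n_off:pos + n_off + n_len].decode())
        if nxt == 0:
            break
        pos += nxt
    return {"name": name, "gap": gap, "contexts": contexts}

# Tail of the posted pcre: the name, at most 8 NULs, then |28 00 00 00 10 00 04|.
RULE_TAIL = re.compile(rb"x\x00(?:\x00){0,8}\x28\x00\x00\x00\x10\x00\x04")

def rule_tail_matches(pkt):
    return RULE_TAIL.search(pkt) is not None

def filename_is(pkt, wanted):
    name = parse_create(pkt)["name"]
    return name == wanted or name.endswith("\\" + wanted)  # root dir or any sub-dir
```

On the undetected packet the gap between the name and the first create context is 9e 6f 23 e4 d1 01 rather than NULs, which is exactly where the (\x00){0,8} part of the pcre gives up. A check that bounds the name by NameLength (byte_extract/byte_test on those header fields) instead of looking past it does not depend on that padding.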
