Project

General

Profile

Actions

Bug #1853

closed

suricata is matching everything on dce_stub_data buffer

Added by Pedro Marinho about 5 years ago. Updated about 5 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

Suricata is matching everything on dce_stub_data buffer. I have the pcap if anyone wants to test. Not sre if it is possible to upload a pcap here. So these sigs sets a flowbits to the last sig that i was building to detect an exploit attempt when i found out that everything matches on dce_stub_data buffer.

alert tcp any any -> any [139,445] (msg:"ETPRO NETBIOS Tree Connect AndX Request IPC$ Unicode"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMBu"; within:5; distance:3; content:"| 00 5c 00 69 00 70 00 63 00 24 00 00 00|"; nocase; flowbits:set,smb.tree.connect.ipc; flowbits:noalert; reference:cve,2006-4691; sid:650002952;)

alert tcp any any -> any [139,445] (msg:"ETPRO NETBIOS SMB NT Create AndX Request \\lsarpc"; flow:established,to_server; flowbits:isset,smb.tree.connect.ipc; content:"|FF|SMB|A2|"; byte_test:1,&,128,6,relative; content:"|00|L|00|S|00|A|00|R|00|P|00|C|00|"; fast_pattern; nocase; flowbits:set,smb.tree.create.lsarpc; flowbits:noalert; reference:cve,2006-4688; classtype:protocol-command-decode; sid:116518; rev:5;)

#sig that matches on everything even two bytes on the same offset
alert tcp any any -> any [139,445] (msg:"ETPRO NETBIOS Samba NDR Parsing MS-RPC Request Handling Buffer Overflow (CVE-2007-2446) Two contents same offset cafe"; flow:established,to_server; flowbits:isset,smb.tree.create.lsarpc; dce_iface:12345778-1234-abcd-ef00-0123456789ab,any_frag; dce_opnum:15,19; dce_stub_data; content:"|ca|"; offset:0; depth:1; content:"|fe|"; offset:0; depth:1; reference:cve,2007-2446; classtype:attempted-admin; sid:123033; rev:1;)


Files

2007-2446.BP.pcap (6.67 KB) 2007-2446.BP.pcap Pedro Marinho, 07/27/2016 02:22 PM
Actions #1

Updated by Pedro Marinho about 5 years ago

now hat i saw there is a way of upload a pcap here i am blind

Actions #2

Updated by Andreas Herz about 5 years ago

  • Assignee set to OISF Dev
  • Target version set to TBD
Actions #3

Updated by Victor Julien about 5 years ago

  • Description updated (diff)
Actions #4

Updated by Victor Julien about 5 years ago

  • Status changed from New to Assigned
  • Assignee changed from OISF Dev to Victor Julien
  • Target version changed from TBD to 3.1.2
Actions #5

Updated by Victor Julien about 5 years ago

  • Status changed from Assigned to Closed
Actions

Also available in: Atom PDF