Bug #1853
Closed
suricata is matching everything on dce_stub_data buffer
Description
Suricata is matching everything on the dce_stub_data buffer. I have the pcap if anyone wants to test. Not sure if it is possible to upload a pcap here. So these sigs set a flowbit for the last sig, which I was building to detect an exploit attempt when I found out that everything matches on the dce_stub_data buffer.
alert tcp any any -> any [139,445] (msg:"ETPRO NETBIOS Tree Connect AndX Request IPC$ Unicode"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMBu"; within:5; distance:3; content:"| 00 5c 00 69 00 70 00 63 00 24 00 00 00|"; nocase; flowbits:set,smb.tree.connect.ipc; flowbits:noalert; reference:cve,2006-4691; sid:650002952;)

alert tcp any any -> any [139,445] (msg:"ETPRO NETBIOS SMB NT Create AndX Request \\lsarpc"; flow:established,to_server; flowbits:isset,smb.tree.connect.ipc; content:"|FF|SMB|A2|"; byte_test:1,&,128,6,relative; content:"|00|L|00|S|00|A|00|R|00|P|00|C|00|"; fast_pattern; nocase; flowbits:set,smb.tree.create.lsarpc; flowbits:noalert; reference:cve,2006-4688; classtype:protocol-command-decode; sid:116518; rev:5;)

#sig that matches on everything even two bytes on the same offset
alert tcp any any -> any [139,445] (msg:"ETPRO NETBIOS Samba NDR Parsing MS-RPC Request Handling Buffer Overflow (CVE-2007-2446) Two contents same offset cafe"; flow:established,to_server; flowbits:isset,smb.tree.create.lsarpc; dce_iface:12345778-1234-abcd-ef00-0123456789ab,any_frag; dce_opnum:15,19; dce_stub_data; content:"|ca|"; offset:0; depth:1; content:"|fe|"; offset:0; depth:1; reference:cve,2007-2446; classtype:attempted-admin; sid:123033; rev:1;)
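The third signature asks for two different bytes at offset 0 of the stub data, so under normal offset/depth semantics no buffer can satisfy it. The Python below is an added illustration, not part of the original report and not Suricata's code: a simplified model of offset/depth matching that flags such a rule and checks it against sample buffers. The function names and stub bytes are constructed, and depth is assumed to be counted from offset.

```python
import re

# Simplified model of absolute content modifiers (offset/depth only).
# Assumption: depth is counted from offset; this is not Suricata's code.
CONTENT_RE = re.compile(r'content:"([^"]*)";((?:\s*(?:offset|depth):\d+;)*)')

def decode_pattern(text):
    """Turn a rule content string with |hex| sections into bytes."""
    out = bytearray()
    for i, part in enumerate(text.split("|")):
        # Odd-numbered parts sit between pipes and hold hex bytes.
        out += bytes.fromhex(part.replace(" ", "")) if i % 2 else part.encode("latin-1")
    return bytes(out)

def parse_contents(fragment):
    """Return [(pattern, offset, depth or None)] for each content keyword."""
    contents = []
    for m in CONTENT_RE.finditer(fragment):
        mods = {k: int(v) for k, v in re.findall(r"(offset|depth):(\d+);", m.group(2))}
        contents.append((decode_pattern(m.group(1)), mods.get("offset", 0), mods.get("depth")))
    return contents

def buffer_matches(buf, contents):
    """Every content must occur wholly inside buf[offset:offset+depth]."""
    for pattern, offset, depth in contents:
        end = len(buf) if depth is None else offset + depth
        if pattern not in buf[offset:end]:
            return False
    return True

def pinned_conflict(contents):
    """Return the first position where two pinned contents demand different bytes.

    A content is pinned when depth equals its length: it can only sit at offset.
    """
    required = {}
    for pattern, offset, depth in contents:
        if depth != len(pattern):
            continue  # pattern can float inside its window
        for i, byte in enumerate(pattern):
            if required.setdefault(offset + i, byte) != byte:
                return offset + i
    return None

# Stub-data portion of the third signature in the report.
STUB_RULE = 'dce_stub_data; content:"|ca|"; offset:0; depth:1; content:"|fe|"; offset:0; depth:1;'
# Constructed stub buffers, not taken from the pcap.
SAMPLE_STUBS = [b"\xca\xfe\x00\x00", b"\xfe\xca", b"\xca", b"\x00" * 8, b""]

if __name__ == "__main__":
    contents = parse_contents(STUB_RULE)
    print("conflict at byte:", pinned_conflict(contents))
    print("stubs matched:", [s.hex() for s in SAMPLE_STUBS if buffer_matches(s, contents)])
```

A rule for which `pinned_conflict` reports a position should never alert, which makes it usable as a regression check for buffer-handling bugs of this kind.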
Files
Updated by Pedro Marinho over 8 years ago
- File 2007-2446.BP.pcap added
Now that I saw there is a way to upload a pcap here, I am blind.
Updated by Andreas Herz over 8 years ago
- Assignee set to OISF Dev
- Target version set to TBD
Updated by Victor Julien over 8 years ago
- Status changed from New to Assigned
- Assignee changed from OISF Dev to Victor Julien
- Target version changed from TBD to 3.1.2
Updated by Victor Julien over 8 years ago
- Status changed from Assigned to Closed