Bug #92

closed

dce_stub_data does not respect pcre and content keywords associated with it

Added by Will Metcalf about 14 years ago. Updated over 13 years ago.

Status:
Closed
Priority:
Normal
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

In snort dce_iface is a valid previous content match for distance/within/isdataat/pcre with relative modifier etc. but our engine doesn't allow this.

^^ Correcting the initial problem statement

dce_stub_data should be associated with pcre or content keywords that are defined right after it (need to confirm this once again).


Files

rpcoversmbtraffic.pcap (20 KB) rpcoversmbtraffic.pcap rpc over smb pcap used for testing Will Metcalf, 06/21/2010 01:16 PM

Actions #1

Updated by Victor Julien about 14 years ago

How is it supposed to work?

Actions #2

Updated by Will Metcalf about 14 years ago

For examples see sids 12489,12307,11442,3591

Actions #3

Updated by Anoop Saldanha about 14 years ago

Will Metcalf wrote:

For examples see sids 12489,12307,11442,3591

where are these sigs - 12489, 12307, 11442, 3591?

Actions #4

Updated by Victor Julien about 14 years ago

  • Due date deleted (02/17/2010)
  • Target version changed from 0.8.1 to 1.0.0

They are part of the VRT ruleset, we can't post them here.

I'm reassigning this to target version 1.0.

Actions #5

Updated by Anoop Saldanha about 14 years ago

  • Subject changed from dce_iface is not considered a valid previous content match for within/distance/isdataat pcre /R etc to dce_stub_data does not respect pcre and content keywords associated with it
  • Assignee changed from OISF Dev to Anoop Saldanha

Actions #6

Updated by Victor Julien almost 14 years ago

  • Due date set to 06/11/2010
  • Assignee changed from Anoop Saldanha to Victor Julien
  • Target version changed from 1.0.0 to 0.9.2
  • Estimated time changed from 2.50 h to 0.00 h

Will be part of a task.

Actions #7

Updated by Victor Julien almost 14 years ago

  • Status changed from New to Closed
  • % Done changed from 0 to 100

Patch is applied, thanks Gerardo.

Actions #8

Updated by Victor Julien almost 14 years ago

  • Status changed from Closed to Assigned
  • % Done changed from 100 to 0

Argh, wrong ticket :) Reopening

Actions #9

Updated by Victor Julien almost 14 years ago

  • Assignee changed from Victor Julien to Anoop Saldanha

Assigned as part of a task.

Actions #10

Updated by Victor Julien almost 14 years ago

  • % Done changed from 0 to 100

Patches applied.

Actions #11

Updated by Victor Julien almost 14 years ago

  • Status changed from Assigned to Closed

Actions #12

Updated by Will Metcalf almost 14 years ago

  • Due date changed from 06/11/2010 to 06/23/2010
  • Status changed from Closed to Assigned

Reopening this ticket. The current behavior of suricata when dealing with dce/rpc, according to Anoop, is the following...

"whether it contains dce_stub_data or not, if the the signature contains any of the dce keywords -> dce_stub_iface, dce_opnum or dce_stub_data, then all the content based matches are on only on the stub data."

This behavior is incorrect. dce_stub_data in snort simply moves the doe_ptr to the start of the stub data. Matches can then be relative to this. Let's take a look at a couple of examples.

In snort this rule fires. Here we are matching on SMB in the first 8 bytes of the packet payload and then we are matching on parsed dce_iface and dce_opnum. We then move doe_ptr to the start of dce_stub_data and make sure that our match "|6f 3a 63 b0 07 00 00 00 00 00 00 00 07 00 00 00 72 00 77 00 61 00 4f 00 45 00 66 00 00 00 00 00|" can be found in the first 32 bytes of the stub_data. If the within modifier is removed from the content match then we should try to match on these bytes anywhere in the stub data or the rest of the payload.

#file rpcoversmbtraffic.pcap
alert tcp any any -> any 445 (msg:"dce_stub_data over smb distance"; content:"SMB"; depth:8; dce_iface:4b324fc8-1670-01d3-1278-5a47bf6ee188; dce_opnum:28; dce_stub_data; content:"|6f 3a 63 b0 07 00 00 00 00 00 00 00 07 00 00 00 72 00 77 00 61 00 4f 00 45 00 66 00 00 00 00 00|"; within:32; classtype:bad-unknown; sid:56; rev:1;)

More examples... All of these signatures should load and fire. Interesting that sid:123 loads but does not fire; this should be looked into as well, as I would think that it should be rejected with the others.

alert tcp any any -> any 445 (msg:"dce_stub_data over smb distance"; content:"SMB"; depth:8; dce_iface:4b324fc8-1670-01d3-1278-5a47bf6ee188; dce_opnum:28; dce_stub_data; content:"|00 00 00 00 00 07 00 00 00 72 00 77 00 61 00 4f 00 45 00 66 00 00 00 00 00|"; distance:7; within:25; classtype:bad-unknown; sid:44; rev:1;)

alert tcp any any -> any 445 (msg:"dce_opnum over smb with depth"; content:"SMB"; dce_iface:4b324fc8-1670-01d3-1278-5a47bf6ee188; dce_opnum:28; dce_stub_data; isdataat:31,relative; ;classtype:bad-unknown; sid:113; rev:1;)

alert tcp any any -> any 445 (msg:"dce_opnum over smb with depth"; dce_stub_data; pcre:"/^\x6f\x3a\x63\xb0\x07\x00\x00\x00\x00\x00\x00\x00\x07\x00\x00\x00\x72\x00\x77\x00\x61\x00\x4f\x00\x45\x00\x66\x00\x00\x00\x00\x00/smR"; classtype:bad-unknown; sid:123; rev:1;)

alert tcp any any -> any 445 (msg:"dce_stub_data + byte_test + relative"; dce_stub_data; byte_test:2,=,28474,0,relative; classtype:bad-unknown; sid:131; rev:1;)

alert tcp any any -> any 445 (msg:"dce_iface over smb with byte_test + relative"; dce_iface:4b324fc8-1670-01d3-1278-5a47bf6ee188; dce_opnum:28; dce_stub_data; byte_jump:1,4,relative; content:"|07 00 00 00|"; within:4; sid:139; rev:1;)

Suricata output....
[10869] 21/6/2010 -- 14:14:03 - (detect-within.c:220) <Error> (DetectWithinSetup) -- [ERRCODE: SC_ERR_WITHIN_MISSING_CONTENT(103)] - within needs two preceeding content or uricontent options
[10869] 21/6/2010 -- 14:14:03 - (detect.c:301) <Error> (DetectLoadSigFile) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Error parsing signature "alert tcp any any > any 445 (msg:"dce_stub_data over smb distance"; content:"SMB"; depth:8; dce_iface:4b324fc8-1670-01d3-1278-5a47bf6ee188; dce_opnum:28; dce_stub_data; content:"|6f 3a 63 b0 07 00 00 00 00 00 00 00 07 00 00 00 72 00 77 00 61 00 4f 00 45 00 66 00 00 00 00 00|"; within:32; classtype:bad-unknown; sid:56; rev:1;)" from file blah.rules at line 1
[10869] 21/6/2010 -- 14:14:03 - (detect-distance.c:189) <Error> (DetectDistanceSetup) -- [ERRCODE: SC_ERR_DISTANCE_MISSING_CONTENT(102)] - distance needs two preceeding content or uricontent options
[10869] 21/6/2010 -- 14:14:03 - (detect.c:301) <Error> (DetectLoadSigFile) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Error parsing signature "alert tcp any any > any 445 (msg:"dce_stub_data over smb distance"; content:"SMB"; depth:8; dce_iface:4b324fc8-1670-01d3-1278-5a47bf6ee188; dce_opnum:28; dce_stub_data; content:"|00 00 00 00 00 07 00 00 00 72 00 77 00 61 00 4f 00 45 00 66 00 00 00 00 00|"; distance:7; within:25; classtype:bad-unknown; sid:44; rev:1;)" from file blah.rules at line 3
[10869] 21/6/2010 -- 14:14:03 - (detect-isdataat.c:263) <Error> (DetectIsdataatSetup) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - No previous content, the flag 'relative' cant be used without content
[10869] 21/6/2010 -- 14:14:03 - (detect.c:301) <Error> (DetectLoadSigFile) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Error parsing signature "alert tcp any any > any 445 (msg:"dce_opnum over smb with depth"; content:"SMB"; dce_iface:4b324fc8-1670-01d3-1278-5a47bf6ee188; dce_opnum:28; dce_stub_data; isdataat:31,relative; ;classtype:bad-unknown; sid:113; rev:1;)" from file blah.rules at line 5
[10869] 21/6/2010 -- 14:14:03 - (detect-bytetest.c:608) <Error> (DetectBytetestSetup) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - relative bytetest match needs a previous content option
[10869] 21/6/2010 -- 14:14:03 - (detect.c:301) <Error> (DetectLoadSigFile) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Error parsing signature "alert tcp any any > any 445 (msg:"dce_stub_data + byte_test + relative"; dce_stub_data; byte_test:2,=,28474,0,relative; classtype:bad-unknown; sid:131; rev:1;)" from file blah.rules at line 9
[10869] 21/6/2010 -- 14:14:03 - (detect-bytejump.c:590) <Error> (DetectBytejumpSetup) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - relative bytejump match needs a previous content option
[10869] 21/6/2010 -- 14:14:03 - (detect.c:301) <Error> (DetectLoadSigFile) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Error parsing signature "alert tcp any any > any 445 (msg:"dce_iface over smb with byte_test + relative"; dce_iface:4b324fc8-1670-01d3-1278-5a47bf6ee188; dce_opnum:28; dce_stub_data; byte_jump:1,4,relative; content:"|07 00 00 00|"; within:4; sid:139; rev:1;)" from file blah.rules at line 11
[10869] 21/6/2010 -- 14:14:03 - (detect.c:386) <Info> (SigLoadSignatures) -- 71 rule files processed. 1 rules succesfully loaded, 5 rules failed
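The cursor semantics described in the comment above, as an added, self-contained model that is not Suricata or Snort code and is not from the ticket's author. It treats dce_stub_data purely as "move doe_ptr to the start of the stub data" and evaluates the six signatures from the comment two ways: against a whole payload (the correct behaviour, where content:"SMB"; depth:8 still looks at the transport bytes and only the relative modifiers are measured from the stub) and against a buffer that holds only the stub data (the behaviour Anoop described). The payload is constructed here, not taken from the attached pcap: a NetBIOS length prefix, the SMB magic, 40 bytes of filler standing in for the SMB/DCERPC headers, then stub data that begins with the 32 bytes sid:56 expects; the stub offset is assumed to come from a DCERPC parser. The keyword semantics (depth counted from the buffer start, distance/within as a window after the cursor, big-endian byte_test/byte_jump) are deliberately simplified.

```python
import re

# Constructed sample (an assumption; the attached pcap was not used): NetBIOS
# length prefix + "\xffSMB" magic, filler standing in for the SMB and DCERPC
# request headers, then stub data starting with the bytes sid:56 looks for.
RULE_BYTES = bytes.fromhex(
    "6f 3a 63 b0 07 00 00 00 00 00 00 00 07 00 00 00 "
    "72 00 77 00 61 00 4f 00 45 00 66 00 00 00 00 00"
)
SMB_MAGIC = b"\x00\x00\x00\x60\xffSMB"              # NetBIOS length + SMB magic
HEADER_FILLER = b"\x00" * 40                         # hypothetical SMB/DCERPC headers
STUB_DATA = RULE_BYTES + b"\x10\x11"                 # stub data plus a short tail
PAYLOAD = SMB_MAGIC + HEADER_FILLER + STUB_DATA
STUB_OFFSET = len(SMB_MAGIC) + len(HEADER_FILLER)    # what a DCERPC parser would supply


class State:
    """Detection state: the buffer, where the stub starts, and doe_ptr (pos)."""
    def __init__(self, buf, stub_offset):
        self.buf = buf
        self.stub_offset = stub_offset
        self.pos = 0


def dce_stub_data(st):
    """Only moves doe_ptr to the stub start; later keywords still see the whole buffer."""
    st.pos = st.stub_offset
    return True


def content(st, pat, depth=None, distance=None, within=None):
    """content with depth (from buffer start) or distance/within (relative to doe_ptr)."""
    relative = distance is not None or within is not None
    start = st.pos + (distance or 0) if relative else 0
    end = len(st.buf)
    if depth is not None:
        end = min(end, depth)                  # whole pattern inside the first `depth` bytes
    if within is not None:
        end = min(end, start + within)         # whole pattern inside the window after doe_ptr
    idx = st.buf.find(pat, start, end)
    if idx < 0:
        return False
    st.pos = idx + len(pat)                    # doe_ptr now points past the match
    return True


def isdataat(st, n):
    """isdataat:n,relative: a byte exists n bytes past doe_ptr."""
    return len(st.buf) > st.pos + n


def byte_test(st, nbytes, value, offset):
    """byte_test:nbytes,=,value,offset,relative (big-endian is the default)."""
    at = st.pos + offset
    chunk = st.buf[at:at + nbytes]
    return len(chunk) == nbytes and int.from_bytes(chunk, "big") == value


def byte_jump(st, nbytes, offset):
    """byte_jump:nbytes,offset,relative: read a length at doe_ptr+offset and skip past it."""
    at = st.pos + offset
    chunk = st.buf[at:at + nbytes]
    if len(chunk) != nbytes:
        return False
    st.pos = at + nbytes + int.from_bytes(chunk, "big")
    return st.pos <= len(st.buf)


def pcre_relative(st, pattern):
    """pcre:"/.../R": the expression is matched starting at doe_ptr."""
    m = re.compile(pattern, re.DOTALL).match(st.buf[st.pos:])
    if m is None:
        return False
    st.pos += m.end()
    return True


# The signatures from this ticket, reduced to the keywords that touch doe_ptr.
RULES = {
    56: [lambda s: content(s, b"SMB", depth=8), dce_stub_data,
         lambda s: content(s, RULE_BYTES, within=32)],
    44: [lambda s: content(s, b"SMB", depth=8), dce_stub_data,
         lambda s: content(s, RULE_BYTES[7:], distance=7, within=25)],
    113: [lambda s: content(s, b"SMB"), dce_stub_data, lambda s: isdataat(s, 31)],
    123: [dce_stub_data, lambda s: pcre_relative(
        s, rb"^\x6f\x3a\x63\xb0\x07\x00\x00\x00\x00\x00\x00\x00\x07\x00\x00\x00"
           rb"\x72\x00\x77\x00\x61\x00\x4f\x00\x45\x00\x66\x00\x00\x00\x00\x00")],
    131: [dce_stub_data, lambda s: byte_test(s, 2, 28474, 0)],   # 28474 == 0x6f3a
    139: [dce_stub_data, lambda s: byte_jump(s, 1, 4),
          lambda s: content(s, b"\x07\x00\x00\x00", within=4)],
}


def evaluate(rule, buf, stub_offset):
    st = State(buf, stub_offset)
    return all(step(st) for step in rule)


def run_rules(buf=PAYLOAD, stub_offset=STUB_OFFSET):
    """sid -> fired. Pass (STUB_DATA, 0) to model 'every match is on the stub only'."""
    return {sid: evaluate(rule, buf, stub_offset) for sid, rule in RULES.items()}


if __name__ == "__main__":
    print("doe_ptr semantics:", run_rules())
    print("stub-only buffer :", run_rules(STUB_DATA, 0))
```

With the cursor semantics every sid fires on the constructed payload; with the stub-only buffer, sids 56, 44 and 113 cannot fire because "SMB" is not in the stub data, which is the difference the comment is pointing at. The model also makes the parse errors above easy to read: each rejected keyword (within, distance, isdataat relative, byte_test relative, byte_jump relative) only needs a value for doe_ptr, and dce_stub_data provides exactly that.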

Actions #13

Updated by Will Metcalf almost 14 years ago

pcap used for testing

Actions #14

Updated by Victor Julien almost 14 years ago

  • Due date changed from 06/23/2010 to 06/25/2010
  • Target version changed from 0.9.2 to 1.0.0
  • % Done changed from 100 to 70

Actions #15

Updated by Victor Julien over 13 years ago

  • Due date changed from 06/25/2010 to 07/06/2010
  • Target version changed from 1.0.0 to 1.0.1

Retargeting to 1.0.1 as the changes needed are bigger than expected and we ran into DCERPC parsing issues as well.

Actions #16

Updated by Victor Julien over 13 years ago

  • Due date changed from 07/06/2010 to 07/23/2010
  • Status changed from Assigned to Closed
  • % Done changed from 70 to 100
  • Estimated time changed from 0.00 h to 8.00 h

Fixed in current master, thanks Anoop.
