Bug #92
closeddce_stub_data does not respect pcre and content keywords associated with it
Description
In snort dce_iface is a valid previous content match for distance/within/isdataat/pcre with relative modifier etc. but our engine doesn't allow this.
^^ Correcting the initial problem statement
dce_stub_data should be associated with pcre or content keywords that are defined right after it(need to confirm this once again).
Files
Updated by Will Metcalf almost 15 years ago
For examples see sids 12489,12307,11442,3591
Updated by Anoop Saldanha almost 15 years ago
Will Metcalf wrote:
For examples see sids 12489,12307,11442,3591
where are these sigs - 12489, 12307, 11442, 3591?
Updated by Victor Julien almost 15 years ago
- Due date deleted (
02/17/2010) - Target version changed from 0.8.1 to 1.0.0
They are part of the VRT ruleset, we can't post them here.
I'm reassigning this to target version 1.0.
Updated by Anoop Saldanha almost 15 years ago
- Subject changed from dce_iface is not considered a valid previous content match for within/distance/isdataat pcre /R etc to dce_stub_data does not respect pcre and content keywords associated with it
- Assignee changed from OISF Dev to Anoop Saldanha
Updated by Victor Julien over 14 years ago
- Due date set to 06/11/2010
- Assignee changed from Anoop Saldanha to Victor Julien
- Target version changed from 1.0.0 to 0.9.2
- Estimated time changed from 2.50 h to 0.00 h
Will be part of a task.
Updated by Victor Julien over 14 years ago
- Status changed from New to Closed
- % Done changed from 0 to 100
Patch is applied, thanks Gerardo.
Updated by Victor Julien over 14 years ago
- Status changed from Closed to Assigned
- % Done changed from 100 to 0
Argh, wrong ticket :) Reopening
Updated by Victor Julien over 14 years ago
- Assignee changed from Victor Julien to Anoop Saldanha
Assigned as part of a task.
Updated by Victor Julien over 14 years ago
- Status changed from Assigned to Closed
Updated by Will Metcalf over 14 years ago
- Due date changed from 06/11/2010 to 06/23/2010
- Status changed from Closed to Assigned
reopening this ticket. The current behavior of suricata when dealing with dce/rpc according to Anoop is the following...
"whether it contains dce_stub_data or not, if the the signature contains any of the dce keywords -> dce_stub_iface, dce_opnum or dce_stub_data, then all the content based matches are on only on the stub data."
This behavior is incorrect. dce_stub_data in snort simply moves the doe_ptr to the start of the stub data. Matches can then be relative to this. Lets take a look at a couple of examples.
In snort this rule fires. Here we are matching on SMB in the first 8 bytes of the packet payload and then we are matching on parsed dce_iface and dce_opnum. We then move doe_ptr to the start of dce_stub_data and make sure that our match "|6f 3a 63 b0 07 00 00 00 00 00 00 00 07 00 00 00 72 00 77 00 61 00 4f 00 45 00 66 00 00 00 00 00|" can be found in the first 32 bytes of the stub_data. If the within modifer is removed from the content match then we should try to match on these bytes anywhere in the stub data or the rest of the payload.
#file rpcoversmbtraffic.pcap
alert tcp any any -> any 445 (msg:"dce_stub_data over smb distance"; content:"SMB"; depth:8; dce_iface:4b324fc8-1670-01d3-1278-5a47bf6ee188; dce_opnum:28; dce_stub_data; content:"|6f 3a 63 b0 07 00 00 00 00 00 00 00 07 00 00 00 72 00 77 00 61 00 4f 00 45 00 66 00 00 00 00 00|"; within:32; classtype:bad-unknown; sid:56; rev:1;)
More examples... All of these signatures should load and fire interesting that sid:123 loads but does not fire, this should be looked into as well as I would think that it should be rejected with the others.
alert tcp any any -> any 445 (msg:"dce_stub_data over smb distance"; content:"SMB"; depth:8; dce_iface:4b324fc8-1670-01d3-1278-5a47bf6ee188; dce_opnum:28; dce_stub_data; content:"|00 00 00 00 00 07 00 00 00 72 00 77 00 61 00 4f 00 45 00 66 00 00 00 00 00|"; distance:7; within:25; classtype:bad-unknown; sid:44; rev:1;)
alert tcp any any -> any 445 (msg:"dce_opnum over smb with depth"; content:"SMB"; dce_iface:4b324fc8-1670-01d3-1278-5a47bf6ee188; dce_opnum:28; dce_stub_data; isdataat:31,relative; ;classtype:bad-unknown; sid:113; rev:1;)
alert tcp any any -> any 445 (msg:"dce_opnum over smb with depth"; dce_stub_data; pcre:"/^\x6f\x3a\x63\xb0\x07\x00\x00\x00\x00\x00\x00\x00\x07\x00\x00\x00\x72\x00\x77\x00\x61\x00\x4f\x00\x45\x00\x66\x00\x00\x00\x00\x00/smR"; classtype:bad-unknown; sid:123; rev:1;)
alert tcp any any -> any 445 (msg:"dce_stub_data + byte_test + relative"; dce_stub_data; byte_test:2,=,28474,0,relative; classtype:bad-unknown; sid:131; rev:1;)
alert tcp any any -> any 445 (msg:"dce_iface over smb with byte_test + relative"; dce_iface:4b324fc8-1670-01d3-1278-5a47bf6ee188; dce_opnum:28; dce_stub_data; byte_jump:1,4,relative; content:"|07 00 00 00|"; within:4; sid:139; rev:1;)
Suricata output....
[10869] 21/6/2010 -- 14:14:03 - (detect-within.c:220) <Error> (DetectWithinSetup) -- [ERRCODE: SC_ERR_WITHIN_MISSING_CONTENT(103)] - within needs two preceeding content or uricontent options
[10869] 21/6/2010 -- 14:14:03 - (detect.c:301) <Error> (DetectLoadSigFile) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Error parsing signature "alert tcp any any > any 445 (msg:"dce_stub_data over smb distance"; content:"SMB"; depth:8; dce_iface:4b324fc8-1670-01d3-1278-5a47bf6ee188; dce_opnum:28; dce_stub_data; content:"|6f 3a 63 b0 07 00 00 00 00 00 00 00 07 00 00 00 72 00 77 00 61 00 4f 00 45 00 66 00 00 00 00 00|"; within:32; classtype:bad-unknown; sid:56; rev:1;)" from file blah.rules at line 1 14:14:03 - (detect-distance.c:189) <Error> (DetectDistanceSetup) -- [ERRCODE: SC_ERR_DISTANCE_MISSING_CONTENT(102)] - distance needs two preceeding content or uricontent options
[10869] 21/6/2010 -
[10869] 21/6/2010 -- 14:14:03 - (detect.c:301) <Error> (DetectLoadSigFile) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Error parsing signature "alert tcp any any > any 445 (msg:"dce_stub_data over smb distance"; content:"SMB"; depth:8; dce_iface:4b324fc8-1670-01d3-1278-5a47bf6ee188; dce_opnum:28; dce_stub_data; content:"|00 00 00 00 00 07 00 00 00 72 00 77 00 61 00 4f 00 45 00 66 00 00 00 00 00|"; distance:7; within:25; classtype:bad-unknown; sid:44; rev:1;)" from file blah.rules at line 3 14:14:03 - (detect-isdataat.c:263) <Error> (DetectIsdataatSetup) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - No previous content, the flag 'relative' cant be used without content
[10869] 21/6/2010 -
[10869] 21/6/2010 -- 14:14:03 - (detect.c:301) <Error> (DetectLoadSigFile) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Error parsing signature "alert tcp any any > any 445 (msg:"dce_opnum over smb with depth"; content:"SMB"; dce_iface:4b324fc8-1670-01d3-1278-5a47bf6ee188; dce_opnum:28; dce_stub_data; isdataat:31,relative; ;classtype:bad-unknown; sid:113; rev:1;)" from file blah.rules at line 5 14:14:03 - (detect-bytetest.c:608) <Error> (DetectBytetestSetup) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - relative bytetest match needs a previous content option
[10869] 21/6/2010 -
[10869] 21/6/2010 -- 14:14:03 - (detect.c:301) <Error> (DetectLoadSigFile) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Error parsing signature "alert tcp any any > any 445 (msg:"dce_stub_data + byte_test + relative"; dce_stub_data; byte_test:2,=,28474,0,relative; classtype:bad-unknown; sid:131; rev:1;)" from file blah.rules at line 9 14:14:03 - (detect-bytejump.c:590) <Error> (DetectBytejumpSetup) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - relative bytejump match needs a previous content option
[10869] 21/6/2010 -
[10869] 21/6/2010 -- 14:14:03 - (detect.c:301) <Error> (DetectLoadSigFile) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Error parsing signature "alert tcp any any > any 445 (msg:"dce_iface over smb with byte_test + relative"; dce_iface:4b324fc8-1670-01d3-1278-5a47bf6ee188; dce_opnum:28; dce_stub_data; byte_jump:1,4,relative; content:"|07 00 00 00|"; within:4; sid:139; rev:1;)" from file blah.rules at line 11 14:14:03 - (detect.c:386) <Info> (SigLoadSignatures) -- 71 rule files processed. 1 rules succesfully loaded, 5 rules failed
[10869] 21/6/2010 -
Updated by Will Metcalf over 14 years ago
- File rpcoversmbtraffic.pcap rpcoversmbtraffic.pcap added
pcap used for testing
Updated by Victor Julien over 14 years ago
- Due date changed from 06/23/2010 to 06/25/2010
- Target version changed from 0.9.2 to 1.0.0
- % Done changed from 100 to 70
Updated by Victor Julien over 14 years ago
- Due date changed from 06/25/2010 to 07/06/2010
- Target version changed from 1.0.0 to 1.0.1
Retargeting to 1.0.1 as the changes needed are bigger than expected and we ran into DCERPC parsing issues as well.
Updated by Victor Julien over 14 years ago
- Due date changed from 07/06/2010 to 07/23/2010
- Status changed from Assigned to Closed
- % Done changed from 70 to 100
- Estimated time changed from 0.00 h to 8.00 h
Fixed in current master, thanks Anoop.