Bug #1853
Updated by Victor Julien about 8 years ago
Suricata is matching everything on the dce_stub_data buffer. I have the pcap if anyone wants to test. Not sure if it is possible to upload a pcap here. So these sigs set a flowbit for the last sig that I was building to detect an exploit attempt, when I found out that everything matches on the dce_stub_data buffer.

<pre>
alert tcp any any -> any [139,445] (msg:"ETPRO NETBIOS Tree Connect AndX Request IPC$ Unicode"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMBu"; within:5; distance:3; content:"| 00 5c 00 69 00 70 00 63 00 24 00 00 00|"; nocase; flowbits:set,smb.tree.connect.ipc; flowbits:noalert; reference:cve,2006-4691; sid:650002952;)

alert tcp any any -> any [139,445] (msg:"ETPRO NETBIOS SMB NT Create AndX Request \\lsarpc"; flow:established,to_server; flowbits:isset,smb.tree.connect.ipc; content:"|FF|SMB|A2|"; byte_test:1,&,128,6,relative; content:"|00|L|00|S|00|A|00|R|00|P|00|C|00|"; fast_pattern; nocase; flowbits:set,smb.tree.create.lsarpc; flowbits:noalert; reference:cve,2006-4688; classtype:protocol-command-decode; sid:116518; rev:5;)

#sig that matches on everything even two bytes on the same offset
alert tcp any any -> any [139,445] (msg:"ETPRO NETBIOS Samba NDR Parsing MS-RPC Request Handling Buffer Overflow (CVE-2007-2446) Two contents same offset cafe"; flow:established,to_server; flowbits:isset,smb.tree.create.lsarpc; dce_iface:12345778-1234-abcd-ef00-0123456789ab,any_frag; dce_opnum:15,19; dce_stub_data; content:"|ca|"; offset:0; depth:1; content:"|fe|"; offset:0; depth:1; reference:cve,2007-2446; classtype:attempted-admin; sid:123033; rev:1;)
</pre>
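The point of the third signature is that it can never legitimately fire: `content:"|ca|"; offset:0; depth:1;` and `content:"|fe|"; offset:0; depth:1;` both pin a single byte to position 0 of the stub data, and no buffer has two different bytes there. The following Python is an added example, not part of the bug report or of Suricata, that models the absolute `offset`/`depth` content semantics and evaluates that rule (trimmed to its buffer-match options, with a single-content control rule of my own) against every possible first byte. It is the kind of reference check a detection engineer can keep beside the engine to tell "rule is wrong" apart from "engine is wrong": the real engine matching everything, as reported, disagrees with this model. The simplified rule parser splits the option block on `;` and handles only `content`, `offset` and `depth`; the rule text and sid 9000001 for the control rule are constructed here.

```python
# Constructed: the dce_stub_data rule from the report (sid 123033), trimmed to the
# options that affect the buffer match, plus a single-content control rule
# (sid 9000001 is a made-up local sid) for comparison.
TWO_CONTENT_RULE = (
    'alert tcp any any -> any [139,445] (msg:"Two contents same offset (cafe)"; '
    'dce_stub_data; content:"|ca|"; offset:0; depth:1; '
    'content:"|fe|"; offset:0; depth:1; sid:123033; rev:1;)')
ONE_CONTENT_RULE = (
    'alert tcp any any -> any [139,445] (msg:"Single content at offset 0"; '
    'dce_stub_data; content:"|ca|"; offset:0; depth:1; sid:9000001; rev:1;)')


def decode_content(text):
    """Decode a content string such as 'abc|00 5c|' to bytes (pipes delimit hex runs)."""
    out = bytearray()
    for i, chunk in enumerate(text.split('|')):
        # even chunks are literal text, odd chunks are hex between a pair of pipes
        out += chunk.encode('latin-1') if i % 2 == 0 else bytes.fromhex(chunk)
    return bytes(out)


def parse_contents(rule):
    """Return one dict per content keyword with its absolute offset/depth modifiers.

    Simplified parser: splits the option block on ';', which is enough for the
    rules on the page (no ';' inside msg strings, no pcre).
    """
    body = rule[rule.index('(') + 1:rule.rindex(')')]
    contents = []
    for opt in (o.strip() for o in body.split(';')):
        key, _, val = opt.partition(':')
        if key == 'content':
            contents.append({'pattern': decode_content(val.strip().strip('"')),
                             'offset': 0, 'depth': None})
        elif key in ('offset', 'depth') and contents:
            contents[-1][key] = int(val)   # modifiers apply to the preceding content
    return contents


def content_matches(buf, pattern, offset, depth):
    """Absolute match: the pattern must lie inside buf[offset:depth].

    Both modifiers are counted from the start of the buffer, as Suricata's
    documentation describes offset/depth ("absolute content modifiers"); with
    offset:0 as in the page's rule the distinction from a relative depth vanishes.
    """
    window = buf[offset:depth] if depth is not None else buf[offset:]
    return pattern in window


def rule_matches(buf, rule):
    """A rule matches a buffer only if every content keyword matches (AND)."""
    return all(content_matches(buf, c['pattern'], c['offset'], c['depth'])
               for c in parse_contents(rule))


def matching_first_bytes(rule):
    """Try stub buffers that differ only in their first byte and return the
    first-byte values on which the rule matches."""
    return [b for b in range(256) if rule_matches(bytes([b]) + b'\x00' * 15, rule)]


if __name__ == '__main__':
    print('single content:', matching_first_bytes(ONE_CONTENT_RULE))   # [202], i.e. 0xca
    print('two contents  :', matching_first_bytes(TWO_CONTENT_RULE))   # [], unsatisfiable
```

Running it shows the control rule matching exactly one first byte (0xca) and the two-content rule matching none; a rule whose constraints are unsatisfiable under the documented semantics should never alert, so alerts from it on real traffic point at the engine's buffer inspection rather than at the signature.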