Snort mailing list archives
Re: NETBIOS Unicode Access - False Positives
From: Nigel Houghton <nigel () sourcefire com>
Date: Mon, 23 Aug 2004 13:45:08 -0400
Excuse the formatting, this is what happens to HTML email when you get a digest version of the list. On 0, snort-users-request () lists sourceforge net allegedly wrote:
Message: 8 Date: Wed, 18 Aug 2004 22:55:40 -0400 From: "Gross, Mark" <mgross () microstrategy com> To: <snort-users () lists sourceforge net.> Subject: [Snort-users] NETBIOS Unicode Access - False Positives This is a multi-part message in MIME format. ------_=_NextPart_001_01C48598.03157D00 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable Hi all, =20 I checked out the list regarding a lot of the NETBIOS rules and there = seemed to be some others who are having similar (or the same) issues as = I. Alerts are being generated for packets that are part of normal = traffic. I am sure that this has been covered somewhere, so if it's a = duplicate, or you are aware of this, then please disregard it. If there = are updated rules they are not official as the below listed rule was = taken from the daily Aug. 18th, 2004 and I found no updates in the = database (with or without documentation).
This is a known issue, yes. Please make sure your $HOME_NET and $EXTERNAL_NET variables are set correctly in snort.conf. These rules rely on these variables. Essentially, these Netbios shares should not be accessible over the Internet or from a DMZ host. The $EXTERNAL_NET variable should be everything not on your protected network, i.e. !$HOME_NET (simplisticly speaking).
=20 The rules that are causing ALERTS: =20 NETBIOS SMB C$ share unicode access (sid:2470), NETBIOS SMB IPC$ share = unicode access (sid:538), NETBIOS SMB-DS C$ share unicode access = (sid:2472) and NETBIOS SMB-DS IPC$ share unicode access (sid:2466). =20 Apparently this is triggered anytime that anyone accesses a network = share on a 2002 server (maybe others too) with the NETBIOS command "Tree = Connect AndX Request".
Shouldn't happen from a host not on your protected net.
=20 The alerts are generated by accessing ANY/EVERY network share weather a = user has the rights or not.
Right, the rules are looking for administrative share access, something you don't want to see from anything outside your protected network.
=20 I only listed one of the four rules, however the other three are matched = later in the stream. =20 Here is the rule and one packet (Tree Connect AndX Request). =20 alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB IPC$ = share unicode access"; flow:to_server,established; content:"|00|"; = depth:1; content:"|FF|SMB"; depth:4; offset:4; = byte_test:1,>,127,7,relative; content:"I|00|P|00|C|00 24 00 00|"; = distance:33; nocase; classtype:protocol-command-decode; sid:538; = rev:11;) =20 =20 000005D3 00 00 00 5a ff 53 4d 42 75 00 00 00 00 18 07 c8 = ...Z.SMB u......=C8 000005E3 00 00 48 92 dd 80 0b bb 2c bd 00 00 00 00 ff fe = ..H'=DD..=BB ,......=FE 000005F3 03 48 40 2e 04 ff 00 5a 00 08 00 01 00 2f 00 00 = .H@....Z ...../.. 00000603 5c 00 5c 00 ff 00 ff 00 ff 00 ff 00 ff 00 ff 00 = \.\.S.E. R.V.E.R. 00000613 ff 00 ff 00 ff 00 ff 00 ff 00 ff 00 5c 00 49 00 = -.1.-.I. A.S.\.I. 00000623 50 00 43 00 24 00 00 00 3f 3f 3f 3f 3f 00 = P.C.$... ?????. =20 =20 There were a total of 33 packets from the time that the Tree Request was = made to the time that the Tree Disconnect was made. In those 33 packets = all 4 of the above listed rules were true. =20 It would seem that the rule needs to be modified to ALERT if the "NT = Status: STATUS_ACCESS_DENIED (0x0000022)" is returned anywhere in the = stream.
But then you would miss a sucessful attempt to connect.
--__--__--
If these rules continue to generate false positives when the variables are set correctly, please forward packet captures and the relevant variable information from snort.conf. +-------------------------------------------------------------------------+ Nigel Houghton Research Engineer Sourcefire Inc. Vulnerability Research Team "Dude, dolphins are intelligent and friendly!" - Wendy "Intelligent and friendly on rye bread, with some mayonaise." - Cartman +-------------------------------------------------------------------------+ ------------------------------------------------------- SF.Net email is sponsored by Shop4tech.com-Lowest price on Blank Media 100pk Sonic DVD-R 4x for only $29 -100pk Sonic DVD+R for only $33 Save 50% off Retail on Ink & Toner - Free Shipping and Free Gift. http://www.shop4tech.com/z/Inkjet_Cartridges/9_108_r285 _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- NETBIOS Unicode Access - False Positives Gross, Mark (Aug 23)
- <Possible follow-ups>
- Re: NETBIOS Unicode Access - False Positives Nigel Houghton (Aug 23)