Snort mailing list archives
Regarding GID 1, SID 33429 - Microsoft Windows SMB potential group policy fallback exploit attempt
From: Sandeep Singh <ctrlaltdelngone () gmail com>
Date: Sat, 14 Feb 2015 12:51:38 +0530
Hi all,

I am seeing a lot of noise for the recently pushed rule with GID 1, SID 33429, which works for detection of attempts towards the vulnerability mentioned in MS15-014 (https://technet.microsoft.com/library/security/ms15-014).

Rule -->

alert tcp $HOME_NET any -> $HOME_NET [139,445] (msg:"OS-WINDOWS Microsoft Windows SMB potential group policy fallback exploit attempt"; flow:to_server,established; content:"|FF|SMB"; depth:4; offset:4; content:"|5C 00|g|00|p|00|t|00|T|00|m|00|p|00|l|00|.|00|i|00|n|00|f|00 00|"; fast_pattern:only; detection_filter:track by_src,count 5,seconds 2; metadata:policy balanced-ips alert, policy connectivity-ips alert, policy security-ips alert, service netbios-ssn; reference:cve,2015-0009; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-014; classtype:attempted-user; sid:33429; rev:1;)

From what I can understand from the rule and the alerts, it triggers every time a computer queries a shared folder (which contains the group policies) for settings that apply to the current computer or user, which is of course causing a huge number of false positives. We are already in the process of deploying an enterprise-wide patch for MS15-014, but in the meantime is there anything that can be done to tune this detection rule? If required, I can provide a packet capture.

Any suggestions?

Thanks
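The following is an added example, not code from the post or from the Snort rule set: a small model of what SID 33429 checks, run over hand-built SMB1 requests, to show why ordinary Group Policy processing trips it. It assumes the detection_filter semantics documented in the Snort manual (the sampling window opens at a source's first match, and the rule alerts on every match after `count` matches inside that window); the payloads are constructed stand-ins (NetBIOS session header, SMB1 header, UTF-16LE path), not captured traffic, and the flow/port conditions of the rule are taken as satisfied. The sample hosts and GPO names are invented.

```python
# Added example, not from the post or the Snort rule set: model of GID 1 / SID 33429
# run over constructed SMB1 requests.
#
# Assumptions (mine, not from the page):
#   - detection_filter follows the Snort manual: the window opens at a source's first
#     match and the rule alerts on every match after `count` matches in that window.
#   - Payloads below are hand-built stand-ins, not full NT Create AndX requests or
#     captured traffic; flow:to_server and the port check are taken as satisfied.

SMB1_MAGIC = b"\xffSMB"                      # content:"|FF|SMB"; depth:4; offset:4;
# content:"|5C 00|g|00|p|00|t|00|T|00|m|00|p|00|l|00|.|00|i|00|n|00|f|00 00|"
GPTTMPL_UTF16 = "\\gptTmpl.inf".encode("utf-16-le") + b"\x00\x00"

DF_COUNT, DF_SECONDS = 5, 2                  # detection_filter: track by_src, count 5, seconds 2


def content_matches(payload: bytes) -> bool:
    """Both content checks of SID 33429. The rule has no 'nocase', so the match is case-sensitive."""
    return payload[4:8] == SMB1_MAGIC and GPTTMPL_UTF16 in payload


class DetectionFilter:
    """Per-source rate gate with the assumed detection_filter window semantics."""

    def __init__(self, count: int, seconds: int):
        self.count, self.seconds = count, seconds
        self.state = {}                      # src -> (window_start, matches_in_window)

    def alert(self, src: str, now: float) -> bool:
        start, n = self.state.get(src, (None, 0))
        if start is None or now - start > self.seconds:
            start, n = now, 0                # window expired: open a new one
        n += 1
        self.state[src] = (start, n)
        return n > self.count                # 6th and later matches in the window alert


def smb1_request(path: str) -> bytes:
    """Constructed stand-in for an SMB1 request carrying a UTF-16LE file path."""
    nbss = b"\x00\x00\x00\x00"               # NetBIOS session header (length left zero)
    smb_hdr = SMB1_MAGIC + b"\xa2" + b"\x00" * 27   # 32-byte SMB1 header: magic, command, padding
    return nbss + smb_hdr + path.encode("utf-16-le") + b"\x00\x00"


def run_rule(packets):
    """packets: iterable of (timestamp, src_ip, payload). Returns the (timestamp, src_ip) alerts."""
    gate = DetectionFilter(DF_COUNT, DF_SECONDS)
    return [(ts, src) for ts, src, payload in packets
            if content_matches(payload) and gate.alert(src, ts)]


SECEDIT = "\\Machine\\Microsoft\\Windows NT\\SecEdit\\gptTmpl.inf"


def constructed_traffic():
    """Constructed sample: two clients applying policy from an invented DC at 10.0.0.1.

    10.0.0.5 has seven GPOs linked to it and reads every security template within
    one second; 10.0.0.6 has three. Neither host is doing anything hostile.
    """
    pkts = []
    for i in range(7):                       # seven gptTmpl.inf reads, 0.1 s apart
        pkts.append((100.0 + i * 0.1, "10.0.0.5",
                     smb1_request(f"\\\\dc1\\SYSVOL\\corp.example\\Policies\\{{gpo-{i}}}" + SECEDIT)))
    for i in range(3):
        pkts.append((200.0 + i * 0.1, "10.0.0.6",
                     smb1_request(f"\\\\dc1\\SYSVOL\\corp.example\\Policies\\{{gpo-{i}}}" + SECEDIT)))
    # gpt.ini is read too, but it does not carry the rule's pattern.
    pkts.append((200.5, "10.0.0.6",
                 smb1_request("\\\\dc1\\SYSVOL\\corp.example\\Policies\\{gpo-0}\\gpt.ini")))
    return sorted(pkts)


if __name__ == "__main__":
    for ts, src in run_rule(constructed_traffic()):
        print(f"{ts:.1f} alert SID 33429 src={src}")
```

Run as a script, the burst from 10.0.0.5 produces two alerts (the sixth and seventh template reads inside the 2-second window) while 10.0.0.6 produces none, which is the pattern behind the noise described above: a workstation with more than five GPOs carrying a security template reads them back to back at every policy refresh. Two things the model makes visible: the pattern is case-sensitive (a client that asks for `GptTmpl.inf` does not match), and the only knobs in the rule itself are `count` and `seconds`. Outside the rule, Snort's threshold.conf `suppress` and `event_filter` directives apply per GID/SID and can be scoped by source or destination address, which is the usual way to quiet a rule for known domain controllers or client ranges until the patch is out.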
Current thread:
- Regarding GID 1, SID 33429 - Microsoft Windows SMB potential group policy fallback exploit attempt Sandeep Singh (Feb 13)
- Re: Regarding GID 1, SID 33429 - Microsoft Windows SMB potential group policy fallback exploit attempt Al Lewis (allewi) (Feb 14)