OT: Can SMB filenames be well defined for IDS systems?

[Jason Haar]

Hi there

We're using Snort (an network Intrusion Detection System) with great success
here - even to the extent of monitoring our WAN links for nasty M$ trojans.

Snort can recognise such viruses by looking for evidence of files typically
used by trojans - which are typically tranmitted within a LAN via SMB (yup -
the tie-in with Samba begins ;-)

Anyway, false positives (FPs) are a real issue, and I was wondering if any
of the Samba network gurus could maybe tell me if there's a better way of
matching filenames with Snort than it currently does.

e.g

To catch the upload of *.eml files (as used by Nimda), it's rules look like:

alert tcp any any -> any 139 (msg:"Samba/NETBIOS nimda .eml";
content:".eml"; flow:to_server,established; classtype:bad-unknown;
reference:url,www.datafellows.com/v-descs/nimda.shtml; sid:1293; rev:6;)
alert tcp any any -> any 445 (msg:"NETBIOS nimda .eml";
content:"|00|.|00|E|00|M|00|L"; flow:to_server,established;
classtype:bad-unknown; reference:url,www.f-secure.com/v-descs/nimda.shtml;
sid:1293; rev:8;)

[Two rules, as Samba/NT4 are pre-UNICODE]

Anyway, as you can imagine, the string ".eml" may show up in SMB data just
by chance - hence the FPs.

So my question is, is there a "standard" data sequence that occurs *before*
the characters in a filename are transmitted via SMB, so that such rules
could be changed to "content: <special sequence>, AND THEN content:'.eml'"

Obviously a full SMB parser would be the complete way of doing this, but
such preprocessors are quite a bit of work - so I'm hoping there some other
way of "knowing" when a filename is coming up within a TCP stream (which
snort can already hook into).

Thanks!

-- 
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1