OT: Can SMB filenames be well defined for IDS systems?

Tim Potter tpot at samba.org
Wed May 28 23:22:15 GMT 2003

On Thu, May 29, 2003 at 11:10:58AM +1200, Jason Haar wrote:

> Snort can recognise such viruses by looking for evidence of files typically
> used by trojans - which are typically transmitted within a LAN via SMB (yup -
> the tie-in with Samba begins ;-)


> Anyway, false positives (FPs) are a real issue, and I was wondering if any
> of the Samba network gurus could maybe tell me if there's a better way of
> matching filenames with Snort than it currently does.

I thought it stood for First Post.  (-:

> To catch the upload of *.eml files (as used by Nimda), its rules look like:
> alert tcp any any -> any 139 (msg:"Samba/NETBIOS nimda .eml";
> content:".eml"; flow:to_server,established; classtype:bad-unknown;
> reference:url,www.datafellows.com/v-descs/nimda.shtml; sid:1293; rev:6;)
> alert tcp any any -> any 445 (msg:"NETBIOS nimda .eml";
> content:"|00|.|00|E|00|M|00|L"; flow:to_server,established;
> classtype:bad-unknown; reference:url,www.f-secure.com/v-descs/nimda.shtml;
> sid:1293; rev:8;)
> [Two rules, as Samba/NT4 are pre-UNICODE]

I'm not sure what you mean by this.  NT4 supports Unicode when talking to 
other NT4 or higher clients.  You only have to worry about ASCII clients
when Win9x machines or Samba 2.0 is involved.

> Anyway, as you can imagine, the string ".eml" may show up in SMB data just
> by chance - hence the FPs.

Heh.  It could quite easily turn up in file data being transferred.

> So my question is, is there a "standard" data sequence that occurs *before*
> the characters in a filename are transmitted via SMB, so that such rules
> could be changed to "content: <special sequence>, AND THEN content:'.eml'"

Break out ethereal (www.ethereal.com) and try to match against some
specific SMBs.  I would expect the virus to do a NTCreate&X to open a
file on the remote machine.  You might like to test various infected
clients as the parameters to NTCreate&X or even the exact SMB packet
used might be different.
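The approach Tim describes above, as an added example that is not part of the thread or of Samba's code: instead of searching the whole TCP payload for the bytes of ".eml" (which is exactly what the quoted Snort content match does), parse the SMB1 header, confirm the command is NT_CREATE_ANDX (0xA2), and only then look at the filename field, honouring the Unicode bit in Flags2 so one check covers both the NT-style UTF-16LE clients and the ASCII ones Tim mentions. The field layout follows the SMB1 header and NT_CREATE_ANDX request from MS-CIFS; the TID/PID/UID/MID values, the DesiredAccess and CreateOptions bits, the filenames and the stand-in WRITE_ANDX message are all constructed for this demonstration and are not captures of anything.

```python
import struct

# SMB1 constants (MS-CIFS); everything below them is a constructed example.
SMB_MAGIC = b"\xffSMB"
SMB_COM_WRITE_ANDX = 0x2F
SMB_COM_NT_CREATE_ANDX = 0xA2
FLAGS2_UNICODE = 0x8000            # SMB_FLAGS2_UNICODE: strings are UTF-16LE
NT_CREATE_ANDX_WORD_COUNT = 24

# Byte-for-byte what the quoted port-445 rule searches for: "|00|.|00|E|00|M|00|L".
UNICODE_RULE_PATTERN = b"\x00.\x00E\x00M\x00L"


def smb_header(command: int, flags2: int) -> bytes:
    """32-byte SMB1 header; TID/PID/UID/MID are constructed stand-in values."""
    return SMB_MAGIC + struct.pack(
        "<BIBHH8sHHHHH",
        command, 0, 0x18, flags2, 0, b"\x00" * 8, 0,
        1,       # TID
        0xFEFF,  # PIDLow
        100,     # UID
        1,       # MID
    )


def build_nt_create_andx(filename: str, unicode: bool = True) -> bytes:
    """Constructed NT_CREATE_ANDX request (without the 4-byte NetBIOS session header)."""
    name = filename.encode("utf-16-le") if unicode else filename.encode("ascii")
    params = struct.pack(
        "<BBBHBHIIIQIIIIIB",
        NT_CREATE_ANDX_WORD_COUNT,  # WordCount (24 words = 48 bytes follow)
        0xFF, 0, 0,                 # AndXCommand (none), AndXReserved, AndXOffset
        0,                          # Reserved
        len(name),                  # NameLength in bytes, terminator excluded
        0, 0,                       # Flags, RootDirectoryFID
        0x0012019F,                 # DesiredAccess (constructed read/write mask)
        0,                          # AllocationSize
        0x80, 0x7, 1, 0x44, 2, 0,   # ExtFileAttributes .. SecurityFlags (constructed)
    )
    # ByteCount ends at offset 83, which is odd; Unicode names are 2-byte aligned,
    # so a single pad byte precedes the name in that case.
    data = (b"\x00" if unicode else b"") + name + (b"\x00\x00" if unicode else b"\x00")
    flags2 = FLAGS2_UNICODE if unicode else 0
    return smb_header(SMB_COM_NT_CREATE_ANDX, flags2) + params + struct.pack("<H", len(data)) + data


def extract_create_filename(smb: bytes):
    """Return the path named in an NT_CREATE_ANDX request, or None for any other message.

    Fixed offsets for this request: WordCount at 32, NameLength at 38,
    ByteCount at 81, data at 83 (the name itself at 84 when Flags2 says Unicode).
    """
    if len(smb) < 83 or smb[:4] != SMB_MAGIC:
        return None
    if smb[4] != SMB_COM_NT_CREATE_ANDX or smb[32] != NT_CREATE_ANDX_WORD_COUNT:
        return None
    flags2 = struct.unpack_from("<H", smb, 10)[0]
    name_len = struct.unpack_from("<H", smb, 38)[0]
    byte_count = struct.unpack_from("<H", smb, 81)[0]
    data = smb[83:83 + byte_count]
    if flags2 & FLAGS2_UNICODE:
        raw = data[1:1 + name_len]          # skip the alignment pad
        if len(raw) != name_len:
            return None                     # truncated or inconsistent lengths
        return raw.decode("utf-16-le", errors="replace")
    raw = data[:name_len]
    return raw.decode("ascii", errors="replace") if len(raw) == name_len else None


def unicode_rule_match(payload: bytes) -> bool:
    """What the quoted rule does: the pattern anywhere in the payload, any command."""
    return UNICODE_RULE_PATTERN in payload


def structured_match(payload: bytes, suffix: str = ".eml") -> bool:
    """Fire only when an NT_CREATE_ANDX names a file ending in `suffix`, either encoding."""
    name = extract_create_filename(payload)
    return name is not None and name.lower().endswith(suffix)


# Constructed samples: an NT-style Unicode open, a Win9x/Samba-2.0-style ASCII open,
# and a stand-in for a WRITE_ANDX whose file contents merely mention ".EML".
CREATE_UNICODE = build_nt_create_andx("\\docs\\README.EML")
CREATE_ASCII = build_nt_create_andx("\\docs\\README.EML", unicode=False)
WRITE_WITH_EML_TEXT = (smb_header(SMB_COM_WRITE_ANDX, FLAGS2_UNICODE)
                       + b"\x00" * 30 + "save as .EML".encode("utf-16-le"))

if __name__ == "__main__":
    for label, msg in [("unicode create", CREATE_UNICODE), ("ascii create", CREATE_ASCII),
                       ("write of file data", WRITE_WITH_EML_TEXT)]:
        print(f"{label:20} rule={unicode_rule_match(msg)!s:5} "
              f"structured={structured_match(msg)!s:5} name={extract_create_filename(msg)!r}")
```

Run as a script, the three cases show the two failure modes the thread is about: the raw byte pattern fires on the write that only carries ".EML" inside file data (the false positive), and misses the ASCII-encoded open that a Win9x or Samba 2.0 client would send (which is why two rules were needed), while the structural check gets all three right. A real deployment still has to reassemble TCP and strip the NetBIOS session header before the 32-byte SMB header, and a robust parser would also handle AndX chains, where NT_CREATE_ANDX can follow another command in the same message rather than sit at offset 32.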