OT: Can SMB filenames be well defined for IDS systems?

[jra at dp.samba.org]

On Thu, May 29, 2003 at 11:10:58AM +1200, Jason Haar wrote:
> Hi there
> 
> We're using Snort (an network Intrusion Detection System) with great success
> here - even to the extent of monitoring our WAN links for nasty M$ trojans.
> 
> Snort can recognise such viruses by looking for evidence of files typically
> used by trojans - which are typically tranmitted within a LAN via SMB (yup -
> the tie-in with Samba begins ;-)
> 
> Anyway, false positives (FPs) are a real issue, and I was wondering if any
> of the Samba network gurus could maybe tell me if there's a better way of
> matching filenames with Snort than it currently does.
> 
> e.g
> 
> To catch the upload of *.eml files (as used by Nimda), it's rules look like:
> 
> alert tcp any any -> any 139 (msg:"Samba/NETBIOS nimda .eml";
> content:".eml"; flow:to_server,established; classtype:bad-unknown;
> reference:url,www.datafellows.com/v-descs/nimda.shtml; sid:1293; rev:6;)
> alert tcp any any -> any 445 (msg:"NETBIOS nimda .eml";
> content:"|00|.|00|E|00|M|00|L"; flow:to_server,established;
> classtype:bad-unknown; reference:url,www.f-secure.com/v-descs/nimda.shtml;
> sid:1293; rev:8;)
> 
> [Two rules, as Samba/NT4 are pre-UNICODE]
> 
> Anyway, as you can imagine, the string ".eml" may show up in SMB data just
> by chance - hence the FPs.
> 
> So my question is, is there a "standard" data sequence that occurs *before*
> the characters in a filename are transmitted via SMB, so that such rules
> could be changed to "content: <special sequence>, AND THEN content:'.eml'"
> 
> Obviously a full SMB parser would be the complete way of doing this, but
> such preprocessors are quite a bit of work - so I'm hoping there some other
> way of "knowing" when a filename is coming up within a TCP stream (which
> snort can already hook into).

I guess you want to know just before an open call ? If so you could
catch an incoming NTCreateX call based on the SMB sequence for it.

Jeremy.