OT: Can SMB filenames be well defined for IDS systems?
Jason Haar
Jason.Haar at trimble.co.nz
Thu May 29 00:52:11 GMT 2003
On Thu, May 29, 2003 at 09:22:15AM +1000, Tim Potter wrote:
> Break out ethereal (www.ethereal.com) and try to match against some
> specific SMBs. I would expect the virus to do a NTCreate&X to open a
> file on the remote machine. You might like to test various infected
> clients as the parameters to NTCreate&X or even the exact SMB packet
> used might be different.
OK. Well, I've looked at a Win2K to Win2K SMB copy using xcopy from cmd.exe
and cut-and-paste from Explorer. What I've found is that they both contain:
"ff 53 4d 42 a2" [SMB, NTCreate&X]
Would all attempts at creating a file contain that?
If so, then a better snort rule might be:
alert tcp any any -> any 445 (msg:"NETBIOS nimda .eml";
content:"|ff 53 4d 42 a2|"; content:"|00|.|00|E|00|M|00|L"; within:200;
nocase; flow:to_server,established;
classtype:bad-unknown; reference:url,www.f-secure.com/v-descs/nimda.shtml;
sid:1293; rev:8;)
i.e. look for "ff 53 4d 42 a2", then look for ".eml" within the next 200
bytes.
That should basically eliminate FPs based on file content instead of
filenames, shouldn't it?
--
Cheers
Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
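As an added illustration (not part of the original post, and not Samba or Snort code), the following Python builds a constructed SMB1 NT_CREATE_ANDX request, pulls the filename back out of it, and emulates the two-content rule above: find "ff 53 4d 42 a2", then require the UTF-16LE ".EML" bytes to end within the next 200 bytes. It also shows the edge case that the `within:200` window creates: a long enough path pushes the extension past the window and the rule goes quiet. Assumptions: the packets are built here rather than captured, the create flags/access/share values are arbitrary, NameLength is taken as the byte length of the name without its null terminator, and the 4-byte NetBIOS session header that precedes each SMB on TCP/445 is omitted (the rule's content search is not offset-anchored, so that does not change the match).

```python
"""Emulate Snort sid:1293 against constructed SMB1 requests (added example)."""
import re
import struct

SMB_MAGIC = b"\xffSMB"             # |ff 53 4d 42|
SMB_COM_NT_CREATE_ANDX = 0xA2       # the command byte the rule anchors on
SMB_COM_WRITE_ANDX = 0x2F
SMB_FLAGS2_UNICODE = 0x8000

# |00|.|00|E|00|M|00|L nocase: ".EML" inside a UTF-16LE filename, preceded by
# the high (null) byte of the character before the dot.
EML_PATTERN = re.compile(rb"\x00\.\x00[Ee]\x00[Mm]\x00[Ll]")


def smb_header(command, flags2=SMB_FLAGS2_UNICODE, tid=1, uid=0x800, mid=1):
    """32-byte SMB1 header; field values are constructed, not from a capture."""
    return struct.pack("<4sBIBHH8sHHHHH", SMB_MAGIC, command, 0, 0x18, flags2,
                       0, b"\x00" * 8, 0, tid, 0xFEFF, uid, mid)


def build_nt_create_andx(filename):
    """Minimal NT_CREATE_ANDX request carrying a Unicode filename (constructed)."""
    name = filename.encode("utf-16-le")
    # 24 parameter words: AndXCommand=0xFF (no chained command), NameLength,
    # then flags/access/share/disposition/options, all arbitrary sample values.
    words = struct.pack("<BBHBHIIIQIIIIIB", 0xFF, 0, 0, 0, len(name),
                        0, 0, 0x2019F, 0, 0x80, 0x7, 0x5, 0x40, 0x2, 0)
    params = bytes([24]) + words
    # A Unicode name is padded to a 16-bit boundary after ByteCount.
    pad = b"\x00" if (32 + len(params) + 2) % 2 else b""
    data = pad + name + b"\x00\x00"
    return (smb_header(SMB_COM_NT_CREATE_ANDX) + params
            + struct.pack("<H", len(data)) + data)


def build_write_andx(file_data):
    """WRITE_ANDX request carrying file_data (constructed): shows that '.eml'
    inside file *content* rather than a filename does not fire the rule."""
    data_off = 32 + 1 + 24 + 2
    words = struct.pack("<BBHHIIHHHHH", 0xFF, 0, 0, 0x4000, 0, 0xFFFFFFFF,
                        0, 0, 0, len(file_data), data_off)
    return (smb_header(SMB_COM_WRITE_ANDX) + bytes([12]) + words
            + struct.pack("<H", len(file_data)) + file_data)


def nt_create_filename(payload):
    """Return (filename, offset) from an NT_CREATE_ANDX request, else None."""
    if (len(payload) < 33 or payload[:4] != SMB_MAGIC
            or payload[4] != SMB_COM_NT_CREATE_ANDX):
        return None
    flags2 = struct.unpack_from("<H", payload, 10)[0]
    word_count = payload[32]
    name_len = struct.unpack_from("<H", payload, 33 + 5)[0]  # NameLength word
    data_off = 33 + 2 * word_count + 2                       # past words + ByteCount
    if flags2 & SMB_FLAGS2_UNICODE:
        data_off += data_off % 2                             # 16-bit alignment pad
        return payload[data_off:data_off + name_len].decode("utf-16-le"), data_off
    return payload[data_off:data_off + name_len].decode("latin-1"), data_off


def rule_1293_matches(payload, within=200):
    """content:"|ff 53 4d 42 a2|"; content:"|00|.|00|E|00|M|00|L"; within:200; nocase;
    The second content must lie entirely within `within` bytes after the first."""
    first = payload.find(SMB_MAGIC + bytes([SMB_COM_NT_CREATE_ANDX]))
    if first < 0:
        return False
    start = first + 5
    return EML_PATTERN.search(payload[start:start + within]) is not None


def longest_detectable_prefix(max_chars=200):
    """Count how many path characters may precede '.eml' before the extension
    falls outside the 200-byte window (edge case of the rule, not a claim in the post)."""
    n = 0
    while n < max_chars and rule_1293_matches(build_nt_create_andx("a" * (n + 1) + ".eml")):
        n += 1
    return n


if __name__ == "__main__":
    for pkt in (build_nt_create_andx("\\readme.EML"),
                build_nt_create_andx("\\report.exe"),
                build_write_andx("see attached .eml".encode("utf-16-le"))):
        print(hex(pkt[4]), nt_create_filename(pkt), rule_1293_matches(pkt))
    print("chars before .eml still inside the window:", longest_detectable_prefix())
```

With this layout the filename starts at offset 84, i.e. 79 bytes into the rule's window, so only about 57 characters of path can precede ".eml" before the extension slips out of the 200 bytes; a deeper share path would need a larger `within` or a `distance`/`offset` anchor on the NameLength field.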