OT: Can SMB filenames be well defined for IDS systems?

Jason Haar Jason.Haar at trimble.co.nz
Thu May 29 00:52:11 GMT 2003

On Thu, May 29, 2003 at 09:22:15AM +1000, Tim Potter wrote:
> Break out ethereal (www.ethereal.com) and try to match against some
> specific SMBs.  I would expect the virus to do a NTCreate&X to open a
> file on the remote machine.  You might like to test various infected
> clients as the parameters to NTCreate&X or even the exact SMB packet
> used might be different.

OK. Well, I've looked at a Win2K to Win2K SMB copy using xcopy from cmd.exe
and cut-and-paste from Explorer. What I've found is that they both contain:

"ff 53 4d 42 a2" [SMB, NTCreate&X]

Would all attempts at creating a file contain that? 

If so, then a better Snort rule might be:

alert tcp any any -> any 445 (msg:"NETBIOS nimda .eml";
 content:"|ff 53 4d 42 a2|"; content:"|00|.|00|E|00|M|00|L"; within:200; 
 nocase; flow:to_server,established;
 classtype:bad-unknown; reference:url,www.f-secure.com/v-descs/nimda.shtml;
 sid:1293; rev:8;)

i.e. look for "ff 53 4d 42 a2", then look for ".eml" within the next 200

That should basically eliminate FPs based on file content instead of
filenames, shouldn't it?


Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
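An added example, not from the original post or from Samba, contrasting the byte-window match used by the Snort rule above with actually parsing the NT_CREATE_ANDX request and reading the file name out of it. The packet layout (32-byte SMB header, NT_CREATE_ANDX with WordCount 24, 2-byte alignment pad before a Unicode file name) follows MS-CIFS; the sample requests are constructed by the code, not captured from an infected host; `rule_window_match` is an approximation of the rule's `within:200` semantics on a single SMB message, and the 4-byte NetBIOS/direct-TCP length prefix is stripped if present. Decoding a non-Unicode name as Latin-1 is a simplification (real SMB1 uses the OEM code page). The example only handles the command the post identified (0xA2); older clients can open files with SMB_COM_OPEN_ANDX (0x2D) or SMB_COM_CREATE (0x03), and SMB2 uses a different header entirely, so a complete detection would need to cover those too.

```python
"""Extract the file name from an SMB1 NT_CREATE_ANDX request (MS-CIFS layout).

Added example, not code from the original post. build_nt_create_andx() makes
constructed test packets; parse_nt_create_filename() is the structured check,
rule_window_match() approximates the Snort rule's raw byte-window match.
"""
import struct

SMB_MAGIC = b"\xffSMB"
SMB_COM_NT_CREATE_ANDX = 0xA2
SMB_FLAGS2_UNICODE = 0x8000
HEADER_LEN = 32            # fixed SMB1 header
NT_CREATE_WORDS = 24       # WordCount of an NT_CREATE_ANDX request
PARAMS_FMT = "<BBHBHIIIQIIIIIB"   # 48 bytes of parameter words


def build_nt_create_andx(filename: str, unicode: bool = True) -> bytes:
    """Constructed NT_CREATE_ANDX request (sample input, not a capture)."""
    flags2 = SMB_FLAGS2_UNICODE if unicode else 0
    header = SMB_MAGIC + struct.pack(
        "<BIBHH8sHHHHH",
        SMB_COM_NT_CREATE_ANDX,   # Command
        0,                        # Status
        0x18,                     # Flags: canonicalized paths, case-insensitive
        flags2, 0, b"\0" * 8, 0,  # Flags2, PIDHigh, SecurityFeatures, Reserved
        1, 2, 3, 4)               # TID, PIDLow, UID, MID (arbitrary values)
    name = filename.encode("utf-16-le") if unicode else filename.encode("latin-1")
    null = b"\0\0" if unicode else b"\0"
    params = struct.pack(
        PARAMS_FMT,
        0xFF, 0, 0,      # AndXCommand (none), AndXReserved, AndXOffset
        0,               # Reserved
        len(name),       # NameLength in bytes (assumed: excludes terminator)
        0, 0,            # Flags, RootDirectoryFID
        0x0002019F,      # DesiredAccess: typical read/write mask
        0,               # AllocationSize
        0x80,            # ExtFileAttributes: FILE_ATTRIBUTE_NORMAL
        7,               # ShareAccess: read | write | delete
        5,               # CreateDisposition: FILE_OVERWRITE_IF
        0x40,            # CreateOptions: FILE_NON_DIRECTORY_FILE
        2,               # ImpersonationLevel: SecurityImpersonation
        0)               # SecurityFlags
    body = bytes([NT_CREATE_WORDS]) + params
    data_off = len(header) + len(body) + 2          # offset after ByteCount
    pad = b"\0" if (unicode and data_off % 2) else b""  # align Unicode name
    data = pad + name + null
    return header + body + struct.pack("<H", len(data)) + data


def parse_nt_create_filename(smb: bytes):
    """Return the file name of an NT_CREATE_ANDX request, or None if the
    message is not one (wrong magic, other command, truncated)."""
    # Strip the 4-byte NetBIOS session / direct-TCP length prefix if present.
    if len(smb) >= 8 and smb[0] == 0 and smb[4:8] == SMB_MAGIC:
        smb = smb[4:]
    if len(smb) < HEADER_LEN + 1 + 48 + 2 or smb[:4] != SMB_MAGIC:
        return None
    if smb[4] != SMB_COM_NT_CREATE_ANDX or smb[HEADER_LEN] != NT_CREATE_WORDS:
        return None
    flags2 = struct.unpack_from("<H", smb, 10)[0]
    params = struct.unpack_from(PARAMS_FMT, smb, HEADER_LEN + 1)
    name_length = params[4]                   # NameLength field
    data_off = HEADER_LEN + 1 + 48 + 2        # first byte after ByteCount
    unicode = bool(flags2 & SMB_FLAGS2_UNICODE)
    if unicode and data_off % 2:              # pad byte before a Unicode name
        data_off += 1
    raw = smb[data_off:data_off + name_length]
    if len(raw) < name_length:
        return None                           # truncated on the wire
    name = raw.decode("utf-16-le" if unicode else "latin-1", errors="replace")
    return name.rstrip("\0")


def is_eml_create(smb: bytes) -> bool:
    """Structured check: the created file's extension is .eml (any case)."""
    name = parse_nt_create_filename(smb)
    return name is not None and name.lower().endswith(".eml")


def rule_window_match(smb: bytes, window: int = 200) -> bool:
    """Approximation of the post's Snort rule: the header bytes
    ff 53 4d 42 a2, then UTF-16LE '.EML' (nocase) ending within `window`
    bytes after that match.  Matches anywhere in the window, not just the
    extension, and only the Unicode spelling of the name."""
    idx = smb.find(SMB_MAGIC + bytes([SMB_COM_NT_CREATE_ANDX]))
    if idx < 0:
        return False
    search = smb[idx + 5:idx + 5 + window]
    return b"\x00.\x00e\x00m\x00l" in search.lower()   # bytes.lower() is ASCII-only


if __name__ == "__main__":
    for fname, uni in [("readme.eml", True), ("archive.eml.txt", True),
                       ("readme.eml", False), ("a" * 70 + ".eml", True)]:
        pkt = build_nt_create_andx(fname, uni)
        print(f"{fname[:20]!r:24} unicode={uni!s:5} "
              f"rule={rule_window_match(pkt)!s:5} parsed={is_eml_create(pkt)}")
```

The constructed cases show where the two approaches diverge: `archive.eml.txt` trips the window match but the parsed extension is `.txt`; an ASCII (non-Unicode) client writing `readme.eml` is missed by the UTF-16LE pattern but caught by the parser; and a path whose stem is longer than about 57 characters pushes the extension past the 200-byte window, because the name only starts 79 bytes after the command byte and every character costs two.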

