OT: Can SMB filenames be well defined for IDS systems?
Tim Potter
tpot at samba.org
Thu May 29 01:17:00 GMT 2003
On Thu, May 29, 2003 at 12:52:11PM +1200, Jason Haar wrote:
> OK. Well I've looked at a Win2K to Win2K SMB copy using xcopy from cmd.exe
> and cut-n-paste from explorer. What I've found that they both contain:
>
> "ff 53 4d 42 a2" [SMB, NTCreate&X]
>
> Would all attempts at creating a file contain that?
Probably not, as Jeremy says, but it would catch most of them.
> i.e. look for "ff 53 4d 42 a2", then look for ".eml" within the next 200
> bytes.
>
> That should basically eliminate FPs based on file content instead of
> filenames shouldn't it?
It would certainly cut them down.
What if I were copying a packet capture of someone copying a .eml file?
I'm not sure you will catch all filenames at an offset of 200 bytes.
A packet capture of a NTCreate&X over port 139 looks like:
14 bytes ethernet header
20 bytes IP header
32 bytes TCP header
4 bytes NetBIOS header
followed by the start of the SMB packet. For port 445 you can get rid
of the NetBIOS header. The filename starts 160 bytes into the SMB
packet so if I had a 100 character unicode filename the .eml extension
would occur approximately 430 bytes (14+20+32+4+160+(100*2)) from the
start of the packet.
Anyway, it sounds like you are on the right track. Ethereal rocks. (-:
Tim.
More information about the samba-technical
mailing list