OT: Can SMB filenames be well defined for IDS systems?
Esh, Andrew
Andrew_Esh at adaptec.com
Thu May 29 13:42:04 GMT 2003
Your method of packet sniffing for virus activity is a good idea. Please
share your results with us. Perhaps someone would be interested in
developing a VFS module that does the same thing.
For another source of information about decoding an SMB packet to the point
of detecting a file creation and extracting the file name, look at the
source code for Ethereal, which can be obtained through:
http://www.ethereal.com
The file you are interested in is "packet-smb.c", in the function
"dissect_create_file_request". By studying that code, you will learn how to
focus your search on the name of the file being created. Here's a preview:
static int
dissect_create_file_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
    int offset, proto_tree *smb_tree _U_)
{
	smb_info_t *si = pinfo->private_data;
	int fn_len;
	const char *fn;
	guint8 wc;
	guint16 bc;

	WORD_COUNT;

	/* file attributes */
	offset = dissect_file_attributes(tvb, tree, offset, 2);

	/* creation time */
	offset = dissect_smb_UTIME(tvb, tree, offset, hf_smb_create_time);

	BYTE_COUNT;

	/* buffer format */
	CHECK_BYTE_COUNT(1);
	proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
	COUNT_BYTES(1);

	/* File Name */
	fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len,
	    FALSE, FALSE, &bc);
	if (fn == NULL)
		goto endofcommand;
	proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len, fn);
	COUNT_BYTES(fn_len);

	if (check_col(pinfo->cinfo, COL_INFO)) {
		col_append_fstr(pinfo->cinfo, COL_INFO, ", Path: %s", fn);
	}

	END_OF_SMB

	return offset;
}
-----Original Message-----
From: Jason Haar [mailto:Jason.Haar at trimble.co.nz]
Sent: Wednesday, May 28, 2003 7:52 PM
To: samba-technical at samba.org
Subject: Re: OT: Can SMB filenames be well defined for IDS systems?
On Thu, May 29, 2003 at 09:22:15AM +1000, Tim Potter wrote:
> Break out ethereal (www.ethereal.com) and try to match against some
> specific SMBs. I would expect the virus to do a NTCreate&X to open a
> file on the remote machine. You might like to test various infected
> clients as the parameters to NTCreate&X or even the exact SMB packet
> used might be different.
OK. Well, I've looked at a Win2K to Win2K SMB copy using xcopy from cmd.exe
and cut-n-paste from explorer. What I've found is that they both contain:
"ff 53 4d 42 a2" [SMB, NTCreate&X]
Would all attempts at creating a file contain that?
If so, then a better snort rule might be:
alert tcp any any -> any 445 (msg:"NETBIOS nimda .eml";
content:"|ff 53 4d 42 a2|"; content:"|00|.|00|E|00|M|00|L"; within:200;
nocase; flow:to_server,established;
classtype:bad-unknown; reference:url,www.f-secure.com/v-descs/nimda.shtml;
sid:1293; rev:8;)
i.e. look for "ff 53 4d 42 a2", then look for ".eml" within the next 200
bytes.
That should basically eliminate FPs based on file content instead of
filenames, shouldn't it?
--
Cheers
Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
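An added example (not from this thread, and not Ethereal's or Samba's code) that does in Python what the two messages above discuss: it builds a constructed SMB1 NT Create AndX request (command 0xA2, the one Jason's "ff 53 4d 42 a2" matches) as a client would send it over port 445, extracts the file name by parsing the fixed 24-word parameter block rather than scanning raw bytes, and runs both the parsed-name check and the rule's byte-pattern check against the same packets. Note that the Ethereal function quoted above, dissect_create_file_request, dissects the older SMB_COM_CREATE (0x03) request, whose layout (two parameter words, a buffer-format byte, then the name) differs from NT Create AndX. The field layout follows MS-CIFS as I read it; the sample paths, the DesiredAccess/CreateOptions values and the assumption that NameLength excludes the null terminator are mine.

```python
"""SMB1 NT Create AndX (0xA2): parse the file name vs. match raw bytes.
Added example; every packet here is constructed, not captured."""
import re
import struct

SMB_MAGIC = b"\xffSMB"
SMB_COM_NT_CREATE_ANDX = 0xA2
SMB_FLAGS2_UNICODE = 0x8000

# 24-word parameter block of NT_CREATE_ANDX request, little-endian, no padding:
# AndXCommand, AndXReserved, AndXOffset, Reserved, NameLength, Flags,
# RootDirectoryFID, DesiredAccess, AllocationSize, ExtFileAttributes,
# ShareAccess, CreateDisposition, CreateOptions, ImpersonationLevel, SecurityFlags
NTCREATE_WORDS = struct.Struct("<BBHBHIIIQIIIIIB")
assert NTCREATE_WORDS.size == 48


def build_nt_create_andx(path, unicode=True, create_disposition=2):
    """Constructed request: NetBIOS session header + SMB header + NT Create AndX.
    Field values are illustrative; 2 = FILE_CREATE."""
    flags2 = SMB_FLAGS2_UNICODE if unicode else 0
    # Command, Status, Flags, Flags2, PIDHigh, SecurityFeatures, Reserved,
    # TID, PIDLow, UID, MID  (4 + 28 = 32-byte header)
    hdr = SMB_MAGIC + struct.pack("<BIBHH8sHHHHH", SMB_COM_NT_CREATE_ANDX, 0,
                                  0x18, flags2, 0, b"\0" * 8, 0, 1, 1234, 100, 1)
    name = path.encode("utf-16-le") if unicode else path.encode("ascii")
    term = b"\0\0" if unicode else b"\0"
    words = NTCREATE_WORDS.pack(
        0xFF, 0, 0,           # no chained AndX command
        0,                    # Reserved
        len(name),            # NameLength in bytes (assumed: excludes terminator)
        0, 0,                 # Flags, RootDirectoryFID
        0x0002019F,           # DesiredAccess (illustrative)
        0,                    # AllocationSize
        0x80,                 # ExtFileAttributes: FILE_ATTRIBUTE_NORMAL
        0,                    # ShareAccess
        create_disposition,
        0x40,                 # CreateOptions: FILE_NON_DIRECTORY_FILE
        2,                    # ImpersonationLevel
        0)                    # SecurityFlags
    # Unicode names are 2-byte aligned relative to the SMB header; the
    # header + WordCount + words + ByteCount is 83 bytes, so one pad byte.
    pad = b"\0" if unicode else b""
    data = pad + name + term
    smb = hdr + bytes([24]) + words + struct.pack("<H", len(data)) + data
    return b"\x00" + len(smb).to_bytes(3, "big") + smb   # NBSS: type 0, 3-byte length


def parse_nt_create_andx(pkt):
    """Return {'name', 'unicode', 'create_disposition'} for an NT Create AndX
    request, or None if the packet is not one (first command in chain only)."""
    if len(pkt) < 4 + 32 + 1 or pkt[0] != 0:
        return None
    smb = pkt[4:4 + int.from_bytes(pkt[1:4], "big")]
    if smb[:4] != SMB_MAGIC or smb[4] != SMB_COM_NT_CREATE_ANDX or smb[32] != 24:
        return None
    unicode = bool(struct.unpack_from("<H", smb, 10)[0] & SMB_FLAGS2_UNICODE)
    fields = NTCREATE_WORDS.unpack_from(smb, 33)
    name_len, disposition = fields[4], fields[11]
    bc_off = 33 + NTCREATE_WORDS.size
    bc = struct.unpack_from("<H", smb, bc_off)[0]
    data = smb[bc_off + 2:bc_off + 2 + bc]
    if unicode:
        data = data[1:]                      # skip the alignment pad
    raw = data[:name_len]
    name = raw.decode("utf-16-le" if unicode else "ascii", errors="replace")
    return {"name": name.rstrip("\0"), "unicode": unicode,
            "create_disposition": disposition}


# The rule's second content: "|00|.|00|E|00|M|00|L" with nocase, i.e. ".eml" in UTF-16LE.
EML_UTF16 = re.compile(rb"\x00\.\x00[eE]\x00[mM]\x00[lL]")


def snort_style_match(pkt, within=200):
    """Mimic the rule: find |ff 53 4d 42 a2|, then require the UTF-16 '.eml'
    pattern to end within `within` bytes after the end of that first match."""
    i = pkt.find(SMB_MAGIC + bytes([SMB_COM_NT_CREATE_ANDX]))
    if i < 0:
        return False
    start = i + 5
    return EML_UTF16.search(pkt, start, start + within) is not None


def parsed_name_match(pkt):
    """Fire only when the created file's parsed name ends in .eml."""
    info = parse_nt_create_andx(pkt)
    return info is not None and info["name"].lower().endswith(".eml")


if __name__ == "__main__":
    for label, pkt in [("README.EML", build_nt_create_andx("\\share\\README.EML")),
                       ("notes.emlx", build_nt_create_andx("\\docs\\notes.emlx")),
                       ("ascii x.eml", build_nt_create_andx("\\x.eml", unicode=False))]:
        print(label, "bytes:", snort_style_match(pkt), "parsed:", parsed_name_match(pkt))
```

Running it shows why a parsed name is the better IDS key: "\docs\notes.emlx" fires the byte pattern but not the extension check, and a non-Unicode client's "\x.eml" is missed by the UTF-16 pattern but caught by the parser. The parser only looks at the first command in the AndX chain; a create chained behind another AndX command carries that other command's code at header offset 4, which is also why "ff 53 4d 42 a2" is not guaranteed to appear in every file creation.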