OT: Can SMB filenames be well defined for IDS systems?

Esh, Andrew Andrew_Esh at adaptec.com
Thu May 29 13:42:04 GMT 2003


Your method of packet sniffing for virus activity is a good idea. Please
share your results with us. Perhaps someone would be interested in
developing a VFS module that does the same thing.

For another source of information about decoding an SMB packet to the point
of detecting a file creation and extracting the file name, look at the
source code for Ethereal, which can be obtained through:

	http://www.ethereal.com

The file you are interested in is "packet-smb.c", in the function
"dissect_create_file_request". By studying that code, you will learn how to
focus your search on the name of the file being created. Here's a preview:

static int
dissect_create_file_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
	int offset, proto_tree *smb_tree _U_)
{
	smb_info_t *si = pinfo->private_data;
	int fn_len;
	const char *fn;
	guint8 wc;
	guint16 bc;

	WORD_COUNT;

	/* file attributes */
	offset = dissect_file_attributes(tvb, tree, offset, 2);

	/* creation time */
	offset = dissect_smb_UTIME(tvb, tree, offset, hf_smb_create_time);

	BYTE_COUNT;

	/* buffer format */
	CHECK_BYTE_COUNT(1);
	proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, TRUE);
	COUNT_BYTES(1);

	/* File Name: si->unicode (set from the Flags2 Unicode bit) selects
	   UTF-16LE or ASCII decoding of the NUL-terminated name */
	fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len,
		FALSE, FALSE, &bc);
	if (fn == NULL)
		goto endofcommand;
	proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
		fn);
	COUNT_BYTES(fn_len);

	if (check_col(pinfo->cinfo, COL_INFO)) {
		col_append_fstr(pinfo->cinfo, COL_INFO, ", Path: %s", fn);
	}

	END_OF_SMB

	return offset;
}

-----Original Message-----
From: Jason Haar [mailto:Jason.Haar at trimble.co.nz]
Sent: Wednesday, May 28, 2003 7:52 PM
To: samba-technical at samba.org
Subject: Re: OT: Can SMB filenames be well defined for IDS systems?


On Thu, May 29, 2003 at 09:22:15AM +1000, Tim Potter wrote:
> Break out ethereal (www.ethereal.com) and try to match against some
> specific SMBs.  I would expect the virus to do a NTCreate&X to open a
> file on the remote machine.  You might like to test various infected
> clients as the parameters to NTCreate&X or even the exact SMB packet
> used might be different.

OK. Well, I've looked at a Win2K to Win2K SMB copy using xcopy from cmd.exe
and cut-n-paste from Explorer. What I've found is that they both contain:

"ff 53 4d 42 a2" [SMB, NTCreate&X]

Would all attempts at creating a file contain that? 

If so, then a better Snort rule might be:

alert tcp any any -> any 445 (msg:"NETBIOS nimda .eml";
 content:"|ff 53 4d 42 a2|"; content:"|00|.|00|E|00|M|00|L"; within:200; 
 nocase; flow:to_server,established;
 classtype:bad-unknown; reference:url,www.f-secure.com/v-descs/nimda.shtml;
 sid:1293; rev:8;)

i.e. look for "ff 53 4d 42 a2", then look for ".eml" within the next 200
bytes.

That should basically eliminate FPs based on file content instead of
filenames, shouldn't it?

-- 
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
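To show how the file name is carved out of the request that the Snort rule above keys on, here is an added Python example (not Ethereal's code and not from anyone in this thread) that parses an SMB1 NT Create AndX request the way dissect_create_file_request does, honouring the Flags2 Unicode bit and the alignment pad, and then applies the same *.eml check as the rule. The builder build_nt_create_andx, the helper names and the packet it produces are assumptions constructed for this example, not a real capture.

```python
import struct

SMB_MAGIC = b"\xffSMB"          # the "ff 53 4d 42" bytes discussed in the thread
SMB_COM_NT_CREATE_ANDX = 0xA2   # the "a2" command byte that follows them
SMB_FLAGS2_UNICODE = 0x8000     # Flags2 bit: strings in this SMB are UTF-16LE
SMB_HDR_LEN = 32

def build_nt_create_andx(filename, unicode=True):
    """Construct a minimal NT_CREATE_ANDX request (sample data, not a real capture)."""
    flags2 = SMB_FLAGS2_UNICODE if unicode else 0
    hdr = SMB_MAGIC + bytes([SMB_COM_NT_CREATE_ANDX]) + struct.pack("<IBH", 0, 0x18, flags2)
    hdr += b"\x00" * 12 + struct.pack("<HHHH", 1, 2, 3, 4)   # PIDHigh..Reserved, TID/PID/UID/MID
    name = (filename.encode("utf-16-le") + b"\x00\x00") if unicode else (filename.encode("ascii") + b"\x00")
    # 24 parameter words: AndXCommand=0xFF (no chained command), NameLength, rest zeroed
    words = struct.pack("<BBHBH", 0xFF, 0, 0, 0, len(name)) + b"\x00" * 41
    data_off = SMB_HDR_LEN + 1 + len(words) + 2
    data = (b"\x00" if unicode and data_off % 2 else b"") + name   # pad aligns the UTF-16 name
    smb = hdr + bytes([24]) + words + struct.pack("<H", len(data)) + data
    return struct.pack(">I", len(smb)) + smb   # 4-byte NetBIOS session header, as seen on port 445

def extract_create_filename(payload):
    """Return the path from an NT_CREATE_ANDX request, or None if the payload is not one."""
    smb = payload[4:] if payload[:1] == b"\x00" and payload[4:8] == SMB_MAGIC else payload
    if len(smb) <= SMB_HDR_LEN or smb[:4] != SMB_MAGIC or smb[4] != SMB_COM_NT_CREATE_ANDX:
        return None
    is_unicode = bool(struct.unpack_from("<H", smb, 10)[0] & SMB_FLAGS2_UNICODE)
    off = SMB_HDR_LEN
    wc = smb[off]                                    # WORD_COUNT
    off += 1 + wc * 2                                # skip the parameter words
    if wc != 24 or len(smb) < off + 2:
        return None
    bc = struct.unpack_from("<H", smb, off)[0]; off += 2   # BYTE_COUNT
    data = smb[off:off + bc]
    if len(data) != bc:
        return None                                  # truncated: do not guess at the name
    if is_unicode:
        data = data[off % 2:]                        # same 2-byte alignment rule Ethereal applies
        n = 0
        while n + 1 < len(data) and data[n:n + 2] != b"\x00\x00":
            n += 2
        return data[:n].decode("utf-16-le", errors="replace")
    n = data.find(b"\x00")
    return data[:n if n >= 0 else len(data)].decode("ascii", errors="replace")

def is_eml_create(payload):
    """Detection check equivalent to the thread's Snort rule: creation of a *.eml path."""
    name = extract_create_filename(payload)
    return name is not None and name.lower().endswith(".eml")
```

Unlike the byte-pattern rule, the parser ignores a ".eml" that merely appears in later bytes and tolerates both the Unicode and ASCII forms of the name.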



More information about the samba-technical mailing list