Snort mailing list archives

Re: Hello,


From: Hui cao <huica () cisco com>
Date: Fri, 22 Jul 2016 14:51:44 -0400

Hi Rgds,

SMB header should have name offset, so you can extract the name offset && length and jump to the name data.

Best,
Hui.

On 07/22/2016 02:44 PM, Joel Esler (jesler) wrote:
Can you attach a pcap?   A copy and paste doesn't work.

--
Joel Esler
iPhone

On Jul 22, 2016, at 1:45 PM, Rodrigo Borges Pereira <rodrigoborgespereira () gmail com <mailto:rodrigoborgespereira () gmail com>> wrote:

Just to add that having the ability to somehow limit the depth of the PCRE, would make this really simple to achieve (at least in the way I'm trying it, of course :)

Rgds

On Fri, Jul 22, 2016 at 6:43 PM Rodrigo Borges Pereira <rodrigoborgespereira () gmail com <mailto:rodrigoborgespereira () gmail com>> wrote:

    Hi Joel,

    Of course, I can give more details.

    I'm attempting to match exact filename on SMB2 0x05 Create
    Requests. I'm able to use byte-jumps in order to get to the
    beginning of the filename buffer. Then I can search from there.
    However, due to the way SMB2 sometimes are constructed, it's
    getting very  difficult to achieve 100% accuracy, and in some
    cases I'm losing positives.

    Here's the current rule. For example, this one tries to match a
    filename just named "x", either in the root dir or inside a sub-dir.

    content: "|FE|SMB"; offset: 4; content: "|00 05|"; distance: 7;
    within: 2; byte_jump: 2, 8, from_beginning, little, post_offset
    +48; byte_jump: 2, 0, from_beginning, little, post_offset +4;
    content: "|00|"; distance: -1; pcre:
    "/^\x00(\x00x\x00|.*\x5c\x00x\x00)(\x00){0,8}\x28\x00\x00\x00\x10\x00\x04/R";

    This works most of the time, because usually, after the filename
    buffer, you have an 8-byte 00 padding until |28 00 00 00 10 00 04|

    In some cases though, there's some different bytes in that
    padding, and couldn't find any information about that. when that
    happens, the rule does not match. Here's a printout of two
    example packets:

    UNDETECTED POSITIVE

    0000   00 00 00 c0 fe 53 4d 42 40 00 01 00 00 00 00 00
     .....SMB@.......
    0010   05 00 01 00 00 00 00 00 00 00 00 00 3f 07 00 00
     ............?...
    0020   00 00 00 00 ff fe 00 00 d0 0d 81 18 b0 bd ba 2a
     ...............*
    0030   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
     ................
    0040   00 00 00 00 39 00 00 00 02 00 00 00 00 00 00 00
     ....9...........
    0050   00 00 00 00 00 00 00 00 00 00 00 00 80 00 01 00
     ................
    0060   00 00 00 00 04 00 00 00 01 00 00 00 40 10 00 00
     ............@...
    0070   78 00 02 00 80 00 00 00 40 00 00 00 78 00 9e 6f
     x.......@...x..o
    0080   23 e4 d1 01 28 00 00 00 10 00 04 00 00 00 18 00
     #...(...........
    0090   10 00 00 00 44 48 6e 51 00 00 00 00 00 00 00 00
     ....DHnQ........
    00a0   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
     ................
    00b0   10 00 04 00 00 00 18 00 00 00 00 00 4d 78 41 63
     ............MxAc
    00c0   00 00 00 00        ....

    0000   00 00 00 d8 fe 53 4d 42 40 00 01 00 00 00 00 00
     .....SMB@.......
    0010   05 00 01 00 00 00 00 00 00 00 00 00 3f 00 00 00
     ............?...
    0020   00 00 00 00 ff fe 00 00 df 9e 28 43 d8 19 30 16
     ..........(C..0.
    0030   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
     ................
    0040   00 00 00 00 39 00 00 09 02 00 00 00 00 00 00 00
     ....9...........
    0050   00 00 00 00 00 00 00 00 00 00 00 00 9f 01 17 00
     ................
    0060   20 00 00 00 00 00 00 00 02 00 00 00 44 00 00 00
      ...........D...
    0070   78 00 02 00 80 00 00 00 58 00 00 00 78 00 00 00
     x.......X...x...
    0080   00 00 00 00 28 00 00 00 10 00 04 00 00 00 18 00
     ....(...........
    0090   10 00 00 00 44 48 6e 51 00 00 00 00 00 00 00 00
     ....DHnQ........
    00a0   00 00 00 00 00 00 00 00 00 00 00 00 18 00 00 00
     ................
    00b0   10 00 04 00 00 00 18 00 00 00 00 00 4d 78 41 63
     ............MxAc
    00c0   00 00 00 00 00 00 00 00 10 00 04 00 00 00 18 00
     ................
    00d0   00 00 00 00 51 46 69 64 00 00 00 00        ....QFid....

    Thanks!!

    On Fri, Jul 22, 2016 at 6:26 PM Joel Esler (jesler)
    <jesler () cisco com <mailto:jesler () cisco com>> wrote:

        You can't use a variable from a byte_extract within a pcre. We
        can probably help you with what you are trying to do, if you
        have a pcap and describe the problem.

        --
        Joel Esler
        iPhone

        On Jul 22, 2016, at 1:24 PM, Rodrigo Borges Pereira
        <rodrigoborgespereira () gmail com
        <mailto:rodrigoborgespereira () gmail com>> wrote:

        Is there a way to limit the depth of a pcre search? I can
        use byte_extract to get the length of a variable buffer to
        which the pcre expression should apply, but there doesn't
        seem to be an option to do this.

        Appreciate any hints.

        Rgds.
        ------------------------------------------------------------------------------
        What NetFlow Analyzer can do for you? Monitors network
        bandwidth and traffic
        patterns at an interface-level. Reveals which users, apps,
        and protocols are
        consuming the most bandwidth. Provides multi-vendor support
        for NetFlow,
        J-Flow, sFlow and other flows. Make informed decisions using
        capacity planning
        reports.http://sdm.link/zohodev2dev
        _______________________________________________
        Snort-users mailing list
        Snort-users () lists sourceforge net
        <mailto:Snort-users () lists sourceforge net>
        Go to this URL to change user options or unsubscribe:
        https://lists.sourceforge.net/lists/listinfo/snort-users
        Snort-users list archive:
        http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

        Please visit http://blog.snort.org to stay current on all
        the latest Snort news!



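Hui's suggestion above, read the NameOffset and NameLength fields from the SMB2 CREATE request instead of pattern-matching across the padding that follows the filename buffer, worked through as an added example. This is not code from the thread or from Snort; it is a stand-alone Python parser that applies the same idea a byte_extract-based rule would. It assumes the packets are NetBIOS-framed single (non-compound) SMB2 messages exactly as in the two printouts Rodrigo posted, which are embedded here as the sample input. The field offsets used (Command at header offset 12, NameOffset and NameLength at CREATE body offsets 44 and 46, CreateContextsOffset at 48) are the standard SMB2 layout and are the only things the code relies on; the function and constant names are this example's own.

```python
import struct

NETBIOS_HDR = 4        # 1 type/reserved byte + 3-byte big-endian length
SMB2_HDR = 64          # fixed SMB2 header size
SMB2_CREATE = 0x05     # Command value for CREATE
CREATE_STRUCT_SIZE = 57


def dump_to_bytes(dump: str) -> bytes:
    """Turn a hexdump with an offset column (as in the mailing-list
    printouts) back into raw bytes; the ASCII column has been left out."""
    out = bytearray()
    for line in dump.strip().splitlines():
        out += bytes.fromhex("".join(line.split()[1:]))  # drop offset column
    return bytes(out)


# The two CREATE requests from the thread ("UNDETECTED POSITIVE" first).
PKT1 = dump_to_bytes("""
0000 00 00 00 c0 fe 53 4d 42 40 00 01 00 00 00 00 00
0010 05 00 01 00 00 00 00 00 00 00 00 00 3f 07 00 00
0020 00 00 00 00 ff fe 00 00 d0 0d 81 18 b0 bd ba 2a
0030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0040 00 00 00 00 39 00 00 00 02 00 00 00 00 00 00 00
0050 00 00 00 00 00 00 00 00 00 00 00 00 80 00 01 00
0060 00 00 00 00 04 00 00 00 01 00 00 00 40 10 00 00
0070 78 00 02 00 80 00 00 00 40 00 00 00 78 00 9e 6f
0080 23 e4 d1 01 28 00 00 00 10 00 04 00 00 00 18 00
0090 10 00 00 00 44 48 6e 51 00 00 00 00 00 00 00 00
00a0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00b0 10 00 04 00 00 00 18 00 00 00 00 00 4d 78 41 63
00c0 00 00 00 00
""")

PKT2 = dump_to_bytes("""
0000 00 00 00 d8 fe 53 4d 42 40 00 01 00 00 00 00 00
0010 05 00 01 00 00 00 00 00 00 00 00 00 3f 00 00 00
0020 00 00 00 00 ff fe 00 00 df 9e 28 43 d8 19 30 16
0030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0040 00 00 00 00 39 00 00 09 02 00 00 00 00 00 00 00
0050 00 00 00 00 00 00 00 00 00 00 00 00 9f 01 17 00
0060 20 00 00 00 00 00 00 00 02 00 00 00 44 00 00 00
0070 78 00 02 00 80 00 00 00 58 00 00 00 78 00 00 00
0080 00 00 00 00 28 00 00 00 10 00 04 00 00 00 18 00
0090 10 00 00 00 44 48 6e 51 00 00 00 00 00 00 00 00
00a0 00 00 00 00 00 00 00 00 00 00 00 00 18 00 00 00
00b0 10 00 04 00 00 00 18 00 00 00 00 00 4d 78 41 63
00c0 00 00 00 00 00 00 00 00 10 00 04 00 00 00 18 00
00d0 00 00 00 00 51 46 69 64 00 00 00 00
""")


def smb2_create_filename(pkt: bytes):
    """Return the UTF-16LE filename of an SMB2 CREATE request, or None
    when the packet is not a well-formed, single CREATE request."""
    body = NETBIOS_HDR + SMB2_HDR
    if len(pkt) < body + CREATE_STRUCT_SIZE:
        return None
    # NetBIOS length must cover exactly the rest of the packet
    if int.from_bytes(pkt[1:4], "big") != len(pkt) - NETBIOS_HDR:
        return None
    if pkt[NETBIOS_HDR:NETBIOS_HDR + 4] != b"\xfeSMB":
        return None
    command = struct.unpack_from("<H", pkt, NETBIOS_HDR + 12)[0]
    if command != SMB2_CREATE:
        return None
    if struct.unpack_from("<H", pkt, body)[0] != CREATE_STRUCT_SIZE:
        return None
    # NameOffset is relative to the start of the SMB2 header
    name_off, name_len = struct.unpack_from("<HH", pkt, body + 44)
    start = NETBIOS_HDR + name_off
    end = start + name_len
    # the name must live inside the variable Buffer (body offset 56 on)
    if name_len == 0 or start < body + 56 or end > len(pkt):
        return None
    return pkt[start:end].decode("utf-16-le", errors="replace")


def padding_after_name(pkt: bytes) -> bytes:
    """Bytes between the end of the filename and the first create context:
    this is the region the thread's PCRE assumed to be all zeros."""
    body = NETBIOS_HDR + SMB2_HDR
    name_off, name_len = struct.unpack_from("<HH", pkt, body + 44)
    ctx_off = struct.unpack_from("<I", pkt, body + 48)[0]
    return pkt[NETBIOS_HDR + name_off + name_len:NETBIOS_HDR + ctx_off]


def matches_basename(name, wanted: str) -> bool:
    """True when the last path component of an SMB path equals `wanted`
    (covers both a root-level "x" and "sub\\dir\\x")."""
    return name is not None and name.rsplit("\\", 1)[-1] == wanted


if __name__ == "__main__":
    for label, pkt in (("packet 1", PKT1), ("packet 2", PKT2)):
        name = smb2_create_filename(pkt)
        print(label, repr(name), padding_after_name(pkt).hex(),
              matches_basename(name, "x"))
```

Both printouts carry NameOffset 0x78 and NameLength 2, so both decode to the single-character name "x"; what differs is the six alignment bytes after the name (`9e 6f 23 e4 d1 01` in the first packet, zeros in the second), which is exactly why a pattern that runs across the padding misses the first one while an offset-and-length based check does not. The bounds checks on `start` and `end` matter for a detector as well as a parser: a crafted NameOffset or NameLength should yield "no match", not a read past the packet.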
