[Snort-sigs] MS05-039 Updated Rules

Subject: [Snort-sigs] MS05-039 Updated Rules
Date: Tue, 16 Aug 2005 21:00:27 -0500
The Alert Logic research team has revised the initial set of rules for
the MS05-039 vulnerability in PnP. While the initial rules focused on
the known exploits used in the Zotob worm, the new rules detect the
actual vulnerability described in MS05-039.

The most recent set of rules provides wider coverage for possible exploit
and worm variations that may appear in the future. These rules cover
most common avenues of attack, excluding big-endian and Unicode vectors.

The latest MS05-039 rules have been tested in Alert Logic labs and we
are satisfied with their performance. Your mileage may vary. Please let
us know if there are any false positives. PCAPs are greatly appreciated.

:: Rules ::

Update your stream4_reassemble args to include ports 139 and 445.
        ex.  preprocessor stream4_reassemble: clientonly, ports 21 23 25 53 80 110 111 139 143 445 513 1433

alert tcp any any -> any 445 (msg:"NETBIOS SMB-DS DCERPC PnP HOD bind attempt"; flow:to_server,established; content:"|FF|SMB%"; depth:5; offset:4; nocase; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00|"; within:12; distance:5; nocase; content:"|05|"; within:1; distance:4; content:"|0B|"; within:1; distance:1; content:"|40 4E 9F 8D 3D A0 CE 11 8F 69 08 00 3E 30 05 1B|"; flowbits:set,netbios.pnp.bind.attempt; flowbits:noalert; classtype:protocol-command-decode; sid:1000135; rev:2;)

alert tcp any any -> any 445 (msg:"NETBIOS SMB-DS DCERPC PnP bind attempt"; flow:to_server,established; content:"|FF|SMB%"; depth:5; offset:4; nocase; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00|"; within:12; distance:5; nocase; content:"|05|"; within:1; distance:2; content:"|0B|"; within:1; distance:1; content:"|40 4E 9F 8D 3D A0 CE 11 8F 69 08 00 3E 30 05 1B|"; flowbits:set,netbios.pnp.bind.attempt; flowbits:noalert; classtype:protocol-command-decode; sid:1000139; rev:1;)

alert tcp any any -> any 445 (msg:"NETBIOS SMB-DS DCERPC PnP QueryResConfList exploit attempt"; flow:to_server,established; content:"|FF|SMB%"; depth:5; offset:4; nocase; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00|"; within:12; distance:5; nocase; content:"|36 00|"; within:2; distance:26; pcre:"/(\x00\\\x00.*?){2}\x00{2}\xFF{2}.{128,}[\x04-\xFF][\x00-\xFF]{3}\x00{4}$/Rs"; flowbits:isset,netbios.pnp.bind.attempt; reference:cve,CAN-2005-1983; reference:url,www.microsoft.com/technet/security/Bulletin/MS05-039.mspx; classtype:attempted-admin; sid:1000136; rev:2;)

alert tcp any any -> any 139 (msg:"NETBIOS SMB DCERPC PnP bind attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB%"; depth:5; offset:4; nocase; byte_test:2,^,1,5,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00 05 00 0B|"; within:10; distance:4; byte_test:1,&,16,1,relative; content:"|40 4E 9F 8D 3D A0 CE 11 8F 69 08 00 3E 30 05 1B|"; flowbits:set,netbios.pnp.bind.attempt; flowbits:noalert; classtype:protocol-command-decode; sid:1000137; rev:1;)

alert tcp any any -> any 139 (msg:"NETBIOS SMB DCERPC PnP QueryResConfList exploit attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB%"; depth:5; offset:4; nocase; byte_test:2,^,1,5,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00 05 00 00|"; within:10; distance:4; nocase; content:"|36 00|"; within:2; distance:19; pcre:"/(\x00\\\x00.*?){2}\x00{2}\xFF{2}.{128,}[\x04-\xFF][\x00-\xFF]{3}\x00{4}$/Rs"; flowbits:isset,netbios.pnp.bind.attempt; reference:cve,CAN-2005-1983; reference:url,www.microsoft.com/technet/security/Bulletin/MS05-039.mspx; classtype:attempted-admin; sid:1000138; rev:1;)

:: end ::

Thank you,
AlertLogic
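The port-445 bind rule (sid:1000139), the QueryResConfList rule (sid:1000136) and the flowbits gating between them, emulated in Python as an added example that is not part of the Alert Logic post. The content helper reproduces Snort's offset/depth and distance/within semantics as I understand them; the function names and the SMB/DCERPC packets are my own constructions with placeholder header values, and the exploit rule is exercised only on a short request that its pcre does not match.

```python
import re
PNP_UUID = bytes.fromhex("404E9F8D3DA0CE118F6908003E30051B")   # UUID bytes exactly as written in the rules
PIPE_NAME = b"\\\x00P\x00I\x00P\x00E\x00\\\x00"                # |5C 00|P|00|I|00|P|00|E|00 5C 00|
QRCL_PCRE = re.compile(rb"(\x00\\\x00.*?){2}\x00{2}\xFF{2}.{128,}[\x04-\xFF][\x00-\xFF]{3}\x00{4}$", re.S)
BIT = "netbios.pnp.bind.attempt"

def content(buf, pat, pos, offset=0, depth=None, distance=None, within=None, nocase=False):
    """One Snort 'content': pos is the end of the previous match (None once the chain has failed)."""
    if pos is None:
        return None
    if distance is None and within is None:            # absolute match: offset/depth from payload start
        start, end = offset, (len(buf) if depth is None else offset + depth)
    else:                                              # relative match: distance/within from pos
        start = pos + (distance or 0)
        end = len(buf) if within is None else start + within
    if nocase:
        buf, pat = buf.lower(), pat.lower()
    i = buf.find(pat, start, end)                      # the pattern must fit inside [start, end)
    return None if i < 0 else i + len(pat)

def smb_pipe_prefix(payload):                          # the three checks both 445 rules share
    p = content(payload, b"\xffSMB%", 0, offset=4, depth=5, nocase=True)   # SMB header, command 0x25
    p = content(payload, b"&\x00", p, distance=56, within=2)               # Setup[0] = 0x0026
    return content(payload, PIPE_NAME, p, distance=5, within=12, nocase=True)

def pnp_bind_attempt(payload):                         # sid:1000139
    p = content(payload, b"\x05", smb_pipe_prefix(payload), distance=2, within=1)  # DCERPC version
    p = content(payload, b"\x0b", p, distance=1, within=1)                         # type = bind
    return content(payload, PNP_UUID, p) is not None   # no modifiers: searches the whole payload

def pnp_query_res_conf_list(payload):                  # sid:1000136 minus its flowbits test
    p = content(payload, b"\x36\x00", smb_pipe_prefix(payload), distance=26, within=2)  # opnum 0x36
    return p is not None and QRCL_PCRE.search(payload, p) is not None   # pcre /R: from the last match

def run_flow(packets):   # flowbits: the bind rule sets the bit silently (noalert); sid:1000136 needs it set
    bits, alerts = set(), []
    for pkt in packets:
        if pnp_bind_attempt(pkt):
            bits.add(BIT)
        if BIT in bits and pnp_query_res_conf_list(pkt):
            alerts.append(1000136)
    return bits, alerts

def smb_trans_pipe(dcerpc, pad=b"\x00\x00"):
    """Constructed SMB-DS Trans/TransactNmPipe request wrapping dcerpc; header fields are placeholders."""
    hdr = b"\xffSMB\x25" + b"\x00" * 27                         # 32-byte SMB header, command 0x25 = Trans
    words = b"\x10" + b"\x00" * 28 + b"&\x00" + b"\x00\x40"      # WordCount 16, Setup: 0x0026, FID
    return b"\x00" * 4 + hdr + words + b"\x00" * 3 + PIPE_NAME + pad + dcerpc  # NBSS, ByteCount, pad
# constructed bodies: a bind whose context item names the PnP UUID, and a short opnum-0x36 request
BIND = b"\x05\x00\x0b\x03\x10\x00\x00\x00" + b"\x00" * 16 + b"\x01\x00\x00\x00\x00\x00\x01\x00" + PNP_UUID + b"\x00" * 24
REQ = b"\x05\x00\x00\x03\x10\x00\x00\x00" + b"\x00" * 14 + b"\x36\x00" + b"\x00" * 16
```

The distance:26 in sid:1000136 equals the 22-byte DCERPC request header plus 4 bytes between the pipe name and the DCERPC header, which is why the request sample is built with pad=b"\x00" * 4.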

Current Thread: [Snort-sigs] MS05-039 Updated Rules, Chris Baker