
Subject: Re: [Snort-sigs] FP on "NETBIOS SMB spoolss AddPrinterEx WriteAndX unicode overflow attempt"
Date: Fri, 04 Nov 2005 15:40:54 +1300
As a followup to my previous posting. I have had different "spoolss"
rule after rule fire here on people sending jobs to a single print server.

I have had to disable all "*spoolss AddPrinterEx*" rules until I can do
something better with it.

Either we've got an unknown trojan on the loose that only wants to
attack one particular print server of ours - or there's a serious FP
issue with the MS05-043 rules.


Jason


Jason Haar wrote:

We just had snort go off when a user printed to one of our print servers:

alert tcp any any -> any 139 (msg:"NETBIOS SMB spoolss AddPrinterEx
WriteAndX unicode overflow attempt"; flow:established,to_server;
flowbits:isset,dce.bind.spoolss; content:"|00|"; depth:1;
content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative;
pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little;
pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,!&,16,3,relative;
content:"|00|"; within:1; distance:1; content:"|00|F"; within:2;
distance:19; byte_test:4,>,256,4,relative; reference:cve,2005-1984;
reference:url,www.microsoft.com/technet/security/bulletin/MS05-043.mspx;
classtype:attempted-admin; sid:4484; rev:1;)

I can't see anything obvious, it triggered 4 times in 8 seconds from
their IP to the print server's IP and then went quiet again. As it was a
remote print server, 8 sec to send a document to a printer sounds likely.

It was a WinXP SP2 client to a Win2K server. No evidence of a virus/etc.

Here's the packet data content

length = 1460

000 : 00 00 10 F8 FF 53 4D 42 2F 00 00 00 00 18 07 C8   .....SMB/.......
010 : 00 00 00 00 00 00 00 00 00 00 00 00 01 08 FF FE   ................
020 : 01 08 04 82 0E FF 00 DE DE 09 80 00 00 00 00 FF   ................
030 : FF FF FF 08 00 B8 10 00 00 B8 10 40 00 00 00 00   ...........@....
040 : 00 B9 10 EE 05 00 00 00 10 00 00 00 B8 10 00 00   ................
050 : 0B 02 00 00 5C 9C 00 00 00 00 13 00 05 6D 00 00   ....\........m..
060 : 06 57 00 00 03 E2 00 00 06 67 00 00 05 BE 00 00   .W.......g......
070 : 06 66 00 00 01 D4 FF 9C 04 CC FF F6 04 B7 00 97   .f..............
080 : 04 F4 FF F6 04 7D 00 97 04 79 00 3C 05 67 00 97   .....}...y.<.g..
090 : 02 FC 00 5D 04 B4 00 97 04 C6 FF F6 06 2A 00 97   ...].........*..
0a0 : 05 57 00 97 04 88 00 43 05 A9 00 42 05 67 00 97   .W.....C...B.g..
0b0 : 04 69 00 97 04 73 00 41 04 AC FF FF 04 9C FF F5   .i...s.A........
0c0 : 04 A5 00 08 06 59 00 82 05 9E 00 2B 02 FC 00 4C   .....Y.....+...L
0d0 : 04 9C FF F5 04 70 00 3B 03 A4 00 3C 04 76 00 88   .....p.;...<.v..
0e0 : 01 D4 00 71 04 74 00 80 04 71 00 88 03 FC 00 06   ...q.t...q......
0f0 : 03 21 00 3B 04 76 00 88 04 70 00 58 01 D4 00 8C   .!.;.v...p.X....
100 : 03 FC 00 88 03 FC 00 05 04 8B 00 88 03 FC 00 06   ................
110 : 03 77 00 37 04 58 00 39 04 6A 00 7E 03 71 00 3A   .w.7.X.9.j.~.q.:
120 : 04 74 00 80 03 FA FF FB 05 B7 00 7F 05 CC 00 40   .t............@
130 : 01 D4 FF DA 04 74 00 80 04 58 00 39 04 74 00 80   .....t...X.9.t..
140 : 05 CC 00 40 04 7D 00 97 05 BF FF FF 04 0F 00 97   ...@.}..........
150 : 04 CC 00 42 04 75 00 4D 02 FC 00 5D 02 FC 00 4C   ...B.u.M...]...L
160 : 03 55 00 09 08 03 00 0F 07 DF 00 97 05 BE FF FF   .U..............
170 : 04 D2 00 97 04 9A FF FF 05 67 00 97 04 CC FF F6   .........g......
180 : 04 B7 00 97 04 B7 00 97 04 0F 00 97 05 78 00 12   .............x..
190 : 04 7D 00 97 07 27 FF F2 04 43 00 1F 05 5C 00 97   .}...'...C...\..
1a0 : 05 5C 00 97 04 D2 00 97 05 6C 00 0F 06 2A 00 97   .\.......l...*..
1b0 : 05 67 00 97 05 A9 00 42 05 67 00 97 04 69 00 97   .g.....B.g...i..
1c0 : 04 CE 00 42 04 AC FF FF 04 9A FF FF 05 FD 00 42   ...B...........B
1d0 : 04 A5 00 08 05 7B 00 97 05 16 00 5D 07 8C 00 97   .....{.....]....
1e0 : 07 AA 00 97 05 84 FF FF 06 4F 00 97 04 A9 00 97   .........O......
1f0 : 04 CC 00 2B 07 9C 00 97 04 E4 FF FB 04 33 00 3A   ...+.........3.:
200 : 04 66 00 43 04 32 00 88 03 52 00 88 04 77 00 08   .f.C.2...R...w..
210 : 04 36 00 3B 05 D8 00 08 03 A9 00 20 04 82 00 88   .6.;....... ....
220 : 04 82 00 88 03 FC 00 88 04 71 00 0F 05 1C 00 88   .........q......
230 : 04 81 00 88 04 58 00 39 04 82 00 88 04 6C 00 88   .....X.9.....l..
240 : 03 B1 00 3B 03 BC 00 04 03 FC 00 06 06 14 00 3E   ...;...........>
250 : 03 F6 00 0A 04 93 00 88 04 58 00 60 06 3A 00 88   .........X.`.:..
260 : 06 52 00 88 04 8C 00 04 05 8B 00 88 04 01 00 88   .R..............
270 : 03 C5 00 2A 06 18 00 88 04 39 00 15 04 36 00 3B   ...*.....9...6.;
280 : 04 A0 00 0C 03 52 00 88 03 C5 00 3D 03 92 00 43   .....R.....=...C
290 : 01 D4 00 7F 01 D4 FF DA 02 41 FF A6 06 9C 00 0F   ........A......
2a0 : 06 97 00 88 04 A0 00 0C 03 FC 00 88 03 FC 00 06   ................
2b0 : 04 82 00 88 04 10 00 97 03 52 00 88 07 46 00 6E   .........R...F.n
2c0 : 09 20 00 97 04 82 00 88 04 5E 00 41 08 00 00 00   . .......^.A....
2d0 : 08 00 01 00 08 00 01 00 08 00 01 00 08 00 01 00   ................
2e0 : 08 00 01 00 08 00 01 00 08 00 01 00 08 00 01 00   ................
2f0 : 08 00 01 00 06 03 00 42 04 80 00 39 05 C1 00 85   .......B...9....
300 : 04 DA 00 80 00 00 01 AD 00 00 01 C4 00 00 FC FE   ................
310 : 00 00 FD 7F 04 5E 00 DA 04 5E FF A7 04 5E 00 DA   ....^...^...^..
320 : 04 5E 00 C9 04 5E 00 E6 04 5E 00 E6 04 5E 00 E6   .^...^...^...^..
330 : 04 5E 00 C9 04 5E 01 AD 04 5E 00 DA 04 5E 00 E6   .^...^...^...^..
340 : 04 5E 00 E6 04 5E 00 E6 04 5E 00 E6 04 5E 00 DA   .^...^...^...^..
350 : 04 CC FF F6 04 33 00 3A 04 CC FF F6 04 33 00 3A   .....3.:.....3.:
360 : 04 CC FF F6 04 33 00 3A 04 CC FF CE 04 33 FF 8E   .....3.:.....3..
370 : 04 CC FF F6 04 33 00 3A 04 CC FF F6 04 33 00 3A   .....3.:.....3.:
380 : 04 CC FF F6 04 33 00 3A 04 CC FF F6 04 33 00 3A   .....3.:.....3.:
390 : 04 CC FF F6 04 33 00 3A 04 CC FF F6 04 33 00 3A   .....3.:.....3.:
3a0 : 04 CC FF F6 04 33 00 3A 04 CC FF F6 04 33 00 3A   .....3.:.....3.:
3b0 : 04 7D 00 97 04 36 00 3B 04 7D 00 97 04 36 00 3B   .}...6.;.}...6.;
3c0 : 04 7D 00 97 04 36 00 3B 04 7D 00 97 04 36 00 3B   .}...6.;.}...6.;
3d0 : 04 7D FF E3 04 36 FF B5 04 7D 00 97 04 36 00 3B   .}...6...}...6.;
3e0 : 04 7D 00 97 04 36 00 3B 04 7D 00 97 04 36 00 3B   .}...6.;.}...6.;
3f0 : 02 FC 00 5D 01 D4 00 68 02 FC 00 5D 01 D4 00 7F   ...]...h...]...
400 : 00 00 FD 29 00 00 FD 76 08 00 01 00 08 00 01 00   ...)...v........
410 : 04 2C 01 D3 04 2C 01 1D 04 2C 01 2D 04 2C 01 2D   .,...,...,.-.,.-
420 : 04 2C 01 D3 04 2C 01 6E 04 2C 01 78 04 2C 01 90   .,...,.n.,.x.,..
430 : 04 2C 01 75 04 2C 01 D3 04 2C 01 1D 04 2C 01 D3   .,.u.,...,...,..
440 : 04 2C 01 E8 03 10 00 7D 04 2C 01 90 01 CF 00 91   .,.....}.,......
450 : 04 2C 01 D3 04 2C FF 8E 02 D4 00 F3 05 62 00 88   .,...,.......b..
460 : 05 1E 00 3C 03 C4 00 1C 04 CE 00 14 05 7A 00 97   ...<.........z..
470 : 02 31 00 14 02 7E 00 3B 05 7A 00 97 05 98 00 95   .1...~.;.z......
480 : 02 31 00 14 04 F8 00 15 04 F8 00 3D 04 F8 00 48   .1.........=...H
490 : 05 7A 00 97 05 7A 00 56 02 E5 00 1E 03 35 00 32   .z...z.V.....5.2
4a0 : 05 D8 00 14 05 30 00 32 05 4C 00 69 05 37 00 69   .....0.2.L.i.7.i
4b0 : 03 CF 00 28 04 BB 00 46 05 6B 00 97 04 8E 00 1E   ...(...F.k......
4c0 : 06 86 00 97 05 AC 00 1E 04 62 00 14 04 62 00 14   .........b...b..
4d0 : 04 62 00 14 01 B0 00 61 03 36 00 6B 06 AE 00 97   .b.....a.6.k....
4e0 : 02 31 FF 8E 04 F8 00 15 04 F8 00 15 04 F8 FF 8E   .1..............
4f0 : 04 F8 FF 8E 05 30 00 32 06 86 00 97 06 86 00 97   .....0.2........
500 : 06 86 00 97 06 86 00 97 05 62 00 88 05 62 00 88   .........b...b..
510 : 05 62 00 88 05 1E 00 3C 03 C4 00 1C 04 CE 00 14   .b.....<........
520 : 05 7A 00 97 02 31 FF FE 02 CC FF FE 05 98 00 95   .z...1..........
530 : 02 31 FF FE 04 F8 00 15 04 F8 00 3D 04 F8 00 48   .1.........=...H
540 : 05 7A 00 56 03 35 00 32 05 D8 00 14 05 4C 00 69   .z.V.5.2.....L.i
550 : 05 37 00 69 04 BB 00 46 05 6B 00 97 04 8E 00 1E   .7.i...F.k......
560 : 06 86 00 97 05 AC 00 1E 02 31 00 14 05 1E 00 3C   .........1.....<
570 : 04 F8 00 3D 05 37 00 69 05 76 00 29 00 00 FF DC   ...=.7.i.v.)....
580 : 00 00 FF 25 00 00 FF DC 00 00 FE 51 02 D5 00 F6   ...%.......Q....
590 : 02 D5 00 F4 03 CB 00 54 03 0E 00 6A 02 0C FF BA   .......T...j....
5a0 : 02 3D 00 00 02 62 00 00 02 3D 00 00 02 3D 00 00   .=...b...=...=..
5b0 : 01 F0 00 00                                       ....
-- 
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
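When triaging an alert like this one, the first thing worth checking is what the flagged segment actually carries at the protocol level, independent of the rule's byte-pattern logic. The decoder below is an added example, not code from the thread or from the Snort project: it takes the first 96 bytes of the hex dump posted above (transcribed by hand, so only the header region), walks the NetBIOS session header, the SMB header, the WriteAndX parameter block and the DCE/RPC request header at DataOffset, and reports the spoolss opnum of the request. The opnum names assume the standard MS-RPRN numbering (RpcWritePrinter is 19, RpcAddPrinterEx is 70); the rule's closing `content:"|00|F"` is the two-byte big-endian encoding of 70.

```python
import struct

# Constructed from the first 96 bytes (offsets 000-05f) of the hex dump
# posted in the thread; the rest of the 1460-byte segment is print data and
# is not needed to identify the RPC call.
PACKET_HEAD = bytes.fromhex(
    "00 00 10 F8 FF 53 4D 42 2F 00 00 00 00 18 07 C8 "
    "00 00 00 00 00 00 00 00 00 00 00 00 01 08 FF FE "
    "01 08 04 82 0E FF 00 DE DE 09 80 00 00 00 00 FF "
    "FF FF FF 08 00 B8 10 00 00 B8 10 40 00 00 00 00 "
    "00 B9 10 EE 05 00 00 00 10 00 00 00 B8 10 00 00 "
    "0B 02 00 00 5C 9C 00 00 00 00 13 00 05 6D 00 00 "
)

SMB_COM_WRITE_ANDX = 0x2F
SMB_FLAGS2_UNICODE = 0x8000
DCERPC_DREP_LITTLE_ENDIAN = 0x10   # bit in the first data-representation byte

# Subset of MS-RPRN (spoolss) opnums relevant here (assumption: standard numbering).
SPOOLSS_OPNUMS = {
    17: "RpcStartDocPrinter",
    18: "RpcStartPagePrinter",
    19: "RpcWritePrinter",
    20: "RpcEndPagePrinter",
    23: "RpcEndDocPrinter",
    70: "RpcAddPrinterEx",
}

# The rule's final opnum match, content:"|00|F", as raw bytes.
RULE_OPNUM_CONTENT = b"\x00F"


def rule_target_opnum(content=RULE_OPNUM_CONTENT):
    """Opnum encoded by the rule's two-byte content when read big-endian."""
    return int.from_bytes(content, "big")


def parse_write_andx_rpc(pkt):
    """Decode NetBIOS/SMB WriteAndX/DCE-RPC headers and return the key fields."""
    if pkt[0] != 0x00 or pkt[4:8] != b"\xffSMB":
        raise ValueError("not a NetBIOS session message carrying SMB")
    nb_len = int.from_bytes(pkt[1:4], "big")           # 24-bit NetBIOS length
    cmd = pkt[8]
    if cmd != SMB_COM_WRITE_ANDX:
        raise ValueError("expected SMB_COM_WRITE_ANDX, got 0x%02x" % cmd)
    flags2 = struct.unpack_from("<H", pkt, 14)[0]
    wct = pkt[36]                                       # WordCount follows the 32-byte SMB header
    # WriteAndX words: AndXCommand, AndXReserved, AndXOffset, FID, Offset, Timeout,
    # WriteMode, Remaining, DataLengthHigh, DataLength, DataOffset (OffsetHigh follows)
    (_andx_cmd, _res, _andx_off, _fid, _off, _timeout, _mode,
     _remaining, _dlen_hi, data_len, data_off) = struct.unpack_from("<BBHHIIHHHHH", pkt, 37)
    byte_count = struct.unpack_from("<H", pkt, 37 + 2 * wct)[0]
    rpc = 4 + data_off                                  # DataOffset counts from the 0xFF of "\xffSMB"
    ver, _minor, ptype, pfc_flags = pkt[rpc], pkt[rpc + 1], pkt[rpc + 2], pkt[rpc + 3]
    little = bool(pkt[rpc + 4] & DCERPC_DREP_LITTLE_ENDIAN)
    e = "<" if little else ">"                          # decode integers per the PDU's own drep
    frag_len, _auth_len, _call_id = struct.unpack_from(e + "HHI", pkt, rpc + 8)
    _alloc_hint, _ctx_id, opnum = struct.unpack_from(e + "IHH", pkt, rpc + 16)
    return {
        "netbios_length": nb_len,
        "smb_command": cmd,
        "unicode": bool(flags2 & SMB_FLAGS2_UNICODE),
        "word_count": wct,
        "data_length": data_len,
        "data_offset": data_off,
        "byte_count": byte_count,
        # header + WordCount + words + ByteCount + bytes should add up to the NetBIOS length
        "lengths_consistent": 32 + 1 + 2 * wct + 2 + byte_count == nb_len,
        "rpc_version": ver,
        "rpc_ptype": ptype,
        "pfc_flags": pfc_flags,
        "frag_length": frag_len,
        "little_endian": little,
        "opnum": opnum,
        "opnum_name": SPOOLSS_OPNUMS.get(opnum, "unknown"),
        "opnum_is_rule_target": opnum == rule_target_opnum(),
    }


if __name__ == "__main__":
    for key, value in parse_write_andx_rpc(PACKET_HEAD).items():
        print("%-20s %s" % (key, hex(value) if isinstance(value, int) and not isinstance(value, bool) else value))
    print("rule targets opnum   %d (%s)" % (rule_target_opnum(), SPOOLSS_OPNUMS[rule_target_opnum()]))
```

For the posted bytes the decoder reports a little-endian DCE/RPC request with opnum 19 (RpcWritePrinter), a fragment length of 0x10B8 and pfc_flags of 0, and the SMB lengths add up to the NetBIOS length, so the segment is the start of a normal print-data write rather than an AddPrinterEx call. Comparing the decoded opnum and byte order against the opnum and byte order a rule encodes is a quick way to separate a genuine match on the RPC header from a rule whose pattern search has drifted into the stub data.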
_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
