Threat Level: green Handler on Duty: Bojan Zdrnja

SANS ISC InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Snort Sig for MS06-040

Published: 2006-08-11
Last Updated: 2006-08-11 15:43:22 UTC
by Marcus Sachs (Version: 3)
0 comment(s)
The US-CERT shared the following Snort signature with us on Thursday.  This is for the MS06-040 vulnerability and may not match some of the public exploits discussed in an earlier diary.  If this signature alerts, please let us know via the contact form.

alert tcp any any -> any $RPC_PORTS (msg:"US-CERT MS06-040 Indicator"; content:"| 90 90 EB 04 2B 38 03 78 |";  classtype:malicious-activity; sid:1000003; rev:1;)

Note that the RPC_PORTS is a placeholder for 135, 139, 445.

UPDATE #1

Russ wrote us with some additional ideas:

In order to make the US-CERT rule work I had to do as follows:

Add to snort.conf under network variable:

# Placeholder for 135, 139, 445
var RPC_PORTS 135
var RPC_PORTS 139
var RPC_PORTS 445

Add to classification.config under NEW CLASSIFICATIONS:

config classification: malicious-activity,Malicious Activity,2

Then I dropped that actual rule in rpc.rules.

Thanks, Russ!!

UPDATE #2

Handler Judy Novak suggested that this will work better:

alert tcp any any -> any $RPC_PORTS (msg:"US-CERT MS06-040 Indicator"; flow:to_server,established; content:"| 90 90 EB 04 2B 38 03 78 |";  classtype:malicious-activity; sid:1000003; rev:1;)

We received a few other notes suggesting that Russ' ideas above would not work properly and that as written only the last variable would trigger (445).  We are working to get an updated rule that should work on all three ports.  Also, as a reminder - this rule only detects one of several exploits.  If you have other rules you can share, please send them in and we'll keep updating the entry. 

UPDATE #3

Joel over at Sourcefire sent us some pointers:

Step one, you can't just place three vars with one rule.  You either have to do something like

var RPC_PORTS 135
alert tcp any any -> any $RPC_PORTS (msg:"US-CERT MS06-040 Indicator"; content:"| 90 90 EB 04 2B 38 03 78 |";  rev:1;)
var RPC_PORTS 139
alert tcp any any -> any $RPC_PORTS (msg:"US-CERT MS06-040 Indicator"; content:"| 90 90 EB 04 2B 38 03 78 |";  rev:1;)
var RPC_PORTS 445
alert tcp any any -> any $RPC_PORTS (msg:"US-CERT MS06-040 Indicator"; content:"| 90 90 EB 04 2B 38 03 78 |";  rev:1;)

Effectively reloading the rule three times. 

Or you have to do something like this:

alert tcp any any -> any 135:445 (msg:"US-CERT MS06-040 Indicator"; content:"| 90 90 EB 04 2B 38 03 78 |";  rev:1;)

Which will run the rule on all ports 135 THROUGH 445.

I would also improve the rule:

alert tcp $EXTERNAL_NET any -> $HOME_NET 135:445 (msg:"US-CERT MS06-040 Indicator"; flow:to_server,established; content:"|90 90 EB 04 2B 38 03 78|"; rev:2;)

However, I make absolutely no guarantees that the payload will be caught using that content match.  As you said it only detects one exploit.  Writing the rule in this fashion will only make you wind up with 20 rules for 20 different exploits.  The trick is to write the rule to look for the vulnerability, so no matter what the exploit method, it's detected everytime.

Many subscription services have other rules available (like snort.org) but due to licensing restrictions we cannot post them here at the Internet Storm Center until the owners have given us permission to do so.  So if you have any WORKING rules that you can share, please send them along via our contact page.  Also, see Adrien's note about today's Tip of the Day for writing good Snort rules.

Marcus H. Sachs
SRI International
Director, SANS Internet Storm Center

Keywords:
0 comment(s)
Diary Archives