content:!"" appears to not be working inside of rule "ET POLICY SMB2 NT Create AndX Request For a DLL File - Possible Lateral Movement"

afternoon everyone,

I’m trying to learn more about Suricata by editing rules and reducing false positives. I have a repeat offender that finds DLLs from print servers that I have been trying to adjust. I disabled rule 1:2025709 "ET POLICY SMB2 NT Create AndX Request For a DLL File - Possible Lateral Movement" and copied it to my local.rule file to manipulate it.

At the end of the normal rule, after the content portions, I have placed both versions of this PostScript DLL I wish to ignore: content:!"|00|P|00|S|00|5|00|U|00|I|00||00||00|D|00|L|00|L|00|"; and content:!"PS5UI.DLL"; but I still keep getting detections on this.

Any advice?

Do you happen to have a pcap file you can share? And could you share the exact contents of your rules with modifications?

I do not have a pcap of this traffic unfortunately. I’m looking at the payload that suricata is decoding from the alert.

I’ve modified the rule from ET policy in my own local.rules file with content:! at the end of the statement. I can not find a specific example at the moment from what I referenced in the initial discussion, but here is a DLL I’ve found in the payload to be true that I wish to ignore: K.O.B.D.r.v.A.P.I.I.F.3.2…d.l.l. which should be

```
content:!"|00|K|00|O|00|B|00|D|00|r|00|v|00|A|00|P|00|I|00|I|00|F|00|3|00|2|00||00||00|d|00|l|00|l|00|";
```

```
alert tcp any any -> $HOME_NET 445 (msg:"ET INFO SMB2 NT Create AndX Request For a DLL File - Possible Lateral Movement"; flow:established,to_server; content:"SMB"; depth:8; content:"|05 00|"; distance:8; within:2; content:"|00 2E 00|d|00|l|00|l|00|"; nocase; distance:0; content:!"|00|P|00|S|00|5|00|U|00|I|00||00||00|D|00|L|00|L|00|"; content:!"PS5UI.DLL"; content:!"|00|K|00|O|00|B|00|D|00|r|00|v|00|A|00|P|00|I|00|I|00|F|00|3|00|2|00||00||00|d|00|l|00|l|00|"; classtype:bad-unknown; sid:1000006; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target SMB_Client, created_at 2018_07_16, deployment Internal, signature_severity Minor, updated_at 2024_09_16, mitre_tactic_id TA0008, mitre_tactic_name Lateral_Movement, mitre_technique_id T1570, mitre_technique_name Lateral_Tool_Transfer;)
```

Sorry for the delayed response. Without having the pcap, I am not sure what the exact negation would be. In general I would look into the following:

  • add a nocase; for your negates to cover any casing differences
  • change the |00||00||00| patterns to |00 00 00|
  • with regard to the |00 00 00| contents, I would double check that the data is actually all |00| sometimes that isn’t the case

If you are able to share a pcap down the road feel free to post it. Hope that helps.

JT

I will give this a shot and follow back up.

I know that Suricata can read pcaps and alert on detections, but is there a way to capture or generate pcaps with Suricata?

If not, I’ll try to run tcpdump and create a pcap to audit.

  • with regard to the |00 00 00| contents, I would double check that the data is actually all |00| sometimes that isn’t the case

^ This was the issue. I used tcpdump to collect a pcap and found that the spaces had a period nested in there. Changing it to |00|.|00| is filtering out the DLLs accordingly.

Thank you for your assistance.
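To see why the negations in the rule above never matched while the |00|.|00| version does, here is an added Python check; it is not from the thread or from Suricata. It converts Suricata content strings with |..| hex blocks into bytes and tests them against a file name encoded as UTF-16LE, which is how the SMB2 CREATE request carries it. The helper names and the sample share path are constructed for illustration.

```python
import re

# Added example (not from the thread or from Suricata): decode Suricata content
# patterns into bytes and test them against an SMB2 file name, which the SMB2
# CREATE request carries as UTF-16LE. Helper names and the sample path are
# constructed for illustration.

HEX_BLOCK = re.compile(r"\|([0-9A-Fa-f ]*)\|")


def content_to_bytes(content: str) -> bytes:
    """Turn a Suricata content pattern such as 'S|00|M|00|' into raw bytes.
    Text outside |...| is literal; inside, hex bytes optionally separated by spaces,
    so '|00||00||00|' and '|00 00 00|' decode to the same three bytes."""
    out = bytearray()
    pos = 0
    for m in HEX_BLOCK.finditer(content):
        out += content[pos:m.start()].encode("ascii")
        out += bytes.fromhex(m.group(1).replace(" ", ""))
        pos = m.end()
    out += content[pos:].encode("ascii")
    return bytes(out)


def smb2_name(path: str) -> bytes:
    """SMB2 encodes the CREATE request's file name as UTF-16LE without a BOM,
    so every ASCII character is followed by a 0x00 byte."""
    return path.encode("utf-16-le")


def negation_suppresses(content: str, payload: bytes, nocase: bool = False) -> bool:
    """content:!"..." blocks the alert only when the pattern IS present in the
    payload (the negated match then fails). True means this negation would
    suppress the alert for this payload."""
    pat = content_to_bytes(content)
    if nocase:
        return pat.lower() in payload.lower()
    return pat in payload


# The two negations tried in the thread, plus the corrected one.
ASCII_ONLY = "PS5UI.DLL"
NULLS_FOR_DOT = "|00|P|00|S|00|5|00|U|00|I|00||00||00|D|00|L|00|L|00|"
DOT_FIXED = "|00|P|00|S|00|5|00|U|00|I|00|.|00|D|00|L|00|L|00|"

# Constructed sample path; a real request carries whatever path the client opened.
SAMPLE_PATH = r"spool\drivers\x64\3\PS5UI.DLL"


def check_thread_patterns(path: str = SAMPLE_PATH) -> dict:
    """Report which negation would actually suppress an alert for `path`."""
    payload = smb2_name(path)
    return {
        "ascii_only": negation_suppresses(ASCII_ONLY, payload),
        "nulls_for_dot": negation_suppresses(NULLS_FOR_DOT, payload),
        "dot_fixed": negation_suppresses(DOT_FIXED, payload),
    }


if __name__ == "__main__":
    print(smb2_name(SAMPLE_PATH))
    for label, suppressed in check_thread_patterns().items():
        print(f"{label:14s} suppresses alert: {suppressed}")
```

The plain ASCII negation never matches because the wire bytes have a null after every character, and the |00||00||00| version never matches because the dot in the name is encoded as 2E 00, not 00 00. Only the |00|.|00| pattern is found in the payload, and adding nocase lets it also cover a lower-case ps5ui.dll.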

Suricata can write pcaps a couple different ways. You can write all packets:
https://docs.suricata.io/en/latest/configuration/suricata-yaml.html#packet-log-pcap-log

or write conditionally/only when alerts fire:
https://docs.suricata.io/en/latest/rules/tag.html#conditional-pcap-logging

JT