SMB rule, but exclusion needed

Hi,

We’re using SecurityOnion 2.3.260 (but this isn’t version-specific) which runs Suricata 6.

I’m experiencing issues with some particular rules that we’re trying to modify. The rule is as follows:

alert smb any any -> $HOME_NET 445 (msg:"ET HUNTING Possible Powershell .ps1 Script Use Over SMB"; flow:established,to_server; content:"SMB"; content:!"D.R.M.M.A.g.e.n.t.D.e.p.l.o.y.\.p.s.1."; content:!".W.e.b.e.x.\.p.s.1"; content:!".m.a.i.n._.m.e.n.u.\.p.s.1."; content:"|00|.|00|p|00|s|00|1|00|"; nocase; distance:0; bypass; classtype:bad-unknown; sid:90000009; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_04_16, deployment Internal, former_category POLICY, signature_severity Informational, updated_at 2019_04_16;)

The rule seems to trigger every few minutes leading to thousands and thousands of alerts per day. I’ve tried without ‘bypass’, I’ve tried with and without content:! lines, seemingly everything… but the rule keeps firing away.

The network data shows:

…X.SMB@…8…b…C…Qx…7/…].S.<…<…SMB@…c…zj".i6C.%…$9…x…MxAc…SMB@…d…aCo+9I2…^0…e.v)…"8…h…h.SMB@…e…C.{.)…“8…h…^.S.<…3…<…X.SMB@…8…f…sm…&…lt\o…F…^.S.<…3…<… .SMB@…g…E.E…ub…-1”.M.9…x.&…s.e.r v.e.r.n.a.m.e.-.r.e.d.a.c.t.e.d…l.o.c.a.l…MxAc…SMB@…h…X.5,fgC.s…)…"8…h…X.SMB@…8…i…^Y…3…B…_.S.<…<…0.SMB@…j…^…\L-9…x.8…s.e.r v.e.r.n.a.m.e.-.r.e.d.a.c.t.e.d…l.o.c.a.l..P.o.l.i.c.i.e.s…MxAc…SMB@…k…&.Sqq…v.^)…"8…h…X.SMB@…8…l…:…rA…%…x….S.<...y.0.<......0.SMB@...................m........................"Q(..k......fYx9...........................................x.8.........s.e.r v.e.r.n.a.m.e.-.r.e.d.a.c.t.e.d...l.o.c.a.l.\.P.o.l.i.c.i.e.s.................MxAc.....SMB@...................n.......................c.......v.......).."8...h..................................X.SMB@...........8.......o........................4.\....qb....bW........a.S.<...9.0.<......0.SMB@...........8.......p.......................{.....*..S...MG.9......................................... .x.......0...s.e.r v.e.r.n.a.m.e.-.r.e.d.a.c.t.e.d...l.o.c.a.l.\.P.o.l.i.c.i.e.s.\.D.R.M.M.A.g.e.n.t.D.e.p.l.o.y.\.D.R.M.M.A.g.e.n.t.D.e.p.l.o.y...p.s.1.................MxAc....................QFid.......h.SMB@...........8.......q.......................=...XJ.Wp..3tG..).."8...h...............b.S.<.......<......<.SMB@...........8.......r...........................e..@..3..x.l9.......................................!@..x.…d…s.e.r v.e.r.n.a.m.e.-.r.e.d.a.c.t.e.d…l.o.c.a.l..P.o.l.i.c.i.e.s..D.R.M.M.A.g.e.n.t.D.e.p.l.o.y…MxAc…4…RqLs…{…X…H…a.S+.u…;…SMB@…8…s…].d…z…$…y…9…!@…x.8…d…s.e.r.v.e.r.n.a.m.e.-.r.e.d.a.c.t.e.d…l.o.c.a.l..P.o.l.i.c.i.e.s…MxAc…4…RqLs…a.S+.u…;…H.0…F…%5z.c2y…

I’m still assuming it has something to do with the ‘.’ in between everywhere, but tinkering with that particular option doesn’t help much either.

All in all, all I want to do is trigger the SMB PS1-traffic rule except when it encounters a few known PS1 scripts like the DRMMAgentDeploy.ps1, webex.ps1 and main_menu.ps1.

Hello There!

I think you’ve got it correct here. But the dots are not literal . (\x2e) characters; they are likely null bytes. Try replacing all those dots with |00| and see what that gets ya.

If you’ve got the pcap (or base64 encoded packet payload) be sure to view the traffic in “hex dump” mode, which lets you see the values of the non-ASCII-printable bytes!

Something like this should do the trick.

alert smb any any -> $HOME_NET 445 (msg:"ET HUNTING Possible Powershell .ps1 Script Use Over SMB"; flow:established,to_server; content:"SMB"; content:!"D|00|R|00|M|00|M|00|A|00|g|00|e|00|n|00|t|00|D|00|e|00|p|00|l|00|o|00|y|00|.|00|p|00|s|00|1|00|"; content:!"|00|W|00|e|00|b|00|e|00|x|00|.|00|p|00|s|00|1"; content:!"|00|m|00|a|00|i|00|n|00|_|00|m|00|e|00|n|00|u|00|.|00|p|00|s|00|1|00|"; content:"|00|.|00|p|00|s|00|1|00|"; nocase; distance:0; bypass; classtype:bad-unknown; sid:90000009; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_04_16, deployment Internal, former_category POLICY, signature_severity Informational, updated_at 2019_04_16;)

As a side note, great job tuning this rule to your local environment! It’s nice to see it not just getting disabled.

It would be really cool to use a flowvar to capture the filename and include it in the logs of the alerts, then maybe you could build a list and alert on new files “downstream” of suricata. Heck, there might even be a way to do that with datasets? I’m not sure.

The details of the flowvar thing can be found here, Stamus speaks about it in capturing the log4j payload domains. It looks like the docs are missing for this option.

This is the “magic” part that produces the flowvar.

pcre:"/([^:/$]+)/R,flow:rce_server"; 
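An added example (not from the thread or from Suricata itself) that shows why the "dots" in the hex dump are UTF-16LE null bytes and builds the |00|-style content strings from a plain filename; the SMB payload bytes are constructed for illustration, not taken from the poster's capture:

```python
# Added illustration: SMB2 carries file names as UTF-16LE, so every ASCII
# character is followed by a 0x00 byte, which a hex dump's ASCII column prints as '.'.
import re

def utf16le_bytes(name: str) -> bytes:
    """Encode a file name the way it appears on the wire in an SMB2 request."""
    return name.encode("utf-16-le")

def ascii_view(data: bytes) -> str:
    """Mimic a hex-dump ASCII column: non-printable bytes (incl. 0x00) show as '.'."""
    return "".join(chr(b) if 32 <= b < 127 else "." for b in data)

def suricata_content(name: str) -> str:
    """Turn a file name into a Suricata content string: literals kept, nulls as |00|."""
    out = []
    for b in utf16le_bytes(name):
        if b == 0:
            out.append("|00|")
        elif 32 <= b < 127 and chr(b) not in '"|;\\':
            out.append(chr(b))
        else:
            out.append("|%02x|" % b)  # escape anything Suricata would not take literally
    return "".join(out)

def content_to_bytes(content: str) -> bytes:
    """Decode a Suricata content string (with |hh| hex escapes) back into raw bytes."""
    out = bytearray()
    for tok in re.split(r"(\|[0-9a-fA-F ]+\|)", content):
        if tok.startswith("|"):
            out += bytes.fromhex(tok.strip("|"))
        else:
            out += tok.encode("ascii")
    return bytes(out)

# Constructed sample payload (hypothetical, not the poster's capture): SMB2 header
# magic followed by a UTF-16LE path that should be excluded by the rule.
SAMPLE = b"\xfeSMB" + b"\x00" * 8 + utf16le_bytes(r"Policies\DRMMAgentDeploy\DRMMAgentDeploy.ps1")

def matches(content: str, data: bytes = SAMPLE) -> bool:
    """Plain substring check standing in for Suricata's content matcher."""
    return content_to_bytes(content) in data

if __name__ == "__main__":
    print(ascii_view(utf16le_bytes("DRMMAgentDeploy.ps1")))   # the dotted form seen in the dump
    print(suricata_content("DRMMAgentDeploy.ps1"))            # the form the exclusion needs
    print(matches("D.e.p.l.o.y...p.s.1."), matches(suricata_content("DRMMAgentDeploy.ps1")))
```

The dotted exclusion copied from the ASCII column never matches the real bytes, so the negated content does nothing and the rule keeps firing; the |00| form matches and suppresses the alert.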

Thanks a ton! It seems to work fine that way! I never noticed the ‘dots’ may not be actual punctuation…

Though I have no clue what flowvars are and how SecurityOnion will use those (technically I have an idea what it is but haven’t read up about it) it’s worth looking into as well.

Thanks again!
