Sig. 35646-0 SMB Transaction Parsing Vulnerability

deeznuts420
Level 1

Hello all, I searched on this one and didn't get any hits so here it goes.  I began receiving a flood of warnings from my IPS saying that signature 35646-0 was being triggered.  All of the attackers and victims are internal and they all revolve around our internal websites and developers who work on them.  All the servers and workstations are coming up clean on AV scans and I don't see any other examples of this signature being triggered.  Does anyone have any experience with this particular signature/threat, or any ideas on how I can determine if it's hopefully just a false-positive and not infected machines?  Thanks all.

-Adam

23 Replies

Damian Coverly
Level 1

Hi Adam,

I have the same issue; however, I've narrowed mine down to synchronization software I'm using between a server at my DC and my local network. When I turn the sync app off the alerts stop. I've been running this process for years, so this alert came out of the blue and I thought it was an attack at first.

When did yours start? Mine started on Friday afternoon so I'm assuming it is something to do with a signature update pushed out then.

Could anyone else shed any light on this?

Regards, Damian.

If you know what signature pack was applied on that Friday, you can look in the release notes to see if that signature has been added (new signatures are usually the noisiest) or changed. You can also edit the signature to grab a packet capture of the traffic and see if it is doing what the signature is warning you about.

- Bob

Hey Damian, mine began on Thursday, 1/5/12 around 3:00 PM EST.  So far, I've narrowed it down to SMB traffic between our web servers and the web programmers/designers.  I have also noticed a few DCs of ours as victims as well; I would assume that was due to SYSVOL access for GP updates, etc. by the clients.  I do find it interesting that we're showing similar symptoms though.

@rhermes, I actually have our IPS set up to forward me a copy of the offending packet, and sure enough I can see the code/text/patterns that are triggering the sig; however, it appears to be encrypted and therefore doesn't really shine any light on what could be causing it.

To me, this is a great example of how Cisco is horrible at releasing up-to-date signatures.  This signature is for a vulnerability that is approaching a year old now (Microsoft released a security bulletin on April 12th 2011 (1)), and was just released by Cisco last week (2).

If you're like everyone else, your servers should already be patched and this is really a non-issue (for impact anyway).  But now I'm getting 200 alerts every 10 minutes because Cisco in their infinite wisdom decided to finally release a sig for this.

Being that Cisco hasn't disclosed, or allowed me to see, the regex setting for this STRING-TCP sig, I have no way of knowing what this signature is even alerting on.  For all I know, they are looking for "[sS][mM][Bb]" in a packet with a dst port of 139 or 445, which would make this sig total crap. Now I have to go through and figure out what is causing this signature to fire, make sure it's not malicious, and then either tune this sig, or more than likely disable it. 

1) https://technet.microsoft.com/en-us/security/bulletin/ms11-020

2) http://tools.cisco.com/security/center/viewIpsSignature.x?signatureId=35646&signatureSubId=0&softwareVersion=6.0&releaseVersion=S615
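As an added example (it is not from this thread and not Cisco's signature logic), the script below does the sort of triage the post above is asking for: given the TCP payloads of flows to ports 139/445 that an IPS captured, it parses the NetBIOS session header and the SMB1/SMB2 header and reports which command each message carries, so alerts can be sorted into "carries an SMB Transaction request" (the command family the signature name refers to) versus "merely contains the bytes SMB". The header layouts come from the MS-CIFS and MS-SMB2 specifications; the regex is the hypothetical pattern the poster speculated about, and the sample flows, addresses and the "sync app" banner are constructed stand-ins for captured packets, not real traffic.

```python
import re
import struct

# SMB1 command codes from [MS-CIFS]; only those needed here.
SMB1_COMMANDS = {0x25: "SMB_COM_TRANSACTION", 0x26: "SMB_COM_TRANSACTION_SECONDARY",
                 0x2E: "SMB_COM_READ_ANDX", 0x32: "SMB_COM_TRANSACTION2",
                 0x33: "SMB_COM_TRANSACTION2_SECONDARY", 0x72: "SMB_COM_NEGOTIATE",
                 0xA0: "SMB_COM_NT_TRANSACT", 0xA1: "SMB_COM_NT_TRANSACT_SECONDARY"}
TRANSACTION_COMMANDS = {0x25, 0x26, 0x32, 0x33, 0xA0, 0xA1}
# SMB2 command codes from [MS-SMB2]; only those needed here.
SMB2_COMMANDS = {0x00: "NEGOTIATE", 0x01: "SESSION_SETUP", 0x03: "TREE_CONNECT",
                 0x05: "CREATE", 0x08: "READ", 0x09: "WRITE", 0x0B: "IOCTL"}
# Hypothetical pattern the poster above speculated a STRING-TCP signature might use.
NAIVE_PATTERN = re.compile(rb"[sS][mM][bB]")


def parse_smb(payload: bytes) -> dict:
    """Parse one NetBIOS Session Service message and the SMB header inside it."""
    if len(payload) < 4:
        return {"dialect": None, "reason": "too short for a NetBIOS session header"}
    nb_type, nb_len = payload[0], int.from_bytes(payload[1:4], "big")
    if nb_type != 0x00:  # 0x00 = Session Message; anything else is not SMB framing
        return {"dialect": None, "reason": f"NetBIOS session type 0x{nb_type:02x}"}
    body = payload[4:4 + nb_len]
    if body[:4] == b"\xffSMB":
        if len(body) < 32:  # the SMB1 header is a fixed 32 bytes
            return {"dialect": "SMB1", "reason": "truncated SMB1 header"}
        cmd = body[4]  # Command byte directly follows the 4-byte protocol id
        return {"dialect": "SMB1", "command": cmd,
                "command_name": SMB1_COMMANDS.get(cmd, f"0x{cmd:02x}"),
                "transaction": cmd in TRANSACTION_COMMANDS}
    if body[:4] == b"\xfeSMB":
        if len(body) < 64:  # the SMB2 header is a fixed 64 bytes
            return {"dialect": "SMB2", "reason": "truncated SMB2 header"}
        cmd = struct.unpack_from("<H", body, 12)[0]  # Command: LE uint16 at offset 12
        return {"dialect": "SMB2", "command": cmd,
                "command_name": SMB2_COMMANDS.get(cmd, f"0x{cmd:04x}"),
                "transaction": False}  # SMB2 has no Transaction command family
    return {"dialect": None, "reason": "no SMB header after NetBIOS session header"}


def smb1_message(command: int, body: bytes = b"") -> bytes:
    """Build a minimal SMB1 message (constructed test data) with a zeroed 32-byte header."""
    smb = b"\xffSMB" + bytes([command]) + b"\x00" * 27 + body
    return b"\x00" + len(smb).to_bytes(3, "big") + smb


def smb2_message(command: int, body: bytes = b"") -> bytes:
    """Build a minimal SMB2 message (constructed test data) with a 64-byte header."""
    header = b"\xfeSMB" + struct.pack("<HHIH", 64, 0, 0, command) + b"\x00" * 50
    return b"\x00" + len(header + body).to_bytes(3, "big") + header + body


# Constructed sample flows standing in for captured packets; addresses are made up.
SAMPLE_FLOWS = [
    # a designer's workstation opening a file on a web server: SMB2 CREATE
    {"src": "10.0.5.21", "dst": "10.0.1.10", "dport": 445,
     "payload": smb2_message(0x05, b"\x39\x00" + b"\x00" * 55)},
    # a client querying SYSVOL on a DC with a legacy SMB1 TRANSACTION2 request
    {"src": "10.0.5.22", "dst": "10.0.1.5", "dport": 445,
     "payload": smb1_message(0x32, b"\x0f" + b"\x00" * 30)},
    # an SMB1 read whose file data happens to contain the letters "smb"
    {"src": "10.0.5.23", "dst": "10.0.1.10", "dport": 139,
     "payload": smb1_message(0x2E, b"path=/etc/smb.conf\n")},
    # a non-SMB protocol on 445 whose banner mentions SMB (no NetBIOS/SMB framing)
    {"src": "10.0.5.24", "dst": "10.0.1.12", "dport": 445,
     "payload": b"SYNC/2.0 mode=SMB-compatible\r\n"},
]


def triage(flows: list) -> list:
    """Annotate each flow with the naive-pattern verdict and the parsed SMB command."""
    out = []
    for f in flows:
        parsed = parse_smb(f["payload"])
        naive = f["dport"] in (139, 445) and NAIVE_PATTERN.search(f["payload"]) is not None
        out.append({"src": f["src"], "dst": f["dst"], "dport": f["dport"],
                    "naive_hit": naive, "dialect": parsed.get("dialect"),
                    "command_name": parsed.get("command_name", parsed.get("reason")),
                    "transaction": parsed.get("transaction", False)})
    return out


def summarize(results: list) -> dict:
    """Count naive-pattern hits versus flows that really carry Transaction requests."""
    return {"naive_hits": sum(r["naive_hit"] for r in results),
            "smb_messages": sum(r["dialect"] is not None for r in results),
            "transaction_requests": sum(r["transaction"] for r in results)}


if __name__ == "__main__":
    results = triage(SAMPLE_FLOWS)
    for r in results:
        print(f'{r["src"]:>10} -> {r["dst"]}:{r["dport"]}  naive={r["naive_hit"]!s:5}  '
              f'{r["dialect"] or "-":4} {r["command_name"]}  transaction={r["transaction"]}')
    print(summarize(results))
```

On the constructed flows the naive pattern flags all four, while only one actually carries a Transaction request, which is the kind of ratio you would want in hand before deciding whether to tune a filter for specific hosts or disable the signature. To use it on real captures, feed it the reassembled TCP payloads (from tshark or scapy, for instance) in place of SAMPLE_FLOWS.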

murphy.brandon
Level 1

FYI - I've got about 8 packet captures of this, 5 of which have full SMB sessions.  I'll be opening a ticket with Cisco tomorrow to figure out why this signature is firing so often, I'm sure there are some benign triggers.  I'll keep you guys updated.

That's excellent Brandon, thanks for opening the ticket and keeping us in the loop.

We are also being affected by this one (just came on here to see if there were any answers!) so would definitely be interested in any updates you get - thanks.

murphy.brandon
Level 1

I'll provide a quick update on my ticket.  Ticket is open and pcaps have been provided.  I specifically asked the following questions after getting a disappointing initial response.

-----------------------------------------------------------------------------------

1) Have you found the specially-crafted SMB requests in any of the packet captures?
2) If not, can you validate that this signature is firing alerts on benign traffic and that they are false positives?
3) If so, can you confirm this traffic is actually malicious in nature and that they are true positives?

Based on the provided packet captures and the volume of alerts, this signature appears to be susceptible to false positives in Windows environments.  This is not depicted on the following link, which clearly states "There are no known benign triggers." and "There are no suggested filters."

http://tools.cisco.com/security/center/viewIpsSignature.x?signatureId=35646&signatureSubId=0&softwareVersion=6.0&releaseVersion=S615

----------------------------------------------------------------------------------------

I'm still waiting for a response on that.  If there are any other questions anyone has, feel free to let me know and I'll add them to the ticket.

Thanks for the update Brandon - I think those 3 questions you asked should give us a good idea on how to proceed, assuming Cisco can answer them with some authority.

ruppala
Level 1

The Signature team is currently looking into this issue. I will keep the forum updated with the results.

lukeprimm
Level 1

Same with us, looks like they started on 01/05/2012 and have been firing ever since on a daily basis.  Anxiously awaiting an answer. Thanks

Dear all,

I also have the same problem. Is there any news on this issue? Thanks

Unfortunately there hasn't been much progress made on my ticket. I've requested that the ticket be escalated to signature developers. Hopefully some more progress will be made on the ticket soon; I will keep you all updated.

While I haven't heard anything regarding the ticket, I did just get a notification of S621, which includes the updated sig.

http://tools.cisco.com/security/center/viewBulletin.x?bId=437&year=2012
