false positive for Windows RPC DCOM Overflow id=3327 version=S188

matt_Travis — Sun, 10 Mar 2019 09:42:52 GMT

Hi,

Could you take a look at the below capture to see if there is false positive at work.

Thanks,

Matt

signature: description=Windows RPC DCOM Overflow id=3327 version=S188

subsigId: 6

sigDetails: \\\x3c400 chars>\

interfaceGroup:

vlan: 0

participants:

attacker:

addr: locality=INTERNAL <address removed>

port: 1914

target:

addr: locality=INTERNAL <address removed>

port: 445

context:

fromTarget:

000000 63 00 5F 00 66 00 73 00 2E 00 6E 00 6F 00 72 00 c._.f.s...n.o.r.

000010 74 00 68 00 62 00 61 00 79 00 62 00 61 00 6E 00 t.h.b.a.y.b.a.n.

000020 63 00 6F 00 72 00 70 00 2E 00 63 00 6F 00 6D 00 c.o.r.p...c.o.m.

000030 00 00 00 00 57 00 69 00 6E 00 64 00 6F 00 77 00 ....W.i.n.d.o.w.

000040 73 00 20 00 35 00 2E 00 30 00 00 00 57 00 69 00 s. .5...0...W.i.

000050 6E 00 64 00 6F 00 77 00 73 00 20 00 32 00 30 00 n.d.o.w.s. .2.0.

000060 30 00 30 00 20 00 4C 00 41 00 4E 00 20 00 4D 00 0.0. .L.A.N. .M.

000070 61 00 6E 00 61 00 67 00 65 00 72 00 00 00 00 00 a.n.a.g.e.r.....

000080 00 7E FF 53 4D 42 73 00 00 00 00 98 07 C8 00 00 .~.SMBs.........

000090 00 00 00 00 00 00 00 00 00 00 00 00 FF FE 00 48 ...............H

0000A0 C0 3E 04 FF 00 7E 00 00 00 09 00 53 00 A1 07 30 .>...~.....S...0

0000B0 05 A0 03 0A 01 00 57 00 69 00 6E 00 64 00 6F 00 ......W.i.n.d.o.

0000C0 77 00 73 00 20 00 35 00 2E 00 30 00 00 00 57 00 w.s. .5...0...W.

0000D0 69 00 6E 00 64 00 6F 00 77 00 73 00 20 00 32 00 i.n.d.o.w.s. .2.

0000E0 30 00 30 00 30 00 20 00 4C 00 41 00 4E 00 20 00 0.0.0. .L.A.N. .

0000F0 4D 00 61 00 6E 00 61 00 67 00 65 00 72 00 00 00 M.a.n.a.g.e.r...

fromAttacker:

000000 00 04 41 32 00 01 00 00 00 00 00 71 00 00 00 00 ..A2.......q....

000010 00 D4 00 00 80 B9 00 A1 6F 30 6D A2 6B 04 69 4E ........o0m.k.iN

000020 54 4C 4D 53 53 50 00 03 00 00 00 01 00 01 00 58 TLMSSP.........X

000030 00 00 00 00 00 00 00 59 00 00 00 00 00 00 00 48 .......Y.......H

000040 00 00 00 00 00 00 00 48 00 00 00 10 00 10 00 48 .......H.......H

000050 00 00 00 10 00 10 00 59 00 00 00 15 8A 88 E2 05 .......Y........

000060 00 93 08 00 00 00 0F 47 00 57 00 2D 00 30 00 30 .......G.W.-.0.0

000070 00 32 00 38 00 37 00 00 46 5A 5E 7D 09 B9 25 FB .2.8.7..FZ^}..%.

000080 EF 1F 07 DE BD 60 85 13 57 00 69 00 6E 00 64 00 .....`..W.i.n.d.

000090 6F 00 77 00 73 00 20 00 32 00 30 00 30 00 30 00 o.w.s. .2.0.0.0.

0000A0 20 00 32 00 31 00 39 00 35 00 00 00 57 00 69 00 .2.1.9.5...W.i.

0000B0 6E 00 64 00 6F 00 77 00 73 00 20 00 32 00 30 00 n.d.o.w.s. .2.0.

0000C0 30 00 30 00 20 00 35 00 2E 00 30 00 00 00 00 00 0.0. .5...0.....

0000D0 00 00 00 58 FF 53 4D 42 75 00 00 00 00 18 07 C8 ...X.SMBu.......

0000E0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 FF FE ................

0000F0 00 48 00 3F 04 FF 00 58 00 08 00 01 00 2D 00 00 .H.?...X.....-..

Re: false positive for Windows RPC DCOM Overflow id=3327 version

craiwill — Wed, 26 Oct 2005 12:43:25 GMT

This is indeed a false positive. You can either filter out trusted hosts or create a metasignature using this signature as a component to reduce the chance of false positives.

Tune signature 3327-6 and remove the produce alert action.

Create a custom signature as follows:

Engine Meta

Component list:

3327-6

3328-0

Meta-reset-interval = 2

Severity high

Summarize

Met-key = Axxx – 1 unique victim

Component-list-in order = false

Event action: produce alert

This signature will only fire when signatures 3327-6 and 3328-0 fire. Since 3327-6 would have no event action of its own you would not see alerts from it.

Note that this signature does not have as high fidelity as the original 3327-6, that being said signature 3327-0 detects almost all public exploits for this vulnerability. We will note this in the NSDB.

topic Re: false positive for Windows RPC DCOM Overflow id=3327 version in Network Security

false positive for Windows RPC DCOM Overflow id=3327 version=S188

Re: false positive for Windows RPC DCOM Overflow id=3327 version