Thursday, March 21, 2013

No WANG in my NOOP

A fresh IDS install is always noisy, especially on a network with lots of Windows hosts.  On of the main alerts I've seen on networks with multiple sites is: GPL SHELLCODE x86 inc ebx NOOP.    Should I be alarmed?  Let's see.

Let's take a look at the rule that tripped this signature:
alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE x86 inc ebx NOOP"; content:"CCCCCCCCCCCCCCCCCCCCCCCC"; fast_pattern:only; classtype:shellcode-detect; sid:2101390; rev:7;)

After a little analysis you notice that the vast majority of the alert traffic is ICMP between domain controllers, but the packets are relatively large at around 2000 bytes.

Ok, so let's dig a little further. if you check out the payload, you'll notice the string that triggered the rule.
But what's up that WANG2.....JFIF at the top. Maybe a dubious JPEG attempting to spread?  Not quite.

Pivoting from Sguil to NetworkMiner, you are able to extract the image and see that it's a simple logo from Microsoft.  Apparently, this type of traffic is used  in Slow Link Detection between clients and domain controllers when applying group policy. 

Ok, so we've established that it's a false positive so let's tweak the rule a little by exempting traffic containing the string WANG2 in the payload like so.  I added the following to my local.rules file and disabled the original rule.

alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE x86 inc ebx NOOP"; content:!"WANG2"; content:"CCCCCCCCCCCCCCCCCCCCCCCC"; fast_pattern:only; classtype:shellcode-detect; sid:90000000; rev:1;)

No comments:

Post a Comment