[Snort-openappid] wannacrypt rules

Geoffrey Serrao gserrao at ...4...
Sun May 14 21:38:31 EDT 2017


The rules sid 42329-42332, related to DoublePulsar, will also be very
valuable when Wcry probes for the DoublePulsar backdoor.

Those rules are not yet in the community ruleset so I can't post them here.

On Sun, May 14, 2017 at 9:30 PM, Geoffrey Serrao <gserrao at ...4...>
wrote:

> Hey Blason,
>
> WCry uses the EternalBlue exploit for p2p spreading.
>
> EternalBlue was covered as part of our MS17-010 coverage, all of which are
> in community so here they are!
>
> Here's the big one, for the EternalBlue exploit which wcry uses for
> spreading:
>
> alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"OS-WINDOWS Microsoft Windows SMB remote code execution attempt"; flow:to_server,established; content:"|FF|SMB3|00 00 00 00|"; depth:9; offset:4; byte_extract:2,26,TotalDataCount,relative,little; byte_test:2,>,TotalDataCount,20,relative,little; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, ruleset community, service netbios-ssn; reference:cve,2017-0144; reference:cve,2017-0146; reference:url,isc.sans.edu/forums/diary/ETERNALBLUE+Possible+Window+SMB+Buffer+Overflow+0Day/22304/; reference:url,technet.microsoft.com/en-us/security/bulletin/MS17-010; classtype:attempted-admin; sid:41978; rev:3;)
>
>
> The rest are all related to MS17-010, and so are good to have in place.
>
> alert tcp any any -> $HOME_NET 445 (msg:"OS-WINDOWS Microsoft Windows SMBv1 identical MID and FID type confusion attempt"; flow:to_server,established; content:"|FF|SMB|2F 00 00 00 00|"; depth:9; offset:4; fast_pattern; byte_test:1,!&,0x80,0,relative; content:"|00 00 00 00 00 00 00 00 00 00|"; within:10; distance:5; byte_extract:2,6,mid,relative,little; content:"|FF 00|"; within:2; distance:1; byte_test:2,=,mid,2,relative,little; content:"|04 00|"; within:2; distance:12; byte_test:2,>,65000,0,relative,little; byte_test:2,>,500,4,relative,little; metadata:policy balanced-ips drop, policy security-ips drop, service netbios-ssn; reference:cve,2017-0143; reference:url,technet.microsoft.com/en-us/security/bulletin/MS17-010; classtype:attempted-admin; sid:41984; rev:4;)
>
> alert tcp any any -> $HOME_NET 445 (msg:"OS-WINDOWS Microsoft Windows SMBv1 WriteAndX and TransSecondaryRequest TotalDataCount out of bounds write attempt"; flow:to_server,established; content:"|FF|SMB|26 00 00 00 00|"; depth:9; offset:4; fast_pattern; byte_test:1,!&,0x80,0,relative; content:"|00 00 00 00 00 00 00 00 00 00|"; within:10; distance:5; content:"|08|"; within:1; distance:8; byte_test:2,<,500,10,relative,little; byte_test:2,>,15500,14,relative,little; byte_test:2,<,16000,14,relative,little; metadata:policy security-ips drop, service netbios-ssn; reference:cve,2017-0145; reference:url,technet.microsoft.com/en-us/security/bulletin/MS17-010; classtype:attempted-admin; sid:42294; rev:1;)
>
> This is the memory leak used to get the transaction2 dispatch table struct
> address:
>
> alert tcp any any -> $HOME_NET 445 (msg:"OS-WINDOWS Microsoft Windows SMB large NT RENAME transaction request information leak attempt"; flow:to_server,established; content:"|FF|SMB|A0 00 00 00 00|"; depth:9; offset:4; content:"|05 00|"; within:2; distance:60; byte_test:2,>,1024,0,relative,little; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service netbios-ssn; reference:url,msdn.microsoft.com/en-us/library/ee441910.aspx; reference:url,technet.microsoft.com/en-us/security/bulletin/MS17-010; classtype:attempted-recon; sid:42338; rev:1;)
>
> This is the result of that memory leak, very obvious:
>
> alert tcp $HOME_NET 445 -> any any (msg:"OS-WINDOWS Microsoft Windows SMB possible leak of kernel heap memory"; flow:to_client,established; content:"Frag"; fast_pattern; content:"Free"; content:"|FA FF FF|"; content:"|F8 FF FF|"; within:3; distance:5; content:"|F8 FF FF|"; within:3; distance:5; metadata:policy balanced-ips alert, policy security-ips drop, ruleset community, service netbios-ssn; reference:cve,2017-0147; reference:url,technet.microsoft.com/en-us/security/bulletin/MS17-010; classtype:attempted-recon; sid:42339; rev:2;)
>
> Nice to have, especially if you don't allow SMBv1 on your network or
> anonymous sessions:
>
> alert tcp any any -> $HOME_NET 445 (msg:"OS-WINDOWS Microsoft Windows SMB anonymous session IPC share access attempt"; flow:to_server,established; flowbits:isset,smb.null_session; content:"|FF|SMB|75 00 00 00 00|"; depth:9; offset:4; content:"|00 5C 00|I|00|P|00|C|00|$|00 00 00|"; fast_pattern:only; metadata:policy security-ips drop, ruleset community, service netbios-ssn; reference:url,msdn.microsoft.com/en-us/library/ee441910.aspx; reference:url,technet.microsoft.com/en-us/security/bulletin/MS17-010; classtype:attempted-recon; sid:42340; rev:2;)
>
> The above rule will indicate Wcry scans for victim machines.
>
> On Sun, May 14, 2017 at 3:09 AM, Blason R <blason16 at ...8...> wrote:
>
>> Hi Guys,
>>
>> What are the rule #s comprising the wannacrypt rules? Does anyone have any
>> idea?
>>
>> _______________________________________________
>> Snort-openappid mailing list
>> Snort-openappid at lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/snort-openappid
>>
>> Please visit http://blog.snort.org to stay current on all the latest
>> Snort news!
>>
>
>
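As an added example that is not part of the original thread or the Snort ruleset: the Python below walks through what sid 41984 evaluates, mapping each content/byte_test option to the SMBv1 WriteAndX header field that sits at that offset, so a defender can see why the rule keys on MID equal to FID plus a raw-mode write with a large Remaining and DataLength. The packet builder and its sample values (TID/UID/PID, Flags2, zero filler data) are assumptions made for this example, not captured traffic.

```python
import struct

SMB_COM_WRITE_ANDX = 0x2F
FLAGS_REPLY = 0x80  # rule: byte_test:1,!&,0x80 -> only requests, never server replies


def sid_41984_matches(payload: bytes) -> bool:
    """True if this TCP payload (4-byte NetBIOS header included) satisfies sid 41984."""
    if len(payload) < 59:
        return False
    # content:"|FF|SMB|2F 00 00 00 00|"; depth:9; offset:4;
    # -> SMB magic, WriteAndX command, NT_STATUS success (bytes 4..12)
    if payload[4:13] != b"\xffSMB\x2f\x00\x00\x00\x00":
        return False
    # byte_test:1,!&,0x80,0,relative;  -> Flags byte at 13 with the reply bit clear
    if payload[13] & FLAGS_REPLY:
        return False
    # content:"|00 00 00 00 00 00 00 00 00 00|"; within:10; distance:5;
    # -> SecurityFeatures (8 bytes) + Reserved (2 bytes) at 18..27 all zero
    if payload[18:28] != b"\x00" * 10:
        return False
    # byte_extract:2,6,mid,relative,little;  -> MID at 34; cursor moves to 36 (WordCount)
    mid = struct.unpack_from("<H", payload, 34)[0]
    # content:"|FF 00|"; within:2; distance:1;  -> AndXCommand 0xFF (no chain), AndXReserved 0
    if payload[37:39] != b"\xff\x00":
        return False
    fid = struct.unpack_from("<H", payload, 41)[0]          # byte_test:2,=,mid,2,relative
    write_mode = struct.unpack_from("<H", payload, 51)[0]   # content:"|04 00|"; within:2; distance:12
    remaining = struct.unpack_from("<H", payload, 53)[0]    # byte_test:2,>,65000,0,relative
    data_length = struct.unpack_from("<H", payload, 57)[0]  # byte_test:2,>,500,4,relative
    return fid == mid and write_mode == 0x0004 and remaining > 65000 and data_length > 500


def build_write_andx(mid, fid, write_mode, remaining, data_length) -> bytes:
    """Construct a minimal SMBv1 WriteAndX request (WordCount 14); assumed values, not a capture."""
    hdr = b"\xffSMB" + bytes([SMB_COM_WRITE_ANDX]) + b"\x00" * 4  # Command, NT_STATUS
    hdr += b"\x18" + b"\x07\xc8" + b"\x00\x00"                   # Flags (request), Flags2, PIDHigh
    hdr += b"\x00" * 10                                          # SecurityFeatures, Reserved
    hdr += struct.pack("<HHHH", 1, 0xFEFF, 1, mid)               # TID, PIDLow, UID, MID
    # WordCount, AndXCommand, AndXReserved, AndXOffset, FID, Offset, Timeout,
    # WriteMode, Remaining, DataLengthHigh, DataLength, DataOffset, OffsetHigh
    words = struct.pack("<BBBHHIIHHHHHI", 14, 0xFF, 0, 0, fid, 0, 0,
                        write_mode, remaining, 0, data_length, 0, 0)
    body = struct.pack("<H", data_length) + b"\x00" * data_length  # ByteCount + zero filler
    smb = hdr + words + body
    return b"\x00" + len(smb).to_bytes(3, "big") + smb           # NetBIOS session header
```

An ordinary write such as `build_write_andx(mid=1, fid=0x4001, write_mode=0, remaining=0, data_length=64)` does not match, while `build_write_andx(mid=0x4000, fid=0x4000, write_mode=4, remaining=65535, data_length=4096)` does; flipping the reply bit in byte 13 of either packet turns the check off, as the rule's first byte_test intends.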

