[Snort-openappid] wannacrypt rules

Geoffrey Serrao gserrao at ...4...
Sun May 14 21:30:57 EDT 2017


Hey Blason,

WCry uses the EternalBlue exploit for p2p spreading.

EternalBlue was covered as part of our MS17-010 coverage, all of which are
in community so here they are!

Here's the big one, for the EternalBlue exploit which wcry uses for
spreading:

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"OS-WINDOWS Microsoft Windows SMB remote code execution attempt"; flow:to_server,established; content:"|FF|SMB3|00 00 00 00|"; depth:9; offset:4; byte_extract:2,26,TotalDataCount,relative,little; byte_test:2,>,TotalDataCount,20,relative,little; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, ruleset community, service netbios-ssn; reference:cve,2017-0144; reference:cve,2017-0146; reference:url,isc.sans.edu/forums/diary/ETERNALBLUE+Possible+Window+SMB+Buffer+Overflow+0Day/22304/; reference:url,technet.microsoft.com/en-us/security/bulletin/MS17-010; classtype:attempted-admin; sid:41978; rev:3;)


The rest are all related to MS17-010, and so are good to have in place.

alert tcp any any -> $HOME_NET 445 (msg:"OS-WINDOWS Microsoft Windows SMBv1 identical MID and FID type confusion attempt"; flow:to_server,established; content:"|FF|SMB|2F 00 00 00 00|"; depth:9; offset:4; fast_pattern; byte_test:1,!&,0x80,0,relative; content:"|00 00 00 00 00 00 00 00 00 00|"; within:10; distance:5; byte_extract:2,6,mid,relative,little; content:"|FF 00|"; within:2; distance:1; byte_test:2,=,mid,2,relative,little; content:"|04 00|"; within:2; distance:12; byte_test:2,>,65000,0,relative,little; byte_test:2,>,500,4,relative,little; metadata:policy balanced-ips drop, policy security-ips drop, service netbios-ssn; reference:cve,2017-0143; reference:url,technet.microsoft.com/en-us/security/bulletin/MS17-010; classtype:attempted-admin; sid:41984; rev:4;)

alert tcp any any -> $HOME_NET 445 (msg:"OS-WINDOWS Microsoft Windows SMBv1 WriteAndX and TransSecondaryRequest TotalDataCount out of bounds write attempt"; flow:to_server,established; content:"|FF|SMB|26 00 00 00 00|"; depth:9; offset:4; fast_pattern; byte_test:1,!&,0x80,0,relative; content:"|00 00 00 00 00 00 00 00 00 00|"; within:10; distance:5; content:"|08|"; within:1; distance:8; byte_test:2,<,500,10,relative,little; byte_test:2,>,15500,14,relative,little; byte_test:2,<,16000,14,relative,little; metadata:policy security-ips drop, service netbios-ssn; reference:cve,2017-0145; reference:url,technet.microsoft.com/en-us/security/bulletin/MS17-010; classtype:attempted-admin; sid:42294; rev:1;)

This is the memory leak used to get the transaction2 dispatch table struct
address:

alert tcp any any -> $HOME_NET 445 (msg:"OS-WINDOWS Microsoft Windows SMB large NT RENAME transaction request information leak attempt"; flow:to_server,established; content:"|FF|SMB|A0 00 00 00 00|"; depth:9; offset:4; content:"|05 00|"; within:2; distance:60; byte_test:2,>,1024,0,relative,little; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service netbios-ssn; reference:url,msdn.microsoft.com/en-us/library/ee441910.aspx; reference:url,technet.microsoft.com/en-us/security/bulletin/MS17-010; classtype:attempted-recon; sid:42338; rev:1;)

This is the result of that memory leak, very obvious:

alert tcp $HOME_NET 445 -> any any (msg:"OS-WINDOWS Microsoft Windows SMB possible leak of kernel heap memory"; flow:to_client,established; content:"Frag"; fast_pattern; content:"Free"; content:"|FA FF FF|"; content:"|F8 FF FF|"; within:3; distance:5; content:"|F8 FF FF|"; within:3; distance:5; metadata:policy balanced-ips alert, policy security-ips drop, ruleset community, service netbios-ssn; reference:cve,2017-0147; reference:url,technet.microsoft.com/en-us/security/bulletin/MS17-010; classtype:attempted-recon; sid:42339; rev:2;)

Nice to have, especially if you don't allow SMBv1 on your network or
anonymous sessions:

alert tcp any any -> $HOME_NET 445 (msg:"OS-WINDOWS Microsoft Windows SMB anonymous session IPC share access attempt"; flow:to_server,established; flowbits:isset,smb.null_session; content:"|FF|SMB|75 00 00 00 00|"; depth:9; offset:4; content:"|00 5C 00|I|00|P|00|C|00|$|00 00 00|"; fast_pattern:only; metadata:policy security-ips drop, ruleset community, service netbios-ssn; reference:url,msdn.microsoft.com/en-us/library/ee441910.aspx; reference:url,technet.microsoft.com/en-us/security/bulletin/MS17-010; classtype:attempted-recon; sid:42340; rev:2;)

The above rule will indicate Wcry scans for victim machines.

On Sun, May 14, 2017 at 3:09 AM, Blason R <blason16 at ...8...> wrote:

> Hi Guys,
>
> What are the rule #s that make up the wannacrypt rules? Does anyone have any
> idea?
>
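As an added illustration (not part of the post above or of the Snort/Talos rule set), the following Python models how the content/offset/depth anchors of the posted rules map onto the SMB1 header, how the byte_test:1,!&,0x80 clause restricts sids 41984 and 42294 to requests, and what the UTF-16LE IPC$ content of sid 42340 actually matches. The header builder, the command-name table and the sample paths are constructed here; flow and flowbits state is not modelled.

```python
import struct

NBT_HEADER_LEN = 4  # NetBIOS session service header that precedes the SMB header

# Constructed table: the command byte inside each rule's 9-byte anchor ("|FF|SMB" +
# command + NT status 00 00 00 00, matched with offset:4 depth:9). Names per MS-CIFS.
RULE_ANCHORS = {
    41978: (0x33, "SMB_COM_TRANSACTION2_SECONDARY"),  # content:"|FF|SMB3|00 00 00 00|"
    41984: (0x2F, "SMB_COM_WRITE_ANDX"),
    42294: (0x26, "SMB_COM_TRANSACTION_SECONDARY"),
    42338: (0xA0, "SMB_COM_NT_TRANSACT"),
    42340: (0x75, "SMB_COM_TREE_CONNECT_ANDX"),
}
# Rules carrying byte_test:1,!&,0x80,0,relative: the Flags byte right after the anchor
# must not have the reply bit (0x80) set, so only requests can match.
REQUEST_ONLY = {41984, 42294}
# sid 42340 content: UTF-16LE "\IPC$" plus its terminator, preceded by the previous
# character's high byte. The rule has no nocase, so the match is case-sensitive.
IPC_SHARE_CONTENT = b"\x00\x5c\x00I\x00P\x00C\x00$\x00\x00\x00"


def build_smb1_header(command, flags=0x18):
    """Constructed NBT header + 32-byte SMB1 request header (no body) for `command`."""
    hdr = b"\xffSMB" + bytes([command]) + struct.pack("<I", 0)  # command, NT status
    hdr += bytes([flags]) + struct.pack("<HH", 0xC807, 0)      # Flags, Flags2, PIDHigh
    hdr += b"\x00" * 8 + struct.pack("<5H", 0, 0, 0, 0, 0)     # SecurityFeatures .. MID
    return struct.pack(">I", len(hdr)) + hdr                    # NBT: type 0 + length


def anchor_hits(packet):
    """Return the sids whose anchor (and reply-bit test, where present) matches."""
    base = NBT_HEADER_LEN
    if len(packet) < base + 10 or packet[base:base + 4] != b"\xffSMB":
        return []
    command, status, flags = packet[base + 4], packet[base + 5:base + 9], packet[base + 9]
    if status != b"\x00\x00\x00\x00":
        return []
    hits = []
    for sid, (rule_cmd, _name) in sorted(RULE_ANCHORS.items()):
        if command == rule_cmd and not (sid in REQUEST_ONLY and flags & 0x80):
            hits.append(sid)
    return hits


def tree_connect_path_matches(path):
    """True when the UTF-16LE TreeConnectAndX path contains sid 42340's content."""
    # The real rule additionally requires flowbits:isset,smb.null_session (not modelled).
    return IPC_SHARE_CONTENT in path.encode("utf-16-le") + b"\x00\x00"
```

The case-sensitivity check is the practical takeaway: a client sending the share name as "ipc$" would not hit sid 42340's content even though the server treats the name case-insensitively.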