<div dir="ltr"><div>Hey Blason, </div><div><br></div><div>WCry uses the EternalBlue exploit for p2p spreading. </div><div><br></div><div>EternalBlue was covered as part of our MS17-010 coverage, all of which are in community so here they are!</div><div><br></div><div>Here's the big one, for the EternalBlue exploit which wcry uses for spreading: </div><div><br></div><div>alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"OS-WINDOWS Microsoft Windows SMB remote code execution attempt"; flow:to_server,established; content:"|FF|SMB3|00 00 00 00|"; depth:9; offset:4; byte_extract:2,26,TotalDataCount,relative,little; byte_test:2,>,TotalDataCount,20,relative,little; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, ruleset community, service netbios-ssn; reference:cve,2017-0144; reference:cve,2017-0146; reference:url,<a href="http://isc.sans.edu/forums/diary/ETERNALBLUE+Possible+Window+SMB+Buffer+Overflow+0Day/22304/">isc.sans.edu/forums/diary/ETERNALBLUE+Possible+Window+SMB+Buffer+Overflow+0Day/22304/</a>; reference:url,<a href="http://technet.microsoft.com/en-us/security/bulletin/MS17-010">technet.microsoft.com/en-us/security/bulletin/MS17-010</a>; classtype:attempted-admin; sid:41978; rev:3;)</div><div><br></div><div><br></div><div>The rest are all related to MS17-010, and so are good to have in place. 
</div><div><br></div><div>alert tcp any any -> $HOME_NET 445 (msg:"OS-WINDOWS Microsoft Windows SMBv1 identical MID and FID type confusion attempt"; flow:to_server,established; content:"|FF|SMB|2F 00 00 00 00|"; depth:9; offset:4; fast_pattern; byte_test:1,!&,0x80,0,relative; content:"|00 00 00 00 00 00 00 00 00 00|"; within:10; distance:5; byte_extract:2,6,mid,relative,little; content:"|FF 00|"; within:2; distance:1; byte_test:2,=,mid,2,relative,little; content:"|04 00|"; within:2; distance:12; byte_test:2,>,65000,0,relative,little; byte_test:2,>,500,4,relative,little; metadata:policy balanced-ips drop, policy security-ips drop, service netbios-ssn; reference:cve,2017-0143; reference:url,<a href="http://technet.microsoft.com/en-us/security/bulletin/MS17-010">technet.microsoft.com/en-us/security/bulletin/MS17-010</a>; classtype:attempted-admin; sid:41984; rev:4;)</div><div><br></div><div>alert tcp any any -> $HOME_NET 445 (msg:"OS-WINDOWS Microsoft Windows SMBv1 WriteAndX and TransSecondaryRequest TotalDataCount out of bounds write attempt"; flow:to_server,established; content:"|FF|SMB|26 00 00 00 00|"; depth:9; offset:4; fast_pattern; byte_test:1,!&,0x80,0,relative; content:"|00 00 00 00 00 00 00 00 00 00|"; within:10; distance:5; content:"|08|"; within:1; distance:8; byte_test:2,<,500,10,relative,little; byte_test:2,>,15500,14,relative,little; byte_test:2,<,16000,14,relative,little; metadata:policy security-ips drop, service netbios-ssn; reference:cve,2017-0145; reference:url,<a href="http://technet.microsoft.com/en-us/security/bulletin/MS17-010">technet.microsoft.com/en-us/security/bulletin/MS17-010</a>; classtype:attempted-admin; sid:42294; rev:1;)</div><div><br></div><div>This is the memory leak used to get the transaction2 dispatch table struct address:</div><div><br></div><div>alert tcp any any -> $HOME_NET 445 (msg:"OS-WINDOWS Microsoft Windows SMB large NT RENAME transaction request information leak attempt"; flow:to_server,established; content:"|FF|SMB|A0 
00 00 00 00|"; depth:9; offset:4; content:"|05 00|"; within:2; distance:60; byte_test:2,>,1024,0,relative,little; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service netbios-ssn; reference:url,<a href="http://msdn.microsoft.com/en-us/library/ee441910.aspx">msdn.microsoft.com/en-us/library/ee441910.aspx</a>; reference:url,<a href="http://technet.microsoft.com/en-us/security/bulletin/MS17-010">technet.microsoft.com/en-us/security/bulletin/MS17-010</a>; classtype:attempted-recon; sid:42338; rev:1;)</div><div><br></div><div>This is the result of that memory leak, very obvious: </div><div><br></div><div>alert tcp $HOME_NET 445 -> any any (msg:"OS-WINDOWS Microsoft Windows SMB possible leak of kernel heap memory"; flow:to_client,established; content:"Frag"; fast_pattern; content:"Free"; content:"|FA FF FF|"; content:"|F8 FF FF|"; within:3; distance:5; content:"|F8 FF FF|"; within:3; distance:5; metadata:policy balanced-ips alert, policy security-ips drop, ruleset community, service netbios-ssn; reference:cve,2017-0147; reference:url,<a href="http://technet.microsoft.com/en-us/security/bulletin/MS17-010">technet.microsoft.com/en-us/security/bulletin/MS17-010</a>; classtype:attempted-recon; sid:42339; rev:2;)</div><div><br></div><div>Nice to have, especially if you don't allow SMBv1 on your network or anonymous sessions: </div><div><br></div><div>alert tcp any any -> $HOME_NET 445 (msg:"OS-WINDOWS Microsoft Windows SMB anonymous session IPC share access attempt"; flow:to_server,established; flowbits:isset,smb.null_session; content:"|FF|SMB|75 00 00 00 00|"; depth:9; offset:4; content:"|00 5C 00|I|00|P|00|C|00|$|00 00 00|"; fast_pattern:only; metadata:policy security-ips drop, ruleset community, service netbios-ssn; reference:url,<a href="http://msdn.microsoft.com/en-us/library/ee441910.aspx">msdn.microsoft.com/en-us/library/ee441910.aspx</a>; reference:url,<a 
href="http://technet.microsoft.com/en-us/security/bulletin/MS17-010">technet.microsoft.com/en-us/security/bulletin/MS17-010</a>; classtype:attempted-recon; sid:42340; rev:2;)</div><div><br></div><div>The above rule will indicate Wcry scans for victim machines. </div></div><div class="gmail_extra"><br><div class="gmail_quote">On Sun, May 14, 2017 at 3:09 AM, Blason R <span dir="ltr"><<a href="mailto:blason16@...8..." target="_blank">blason16@...8...</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Hi Guys,<div><br></div><div>Which rule #s comprise the WannaCrypt rules? Does anyone have any idea?</div></div>
Snort-openappid mailing list<br>
<a href="mailto:Snort-openappid@lists.sourceforge.net">Snort-openappid@...55....76...<wbr>sourceforge.net</a><br>
<a href="https://lists.sourceforge.net/lists/listinfo/snort-openappid" rel="noreferrer" target="_blank">https://lists.sourceforge.net/<wbr>lists/listinfo/snort-openappid</a><br>
<br>
Please visit <a href="http://blog.snort.org" rel="noreferrer" target="_blank">http://blog.snort.org</a> to stay current on all the latest Snort news!<br></blockquote></div><br></div>
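The following is an added example, not code from the original mailing-list post or from the Snort project. It shows, in plain Python, what two of the quoted rules key on: sid:42340 (an anonymous TREE_CONNECT_ANDX to IPC$) and sid:42339 (x64 kernel pool memory echoed back in a server reply). The SMBv1 parser, the `null_session` flag (a stand-in for the rule's `flowbits:isset,smb.null_session`, which is set by a separate rule the post does not quote), the reading of the `FA FF FF` / `F8 FF FF` bytes as consecutive little-endian kernel pointers, and every packet built by the `build_*` helpers are assumptions and constructed data for this example, not captures.

```python
"""Added example, not code from the original mailing-list post or from the
Snort project: a small SMBv1 parser plus two checks that mirror what the
quoted rules sid:42340 (anonymous IPC$ tree connect) and sid:42339 (kernel
heap memory leaked in a reply) key on. Every packet below is constructed
here for the example; none is a capture."""
import re
import struct

SMB_MAGIC = b"\xffSMB"
SMB_COM_TREE_CONNECT_ANDX = 0x75   # the |75| command byte in sid:42340
SMB_FLAGS_REPLY = 0x80             # flag bit the rules test with byte_test:1,!&,0x80
# |5C 00|I|00|P|00|C|00|$|00 00 00| from sid:42340: "\IPC$" in UTF-16LE plus terminator
IPC_SHARE_TAIL = "\\IPC$".encode("utf-16-le") + b"\x00\x00"
# sid:42339: |FA FF FF|, 5 bytes, |F8 FF FF|, 5 bytes, |F8 FF FF| (8-byte spacing)
KERNEL_PTR_RUN = re.compile(rb"\xfa\xff\xff.{5}\xf8\xff\xff.{5}\xf8\xff\xff", re.DOTALL)


def parse_smb1(payload):
    """Split a TCP/445 payload into its SMBv1 header fields, parameter words
    and data bytes. Returns None for anything that is not SMBv1."""
    if len(payload) < 4 + 33 or payload[4:8] != SMB_MAGIC:
        return None
    smb = payload[4:4 + int.from_bytes(payload[1:4], "big")]   # NetBIOS length prefix
    command, status, flags, flags2 = struct.unpack_from("<BIBH", smb, 4)
    tid, pid_low, uid, mid = struct.unpack_from("<HHHH", smb, 24)
    word_count = smb[32]
    words_end = 33 + 2 * word_count
    if len(smb) < words_end + 2:
        return None
    byte_count = struct.unpack_from("<H", smb, words_end)[0]
    data = smb[words_end + 2:words_end + 2 + byte_count]
    return {"command": command, "status": status, "flags": flags, "flags2": flags2,
            "tid": tid, "pid": pid_low, "uid": uid, "mid": mid,
            "words": smb[33:words_end], "data": data}


def is_anonymous_ipc_tree_connect(payload, null_session):
    """Mirror of sid:42340: a TREE_CONNECT_ANDX request (reply bit clear, status 0)
    whose path ends in \\IPC$, on a flow already marked as a null session.
    null_session stands in for the rule's flowbits:isset,smb.null_session, which
    is set by a separate rule that the post does not quote (assumption)."""
    hdr = parse_smb1(payload)
    if hdr is None or not null_session:
        return False
    if hdr["command"] != SMB_COM_TREE_CONNECT_ANDX or hdr["status"] != 0:
        return False
    if hdr["flags"] & SMB_FLAGS_REPLY:
        return False
    # The rule's content starts with a 00 byte: the high byte of the UTF-16LE
    # character before the backslash, i.e. the last ASCII character of the server name.
    return (b"\x00" + IPC_SHARE_TAIL) in hdr["data"]


def looks_like_kernel_heap_leak(reply):
    """Mirror of sid:42339 (server -> client): the pool tags "Frag" and "Free"
    plus the FA FF FF / F8 FF FF pattern, which this example reads as three
    consecutive little-endian x64 kernel pointers (0xFFFFFA.., 0xFFFFF8..,
    0xFFFFF8..) echoed back to the client."""
    return (b"Frag" in reply and b"Free" in reply
            and KERNEL_PTR_RUN.search(reply) is not None)


def build_tree_connect(path, reply=False):
    """Construct a TREE_CONNECT_ANDX request (or a reply, for the negative case)."""
    header = SMB_MAGIC + bytes([SMB_COM_TREE_CONNECT_ANDX]) + b"\x00" * 4  # status 0
    header += bytes([0x98 if reply else 0x18])          # flags, 0x80 = reply
    header += struct.pack("<H", 0xC807)                 # flags2: Unicode, NT status
    header += b"\x00" * 12                              # PIDHigh, signature, reserved
    header += struct.pack("<HHHH", 0, 0xFEFF, 0, 1)     # TID, PIDLow, UID, MID
    # WordCount 4: AndXCommand, AndXReserved, AndXOffset, Flags, PasswordLength
    words = struct.pack("<BBHHH", 0xFF, 0, 0, 0, 1)
    body = b"\x00" + path.encode("utf-16-le") + b"\x00\x00" + b"?????\x00"
    smb = header + bytes([4]) + words + struct.pack("<H", len(body)) + body
    return b"\x00" + len(smb).to_bytes(3, "big") + smb


def build_leak_reply():
    """Constructed reply fragment: pool tags followed by three x64 kernel pointers."""
    ptrs = (0xFFFFFA8001234560, 0xFFFFF80002C01000, 0xFFFFF80002C01008)
    return b"Frag" + b"Free" + b"".join(struct.pack("<Q", p) for p in ptrs)


if __name__ == "__main__":
    print(is_anonymous_ipc_tree_connect(build_tree_connect("\\\\SRV\\IPC$"), True))   # True
    print(is_anonymous_ipc_tree_connect(build_tree_connect("\\\\SRV\\C$"), True))     # False
    print(looks_like_kernel_heap_leak(build_leak_reply()))                            # True
```

Two things worth noting when deploying the quoted rules rather than this toy: sid:42340 only fires if some other rule has already set the `smb.null_session` flowbit on the flow, so loading it alone produces nothing, and sid:42339 inspects the server-to-client direction (`$HOME_NET 445 -> any any`), so a sensor that only sees inbound traffic will never see the leak it describes.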