New IPS/IDS signatures for WannaCry

  • Updated 1 year ago

The following NIDS signature updates are available via liveupdate for Dragon versions 7.x/8.x:

 

MS:SMBV1-REQUEST-REMOTE

UPDATE-TYPE: New Signature

CLASSIFICATION: BETA

DESCRIPTION: There is a vulnerability in Microsoft Windows that may lead to remote code execution. The vulnerability is in the processing of SMB packets. Microsoft has released a patch (MS17-010) for this vulnerability. The vulnerability is also being used in ransomware attacks, including WannaCry.

REFERENCE: URLREF

https://technet.microsoft.com/en-us/library/security/ms17-010.aspx/

REFERENCE: URLREF

http://docs.emergingthreats.net/2024217

 

 

MS:SMBV1-REQUEST-REMOTE2

UPDATE-TYPE: New Signature

CLASSIFICATION: BETA

DESCRIPTION: There is a vulnerability in Microsoft Windows that may lead to remote code execution. The vulnerability is in the processing of SMB packets. Microsoft has released a patch (MS17-010) for this vulnerability. The vulnerability is also being used in ransomware attacks, including WannaCry. There are other signatures that depend on this signature being enabled.

REFERENCE: URLREF

https://technet.microsoft.com/en-us/library/security/ms17-010.aspx/

REFERENCE: URLREF

http://docs.emergingthreats.net/2024220

 

 

MS:SMBV1-RESPONSE-REMOTE

UPDATE-TYPE: New Signature

CLASSIFICATION: BETA

DESCRIPTION: There is a vulnerability in Microsoft Windows that may lead to remote code execution. The vulnerability is in the processing of SMB packets. Microsoft has released a patch (MS17-010) for this vulnerability. The vulnerability is also being used in ransomware attacks, including WannaCry. This signature tests for the "smbv1.remote" FlowTag being set before generating an event on network traffic. This FlowTag is defined by the MS:SMBV1-REQUEST-REMOTE signature, which is required for this signature to generate an event.

REFERENCE: URLREF

https://technet.microsoft.com/en-us/library/security/ms17-010.aspx/

REFERENCE: URLREF

http://docs.emergingthreats.net/2024218

 

 

TRJN:WANNACRY-DNS-LOOKUP

UPDATE-TYPE: New Signature

CLASSIFICATION: TROJAN

DESCRIPTION: This signature looks for DNS traffic associated with the WannaCry ransomware. The source of this event should be investigated.

REFERENCE: URLREF

http://www.bleepingcomputer.com/news/security/telefonica-tells-employees-to-shut-down-computers-amid-massive-ransomware-outbreak/

REFERENCE: URLREF

http://docs.emergingthreats.net/2024291

 

 

TRJN:WANNACRY-DNS-LOOKUP2

UPDATE-TYPE: New Signature

CLASSIFICATION: TROJAN

DESCRIPTION: This signature looks for DNS traffic associated with the WannaCry ransomware. The source of this event should be investigated.

REFERENCE: URLREF

http://www.bleepingcomputer.com/news/security/telefonica-tells-employees-to-shut-down-computers-amid-massive-ransomware-outbreak/

REFERENCE: URLREF

http://docs.emergingthreats.net/2024293

 

 

TRJN:WANNACRY-DNS-LOOKUP3

UPDATE-TYPE: New Signature

CLASSIFICATION: TROJAN

DESCRIPTION: This signature looks for DNS traffic associated with the WannaCry ransomware. The source of this event should be investigated.

REFERENCE: URLREF

http://www.bleepingcomputer.com/news/security/telefonica-tells-employees-to-shut-down-computers-amid-massive-ransomware-outbreak/

REFERENCE: URLREF

http://docs.emergingthreats.net/2024294

Dudley, Jeff, Employee

Posted 1 year ago
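
The FlowTag dependency described for MS:SMBV1-RESPONSE-REMOTE, modelled as an added Python example (not Dragon signature syntax and not part of the original post): it shows the response signature going silent when the request signature is disabled, plus a check for such orphaned dependencies. The packet `kind` field, the matchers and the sample traffic are constructed placeholders, and the model assumes the request signature also records an event when it sets the tag.

```python
from dataclasses import dataclass
from typing import Callable, Optional

@dataclass
class Signature:
    name: str
    match: Callable[[dict], bool]     # placeholder predicate, not Dragon syntax
    sets_tag: Optional[str] = None    # FlowTag set on the flow when matched
    needs_tag: Optional[str] = None   # FlowTag that must already be set
    enabled: bool = True

def build(request_enabled=True):
    return [
        Signature("MS:SMBV1-REQUEST-REMOTE", lambda p: p["kind"] == "smb1_request",
                  sets_tag="smbv1.remote", enabled=request_enabled),
        Signature("MS:SMBV1-RESPONSE-REMOTE", lambda p: p["kind"] == "smb1_response",
                  needs_tag="smbv1.remote"),
    ]

def flow_key(pkt):
    # One key for both directions of a TCP conversation.
    return frozenset([(pkt["src"], pkt["sport"]), (pkt["dst"], pkt["dport"])])

def run(signatures, packets):
    """Return the names of signatures that generate an event, in packet order."""
    tags, events = {}, []
    for pkt in packets:
        flow = tags.setdefault(flow_key(pkt), set())
        for sig in signatures:
            if not sig.enabled or not sig.match(pkt):
                continue
            if sig.needs_tag and sig.needs_tag not in flow:
                continue              # prerequisite tag absent: no event
            if sig.sets_tag:
                flow.add(sig.sets_tag)
            events.append(sig.name)
    return events

def orphaned(signatures):
    """Enabled signatures whose required FlowTag no enabled signature sets."""
    provided = {s.sets_tag for s in signatures if s.enabled and s.sets_tag}
    return [s.name for s in signatures
            if s.enabled and s.needs_tag and s.needs_tag not in provided]

# Constructed sample traffic (documentation addresses): one full exchange,
# then a response on a flow where no request was seen.
PACKETS = [
    {"src": "192.0.2.10", "sport": 49152, "dst": "198.51.100.5", "dport": 445, "kind": "smb1_request"},
    {"src": "198.51.100.5", "sport": 445, "dst": "192.0.2.10", "dport": 49152, "kind": "smb1_response"},
    {"src": "198.51.100.5", "sport": 445, "dst": "192.0.2.11", "dport": 49153, "kind": "smb1_response"},
]
```

Running `orphaned()` over the enabled signature set after a tuning change catches the case where a noisy request signature was turned off and its dependent response signature stopped reporting.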
