The following NIDS signature updates are available via liveupdate for Dragon versions 7.x/8.x:
MS:SMBV1-REQUEST-REMOTE
UPDATE-TYPE: New Signature
CLASSIFICATION: BETA
DESCRIPTION: There is a vulnerability in Microsoft Windows that may lead to remote code execution. The vulnerability is in the processing of SMB packets. Microsoft has released a patch (MS17-010) for this vulnerability. The vulnerability is also being used in ransomware attacks, including WannaCry.
REFERENCE: URLREF
https://technet.microsoft.com/en-us/library/security/ms17-010.aspx/
REFERENCE: URLREF
http://docs.emergingthreats.net/2024217
MS:SMBV1-REQUEST-REMOTE2
UPDATE-TYPE: New Signature
CLASSIFICATION: BETA
DESCRIPTION: There is a vulnerability in Microsoft Windows that may lead to remote code execution. The vulnerability is in the processing of SMB packets. Microsoft has released a patch (MS17-010) for this vulnerability. The vulnerability is also being used in ransomware attacks, including WannaCry. There are other signatures that depend on this signature being enabled.
REFERENCE: URLREF
https://technet.microsoft.com/en-us/library/security/ms17-010.aspx/
REFERENCE: URLREF
http://docs.emergingthreats.net/2024220
MS:SMBV1-RESPONSE-REMOTE
UPDATE-TYPE: New Signature
CLASSIFICATION: BETA
DESCRIPTION: There is a vulnerability in Microsoft Windows that may lead to remote code execution. The vulnerability is in the processing of SMB packets. Microsoft has released a patch (MS17-010) for this vulnerability. The vulnerability is also being used in ransomware attacks, including WannaCry. This signature tests for the "smbv1.remote" FlowTag being set before generating an event on network traffic. This FlowTag is defined by the MS:SMBV1-REQUEST-REMOTE signature, which is required for this signature to generate an event.
REFERENCE: URLREF
https://technet.microsoft.com/en-us/library/security/ms17-010.aspx/
REFERENCE: URLREF
http://docs.emergingthreats.net/2024218
TRJN:WANNACRY-DNS-LOOKUP
UPDATE-TYPE: New Signature
CLASSIFICATION: TROJAN
DESCRIPTION: This signature looks for DNS traffic associated with the WannaCry ransomware. The source of this event should be investigated.
REFERENCE: URLREF
http://www.bleepingcomputer.com/news/security/telefonica-tells-employees-to-shut-down-computers-amid...
REFERENCE: URLREF
http://docs.emergingthreats.net/2024291
TRJN:WANNACRY-DNS-LOOKUP2
UPDATE-TYPE: New Signature
CLASSIFICATION: TROJAN
DESCRIPTION: This signature looks for DNS traffic associated with the WannaCry ransomware. The source of this event should be investigated.
REFERENCE: URLREF
http://www.bleepingcomputer.com/news/security/telefonica-tells-employees-to-shut-down-computers-amid...
REFERENCE: URLREF
http://docs.emergingthreats.net/2024293
TRJN:WANNACRY-DNS-LOOKUP3
UPDATE-TYPE: New Signature
CLASSIFICATION: TROJAN
DESCRIPTION: This signature looks for DNS traffic associated with the WannaCry ransomware. The source of this event should be investigated.
REFERENCE: URLREF
http://www.bleepingcomputer.com/news/security/telefonica-tells-employees-to-shut-down-computers-amid...
REFERENCE: URLREF
http://docs.emergingthreats.net/2024294