15.05.2017
Сигнатуры Snort на WannaCry
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"AM Exploit SMB MS-17-010 metasploit scan request"; flow:from_client,established; content:"|ff|SMB"; content:"|75|"; distance:0; content:"IPC$"; nocase; pcre:"/\\\\\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\\IPC\$/si"; flowbits:set,smb_17_010con; flowbits:noalert; reference:url,technet.microsoft.com/en-us/library/security/ms17-010.aspx; reference:url,www.exploit-db.com/exploits/41891/; classtype:inappropriate-content; sid:3006209; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"AM Exploit SMB MS-17-010 metasploit scan FID trans"; flow:from_client,established; content:"|ff|SMB"; content:"|25|"; distance:0; content:"|23 00 00 00|"; flowbits:isset,smb_17_010con; flowbits:set,smb_17_010trans; flowbits:noalert; reference:url,technet.microsoft.com/en-us/library/security/ms17-010.aspx; reference:url,www.exploit-db.com/exploits/41891/; classtype:inappropriate-content; sid:3006210; rev:2;)
alert tcp $HOME_NET 445 -> $EXTERNAL_NET any (msg:"AM Exploit SMB MS-17-010 Success STATUS_INSUFF_SERVER_RESOURCES response"; flow:from_server,established; content:"|ff|SMB"; content:"|25|"; distance:0; content:"|05 02 00 c0|"; distance:0; within:4; flowbits:isset,smb_17_010trans; reference:url,technet.microsoft.com/en-us/library/security/ms17-010.aspx; reference:url,www.exploit-db.com/exploits/41891/; classtype:web-application-attack; sid: 3006211; rev:4;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"AM Exploit EternalBlue check version SMB"; flow:to_server, established; content:"|FF|SMB|32|"; depth:5; offset:4; flowbits:set,checkversion; flowbits:noalert; reference:url,technet.microsoft.com/en-us/library/security/ms17-010.aspx; classtype:client-side-exploit; sid:3006267; rev:1)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"AM Exploit EternalBlue overflow SMB"; dsize:>1000; flow:to_server, established; content:"|FF|SMB|A0 00 00 00 00|"; depth:9; offset:4; flowbits:set,checkowerflow; flowbits:isset,checkversion; threshold:type both, track by_src, count 1, seconds 5; pcre:"/smb.*?([a-zA-Z0-9\x00-\xff])\1{200}/si"; reference:url,technet.microsoft.com/en-us/library/security/ms17-010.aspx; classtype:client-side-exploit; sid:3006268; rev:2)
alert tcp $HOME_NET 445 -> $EXTERNAL_NET any (msg:"AM Exploit EternalBlue answer SMB x64"; flow:to_client, established; content:"|FF|SMB|32|"; depth:10; offset:4; content:"|52 00|"; offset:30; depth:30; flowbits:isset,checkversion; flowbits:isset,checkowerflow; reference:url,technet.microsoft.com/en-us/library/security/ms17-010.aspx; classtype:client-side-exploit; sid:3006269; rev:1)
alert tcp $HOME_NET 445 -> $EXTERNAL_NET any (msg:"AM Exploit EternalBlue answer SMB x86"; flow:to_client, established; content:"|FF|SMB|32|"; depth:10; offset:4; content:"|51 00|"; offset:30; depth:30; flowbits:isset,checkversion; flowbits:isset,checkowerflow; reference:url,technet.microsoft.com/en-us/library/security/ms17-010.aspx; classtype:client-side-exploit; sid:3006270; rev:1)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"AM Exploit SMB MS-17-010 metasploit scan FID trans"; flow:from_client,established; content:"|ff|SMB"; content:"|25|"; distance:0; content:"|23 00 00 00|"; flowbits:isset,smb_17_010con; flowbits:set,smb_17_010trans; flowbits:noalert; reference:url,technet.microsoft.com/en-us/library/security/ms17-010.aspx; reference:url,www.exploit-db.com/exploits/41891/; classtype:inappropriate-content; sid:3006210; rev:2;)
alert tcp $HOME_NET 445 -> $EXTERNAL_NET any (msg:"AM Exploit SMB MS-17-010 Success STATUS_INSUFF_SERVER_RESOURCES response"; flow:from_server,established; content:"|ff|SMB"; content:"|25|"; distance:0; content:"|05 02 00 c0|"; distance:0; within:4; flowbits:isset,smb_17_010trans; reference:url,technet.microsoft.com/en-us/library/security/ms17-010.aspx; reference:url,www.exploit-db.com/exploits/41891/; classtype:web-application-attack; sid: 3006211; rev:4;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"AM Exploit EternalBlue check version SMB"; flow:to_server, established; content:"|FF|SMB|32|"; depth:5; offset:4; flowbits:set,checkversion; flowbits:noalert; reference:url,technet.microsoft.com/en-us/library/security/ms17-010.aspx; classtype:client-side-exploit; sid:3006267; rev:1)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"AM Exploit EternalBlue overflow SMB"; dsize:>1000; flow:to_server, established; content:"|FF|SMB|A0 00 00 00 00|"; depth:9; offset:4; flowbits:set,checkowerflow; flowbits:isset,checkversion; threshold:type both, track by_src, count 1, seconds 5; pcre:"/smb.*?([a-zA-Z0-9\x00-\xff])\1{200}/si"; reference:url,technet.microsoft.com/en-us/library/security/ms17-010.aspx; classtype:client-side-exploit; sid:3006268; rev:2)
alert tcp $HOME_NET 445 -> $EXTERNAL_NET any (msg:"AM Exploit EternalBlue answer SMB x64"; flow:to_client, established; content:"|FF|SMB|32|"; depth:10; offset:4; content:"|52 00|"; offset:30; depth:30; flowbits:isset,checkversion; flowbits:isset,checkowerflow; reference:url,technet.microsoft.com/en-us/library/security/ms17-010.aspx; classtype:client-side-exploit; sid:3006269; rev:1)
alert tcp $HOME_NET 445 -> $EXTERNAL_NET any (msg:"AM Exploit EternalBlue answer SMB x86"; flow:to_client, established; content:"|FF|SMB|32|"; depth:10; offset:4; content:"|51 00|"; offset:30; depth:30; flowbits:isset,checkversion; flowbits:isset,checkowerflow; reference:url,technet.microsoft.com/en-us/library/security/ms17-010.aspx; classtype:client-side-exploit; sid:3006270; rev:1)
