Category Archives: General

Snort rules for Petya ransomware

By Nicolas | Published: 2017/06/28

alert tcp any any -> $HOME_NET 445 (msg: “[PT Open] Unimplemented Trans2 Sub-Command code. Possible ETERNALBLUE (WannaCry, Petya) tool”; flow: to_server, established; content: “|FF|SMB2|00 00 00 00|”; depth: 9; offset: 4; byte_test: 2, >, 0x0008, 52, relative, little; pcre: “/\xFFSMB2\x00\x00\x00\x00.{52}(?:\x04|\x09|\x0A|\x0B|\x0C|\x0E|\x11)\x00/”; flowbits: set, SMB.Trans2.SubCommand.Unimplemented; reference: url, msdn.microsoft.com/en-us/library/ee441654.aspx; classtype: attempted-admin; sid: 10001254; rev: 2;) alert tcp any […]

Also posted in applications, audit, security | Comments closed

Search
Recent Posts
Tags

Authentication bed exploit fuzzing GPF Linux Logs peach spike Sulley
Contact

rniko@cryptolab.net
License

This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.

Pages

Category Archives: General

Snort rules for Petya ransomware

Search

Recent Posts

Tags

Contact

License

Pages