<div dir="ltr">Hi everyone,<div><br></div><div>I am trying to use rules from PTsecurity to detect a PoC from <a href="https://github.com/Ekultek/BlueKeep">https://github.com/Ekultek/BlueKeep</a>.</div><div><br></div><div>The BlueKeep code can make my Windows 7 crash and restart.</div><div><br></div><div>However, Suricata doesn't detect or alert on anything, although it can detect a few simple rules, like ICMP, Telnet and SSH.</div><div><br></div><div>Here is one of the rules from PTsecurity I used to detect BlueKeep:</div><div><br></div><div>alert tcp any any -> any !443 (msg: "ATTACK [PTsecurity] Possible Bluekeep RDP exploit CVE-2019-0708 (pkt #12)"; flow: established, to_server; app-layer-protocol:!tls; content: "|17 03 01 00 20|"; depth: 5; content: "|17 03 01 01 80|"; distance: 32; within: 5; flowint: JoinReq, >=, 7; flowbits: set, BlueKeep.pkt12; flowbits: noalert; reference: cve, 2019-0708; reference: url, <a href="http://github.com/Ekultek/BlueKeep">github.com/Ekultek/BlueKeep</a>; reference: url, <a href="http://github.com/ptresearch/AttackDetection">github.com/ptresearch/AttackDetection</a>; metadata: Open Ptsecurity.com ruleset; classtype: attempted-admin; sid: 10004865; rev: 7;)<br></div><div><br></div><div>Thank you for your help.</div><div><br></div><div>Sincerely,</div><div>Ngoc Tran</div></div>
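<div>The rule quoted in the message above is one stage of a multi-rule chain: it only sets the flowbit <code>BlueKeep.pkt12</code> when its content, flow and flowint conditions hold, and <code>flowbits: noalert</code> means it never produces an alert on its own. The following Python model is an added example, not Suricata's code and not part of the PTsecurity ruleset; it re-implements only the keywords the quoted rule uses (content with depth/distance/within, flow direction, app-layer-protocol, flowint, flowbits set/noalert) with their documented semantics against a constructed payload. The <code>rule_final_stage</code> function is a hypothetical stand-in for the last link of the chain, which is not on the page, and the <code>JoinReq</code> counter is assumed to be maintained by other rules in the set.</div>

```python
"""Toy model of how the quoted PTsecurity "pkt #12" rule evaluates a packet.

Added illustration only: this is not Suricata's code and not part of the
PTsecurity ruleset. It re-implements just the keywords the quoted rule uses
with their documented semantics, against a constructed payload, so the flow
of state through the rule is visible.
"""
from dataclasses import dataclass, field

# TLS record headers taken from the rule: type 0x17 (application data),
# version 0x0301, then the record length (0x20 = 32 and 0x180 = 384 bytes).
PKT12_FIRST = bytes.fromhex("1703010020")
PKT12_SECOND = bytes.fromhex("1703010180")


@dataclass
class Flow:
    """Per-flow state Suricata keeps between packets of one TCP session."""
    established: bool = True
    to_server: bool = True
    app_proto: str = "failed"        # what the app-layer parser identified
    flowints: dict = field(default_factory=dict)
    flowbits: set = field(default_factory=set)


def content_match(payload, pattern, prev_end=0, depth=None, distance=None, within=None):
    """Return the end offset of the match, or None.

    depth:    match must end within the first `depth` payload bytes
    distance: search starts `distance` bytes after the previous match ended
    within:   match must end within `within` bytes of that start
    """
    start = prev_end + (distance or 0)
    end_limit = len(payload)
    if depth is not None:
        end_limit = min(end_limit, depth)
    if within is not None:
        end_limit = min(end_limit, start + within)
    idx = payload.find(pattern, start, end_limit)
    return None if idx < 0 else idx + len(pattern)


def rule_pkt12(flow, payload):
    """Evaluate the quoted rule against one packet. Returns (matched, alert)."""
    # flow: established, to_server;  app-layer-protocol: !tls;
    if not (flow.established and flow.to_server) or flow.app_proto == "tls":
        return False, False
    # content: "|17 03 01 00 20|"; depth: 5;  -> header must be at offset 0
    end1 = content_match(payload, PKT12_FIRST, depth=5)
    if end1 is None:
        return False, False
    # content: "|17 03 01 01 80|"; distance: 32; within: 5;
    # -> second header must sit exactly 32 bytes (the first record body) later
    end2 = content_match(payload, PKT12_SECOND, prev_end=end1, distance=32, within=5)
    if end2 is None:
        return False, False
    # flowint: JoinReq, >=, 7;  (assumed to be maintained by other rules in the set)
    if flow.flowints.get("JoinReq", 0) < 7:
        return False, False
    # flowbits: set, BlueKeep.pkt12;  flowbits: noalert;
    flow.flowbits.add("BlueKeep.pkt12")
    return True, False          # matched, but noalert suppresses the alert


def rule_final_stage(flow):
    """Hypothetical last link of the chain (stand-in, not the real PTsecurity
    rule): alerts only once the flowbit set by the stage above is present."""
    return "BlueKeep.pkt12" in flow.flowbits


def build_pkt12_payload():
    """Constructed sample: a 32-byte TLS app-data record followed by a 0x180-byte one."""
    return PKT12_FIRST + b"\x00" * 32 + PKT12_SECOND + b"\x00" * 0x180


def run_demo():
    payload = build_pkt12_payload()
    cold = Flow(flowints={"JoinReq": 3})
    warm = Flow(flowints={"JoinReq": 7})
    tls = Flow(flowints={"JoinReq": 7}, app_proto="tls")
    return {
        "joinreq_too_low": rule_pkt12(cold, payload),
        "matched_noalert": rule_pkt12(warm, payload),
        "flow_is_tls": rule_pkt12(tls, payload),
        "final_alert_warm": rule_final_stage(warm),
        "final_alert_cold": rule_final_stage(cold),
    }


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(f"{name}: {result}")
```

<div>Running it shows that the quoted rule matches the constructed packet and sets the flowbit only when the flow has already reached <code>JoinReq &gt;= 7</code> and was not classified as TLS, and that even then it returns no alert; an alert can only come from a later rule that tests the flowbit. When checking why nothing fires, the stages to look at are therefore the earlier rules that build up <code>JoinReq</code>, the app-layer classification of the flow, and whether the whole chain, not just this one rule, is loaded.</div>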