<div dir="ltr"><div dir="ltr"><div>Hi, it's a chained set of rules, linked to each other 
with flowbits and flowints. Are you loading all the rules of the source
 rule file? ( <a href="https://github.com/ptresearch/AttackDetection/blob/master/CVE-2019-0708/cve-2019-0708.rules" target="_blank">https://github.com/ptresearch/AttackDetection/blob/master/CVE-2019-0708/cve-2019-0708.rules</a> )</div></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Thu, 26 Sept 2019 at 5:54, Tuấn Ngọc Trần Lê (<<a href="mailto:tranletuanngoc@gmail.com">tranletuanngoc@gmail.com</a>>) wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr">Hi everyone,<div><br></div><div>I am trying to use rules from PTsecurity to detect a POC from <a href="https://github.com/Ekultek/BlueKeep" target="_blank">https://github.com/Ekultek/BlueKeep</a>.</div><div><br></div><div>The BlueKeep code can make my Windows 7 crash and restart.</div><div><br></div><div>However, Suricata doesn't detect and alert anything, although it can detect a few simple rules like ICMP, Telnet and SSH.</div><div><br></div><div>Here is one of the rules from PTsecurity I used to detect BlueKeep:</div><div><br></div><div>alert tcp any any -> any !443 (msg: "ATTACK [PTsecurity] Possible Bluekeep RDP exploit CVE-2019-0708 (pkt #12)"; flow: established, to_server; app-layer-protocol:!tls; content: "|17 03 01 00 20|"; depth: 5; content: "|17 03 01 01 80|"; distance: 32; within: 5; flowint: JoinReq, >=, 7; flowbits: set, BlueKeep.pkt12; flowbits: noalert; reference: cve, 2019-0708; reference: url, <a href="http://github.com/Ekultek/BlueKeep" target="_blank">github.com/Ekultek/BlueKeep</a>; reference: url, <a href="http://github.com/ptresearch/AttackDetection" target="_blank">github.com/ptresearch/AttackDetection</a>; metadata: Open Ptsecurity.com ruleset; classtype: attempted-admin; sid: 10004865; rev: 7;)<br><br></div><div><br></div><div>Thank you for your help.</div><div><br></div><div>Sincerely,</div><div>Ngoc Tran</div></div>
_______________________________________________<br>
Suricata IDS Users mailing list: <a href="mailto:oisf-users@openinfosecfoundation.org" target="_blank">oisf-users@openinfosecfoundation.org</a><br>
Site: <a href="http://suricata-ids.org" rel="noreferrer" target="_blank">http://suricata-ids.org</a> | Support: <a href="http://suricata-ids.org/support/" rel="noreferrer" target="_blank">http://suricata-ids.org/support/</a><br>
List: <a href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" rel="noreferrer" target="_blank">https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a><br>
<br>
Conference: <a href="https://suricon.net" rel="noreferrer" target="_blank">https://suricon.net</a><br>
Trainings: <a href="https://suricata-ids.org/training/" rel="noreferrer" target="_blank">https://suricata-ids.org/training/</a></blockquote></div><br clear="all"><br>-- <br><div dir="ltr" class="gmail_signature"><div dir="ltr"><div><div dir="ltr">Best regards,<br>--<br>Pablo Rincón<br><br></div></div></div></div>
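The point Pablo makes about chained rules, as an added example that is not part of this thread or of the PTsecurity ruleset: a small Python checker that parses a Suricata rule file and reports every flowbit or flowint a rule tests that no loaded rule ever sets, which is exactly the situation when sid 10004865 is loaded on its own (its flowint JoinReq is never incremented, so it can never match). The second rule in the sample (sid 9000001) and its names are constructed for the demonstration.

```python
import re

# Constructed sample (not the PTsecurity file): the rule quoted in the original
# post (sid 10004865) loaded on its own, plus a hypothetical rule (sid 9000001).
SAMPLE_RULES = r'''
alert tcp any any -> any !443 (msg:"ATTACK [PTsecurity] Possible Bluekeep RDP exploit CVE-2019-0708 (pkt #12)"; flow:established,to_server; app-layer-protocol:!tls; content:"|17 03 01 00 20|"; depth:5; content:"|17 03 01 01 80|"; distance:32; within:5; flowint:JoinReq,>=,7; flowbits:set,BlueKeep.pkt12; flowbits:noalert; sid:10004865; rev:7;)
alert tcp any any -> any any (msg:"HYPOTHETICAL final stage"; flow:established,to_server; flowbits:isset,BlueKeep.pkt12; flowbits:isset,BlueKeep.pkt13; sid:9000001; rev:1;)
'''
OPT_RE = re.compile(r'\b(flowbits|flowint)\s*:\s*([^;]+);')
SID_RE = re.compile(r'\bsid\s*:\s*(\d+)')
BIT_SETTERS, INT_SETTERS = {'set', 'toggle'}, {'+', '-', '='}

def parse_rules(text):
    """Per rule: the (kind, name) pairs it sets and the ones it tests."""
    rules = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith('#'):
            continue
        sid = SID_RE.search(line)
        r = {'sid': sid.group(1) if sid else '?', 'sets': set(), 'tests': set()}
        for kind, opt in OPT_RE.findall(line):
            parts = [p.strip() for p in opt.split(',')]
            if len(parts) < 2:            # e.g. "flowbits:noalert" names no bit
                continue
            if kind == 'flowbits':
                names = {(kind, n) for n in parts[1].split('|')}  # isset,a|b = OR
                if parts[0] in BIT_SETTERS:
                    r['sets'] |= names
                elif parts[0] == 'isset':
                    r['tests'] |= names
            elif parts[1] in INT_SETTERS:     # flowint:name,+,1  /  name,=,0
                r['sets'].add((kind, parts[0]))
            elif parts[1] != 'isnotset':      # comparisons and isset need a setter
                r['tests'].add((kind, parts[0]))
        rules.append(r)
    return rules

def unsatisfiable_checks(rules):
    """Map sid -> names it tests that no loaded rule ever sets, so it can never fire."""
    everything_set = set().union(*(r['sets'] for r in rules))
    report = {}
    for r in rules:
        missing = sorted(f'{k}:{n}' for k, n in r['tests'] - everything_set)
        if missing:
            report[r['sid']] = missing
    return report

if __name__ == '__main__':
    print(unsatisfiable_checks(parse_rules(SAMPLE_RULES)))
```

Run it against the complete cve-2019-0708.rules file instead of the sample and the report should be empty; any sid it lists is a rule whose chain is broken because an earlier stage was not loaded.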