[Oisf-users] Suricata doesn't detect BlueKeep - CVE-2019-0708

Tuấn Ngọc Trần Lê tranletuanngoc at gmail.com
Thu Sep 26 03:53:54 UTC 2019

Hi everyone,

I am trying to use rules from PTsecurity to detect a POC from

The BlueKeep code can make my Windows 7 crash and restart.

However, Suricata doesn't detect and alert anything, although it can detect
few simple rules like ICMP, Telnet and SSH.

Here is one of the rule from PTsecurity I used to detect BlueKeep:

alert tcp any any -> any !443 (msg: "ATTACK [PTsecurity] Possible Bluekeep
RDP exploit CVE-2019-0708 (pkt #12)"; flow: established, to_server;
app-layer-protocol:!tls; content: "|17 03 01 00 20|"; depth: 5; content:
"|17 03 01 01 80|"; distance: 32; within: 5; flowint: JoinReq, >=, 7;
flowbits: set, BlueKeep.pkt12; flowbits: noalert; reference: cve,
2019-0708; reference: url, github.com/Ekultek/BlueKeep; reference: url,
github.com/ptresearch/AttackDetection; metadata: Open Ptsecurity.com
ruleset; classtype: attempted-admin; sid: 10004865; rev: 7;)

Thank you for your help.

Ngoc Tran
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20190925/220aee8e/attachment-0001.html>

More information about the Oisf-users mailing list