[Oisf-users] Suricata doesn't detect BlueKeep - CVE-2019-0708

Pablo pablo.rincon.crespo at gmail.com
Thu Sep 26 08:32:21 UTC 2019


Hi, it's a chained set of rules, linked to each other with flowbits and
flowints. Are you loading all the rules of the source rule file? (
https://github.com/ptresearch/AttackDetection/blob/master/CVE-2019-0708/cve-2019-0708.rules
)

On Thu, 26 Sep 2019 at 5:54, Tuấn Ngọc Trần Lê (<
tranletuanngoc at gmail.com>) wrote:

> Hi everyone,
>
> I am trying to use rules from PTsecurity to detect a POC from
> https://github.com/Ekultek/BlueKeep.
>
> The BlueKeep code can make my Windows 7 crash and restart.
>
> However, Suricata doesn't detect and alert anything, although it can
> detect a few simple rules like ICMP, Telnet and SSH.
>
> Here is one of the rules from PTsecurity I used to detect BlueKeep:
>
> alert tcp any any -> any !443 (msg: "ATTACK [PTsecurity] Possible Bluekeep
> RDP exploit CVE-2019-0708 (pkt #12)"; flow: established, to_server;
> app-layer-protocol:!tls; content: "|17 03 01 00 20|"; depth: 5; content:
> "|17 03 01 01 80|"; distance: 32; within: 5; flowint: JoinReq, >=, 7;
> flowbits: set, BlueKeep.pkt12; flowbits: noalert; reference: cve,
> 2019-0708; reference: url, github.com/Ekultek/BlueKeep; reference: url,
> github.com/ptresearch/AttackDetection; metadata: Open Ptsecurity.com
> ruleset; classtype: attempted-admin; sid: 10004865; rev: 7;)
>
>
> Thank you for your help.
>
> Sincerely,
> Ngoc Tran
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>
> Conference: https://suricon.net
> Trainings: https://suricata-ids.org/training/



-- 
Best regards,
--
Pablo Rincón
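As an added illustration (not code from the thread or from the PTsecurity ruleset): the quoted rule carries `flowbits: noalert`, so it only records state for later rules in the chain and never alerts by itself. This Python checker, assuming Suricata's flowbits/flowint option syntax and using a constructed two-rule sample (the quoted rule trimmed to the options it reads, plus a hypothetical end-of-chain rule), reports which flowbits and flowints a loaded rule file depends on but never sets, and whether any loaded rule can alert at all.

```python
import re

# Constructed sample (not the full PTsecurity file): the chained rule quoted in
# the thread (sid 10004865), trimmed to the options this checker reads, plus a
# HYPOTHETICAL end-of-chain rule (sid 9999999) that consumes the bit it sets.
QUOTED_PKT12 = ('alert tcp any any -> any !443 (msg:"ATTACK [PTsecurity] Possible '
                'Bluekeep RDP exploit CVE-2019-0708 (pkt #12)"; flow:established,'
                'to_server; content:"|17 03 01 00 20|"; depth:5; flowint:JoinReq,>=,7; '
                'flowbits:set,BlueKeep.pkt12; flowbits:noalert; sid:10004865; rev:7;)')
FINAL_RULE = ('alert tcp any any -> any any (msg:"HYPOTHETICAL end of chain"; '
              'flowbits:isset,BlueKeep.pkt12; sid:9999999; rev:1;)')

OPT_RE = re.compile(r'\b(flowbits|flowint|sid)\s*:\s*([^;]+);')
WRITE_OPS = {'=', '+', '-'}          # flowint ops that assign/modify the counter

def parse_rule(line):
    """Collect the flowbits/flowint dependencies and sid of one rule line."""
    r = {'sid': None, 'set': set(), 'isset': set(), 'noalert': False,
         'int_write': set(), 'int_read': set()}
    for key, val in OPT_RE.findall(line):
        args = [a.strip() for a in val.split(',')]
        if key == 'sid':
            r['sid'] = int(args[0])
        elif key == 'flowbits':
            if args[0] == 'noalert':
                r['noalert'] = True        # rule sets state but never alerts
            elif args[0] in ('set', 'toggle'):
                r['set'].add(args[1])
            elif args[0] in ('isset', 'isnotset'):
                r['isset'].update(re.split(r'[|&]', args[1]))  # a|b or a&b
        elif key == 'flowint':
            (r['int_write'] if args[1] in WRITE_OPS else r['int_read']).add(args[0])
    return r

def check_chain(rule_text):
    """Report chain dependencies the loaded rules cannot satisfy on their own."""
    rules = [parse_rule(l) for l in rule_text.splitlines() if l.strip()]
    bits_set = set().union(*(r['set'] for r in rules))
    bits_checked = set().union(*(r['isset'] for r in rules))
    ints_written = set().union(*(r['int_write'] for r in rules))
    ints_read = set().union(*(r['int_read'] for r in rules))
    return {
        'bits_never_checked': bits_set - bits_checked,    # nothing consumes the bit
        'bits_never_set': bits_checked - bits_set,        # consumer can never fire
        'ints_never_written': ints_read - ints_written,   # counter never incremented
        'noalert_sids': {r['sid'] for r in rules if r['noalert']},
        'can_alert': any(not r['noalert'] for r in rules),
    }
```

Run `check_chain()` over the text of the rules you actually loaded: with only the quoted rule present, `BlueKeep.pkt12` is set but never checked and no rule can alert, which is what a partially loaded chain looks like.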