IPS signatures for Wannacry

Hi,

from what I  found sofar in an uptodate UTM is that 42340 and 41978 are present

yes but not the others (the first examples). 

yes but not the others (the first examples). 

JoergRiether you do know that link when clicked on it goes to your mailbox ? :)

thanks, this link here should do: 

lists.astaro.com/ASGV9-IPS-rules.html

Thanks guys,

   Yes, found the signatures there, https://lists.astaro.com/  last update is Mon May 8 14:29:57 2017 . 

  A little puzzled though that there seems to be no reference of the last update of the signatures in this Astaro file to the pattern version installed Sophos UTM displays.  We have  set up2date every 12 hrs, so, we should have it. 

Sophos needs to make it way more clear. Ideally, one should be able to look for them in reference to the last pattern update.

Thanks again,

hi,

currently 42329-42332 are still missing.

Hi Bruno,

  I found those signatures on the Astaro file. You mean, they are missing from the actual Sophos release?

as far as i can see they are there BUT only on warning NOT on block. Which would be very strange. SOPHOS can you please jump in and comment?

As long as sophos doesn't say anything here i suggest we create advanced modified rules for 42329-42332 and set it hard to DROP. Or am I thinking something wrong here? Guys, please jump in. This is important.

If you have a look at some of the Sophos stuff in the forum header you will find Sophos has had fixes for a while so some could be in but using different signatures?

take a look at the list (link) which shows the snort pattern per today. some patterns which indeed are important for doublepulsar detection are only located in the warning section of malware and NOT in the blocking section of malware.

rfcat_vk Actually i did also look at that but... it doesnt mention UTM, it does mention patch windows and if you use SOPHOS intercept or SOPHOS EXP then you are safe. The article is focused on endpoints.

The 2 important snort rules are in it, i cant say what the other missing snort rules do (any one has a listing what exactly the missing rules do ? 

JoergRiether snort 42340 is set to DROP , snort rule 41978 is set to DROP according to the snort rules on the utm.