
IPS signatures for Wannacry

I noticed that Snort has the following rules to detect WannaCry ransomware and/or MS17-010 by default?

Snort rules

42329-42332, 42340, 41978

 

Can I assume Sophos UTM, which seems to be running Snort, has indeed rolled out these signatures? I looked everywhere in Sophos for such information with little luck.

 

Could anyone here help corroborate?

 

Thanks,

-Eric



  • Thanks guys,

       Yes, found the signatures there: https://lists.astaro.com/ ; last update is Mon May 8 14:29:57 2017

      A little puzzled, though, that there seems to be no reference from the last update of the signatures in this Astaro file to the pattern version that the installed Sophos UTM displays. We have set up2date to every 12 hrs, so we should have it.

    Sophos needs to make it way more clear. Ideally, one should be able to look for them in reference to the last pattern update.

    Thanks again,

  • Hi,

    Currently 42329-42332 are still missing.

  • Hi Bruno,

     

      I found those signatures on the Astaro file. You mean, they are missing from the actual Sophos release?

  • As far as I can see they are there, BUT only on warning, NOT on block, which would be very strange. Sophos, can you please jump in and comment?

  • As long as Sophos doesn't say anything here, I suggest we create advanced modified rules for 42329-42332 and set them hard to DROP. Or am I thinking something wrong here? Guys, please jump in. This is important.

  • If you have a look at some of the Sophos stuff in the forum header, you will find Sophos has had fixes for a while, so some could be in but using different signatures?

    XG115W - v19.5.1 mr-1 - Home

    If a post solves your question please use the 'Verify Answer' button.

  • Take a look at the list (link), which shows the Snort patterns as of today. Some patterns which indeed are important for DoublePulsar detection are only located in the warning section of malware and NOT in the blocking section of malware.

  • Actually I did also look at that, but... it doesn't mention UTM; it does mention patching Windows, and if you use Sophos Intercept or Sophos EXP then you are safe. The article is focused on endpoints.

    The 2 important Snort rules are in it; I can't say what the other missing Snort rules do (does anyone have a listing of what exactly the missing rules do?).

    Snort rule 42340 is set to DROP, Snort rule 41978 is set to DROP, according to the Snort rules on the UTM.

  • Yes, 42340 and 41978 are present and set to block. BUT to be more in detail, these are four DoublePulsar detection rules (42329-42332). The problem I see (correct me if I am wrong) is that Sophos is not blocking the DoublePulsar detections because these rules are only in the warning section. It would be interesting to know if it works if you manually add these rules under Advanced and set them all to hard drop. But I fear this may not work. I guess Sophos has to move these four rules to the blocking list instead of the warning list.

    BTW, setting "add extra warnings" will NOT work. Quote from the manual: "Add extra warnings: When this option is selected, each group will include additional rules increasing the IPS detection rate. Note that these rules are more general and vague than the explicit attack patterns and will therefore likely produce more alerts. For that reason, the default action for these rules is Alert, which cannot be configured."
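The question running through this thread (are the rule IDs present at all, and are they in the alert/warning list or the drop/blocking list?) can be answered mechanically against an exported Snort rules file. The following Python checker is an added example, not code from the thread or from Sophos: it parses standard Snort rule lines and classifies each SID from the thread as missing, disabled (commented out), alert-only or blocking. The rules file it reads is a constructed sample; only the SIDs come from the thread, the rule headers and msg strings are placeholders.

```python
import re

# Snort rule line: optional leading '#' (disabled rule), the action keyword,
# then the header and an option block containing "sid:<n>;".
_RULE_RE = re.compile(
    r'^\s*(#\s*)?(alert|drop|reject|sdrop|log|pass)\s+\S+.*\(.*\bsid\s*:\s*(\d+)\s*;',
    re.IGNORECASE,
)

def parse_rules(text: str) -> dict[int, tuple[str, bool]]:
    """Map sid -> (action, enabled) for every rule line in a Snort rules file."""
    rules: dict[int, tuple[str, bool]] = {}
    for line in text.splitlines():
        m = _RULE_RE.match(line)
        if not m:
            continue  # comments, variable definitions, blank lines
        disabled, action, sid = m.group(1), m.group(2).lower(), int(m.group(3))
        rules[sid] = (action, disabled is None)
    return rules

def check_sids(rules: dict[int, tuple[str, bool]], wanted: list[int]) -> dict[int, str]:
    """Classify each wanted sid as missing, disabled, alert-only or blocking."""
    report: dict[int, str] = {}
    for sid in wanted:
        if sid not in rules:
            report[sid] = "missing"
        elif not rules[sid][1]:
            report[sid] = "disabled"
        elif rules[sid][0] in ("drop", "reject", "sdrop"):
            report[sid] = "blocking"
        else:
            report[sid] = "alert-only"  # the "warning" section in the thread
    return report

WANTED_SIDS = [42329, 42330, 42331, 42332, 42340, 41978]

# Constructed sample file: the sids are the ones from the thread, but headers
# and msg strings are placeholders, not the real Snort rule bodies.
SAMPLE_RULES = """\
drop tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"SAMPLE 41978"; sid:41978; rev:1;)
drop tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"SAMPLE 42340"; sid:42340; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"SAMPLE 42329"; sid:42329; rev:1;)
alert tcp $HOME_NET 445 -> $EXTERNAL_NET any (msg:"SAMPLE 42330"; sid:42330; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"SAMPLE 42331"; sid:42331; rev:1;)
"""

if __name__ == "__main__":
    for sid, status in check_sids(parse_rules(SAMPLE_RULES), WANTED_SIDS).items():
        print(f"sid {sid}: {status}")
```

Point it at the real exported rules file instead of SAMPLE_RULES to see which of the four DoublePulsar SIDs are alert-only on your installation.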