IPS signatures for Wannacry

Hi,

from what I  found sofar in an uptodate UTM is that 42340 and 41978 are present

yes but not the others (the first examples). 

thanks, this link here should do: 

lists.astaro.com/ASGV9-IPS-rules.html

Thanks guys,

   Yes, found the signatures there, https://lists.astaro.com/  last update is Mon May 8 14:29:57 2017 . 

  A little puzzled though that there seems to be no reference of the last update of the signatures in this Astaro file to the pattern version installed Sophos UTM displays.  We have  set up2date every 12 hrs, so, we should have it. 

Sophos needs to make it way more clear. Ideally, one should be able to look for them in reference to the last pattern update.

Thanks again,

hi,

currently 42329-42332 are still missing.

Hi Bruno,

  I found those signatures on the Astaro file. You mean, they are missing from the actual Sophos release?

as far as i can see they are there BUT only on warning NOT on block. Which would be very strange. SOPHOS can you please jump in and comment?

As long as sophos doesn't say anything here i suggest we create advanced modified rules for 42329-42332 and set it hard to DROP. Or am I thinking something wrong here? Guys, please jump in. This is important.

If you have a look at some of the Sophos stuff in the forum header you will find Sophos has had fixes for a while so some could be in but using different signatures?

take a look at the list (link) which shows the snort pattern per today. some patterns which indeed are important for doublepulsar detection are only located in the warning section of malware and NOT in the blocking section of malware.

rfcat_vk Actually i did also look at that but... it doesnt mention UTM, it does mention patch windows and if you use SOPHOS intercept or SOPHOS EXP then you are safe. The article is focused on endpoints.

The 2 important snort rules are in it, i cant say what the other missing snort rules do (any one has a listing what exactly the missing rules do ? 

JoergRiether snort 42340 is set to DROP , snort rule 41978 is set to DROP according to the snort rules on the utm.

Yes 42340, 41978 are present and set to block. BUT to be more in detail, these are four doublepulsar detection rules (42329-42332). Problem I see (correct me if I am wrong) is that Sophos is not blocking the doublepulsar detections because these rules are only in the warning section. Would be interesting to know if it works if you manually add these rules at advanced and set them all to hard drop. But I fear this may not work. I guess Sophos has to move these four rules to the blocking list instead of the warning list.

BTW setting "add extra warnings" will NOT work. Quote from manual: "Add extra warnings: When this option is selected, each group will include additional rules increasing the IPS detection rate. Note that these rules are more general and vague than the explicit attack patterns and will therefore likely produce more alerts. For that reason, the default action for these rules is Alert, which cannot be configured."

Yes 42340, 41978 are present and set to block. BUT to be more in detail, these are four doublepulsar detection rules (42329-42332). Problem I see (correct me if I am wrong) is that Sophos is not blocking the doublepulsar detections because these rules are only in the warning section. Would be interesting to know if it works if you manually add these rules at advanced and set them all to hard drop. But I fear this may not work. I guess Sophos has to move these four rules to the blocking list instead of the warning list.

BTW setting "add extra warnings" will NOT work. Quote from manual: "Add extra warnings: When this option is selected, each group will include additional rules increasing the IPS detection rate. Note that these rules are more general and vague than the explicit attack patterns and will therefore likely produce more alerts. For that reason, the default action for these rules is Alert, which cannot be configured."