OPNsense Forum
Archive => 17.1 Legacy Series => Topic started by: Noctur on June 29, 2017, 05:18:22 pm
-
With Petya raging, do we need to add in new FW rules to block it or does the current abuse.ch and emerging threats rulesets include it? Reviewing the abuse.ch ransomware rules site does not comment on Petya.
For example, there is a suggestion on the Microsoft Security Blog that blocking ports 139 and 445, as well as disabling SMBv1 and/or installing security update MS17-010 on individual windows machines will prevent an infection. https://blogs.technet.microsoft.com/mmpc/2017/06/27/new-ransomware-old-techniques-petya-adds-worm-capabilities/
But I wanted to see if either current rulesets or a custom rule would block it further upstream. I've located a SNORT ruleset that addresses Petya specifically from PTSecurity.com (https://gist.github.com/vulnersCom/65fe44d27d29d7a5de4c176baba45759) reproduced below. But going through the motions is moot if current rules suffice.
Choices are 1) new FW rule blocking SMB ports and 2) custom Suricata rules based on the SNORT rules below.. 3) do nothing because its already managed.
Anyone have a better handle on this? TIA
alert tcp any any -> $HOME_NET 445 (msg: "[PT Open] Unimplemented Trans2 Sub-Command code. Possible ETERNALBLUE (WannaCry, Petya) tool"; flow: to_server, established; content: "|FF|SMB2|00 00 00 00|"; depth: 9; offset: 4; byte_test: 2, >, 0x0008, 52, relative, little; pcre: "/\xFFSMB2\x00\x00\x00\x00.{52}(?:\x04|\x09|\x0A|\x0B|\x0C|\x0E|\x11)\x00/"; flowbits: set, SMB.Trans2.SubCommand.Unimplemented; reference: url, msdn.microsoft.com/en-us/library/ee441654.aspx; classtype: attempted-admin; sid: 10001254; rev: 2;)
alert tcp any any -> $HOME_NET 445 (msg: "[PT Open] ETERNALBLUE (WannaCry, Petya) SMB MS Windows RCE"; flow: to_server, established; content: "|FF|SMB3|00 00 00 00|"; depth: 9; offset: 4; flowbits: isset, SMB.Trans2.SubCommand.Unimplemented.Code0E; threshold: type limit, track by_src, seconds 60, count 1; reference: cve, 2017-0144; classtype: attempted-admin; sid: 10001255; rev: 3;)
alert tcp any any -> $HOME_NET 445 (msg: "[PT Open] Trans2 Sub-Command 0x0E. Likely ETERNALBLUE (WannaCry, Petya) tool"; flow: to_server, established; content: "|FF|SMB2|00 00 00 00|"; depth: 9; offset: 4; content: "|0E 00|"; distance: 52; within: 2; flowbits: set, SMB.Trans2.SubCommand.Unimplemented.Code0E; reference: url, msdn.microsoft.com/en-us/library/ee441654.aspx; classtype: attempted-admin; sid: 10001256; rev: 2;)
alert tcp any any -> $HOME_NET 445 (msg: "[PT Open] Petya ransomware perfc.dat component"; flow: to_server, established, no_stream; content: "|fe 53 4d 42|"; offset: 4; depth: 4; content: "|05 00|"; offset: 16; depth: 2; byte_jump: 2, 112, little, from_beginning, post_offset 4; content: "|70 00 65 00 72 00 66 00 63 00 2e 00 64 00 61 00 74 00|"; distance:0; classtype:suspicious-filename-detect; sid: 10001443; rev: 1;)
alert tcp any any -> $HOME_NET 445 (msg:"[PT Open] SMB2 Create PSEXESVC.EXE"; flow:to_server, established, no_stream; content: "|fe 53 4d 42|"; offset: 4; depth: 4; content: "|05 00|"; offset: 16; depth: 2; byte_jump: 2, 112, little, from_beginning, post_offset 4; content:"|50 00 53 00 45 00 58 00 45 00 53 00 56 00 43 00 2e 00 45 00 58 00 45|"; distance:0; classtype:suspicious-filename-detect; sid: 10001444; rev:1;)
-
Doesn't disabling SMB share on a Windows machine achieve the same thing? Does anyone actually need access to an SMB share over the internet and if they do, wouldn't they be better using a secure VPN connection for such traffic?
-
Thank you for the reply...
Yes, provided you have access to the machine or the user has applied the patch or the user can follow instructions to disable SMBv1.
I should have also stated before I posted I looked into simiply disabling SMB on the WAN in a FW rule, but SMB isn't listed as a protocol option in the new rule dropdown. Any suggestions on this? TIA
-
If users aren't able or willing to change the setting to disable SMB v1 then I'd just go with blocking the ports initially. I believe this piece of malware is usually spread initially via a software updater (I must admit I haven't read much about it so far), but the users should have anti-virus/malware installed - are there any that warn of this problem?
-
Both this worm and WCRY before it exploit CVE-2017-0144 which was patched back in May. As Bill mentioned, anybody who allows SMB (any version) over the public internet needs to seriously reconsider their security policy.
You should not rely on Suricata alone for malware protection. Patch your internet connected systems.
Bart...
-
"You should not rely on Suricata alone for malware protection. Patch your internet connected systems." - Amen!
Done with those I have access to, but the BYOD crowd....
-
I guess that BYOD crowd will be the only affected if you already patched non-BYODs ;)
-
That's a real problem. Once a box is pwnd, BYOD or otherwise, trust relationships will be exploited, new found credentials will be utilized ... got to patch.
-
Use NAP then, enforce a policy both by HR and technical means
-
Microsoft killed NAP; it didn't make it into Windows 10. I would quarantine BYOD devices on a separate VLAN with strict firewall rules to your core network.
Bart...