OPNsense Forum

Archive => 17.1 Legacy Series => Topic started by: Noctur on June 29, 2017, 05:18:22 pm

Title: Do we need a new fw rule for Petya (and variants)?
Post by: Noctur on June 29, 2017, 05:18:22 pm
With Petya raging, do we need to add in new FW rules to block it or does the current abuse.ch and emerging threats rulesets include it? Reviewing the abuse.ch ransomware rules site does not comment on Petya.

For example, there is a suggestion on the Microsoft Security Blog that blocking ports 139 and 445, as well as disabling SMBv1 and/or installing security update MS17-010 on individual windows machines will prevent an infection. https://blogs.technet.microsoft.com/mmpc/2017/06/27/new-ransomware-old-techniques-petya-adds-worm-capabilities/

But I wanted to see if either current rulesets or a custom rule would block it further upstream. I've located a SNORT ruleset that addresses Petya specifically from PTSecurity.com (https://gist.github.com/vulnersCom/65fe44d27d29d7a5de4c176baba45759) reproduced below. But going through the motions is moot if current rules suffice.

Choices are 1) new FW rule blocking SMB ports and 2) custom Suricata rules based on the SNORT rules below.. 3) do nothing because its already managed.

Anyone have a better handle on this? TIA

alert tcp any any -> $HOME_NET 445 (msg: "[PT Open] Unimplemented Trans2 Sub-Command code. Possible ETERNALBLUE (WannaCry, Petya) tool"; flow: to_server, established; content: "|FF|SMB2|00 00 00 00|"; depth: 9; offset: 4; byte_test: 2, >, 0x0008, 52, relative, little; pcre: "/\xFFSMB2\x00\x00\x00\x00.{52}(?:\x04|\x09|\x0A|\x0B|\x0C|\x0E|\x11)\x00/"; flowbits: set, SMB.Trans2.SubCommand.Unimplemented; reference: url, msdn.microsoft.com/en-us/library/ee441654.aspx; classtype: attempted-admin; sid: 10001254; rev: 2;)

alert tcp any any -> $HOME_NET 445 (msg: "[PT Open] ETERNALBLUE (WannaCry, Petya) SMB MS Windows RCE"; flow: to_server, established; content: "|FF|SMB3|00 00 00 00|"; depth: 9; offset: 4; flowbits: isset, SMB.Trans2.SubCommand.Unimplemented.Code0E; threshold: type limit, track by_src, seconds 60, count 1; reference: cve, 2017-0144; classtype: attempted-admin; sid: 10001255; rev: 3;)

alert tcp any any -> $HOME_NET 445 (msg: "[PT Open] Trans2 Sub-Command 0x0E. Likely ETERNALBLUE (WannaCry, Petya) tool"; flow: to_server, established; content: "|FF|SMB2|00 00 00 00|"; depth: 9; offset: 4; content: "|0E 00|"; distance: 52; within: 2; flowbits: set, SMB.Trans2.SubCommand.Unimplemented.Code0E; reference: url, msdn.microsoft.com/en-us/library/ee441654.aspx; classtype: attempted-admin; sid: 10001256; rev: 2;)

alert tcp any any -> $HOME_NET 445 (msg: "[PT Open] Petya ransomware perfc.dat component"; flow: to_server, established, no_stream; content: "|fe 53 4d 42|"; offset: 4; depth: 4; content: "|05 00|"; offset: 16; depth: 2; byte_jump: 2, 112, little, from_beginning, post_offset 4; content: "|70 00 65 00 72 00 66 00 63 00 2e 00 64 00 61 00 74 00|"; distance:0; classtype:suspicious-filename-detect; sid: 10001443; rev: 1;)

alert tcp any any -> $HOME_NET 445 (msg:"[PT Open] SMB2 Create PSEXESVC.EXE"; flow:to_server, established, no_stream; content: "|fe 53 4d 42|"; offset: 4; depth: 4; content: "|05 00|"; offset: 16; depth: 2; byte_jump: 2, 112, little, from_beginning, post_offset 4; content:"|50 00 53 00 45 00 58 00 45 00 53 00 56 00 43 00 2e 00 45 00 58 00 45|"; distance:0; classtype:suspicious-filename-detect; sid: 10001444; rev:1;)
Title: Re: Do we need a new fw rule for Petya (and variants)?
Post by: phoenix on June 29, 2017, 05:23:32 pm
Doesn't disabling SMB share on a Windows machine achieve the same thing? Does anyone actually need access to an SMB share over the internet and if they do, wouldn't they be better using a secure VPN connection for such traffic?
Title: Re: Do we need a new fw rule for Petya (and variants)?
Post by: Noctur on June 29, 2017, 05:33:29 pm
Thank you for the reply...

Yes, provided you have access to the machine or the user has applied the patch or the user can follow instructions to disable SMBv1.

I should have also stated before I posted I looked into simiply disabling SMB on the WAN in a FW rule, but SMB isn't listed as a protocol option in the new rule dropdown. Any suggestions on this? TIA
Title: Re: Do we need a new fw rule for Petya (and variants)?
Post by: phoenix on June 29, 2017, 05:39:47 pm
If users aren't able or willing to change the setting to disable SMB v1 then I'd just go with blocking the ports initially. I believe this piece of malware is usually spread initially via a software updater (I must admit I haven't read much about it so far), but the users should have anti-virus/malware installed - are there any that warn of this problem?
Title: Re: Do we need a new fw rule for Petya (and variants)?
Post by: bartjsmit on June 29, 2017, 06:18:19 pm
Both this worm and WCRY before it exploit CVE-2017-0144 which was patched back in May. As Bill mentioned, anybody who allows SMB (any version) over the public internet needs to seriously reconsider their security policy.

You should not rely on Suricata alone for malware protection. Patch your internet connected systems.

Bart...
Title: Re: Do we need a new fw rule for Petya (and variants)?
Post by: Noctur on June 30, 2017, 01:41:57 am
"You should not rely on Suricata alone for malware protection. Patch your internet connected systems." - Amen!

Done with those I have access to, but the BYOD crowd....
Title: Re: Do we need a new fw rule for Petya (and variants)?
Post by: hutiucip on June 30, 2017, 10:06:28 am
I guess that BYOD crowd will be the only affected if you already patched non-BYODs  ;)
Title: Re: Do we need a new fw rule for Petya (and variants)?
Post by: mw01 on June 30, 2017, 08:09:40 pm
That's a real problem.  Once a box is pwnd, BYOD or otherwise, trust relationships will be exploited, new found credentials will be utilized ... got to patch.
Title: Re: Do we need a new fw rule for Petya (and variants)?
Post by: hutiucip on June 30, 2017, 10:27:55 pm
Use NAP then, enforce a policy both by HR and technical means
Title: Re: Do we need a new fw rule for Petya (and variants)?
Post by: bartjsmit on July 01, 2017, 10:04:37 pm
Microsoft killed NAP; it didn't make it into Windows 10. I would quarantine BYOD devices on a separate VLAN with strict firewall rules to your core network.

Bart...