Home
Help
Search
Login
Register
OPNsense Forum
»
Archive
»
17.1 Legacy Series
»
Do we need a new fw rule for Petya (and variants)?
« previous
next »
Print
Pages: [
1
]
Author
Topic: Do we need a new fw rule for Petya (and variants)? (Read 8073 times)
Noctur
Jr. Member
Posts: 79
Karma: 4
Do we need a new fw rule for Petya (and variants)?
«
on:
June 29, 2017, 05:18:22 pm »
With Petya raging, do we need to add in new FW rules to block it or does the current abuse.ch and emerging threats rulesets include it? Reviewing the abuse.ch ransomware rules site does not comment on Petya.
For example, there is a suggestion on the Microsoft Security Blog that blocking ports 139 and 445, as well as disabling SMBv1 and/or installing security update MS17-010 on individual windows machines will prevent an infection.
https://blogs.technet.microsoft.com/mmpc/2017/06/27/new-ransomware-old-techniques-petya-adds-worm-capabilities/
But I wanted to see if either current rulesets or a custom rule would block it further upstream. I've located a SNORT ruleset that addresses Petya specifically from PTSecurity.com (
https://gist.github.com/vulnersCom/65fe44d27d29d7a5de4c176baba45759
) reproduced below. But going through the motions is moot if current rules suffice.
Choices are 1) new FW rule blocking SMB ports and 2) custom Suricata rules based on the SNORT rules below.. 3) do nothing because its already managed.
Anyone have a better handle on this? TIA
alert tcp any any -> $HOME_NET 445 (msg: "[PT Open] Unimplemented Trans2 Sub-Command code. Possible ETERNALBLUE (WannaCry, Petya) tool"; flow: to_server, established; content: "|FF|SMB2|00 00 00 00|"; depth: 9; offset: 4; byte_test: 2, >, 0x0008, 52, relative, little; pcre: "/\xFFSMB2\x00\x00\x00\x00.{52}(?:\x04|\x09|\x0A|\x0B|\x0C|\x0E|\x11)\x00/"; flowbits: set, SMB.Trans2.SubCommand.Unimplemented; reference: url, msdn.microsoft.com/en-us/library/ee441654.aspx; classtype: attempted-admin; sid: 10001254; rev: 2;)
alert tcp any any -> $HOME_NET 445 (msg: "[PT Open] ETERNALBLUE (WannaCry, Petya) SMB MS Windows RCE"; flow: to_server, established; content: "|FF|SMB3|00 00 00 00|"; depth: 9; offset: 4; flowbits: isset, SMB.Trans2.SubCommand.Unimplemented.Code0E; threshold: type limit, track by_src, seconds 60, count 1; reference: cve, 2017-0144; classtype: attempted-admin; sid: 10001255; rev: 3;)
alert tcp any any -> $HOME_NET 445 (msg: "[PT Open] Trans2 Sub-Command 0x0E. Likely ETERNALBLUE (WannaCry, Petya) tool"; flow: to_server, established; content: "|FF|SMB2|00 00 00 00|"; depth: 9; offset: 4; content: "|0E 00|"; distance: 52; within: 2; flowbits: set, SMB.Trans2.SubCommand.Unimplemented.Code0E; reference: url, msdn.microsoft.com/en-us/library/ee441654.aspx; classtype: attempted-admin; sid: 10001256; rev: 2;)
alert tcp any any -> $HOME_NET 445 (msg: "[PT Open] Petya ransomware perfc.dat component"; flow: to_server, established, no_stream; content: "|fe 53 4d 42|"; offset: 4; depth: 4; content: "|05 00|"; offset: 16; depth: 2; byte_jump: 2, 112, little, from_beginning, post_offset 4; content: "|70 00 65 00 72 00 66 00 63 00 2e 00 64 00 61 00 74 00|"; distance:0; classtype:suspicious-filename-detect; sid: 10001443; rev: 1;)
alert tcp any any -> $HOME_NET 445 (msg:"[PT Open] SMB2 Create PSEXESVC.EXE"; flow:to_server, established, no_stream; content: "|fe 53 4d 42|"; offset: 4; depth: 4; content: "|05 00|"; offset: 16; depth: 2; byte_jump: 2, 112, little, from_beginning, post_offset 4; content:"|50 00 53 00 45 00 58 00 45 00 53 00 56 00 43 00 2e 00 45 00 58 00 45|"; distance:0; classtype:suspicious-filename-detect; sid: 10001444; rev:1;)
Logged
overkill: Dell SFF i5, 16gb, 120gb SSD, 4x gb NICs
OPNsense 21.1.x
phoenix
Hero Member
Posts: 545
Karma: 58
Re: Do we need a new fw rule for Petya (and variants)?
«
Reply #1 on:
June 29, 2017, 05:23:32 pm »
Doesn't disabling SMB share on a Windows machine achieve the same thing? Does anyone actually need access to an SMB share over the internet and if they do, wouldn't they be better using a secure VPN connection for such traffic?
Logged
Regards
Bill
Noctur
Jr. Member
Posts: 79
Karma: 4
Re: Do we need a new fw rule for Petya (and variants)?
«
Reply #2 on:
June 29, 2017, 05:33:29 pm »
Thank you for the reply...
Yes, provided you have access to the machine or the user has applied the patch or the user can follow instructions to disable SMBv1.
I should have also stated before I posted I looked into simiply disabling SMB on the WAN in a FW rule, but SMB isn't listed as a protocol option in the new rule dropdown. Any suggestions on this? TIA
Logged
overkill: Dell SFF i5, 16gb, 120gb SSD, 4x gb NICs
OPNsense 21.1.x
phoenix
Hero Member
Posts: 545
Karma: 58
Re: Do we need a new fw rule for Petya (and variants)?
«
Reply #3 on:
June 29, 2017, 05:39:47 pm »
If users aren't able or willing to change the setting to disable SMB v1 then I'd just go with blocking the ports initially. I believe this piece of malware is usually spread initially via a software updater (I must admit I haven't read much about it so far), but the users should have anti-virus/malware installed - are there any that warn of this problem?
«
Last Edit: June 30, 2017, 10:28:01 am by phoenix
»
Logged
Regards
Bill
bartjsmit
Hero Member
Posts: 2016
Karma: 194
Re: Do we need a new fw rule for Petya (and variants)?
«
Reply #4 on:
June 29, 2017, 06:18:19 pm »
Both this worm and WCRY before it exploit CVE-2017-0144 which was patched back in May. As Bill mentioned, anybody who allows SMB (any version) over the public internet needs to seriously reconsider their security policy.
You should not rely on Suricata alone for malware protection. Patch your internet connected systems.
Bart...
Logged
Noctur
Jr. Member
Posts: 79
Karma: 4
Re: Do we need a new fw rule for Petya (and variants)?
«
Reply #5 on:
June 30, 2017, 01:41:57 am »
"You should not rely on Suricata alone for malware protection. Patch your internet connected systems." - Amen!
Done with those I have access to, but the BYOD crowd....
Logged
overkill: Dell SFF i5, 16gb, 120gb SSD, 4x gb NICs
OPNsense 21.1.x
Ciprian
Sr. Member
Posts: 284
Karma: 50
Re: Do we need a new fw rule for Petya (and variants)?
«
Reply #6 on:
June 30, 2017, 10:06:28 am »
I guess that BYOD crowd will be the only affected if you already patched non-BYODs
Logged
mw01
Newbie
Posts: 31
Karma: 4
Re: Do we need a new fw rule for Petya (and variants)?
«
Reply #7 on:
June 30, 2017, 08:09:40 pm »
That's a real problem. Once a box is pwnd, BYOD or otherwise, trust relationships will be exploited, new found credentials will be utilized ... got to patch.
Logged
Ciprian
Sr. Member
Posts: 284
Karma: 50
Re: Do we need a new fw rule for Petya (and variants)?
«
Reply #8 on:
June 30, 2017, 10:27:55 pm »
Use NAP then, enforce a policy both by HR and technical means
Logged
bartjsmit
Hero Member
Posts: 2016
Karma: 194
Re: Do we need a new fw rule for Petya (and variants)?
«
Reply #9 on:
July 01, 2017, 10:04:37 pm »
Microsoft killed NAP; it didn't make it into Windows 10. I would quarantine BYOD devices on a separate VLAN with strict firewall rules to your core network.
Bart...
Logged
Print
Pages: [
1
]
« previous
next »
OPNsense Forum
»
Archive
»
17.1 Legacy Series
»
Do we need a new fw rule for Petya (and variants)?