Home
Help
Search
Login
Register
OPNsense Forum
»
Archive
»
22.1 Legacy Series
»
Metasploit Eternalromance exploit getting past IDS/IPS
« previous
next »
Print
Pages: [
1
]
Author
Topic: Metasploit Eternalromance exploit getting past IDS/IPS (Read 1537 times)
badkuk
Newbie
Posts: 14
Karma: 0
Metasploit Eternalromance exploit getting past IDS/IPS
«
on:
March 16, 2022, 07:47:23 am »
Hi All,
So I've been testing the IDS/IPS feature by lobbing a few Metasploit exploits. It seems that the Eternal Romance ( exploit/windows/smb/ms17_010_psexec) attack is getting through, and i was able to get a Meterpreter session(screenshot attached). It's not showing up on the Alerts as well. I'm sure IPS is enabled as it managed to block the other exploits I tried.
Any suggestions on how to tweak the rules/rulesets? tia
Logged
Raketenmeyer
Jr. Member
Posts: 55
Karma: 7
Re: Metasploit Eternalromance exploit getting past IDS/IPS
«
Reply #1 on:
March 16, 2022, 10:13:40 am »
Which rulesets do you use? ETPRO telemetry? If yes, have a look at the different available categories and choose what fits best to your needs ->
https://tools.emergingthreats.net/docs/ETPro%20Rule%20Categories.pdf
Logged
badkuk
Newbie
Posts: 14
Karma: 0
Re: Metasploit Eternalromance exploit getting past IDS/IPS
«
Reply #2 on:
March 21, 2022, 03:19:09 am »
Hi, sorry for the late reply...yes I've enable all ETpro telemetry rules.
It managed to block the executable upload, but it seems the initial exploit is still getting through undetected.
All ET Telemetry rulesets have been enabled and downloaded in the Download tab.
As for the policy, all etpro.* rulesets have been selected. I've also selected all rules with Action = Drop, Alert, and Disabled .
Any ideas why the initial exploit is still getting through
Logged
Print
Pages: [
1
]
« previous
next »
OPNsense Forum
»
Archive
»
22.1 Legacy Series
»
Metasploit Eternalromance exploit getting past IDS/IPS