Metasploit Eternalromance exploit getting past IDS/IPS

Started by badkuk, March 16, 2022, 07:47:23 AM

Hi All,


So I've been testing the IDS/IPS feature by lobbing a few Metasploit exploits. It seems that the Eternal Romance (exploit/windows/smb/ms17_010_psexec) attack is getting through, and I was able to get a Meterpreter session (screenshot attached). It's not showing up in the Alerts either. I'm sure IPS is enabled, as it managed to block the other exploits I tried.

Any suggestions on how to tweak the rules/rulesets? TIA



Which rulesets do you use? ETPRO telemetry? If yes, have a look at the different available categories and choose what best fits your needs -> https://tools.emergingthreats.net/docs/ETPro%20Rule%20Categories.pdf


Hi, sorry for the late reply... yes, I've enabled all ETpro telemetry rules.

It managed to block the executable upload, but it seems the initial exploit is still getting through undetected.

All ET Telemetry rulesets have been enabled and downloaded in the Download tab.

As for the policy, all etpro.* rulesets have been selected. I've also selected all rules with Action = Drop, Alert, and Disabled.

Any ideas why the initial exploit is still getting through?