https://community.cisco.com/t5/network-security/ips-petya-ransomware/m-p/3029138#M42734 <BLOCKQUOTE> <P><SPAN>Signature Update S842.0&nbsp;</SPAN></P> </BLOCKQUOTE> <P>That's a pretty old signature file. &nbsp;The latest one is S987 (Release Date 22 June 2017).</P> <P>Signature file <A href="https://tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco-sr-20170515">S982 </A>has been released to address WannaCry/WannaCrypt so I'd say signature file S842 is not covered. &nbsp;</P> Thu, 29 Jun 2017 00:37:27 GMT Leo Laohoo 2017-06-29T00:37:27Z https://community.cisco.com/t5/network-security/ips-petya-ransomware/m-p/3029135#M42731 <P><SPAN style="font-size: 10pt; font-family: 'courier new', courier, monospace; color: #000000;">Hello Team,</SPAN></P> <P></P> <P><SPAN style="font-size: 10pt; font-family: 'courier new', courier, monospace; color: #000000;">We would like to know what signature we need to update on our IPS for us to mitigate the petya ransomware?</SPAN></P> <P></P> <P></P> Sun, 10 Mar 2019 13:52:18 GMT https://community.cisco.com/t5/network-security/ips-petya-ransomware/m-p/3029135#M42731 John 2019-03-10T13:52:18Z https://community.cisco.com/t5/network-security/ips-petya-ransomware/m-p/3029136#M42732 <H3 itemprop="name"><A href="http://blog.talosintelligence.com/2017/06/worldwide-ransomware-variant.html" rel="nofollow">New Ransomware Variant "Nyetya" Compromises Systems Worldwide</A></H3> Wed, 28 Jun 2017 21:02:31 GMT https://community.cisco.com/t5/network-security/ips-petya-ransomware/m-p/3029136#M42732 Leo Laohoo 2017-06-28T21:02:31Z https://community.cisco.com/t5/network-security/ips-petya-ransomware/m-p/3029137#M42733 <P><SPAN style="color: #000000; font-size: 10pt; font-family: 'courier new', courier, monospace;">Hello Leo,</SPAN></P> <P></P> <P><SPAN style="color: #000000; font-size: 10pt; font-family: 'courier new', courier, monospace;">How about in IPS we're using Cisco Intrusion Prevention System, Version 7.1(8p1)E4</SPAN></P> <P><SPAN style="color: #000000; font-size: 10pt; font-family: 'courier new', courier, monospace;">Host:</SPAN><BR /><SPAN style="color: #000000; font-size: 10pt; font-family: 'courier new', courier, monospace;"> Realm Keys key1.0</SPAN><BR /><SPAN style="color: #000000; font-size: 10pt; font-family: 'courier new', courier, monospace;">Signature Definition:</SPAN><BR /><SPAN style="color: #000000; font-size: 10pt; font-family: 'courier new', courier, monospace;"> Signature Update S842.0&nbsp;</SPAN><BR /><SPAN style="color: #000000; font-size: 10pt; font-family: 'courier new', courier, monospace;">OS Version: 2.6.29.1</SPAN><BR /><SPAN style="color: #000000; font-size: 10pt; font-family: 'courier new', courier, monospace;">Platform: ASA5525-IPS</SPAN></P> <P></P> <P><SPAN style="color: #000000; font-size: 10pt; font-family: 'courier new', courier, monospace;">what version of signature that we need to upgrade for us to mitigate na ransomware?</SPAN></P> Wed, 28 Jun 2017 23:22:13 GMT https://community.cisco.com/t5/network-security/ips-petya-ransomware/m-p/3029137#M42733 John 2017-06-28T23:22:13Z https://community.cisco.com/t5/network-security/ips-petya-ransomware/m-p/3029138#M42734 <BLOCKQUOTE> <P><SPAN>Signature Update S842.0&nbsp;</SPAN></P> </BLOCKQUOTE> <P>That's a pretty old signature file. &nbsp;The latest one is S987 (Release Date 22 June 2017).</P> <P>Signature file <A href="https://tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco-sr-20170515">S982 </A>has been released to address WannaCry/WannaCrypt so I'd say signature file S842 is not covered. &nbsp;</P> Thu, 29 Jun 2017 00:37:27 GMT https://community.cisco.com/t5/network-security/ips-petya-ransomware/m-p/3029138#M42734 Leo Laohoo 2017-06-29T00:37:27Z https://community.cisco.com/t5/network-security/ips-petya-ransomware/m-p/3029139#M42735 <P>Hi John&nbsp;</P> <P>please see below link and snort rules you can enable, depending on your base policy the rules may or may not be enabled.</P> <P>On Firesight Manager you can enable these rules to drop / alert or just alert (via policies &gt; intrusion)</P> <P></P> <P>http://blog.talosintelligence.com/2017/06/worldwide-ransomware-variant.html &nbsp; </P> <P></P> <P>42944 - OS-WINDOWS Microsoft Windows SMB remote code execution attempt<BR />42340 - OS-WINDOWS Microsoft Windows SMB anonymous session IPC share access attempt<BR />41984 - OS-WINDOWS Microsoft Windows SMBv1 identical MID and FID type confusion attempt<BR />&nbsp;&nbsp; &nbsp;<BR />&nbsp;&nbsp; &nbsp;<BR />5718 - OS-WINDOWS Microsoft Windows SMB-DS Trans unicode Max Param/Count OS-WINDOWS attempt<BR />1917 - INDICATOR-SCAN UPnP service discover attempt<BR />5730 - OS-WINDOWS Microsoft Windows SMB-DS Trans Max Param OS-WINDOWS attempt<BR />26385 - FILE-EXECUTABLE Microsoft Windows executable file save onto SMB share attempt<BR />43370 - NETBIOS DCERPC possible wmi remote process launch</P> Mon, 03 Jul 2017 09:05:08 GMT https://community.cisco.com/t5/network-security/ips-petya-ransomware/m-p/3029139#M42735 #TCN 2017-07-03T09:05:08Z https://community.cisco.com/t5/network-security/ips-petya-ransomware/m-p/3029140#M42736 <P><SPAN><A href="https://supportforums.cisco.com/users/boydjames">boydjames</A></SPAN>&nbsp;&nbsp;</P> <P>Snort rules are for FirePOWER appliances or modules in the Cisco world.</P> <P>The OP indicated he is running the classic Cisco IPS (with a VERY old signature file).</P> <P>Thus Leo's advice was correct.</P> Mon, 03 Jul 2017 13:41:01 GMT https://community.cisco.com/t5/network-security/ips-petya-ransomware/m-p/3029140#M42736 Marvin Rhoads 2017-07-03T13:41:01Z