06-28-2017 08:09 AM - edited 03-10-2019 06:52 AM
Hello Team,
We would like to know what signature we need to update on our IPS for us to mitigate the Petya ransomware.
06-28-2017 02:02 PM
06-28-2017 04:22 PM
Hello Leo,
How about for the IPS we're using: Cisco Intrusion Prevention System, Version 7.1(8p1)E4
Host:
Realm Keys key1.0
Signature Definition:
Signature Update S842.0
OS Version: 2.6.29.1
Platform: ASA5525-IPS
What version of signature do we need to upgrade to for us to mitigate the ransomware?
06-28-2017 05:37 PM
Signature Update S842.0
That's a pretty old signature file. The latest one is S987 (Release Date 22 June 2017).
Signature file S982 has been released to address WannaCry/WannaCrypt so I'd say signature file S842 is not covered.
07-03-2017 02:05 AM
Hi John
Please see the link below and the Snort rules you can enable; depending on your base policy, the rules may or may not be enabled.
On Firesight Manager you can set these rules to drop and alert, or just alert (via Policies > Intrusion).
http://blog.talosintelligence.com/2017/06/worldwide-ransomware-variant.html
42944 - OS-WINDOWS Microsoft Windows SMB remote code execution attempt
42340 - OS-WINDOWS Microsoft Windows SMB anonymous session IPC share access attempt
41984 - OS-WINDOWS Microsoft Windows SMBv1 identical MID and FID type confusion attempt
5718 - OS-WINDOWS Microsoft Windows SMB-DS Trans unicode Max Param/Count OS-WINDOWS attempt
1917 - INDICATOR-SCAN UPnP service discover attempt
5730 - OS-WINDOWS Microsoft Windows SMB-DS Trans Max Param OS-WINDOWS attempt
26385 - FILE-EXECUTABLE Microsoft Windows executable file save onto SMB share attempt
43370 - NETBIOS DCERPC possible wmi remote process launch
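Because the reply above notes that the listed rules may or may not be enabled in your base policy, a quick way to check is to audit the rule set for those SIDs. The script below is an added example and not code from Cisco, Talos or the poster. It assumes the plain Snort rules text format, where a leading `#` disables a rule and the first word is the action (`alert`, `drop`, ...); the rule lines it parses are constructed samples with shortened bodies, not a real rules file, and Firepower's own policy export format may differ.

```python
import re

# Snort IDs from the Talos Petya/NotPetya guidance quoted in the post above.
PETYA_SIDS = {42944, 42340, 41984, 5718, 1917, 5730, 26385, 43370}

# Constructed sample rule set (not a real Cisco/Talos rules file). Rule bodies are
# shortened placeholders; only the action, a leading '#' and the sid matter here.
SAMPLE_RULES = """\
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"OS-WINDOWS Microsoft Windows SMB remote code execution attempt"; sid:42944; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"OS-WINDOWS Microsoft Windows SMB anonymous session IPC share access attempt"; sid:42340; rev:3;)
drop tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"OS-WINDOWS Microsoft Windows SMBv1 identical MID and FID type confusion attempt"; sid:41984; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"FILE-EXECUTABLE Microsoft Windows executable file save onto SMB share attempt"; sid:26385; rev:4;)
# drop tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"NETBIOS DCERPC possible wmi remote process launch"; sid:43370; rev:1;)
"""

# A rule line: optional '#' (disabled), an action keyword, then options containing sid:N;
RULE_RE = re.compile(
    r'^(?P<disabled>#\s*)?(?P<action>alert|drop|pass|log|reject|sdrop)\s+.*?\bsid:\s*(?P<sid>\d+)\s*;'
)


def parse_rule_states(text):
    """Map sid -> (enabled, action) for every rule line in a Snort rules text."""
    states = {}
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue  # blank lines, plain comments and non-rule directives
        sid = int(m.group('sid'))
        states[sid] = (m.group('disabled') is None, m.group('action'))
    return states


def audit_coverage(text, wanted=PETYA_SIDS):
    """Classify each wanted sid as its action ('drop'/'alert'), 'disabled' or 'missing'."""
    states = parse_rule_states(text)
    report = {}
    for sid in sorted(wanted):
        if sid not in states:
            report[sid] = 'missing'      # not in the loaded rule set at all
        else:
            enabled, action = states[sid]
            report[sid] = action if enabled else 'disabled'
    return report


if __name__ == '__main__':
    for sid, state in audit_coverage(SAMPLE_RULES).items():
        print(f'{sid:6d}  {state}')
```

Run against your own exported rules text instead of `SAMPLE_RULES`: any SID reported as `disabled` or `missing` is one the base policy is not enforcing, and `alert` versus `drop` tells you whether the sensor would only log or actually block the traffic in an inline deployment.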
07-03-2017 06:41 AM
Snort rules are for FirePOWER appliances or modules in the Cisco world.
The OP indicated he is running the classic Cisco IPS (with a VERY old signature file).
Thus Leo's advice was correct.