IPS | Petya Ransomware

John
Level 1

Hello Team,

We would like to know which signature we need to update on our IPS to mitigate the Petya ransomware.



Hello Leo,

How about on IPS? We're using Cisco Intrusion Prevention System, Version 7.1(8p1)E4:

Host:
Realm Keys key1.0
Signature Definition:
Signature Update S842.0 
OS Version: 2.6.29.1
Platform: ASA5525-IPS

What signature version do we need to upgrade to in order to mitigate the ransomware?

Accepted solution:

Signature Update S842.0

That's a pretty old signature file. The latest one is S987 (Release Date 22 June 2017).

Signature file S982 has been released to address WannaCry/WannaCrypt, so I'd say signature file S842 is not covered.

#TCN
Level 1

Hi John,

Please see the link below and the Snort rules you can enable; depending on your base policy, the rules may or may not already be enabled.

On FireSIGHT Manager you can set these rules to drop and alert, or just alert (via Policies > Intrusion).

http://blog.talosintelligence.com/2017/06/worldwide-ransomware-variant.html  

42944 - OS-WINDOWS Microsoft Windows SMB remote code execution attempt
42340 - OS-WINDOWS Microsoft Windows SMB anonymous session IPC share access attempt
41984 - OS-WINDOWS Microsoft Windows SMBv1 identical MID and FID type confusion attempt
5718 - OS-WINDOWS Microsoft Windows SMB-DS Trans unicode Max Param/Count OS-WINDOWS attempt
1917 - INDICATOR-SCAN UPnP service discover attempt
5730 - OS-WINDOWS Microsoft Windows SMB-DS Trans Max Param OS-WINDOWS attempt
26385 - FILE-EXECUTABLE Microsoft Windows executable file save onto SMB share attempt
43370 - NETBIOS DCERPC possible wmi remote process launch
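The point in the reply above is that a rule being present in the ruleset does not mean it is enabled in your base policy. The script below is an added example, not something posted in this thread or shipped by Cisco or Talos: it audits a plain Snort rules file for the SIDs listed above and reports, for each, whether the rule is active (and with which action), commented out, or absent. The rules text is constructed for the example; the SID set is the one from the reply. It assumes one rule per line with a `sid:` option, which is how exported Snort rule files normally look (continuation lines with a trailing backslash are not handled).

```python
"""Audit a Snort rules file for the Petya/Nyetya-related SIDs from the Talos post."""
import re

# SIDs named in the reply above.
TALOS_SIDS = {42944, 42340, 41984, 5718, 1917, 5730, 26385, 43370}

# Constructed sample rules file (assumption: not a real ruleset excerpt).
# Two rules enabled, one set to drop, one commented out, the rest absent.
SAMPLE_RULES = """\
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"OS-WINDOWS Microsoft Windows SMB remote code execution attempt"; flow:to_server,established; sid:42944; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"OS-WINDOWS Microsoft Windows SMB anonymous session IPC share access attempt"; sid:42340; rev:4;)
drop tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"OS-WINDOWS Microsoft Windows SMBv1 identical MID and FID type confusion attempt"; sid:41984; rev:3;)
alert udp $HOME_NET any -> 239.255.255.250 1900 (msg:"INDICATOR-SCAN UPnP service discover attempt"; sid:1917; rev:10;)
"""

# A rule line: optional leading '#' (disabled), a Snort action keyword, then
# somewhere in the options a 'sid:<n>;'. \bsid avoids matching 'gid:'.
RULE_RE = re.compile(
    r"^\s*(?P<disabled>#\s*)?(?P<action>alert|drop|log|pass|reject|sdrop)\s+"
    r".*?\bsid:\s*(?P<sid>\d+)\s*;"
)


def audit_rules(rules_text, wanted_sids):
    """Map each wanted SID to its action ('alert', 'drop', ...), 'disabled' if
    the rule is commented out, or 'missing' if no rule with that SID exists."""
    status = {sid: "missing" for sid in wanted_sids}
    for line in rules_text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue  # blank, comment, or non-rule line
        sid = int(m.group("sid"))
        if sid not in status:
            continue  # a rule we were not asked about
        status[sid] = "disabled" if m.group("disabled") else m.group("action")
    return status


def needs_action(status):
    """SIDs that are not actually inspecting traffic: disabled or missing."""
    return sorted(sid for sid, state in status.items() if state in ("disabled", "missing"))


if __name__ == "__main__":
    result = audit_rules(SAMPLE_RULES, TALOS_SIDS)
    for sid, state in sorted(result.items()):
        print(f"{sid:>6}  {state}")
    print("needs attention:", needs_action(result))
```

Point it at a real exported rules file by replacing `SAMPLE_RULES` with the file contents; anything reported as `disabled` or `missing` is a rule the base policy is not applying, which is the gap the reply is warning about.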

boydjames

Snort rules are for FirePOWER appliances or modules in the Cisco world.

The OP indicated he is running the classic Cisco IPS (with a VERY old signature file).

Thus Leo's advice was correct.
