Snort mailing list archives
Re: new rules 55703 and 55704
From: John Levy <johlevy () sourcefire com>
Date: Wed, 16 Sep 2020 11:32:42 -0400
Hi there,

The SecuraBV repo was one of the repos we used for testing, and those rules _should_ be alerting on that particular PoC. Do you by chance have a pcap of your attack traffic that you could share? If so, I would be happy to take a look at it to see what might be causing the miss.

Also, it's quite possible that a miss is the result of a particular Snort configuration. What base policy are you running? For this particular attack, it is important that "autodetect" is enabled in the dcerpc2_server preproc for tcp ports 1024:65535 because of the use of ephemeral ports.

Feel free to send me a direct email with the pcap and your base policy if you don't want to share that info with the entire mailer.

Thanks so much!

Regards,
John Levy
Cisco Talos

On Wed, Sep 16, 2020 at 10:41 AM DECula via Snort-sigs <snort-sigs () lists snort org> wrote:
The new rules added today for CVE-2020-1472, SIDs 55703 and 55704, are NOT firing when I use the PoC code from https://github.com/SecuraBV/CVE-2020-1472 . I'm concerned that the new rules may not cover all exploit attempts for ZEROLOGON. Could you please take a look?

Cisco FMC with today's rules enabled.

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists snort org
https://lists.snort.org/mailman/listinfo/snort-sigs

Please visit http://blog.snort.org for the latest news about Snort!
Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette
Visit Snort.org to subscribe to the official Snort ruleset, make sure to stay up to date to catch the most emerging threats: https://snort.org/downloads/#rule-downloads
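The dcerpc2_server point John raises is easy to get wrong in a base policy, so here is an added illustration (not from the thread and not Talos' or Cisco's own configuration): a Snort 2.x snort.conf fragment showing a narrow setting that decodes DCE/RPC only on fixed ports next to one that also autodetects it on the ephemeral range. The Secura PoC uses impacket over ncacn_ip_tcp: it asks the endpoint mapper on TCP 135 where the Netlogon interface listens and then binds to that dynamic port, so a rule whose dce_* options depend on decoded DCE/RPC can only match if the preprocessor is decoding that port. The memcap, policy and port values below are assumptions chosen for the example, not values taken from the rules or the page.

```conf
# Added example, not from the thread: Snort 2.9 snort.conf fragment.
# The Zerologon PoC binds to Netlogon on a dynamic TCP port learned from
# the endpoint mapper (TCP 135). dce_* rule options only inspect traffic
# the dcerpc2 preprocessor has decoded, so that dynamic port must be
# decoded as well as 135.

preprocessor dcerpc2: memcap 102400, events [co]

# Weak: only the fixed ports are decoded. The endpoint-mapper exchange on
# 135 is parsed, but the Netlogon session on the ephemeral port is not,
# so SIDs 55703/55704 never see decoded DCE/RPC to match against.
#preprocessor dcerpc2_server: default, policy Win2008, \
#    detect [smb [139,445], tcp 135, udp 135, rpc-over-http-server 593]

# Corrected: autodetect makes the preprocessor look for DCE/RPC
# bind/request headers on the high port range and decode the session
# once it sees one (the 1024:65535 range is the one John names above).
preprocessor dcerpc2_server: default, policy Win2008, \
    detect [smb [139,445], tcp 135, udp 135, rpc-over-http-server 593], \
    autodetect [tcp 1024:65535, udp 1024:65535, rpc-over-http-server 1025:], \
    smb_max_chain 3
```

To check a specific policy against a capture, replay the pcap through the same configuration and read the alerts on the console, e.g. `snort -c /etc/snort/snort.conf -r zerologon.pcap -A console` (the pcap name is a placeholder). If the rules fire with the autodetect line and not without it, the miss was the preprocessor configuration rather than rule coverage.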
Current thread:
- new rules 55703 and 55704 DECula via Snort-sigs (Sep 16)
- Re: new rules 55703 and 55704 Joel Esler (jesler) via Snort-sigs (Sep 16)
- Re: new rules 55703 and 55704 Al Lewis (allewi) via Snort-sigs (Sep 16)
- Re: new rules 55703 and 55704 John Levy (Sep 16)