Snort mailing list archives

Re: new rules 55703 and 55704


From: John Levy <johlevy () sourcefire com>
Date: Wed, 16 Sep 2020 11:32:42 -0400

Hi there,

The SecuraBV repo was one of the repos we used for testing, and those rules
_should_ be alerting on that particular poc. Do you by chance have a pcap
of your attack traffic that you could share? If so, I would be happy to
take a look at it to see what might be causing the miss. Also, it's quite
possible that a miss is the result of a particular Snort configuration.
What base policy are you running? For this particular attack, it is
important that "autodetect" is enabled in the dcerpc2_server preproc for
tcp ports 1024:65535 because of the use of ephemeral ports.

Feel free to send me a direct email with the pcap and your base policy if
you don't want to share that info with the entire mailer.

Thanks so much!

Regards,

John Levy
Cisco Talos

On Wed, Sep 16, 2020 at 10:41 AM DECula via Snort-sigs <snort-sigs () lists snort org> wrote:


The new rules added today for CVE-2020-1472, SIDs 55703 and 55704, are NOT
firing when I use the PoC code from https://github.com/SecuraBV/CVE-2020-1472.
I'm concerned that the new rules may not cover all exploit attempts for
ZEROLOGON. Could you please take a look?

Cisco FMC with today's rules enabled.

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists snort org
https://lists.snort.org/mailman/listinfo/snort-sigs

Please visit http://blog.snort.org for the latest news about Snort!

Please follow these rules:
https://snort.org/faq/what-is-the-mailing-list-etiquette

Visit Snort.org to subscribe to the official Snort ruleset, and make sure to
stay up to date to catch the most emerging threats:
https://snort.org/downloads/#rule-downloads

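The configuration point in John Levy's reply (autodetect on the ephemeral TCP range in the dcerpc2_server preprocessor) is easy to get wrong, so the following is an added illustration for Snort 2 and is not text posted by either participant. The port lists mirror the ones shipped in the stock snort.conf; the only assumption is that the rules in question rely on the DCE/RPC decoder, which is what the reply implies.

```conf
# Added illustration, not from the thread. Narrow block: only the well-known
# RPC ports are inspected. The Netlogon (MS-NRPC) session that follows the
# endpoint-mapper lookup lands on an ephemeral port, so it never reaches the
# DCE/RPC decoder and rules that depend on that decoder cannot match.
preprocessor dcerpc2_server: default, policy WinXP, \
    detect [smb [139,445], tcp 135, udp 135, rpc-over-http-server 593]

# Corrected block: autodetect on the ephemeral range, as the reply advises.
# The stock snort.conf uses the open-ended "tcp 1025:"; "tcp 1024:65535" is
# the range named in the reply and covers the same traffic.
preprocessor dcerpc2_server: default, policy WinXP, \
    detect [smb [139,445], tcp 135, udp 135, rpc-over-http-server 593], \
    autodetect [tcp 1024:65535, udp 1024:65535, rpc-over-http-server 1025:]
```

After editing, validate the configuration with `snort -T -c snort.conf` before reloading; a miss that persists with autodetect in place is then worth reproducing against a pcap, as the reply suggests, rather than assuming the rule itself is incomplete.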
