Versions (7)
Version Details: Current
Rev: 6 • Jun 24, 2025, 4:00 PM
ATTACK AD [PTsecurity] Unimplemented Trans2 Sub-Command code. Possible ETERNALBLUE (WannaCry, Petya) tool (CVE-2017-0144)
alert smb any any -> any any (msg:"ATTACK AD [PTsecurity] Unimplemented Trans2 Sub-Command code. Possible ETERNALBLUE (WannaCry, Petya) tool (CVE-2017-0144)"; flow:to_server, established, no_stream; content:"|FF|SMB2|00 00 00 00|"; depth:9; offset:4; byte_test:2, >, 0x0008, 52, relative, little; pcre:"/\xFFSMB2\x00\x00\x00\x00.{52}(?:\x04|\x09|\x0A|\x0B|\x0C|\x0E|\x11)\x00/s"; reference:cve, 2017-0144; reference:url, msdn.microsoft.com/en-us/library/ee441654.aspx; reference:url, rules.ptsecurity.com; classtype:attempted-admin; sid:10001254; rev:6;)
Jun 24, 2025, 4:00 PM
Oct 16, 2025, 10:34 AM
rules/ptopen-windows.rules