Rule History

alert smb any any -> any any (msg:"ATTACK AD [PTsecurity] ETERNALROMANCE exploitation attempt (MS17-010 / CVE-2017-0143)"; flow:established, to_server; content:"|FF|SMB|A1|"; content:"|FF|SMB|A0|"; distance:0; content:"|05 00|"; distance:64; within:2; content:"|FF|SMB|25|"; distance:13; within:5; content:"|FF|SMB|25|"; distance:67; within:5; content:"|FF|SMB|25|"; distance:67; within:5; content:"|FF|SMB|25|"; distance:67; within:5; content:"|FF|SMB|25|"; distance:67; within:5; content:"|FF|SMB|25|"; distance:67; within:5; content:"|FF|SMB|25|"; distance:67; within:5; content:"|FF|SMB|25|"; distance:67; within:5; content:"|FF|SMB|25|"; distance:67; within:5; content:"|FF|SMB|25|"; distance:67; within:5; content:"|FF|SMB|25|"; distance:67; within:5; content:"|FF|SMB|25|"; distance:67; within:5; threshold:type both, track by_src, count 1, seconds 60; reference:cve, 2017-0143; reference:url, github.com/rapid7/metasploit-framework/commit/c9473f8cbc147fe6ff7fe27862fd3d1e9f27c4f5; reference:url, www.crowdstrike.com/blog/badrabbit-ms17-010-exploitation-part-one-leak-and-control; reference:url, rules.ptsecurity.com; classtype:attempted-admin; sid:10001723; rev:2;)