alert smb any any -> $HOME_NET any (msg:"ATTACK [PTsecurity] Metasploit MS17-010 ETERNALROMANCE exploitation (CVE-2017-0143)"; flow:established, to_server; content:"|FF|SMB|A1|"; content:"|FF|SMB|A0|"; distance:0; content:"|05 00|"; distance:64; within:2; content:"|FF|SMB|25|"; distance:13; within:5; content:"|FF|SMB|25|"; distance:67; within:5; content:"|FF|SMB|25|"; distance:67; within:5; content:"|FF|SMB|25|"; distance:67; within:5; content:"|FF|SMB|25|"; distance:67; within:5; content:"|FF|SMB|25|"; distance:67; within:5; content:"|FF|SMB|25|"; distance:67; within:5; content:"|FF|SMB|25|"; distance:67; within:5; content:"|FF|SMB|25|"; distance:67; within:5; content:"|FF|SMB|25|"; distance:67; within:5; content:"|FF|SMB|25|"; distance:67; within:5; content:"|FF|SMB|25|"; distance:67; within:5; threshold:type both, track by_src, count 1, seconds 60; reference:cve, 2017-0143; reference:url, github.com/rapid7/metasploit-framework/commit/c9473f8cbc147fe6ff7fe27862fd3d1e9f27c4f5; reference:url, www.crowdstrike.com/blog/badrabbit-ms17-010-exploitation-part-one-leak-and-control; classtype:attempted-admin; reference:url, github.com/ptresearch/AttackDetection; sid:10001723; rev:1;)