"ET EXPLOIT Possible ETERNALBLUE MS17-010 Heap Spray"

SID: 2024217

Revision: 4

Class Type: trojan-activity

Metadata: attack_target SMB_Server, created_at 2017_04_17, deployment Internal, signature_severity Critical, updated_at 2018_07_11

Reference:

Protocol: tcp

Source Network: any

Source Port: any

Destination Network: $HOME_NET

Destination Port: 445

Flow: to_server,established

Contents:

  • Value: "|ff|SMB|33 00 00 00 00 18 07 c0 00 00 00 00 00 00 00 00 00 00 00 00 00 08 ff fe 00 08|" Depth: 30 Offset: 4

  • Value: "|00 09 00 00 00 10|"

  • Value: "|00 00 00 00 00 00 00 10|"

  • Value: "|00 00 00 10|"

Within: 4

PCRE: "/^[a-zA-Z0-9+/]{1000,}/R"

Special Options:
