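# Microsoft Netlogon Remote Protocol vulnerable to elevation of privilege CVE-2020-1472
#
# Wireshark equivalent of what the two content matches below look for:
#   netlogon.clientcred == 00:00:00:00:00:00:00:00 && netlogon.neg_flags == 0x212fffff
# The run of zero bytes corresponds to the all-zero client credential; "ff ff 2f 21"
# is NegotiateFlags 0x212fffff as it appears on the wire (byte-reversed, little-endian).
# "within: 12" keeps the two matches adjacent so an unrelated zero run cannot pair up
# with a flags value elsewhere in the stream.
#
# Note: ntlmssp.neg_flags.na400000 == 0, which is a reliable indicator, is not
# checked by this Suricata rule.
# The rule only matches a raw byte sequence, so it is subject to some false
# negatives and possible false positives.
#
# fast_pattern is set on the 4-byte flags content: without it the engine would pick
# the longer all-zero content as the multi-pattern-matcher pattern, which is very
# common in ordinary traffic and would cause needless full evaluation of this rule.
# The threshold limits alerts to one per source address every 180 seconds, so repeated
# attempts from the same host inside that window are not alerted on individually.
# NOTE(review): an engine with DCERPC application-layer parsing could anchor this to
# the Netlogon interface with dce_iface/dce_opnum; confirm parser coverage over SMB
# (port 445) before relying on that instead of the byte match.
alert tcp any [1024: 65535] -> $HOME_NET [135:139, 445, 1024: 65535] (msg:"VU#490028: Microsoft Netlogon Remote Protocol vulnerable to elevation of privilege CVE-2020-1472"; flow: established,to_server; content: "|00 00 00 00 00 00 00 00 00|"; content: "|ff ff 2f 21|"; within: 12; fast_pattern; sid:1367490028; classtype:attempted-admin; threshold: type limit, track by_src, seconds 180, count 1; reference: url,https://kb.cert.org/vuls/id/490028; rev:5;)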