MS17-010
Contents of local-1.rules (one rule that matches the "IPC$" share name in any traffic to or from TCP port 445):
# ----------------
# LOCAL RULES
# ----------------
# This file intentionally does not come with signatures. Put your local
# additions here.
alert tcp any any <> any 445 (msg: "Exploit Detected!"; content: "IPC$"; sid: 100001; rev:1;)
Run Snort against the capture with the local rule file (-d dumps application-layer data, -e shows link-layer headers, -v is verbose, -l . writes the log to the current directory), then read the resulting log back in packet dump mode:
ubuntu@ip-10-10-234-43:~/Desktop/Exercise-Files/TASK-7 (MS17-10)$ sudo snort -c local-1.rules -dev -l . -r ms-17-010.pcap
ubuntu@ip-10-10-234-43:~/Desktop/Exercise-Files/TASK-7 (MS17-10)$ sudo snort -d -r snort.log.1669590408
Running in packet dump mode
--== Initializing Snort ==--
Initializing Output Plugins!
pcap DAQ configured to read-file.
Acquiring network traffic from "snort.log.1669590408".
--== Initialization Complete ==--
-*> Snort! <*-
Version 2.9.7.0 GRE (Build 149)
By Martin Roesch & The Snort Team: http://www.snort.org/contact#team
Copyright (C) 2014 Cisco and/or its affiliates. All rights reserved.
Copyright (C) 1998-2013 Sourcefire, Inc., et al.
Using libpcap version 1.9.1 (with TPACKET_V3)
Using PCRE version: 8.39 2016-06-14
Using ZLIB version: 1.2.11
Commencing packet processing (pid=3117)
WARNING: No preprocessors configured for policy 0.
05/18-08:12:07.219861 192.168.116.149:49368 -> 192.168.116.138:445
TCP TTL:128 TOS:0x0 ID:575 IpLen:20 DgmLen:117 DF
***AP*** Seq: 0xFF7320A3 Ack: 0x223125FA Win: 0xFF TcpLen: 20
00 00 00 49 FF 53 4D 42 75 00 00 00 00 18 01 20 ...I.SMBu......
00 00 00 00 00 00 00 00 00 00 00 00 00 00 2F 4B ............../K
00 08 C5 5E 04 FF 00 00 00 00 00 01 00 1C 00 00 ...^............
5C 5C 31 39 32 2E 31 36 38 2E 31 31 36 2E 31 33 \\192.168.116.13
38 5C 49 50 43 24 00 3F 3F 3F 3F 3F 00 8\IPC$.?????.
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
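As an added example (not part of the original write-up and not Snort's own code), the following Python script does structurally what the rule above does with a plain content match: it parses the SMB1 Tree Connect AndX request (command 0x75), extracts the share path, and reports whether the share is IPC$. The sample payload is copied byte for byte from the Snort hex dump above; the HTTP line and the second Tree Connect request are constructed test inputs, and the function and constant names are my own.

```python
"""Structural check for SMB1 Tree Connect AndX requests to IPC$.

Added example: it is not part of the original write-up or of Snort. The
function and constant names are my own.
"""
import struct

SMB1_MAGIC = b"\xffSMB"
SMB_COM_TREE_CONNECT_ANDX = 0x75
SMB_FLAGS_REPLY = 0x80  # set in the Flags byte of responses, clear in requests

# TCP payload copied from the Snort hex dump above: 4-byte NetBIOS session
# header followed by a 73-byte SMB1 Tree Connect AndX request for IPC$.
SAMPLE_TREE_CONNECT = bytes.fromhex(
    "00000049ff534d427500000000180120"
    "00000000000000000000000000002f4b"
    "0008c55e04ff000000000001001c0000"
    "5c5c3139322e3136382e3131362e3133"
    "385c49504324003f3f3f3f3f00"
)

# Constructed negative input: not SMB at all, but it contains the bytes "IPC$".
NON_SMB_WITH_IPC = b"GET /docs/IPC$-notes.txt HTTP/1.0\r\n\r\n"


def naive_content_match(payload: bytes) -> bool:
    """What the rule above does: match "IPC$" anywhere in the payload."""
    return b"IPC$" in payload


def smb1_tree_connect_target(payload: bytes):
    """Return (path, service) for an SMB1 Tree Connect AndX request, else None.

    payload is the TCP payload as seen on port 445, i.e. it starts with the
    4-byte NetBIOS session header (type byte + 3-byte big-endian length).
    """
    if len(payload) < 4 + 32 + 1:
        return None
    nbss_len = int.from_bytes(payload[1:4], "big")
    smb = payload[4:4 + nbss_len]
    # The 32-byte SMB header plus the WordCount byte must be present.
    if len(smb) < 33 or smb[:4] != SMB1_MAGIC:
        return None
    command, flags = smb[4], smb[9]
    if command != SMB_COM_TREE_CONNECT_ANDX or flags & SMB_FLAGS_REPLY:
        return None
    if smb[32] != 4:  # Tree Connect AndX requests carry exactly 4 parameter words
        return None
    # Parameter words (little endian): AndXCommand(1) AndXReserved(1)
    # AndXOffset(2) Flags(2) PasswordLength(2); ByteCount(2) follows them.
    password_len = struct.unpack_from("<H", smb, 33 + 6)[0]
    data = smb[33 + 8 + 2 + password_len:]  # skip words, ByteCount, password
    path, sep, rest = data.partition(b"\x00")  # NUL-terminated share path
    if not sep:
        return None
    service = rest.split(b"\x00", 1)[0]  # NUL-terminated service string
    return path.decode("ascii", "replace"), service.decode("ascii", "replace")


def share_name(path: str) -> str:
    r"""'\\host\IPC$' -> 'IPC$' (last backslash-separated component)."""
    return path.rstrip("\\").rsplit("\\", 1)[-1]


def is_ipc_tree_connect(payload: bytes) -> bool:
    """Structural equivalent of the rule: a Tree Connect AndX request to IPC$."""
    target = smb1_tree_connect_target(payload)
    return target is not None and share_name(target[0]).upper() == "IPC$"


def build_tree_connect(path: str, service: bytes = b"?????") -> bytes:
    """Construct a minimal Tree Connect AndX request (test data only).

    Header field values other than the command are copied from the sample.
    """
    header = (SMB1_MAGIC + bytes([SMB_COM_TREE_CONNECT_ANDX]) + b"\x00" * 4
              + b"\x18" + b"\x01\x20" + b"\x00" * 2 + b"\x00" * 8 + b"\x00" * 2
              + b"\x00\x00" + b"\x2f\x4b" + b"\x00\x08" + b"\xc5\x5e")
    words = bytes([4, 0xFF, 0x00]) + struct.pack("<HHH", 0, 0, 1)
    data = b"\x00" + path.encode("ascii") + b"\x00" + service + b"\x00"
    body = header + words + struct.pack("<H", len(data)) + data
    return b"\x00" + len(body).to_bytes(3, "big") + body


if __name__ == "__main__":
    for label, pkt in [("sample from dump", SAMPLE_TREE_CONNECT),
                       ("http with IPC$ text", NON_SMB_WITH_IPC),
                       ("tree connect to other share",
                        build_tree_connect(r"\\192.168.116.138\share"))]:
        print(f"{label:30} content match={naive_content_match(pkt)!s:5} "
              f"structural={is_ipc_tree_connect(pkt)!s:5} "
              f"target={smb1_tree_connect_target(pkt)}")
```

Running the script shows the difference between the two checks: the byte match fires on the HTTP line as well as on the real Tree Connect, while the structural check fires only on a Tree Connect AndX request whose share is IPC$. A Tree Connect to IPC$ is also part of normal Windows administration, so even the structural check is a lab-level indicator of the first stage of the exploit rather than a production-grade signature on its own; in a real deployment it would be combined with the other characteristics of the MS17-010 exchange.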