IPS Prevent with wrong signature

Hi Guys,


I had a chance to test the IPS functionality for detecting or preventing in the R80.30 version, so my experiment was to use the Metasploit tool in Kali with the EternalBlue exploit.


After exploiting successfully, I found that the security gateway was able to block some malicious code with the IPS module, but the signature shown in the screenshot below is MS10-012 (Microsoft SMB server race condition denial of service).

[Screenshot: cp-1.png]


Actually, it should be prevented with MS17-010 (SMB Remote Code Execution).

[Screenshot: cp-2.png]


Can anyone here explain this behavior to me?


Thank you in advance.


Regards,

Sarm

Collaborator

Does anyone know?
Champion

First off, the firewall blocked it correctly, so it doesn't really matter which IPS signature got matched.

But to answer your question, if I am reading the CVEs correctly, MS10-012 (Microsoft SMB server race condition denial of service, CVE-2010-0021) was the ability to corrupt and crash the system (DoS) through a vulnerability in the SMB v1 server and was revealed in 2010. MS17-010 (SMB Remote Code Execution, CVE-2017-0143) appears to be very similar in that it is the weaponization of that earlier vulnerability in 2017 that can execute arbitrary code via SMB v1, instead of just causing a DoS. So to me it looks like the same vulnerability with just different outcomes (DoS in 2010 vs. running arbitrary code in 2017). In that case it would make sense that the 2010 IPS signature would get triggered, even though your kit was attempting the 2017 code exploit, as they are basically the same thing, just with different outcomes. I don't think your exploit got far enough to inject the arbitrary code before the 2010 IPS signature was triggered and stopped it.

Check out this other CheckMates thread which is very similar to your situation:

IPS signature does not match with attack type

 

R80.40 addendum for book "Max Power 2020" now available
for free download at http://www.maxpowerfirewalls.com
Collaborator

Hi Timothy_Hall,

Thank you for sharing.

I appreciate your comment.