IPS Prevent with wrong signature

Hi Guys,


I had a chance to test IPS functionality (detecting or preventing) in version R80.30, so my experiment was to use the Metasploit tool in Kali with the EternalBlue exploit.


After exploiting successfully, I found that the security gateway was able to block some malicious code with the IPS module, but the signature shown in the screenshot below is MS10-012 (Microsoft SMB server race condition denial of service).




Actually, it should be prevented with MS17-010 (SMB Remote Code Execution).



Can anyone here explain this behavior to me?


Thank you in advance.




0 Kudos
3 Replies

Does anyone know?
0 Kudos

First off, the firewall blocked it correctly so it doesn't really matter which IPS signature got matched. 

But to answer your question, if I am reading the CVEs correctly, MS10-012 (Microsoft SMB server race condition denial of service - CVE-2010-0021) was the ability to corrupt and crash the system (DoS) through a vulnerability in the SMB v1 server and was revealed in 2010. MS17-010 (SMB Remote Code Execution - CVE-2017-0143) appears to be very similar in that it is the weaponization of that earlier vulnerability in 2017 that can execute arbitrary code via SMB v1, instead of just causing a DoS. So to me it looks like the same vulnerability with just different outcomes (DoS in 2010 vs. running arbitrary code in 2017). In that case it would make sense that the 2010 IPS signature would get triggered, even though your kit was attempting the 2017 code exploit, as they are basically the same thing, just different outcomes. I don't think your exploit got far enough to inject the arbitrary code before the 2010 IPS signature was triggered and stopped it.

Check out this other CheckMates thread which is very similar to your situation:

IPS signature does not match with attack type


0 Kudos

Hi Timthy_Hall

Thank you for sharing.

I appreciate your comment.
0 Kudos