Snort Rule for the Bluekeep Module in Metasploit

RDP Communication

RDP Connection Sequence

Client X.224 Connection Request PDU

rdp_fingerprint()
rdp_check_protocol(RDPConstants::PROTOCOL_SSL | RDPConstants::PROTOCOL_HYBRID | RDPConstants::PROTOCOL_HYBRID_EX)
PROTOCOL_RDP = 0
PROTOCOL_SSL = 1
PROTOCOL_HYBRID = 2
PROTOCOL_RDSTLS = 4
PROTOCOL_HYBRID_EX = 8
RDPConstants::PROTOCOL_SSL | RDPConstants::PROTOCOL_HYBRID | RDPConstants::PROTOCOL_HYBRID_EX
1 OR 2 OR 8
0001 OR 0010 OR 1000 = 1011 = \x0B
#content:"|03 00|" --> TPKT header: version 03, reserved 00
#content:"|43 6f 6f 6b 69 65 3a 20 6d 73 74 73 68 61 73 68 3d|" --> 'Cookie: mstshash='
#content:"|0b 00 00 00|" --> requested_protocols
####################################################################
alert tcp any any -> any 3389 (msg:"Metasploit Bluekeep"; flow:to_server,established; content:"|03 00|"; offset:0; depth:2; content:"|43 6f 6f 6b 69 65 3a 20 6d 73 74 73 68 61 73 68 3d|"; distance:9; within:17; content:"|0b 00 00 00|"; distance:13; reference:url,github.com/alexandrevvo/snort_rules/blob/master/metasploit_bluekeep; sid:100000012;)

https://twitter.com/alexandrevvo
Alexandre Vieira