WannaCry

The basic operation of WannaCry is:
Detecting the propagation

The following shows the distribution of WannaCry over TCP Port 445:

The following is a link which runs some Snort rules: [here]
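
As an added example (not code from the original page), the byte pattern that this section's Wireshark filter matches can also be searched for offline in a saved capture. The Python below assumes a classic little-endian pcap with Ethernet and IPv4 framing, treats any TCP segment to or from port 445 as SMB, and does no stream reassembly; the function names and the sample capture are constructed for illustration.

```python
import struct

# Byte pattern from the page's Wireshark filter ("JlJmIhClBsr\0").
SIGNATURE = bytes.fromhex("4a6c4a6d4968436c42737200")
SMB_PORT = 445

def scan_pcap(data):
    """Return (src_ip, dst_ip) for each TCP/445 segment whose payload holds SIGNATURE.
    Assumption: classic little-endian pcap, Ethernet link type, IPv4 only."""
    hits, off = [], 24                      # skip the 24-byte global header
    while off + 16 <= len(data):
        incl_len = struct.unpack_from("<I", data, off + 8)[0]
        frame = data[off + 16: off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue                        # not IPv4, or not TCP
        ihl = (frame[14] & 0x0F) * 4        # IPv4 header length in bytes
        tcp = frame[14 + ihl:]
        if len(tcp) < 20:
            continue
        sport, dport = struct.unpack_from("!HH", tcp, 0)
        payload = tcp[(tcp[12] >> 4) * 4:]  # skip TCP header (data offset field)
        if SMB_PORT in (sport, dport) and SIGNATURE in payload:
            hits.append((".".join(map(str, frame[26:30])),
                         ".".join(map(str, frame[30:34]))))
    return hits

def build_frame(src, dst, dport, payload):
    """Build a constructed Ethernet/IPv4/TCP frame (checksums left at zero)."""
    tcp = struct.pack("!HHIIBBHHH", 49152, dport, 0, 0, 5 << 4, 0x18, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes(src), bytes(dst))
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp

def sample_pcap():
    """Constructed capture: one matching SMB segment, one benign, one on port 80."""
    frames = [
        build_frame([10, 0, 0, 5], [10, 0, 0, 9], 445, b"\xffSMB" + b"A" * 8 + SIGNATURE),
        build_frame([10, 0, 0, 6], [10, 0, 0, 9], 445, b"\xffSMB" + b"B" * 32),
        build_frame([10, 0, 0, 7], [10, 0, 0, 9], 80, SIGNATURE),
    ]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # pcap global header
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f         # per-record header
    return out

if __name__ == "__main__":
    print(scan_pcap(sample_pcap()))
```

Only the first constructed frame is reported: the second carries no pattern and the third is not on port 445. A pattern split across two TCP segments would be missed, since segments are checked one at a time.
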
The Wireshark filter is:

smb contains "\x4a\x6c\x4a\x6d\x49\x68\x43\x6c\x42\x73\x72\x00"

Detecting connection to Tor network

The following shows how we can use Snort to detect the connection to the Tor network:

The following is a link which runs some Snort rules: [here]

Presentation

The following is an outline of ransomware: