--- /dev/null
+PCAP
+====
+
+Pcap found in Zeek/Bro git repo.
--- /dev/null
+requires:
+ features:
+ - HAVE_LIBJANSSON
+ - RUST
+ files:
+ - rust/src/smb/smb.rs
+args:
+- --set stream.midstream=true
+
+checks:
+ - filter:
+ count: 17
+ match:
+ event_type: smb
+ - filter:
+ count: 7
+ match:
+ event_type: smb
+ smb.dialect: "unknown"
+ smb.command: SMB2_COMMAND_CREATE
+ smb.status: STATUS_SUCCESS
+ - filter:
+ count: 7
+ match:
+ event_type: smb
+ smb.dialect: "unknown"
+ smb.command: SMB2_COMMAND_CLOSE
+ smb.status: STATUS_SUCCESS
+ - filter:
+ count: 0
+ match:
+ event_type: smb
+ smb.dialect: "unknown"
+ smb.command: SMB2_COMMAND_GET_INFO
+ smb.status: STATUS_SUCCESS
+ - filter:
+ count: 2
+ match:
+ event_type: smb
+ smb.dialect: "unknown"
+ smb.command: SMB2_COMMAND_FIND
+ smb.status: STATUS_SUCCESS
+ - filter:
+ count: 1
+ match:
+ event_type: smb
+ smb.dialect: "unknown"
+ smb.command: SMB2_COMMAND_READ
+ smb.status: STATUS_SUCCESS
+ - filter:
+ count: 1
+ match:
+ event_type: smb
+ smb.dialect: "unknown"
+ smb.command: SMB2_COMMAND_CREATE
+ smb.status: STATUS_SUCCESS
+ smb.session_id: 4398046511153
+ smb.tree_id: 1
+ smb.disposition: "FILE_OPEN"
+ smb.filename: "Test\\2009-12 Payroll.xlsx"
+ smb.fuid: "00000065-0030-0000-0025-0020ffffffff"
+ - filter:
+ count: 1
+ match:
+ event_type: smb
+ smb.dialect: "unknown"
+ smb.command: SMB2_COMMAND_READ
+ smb.status: STATUS_SUCCESS
+ smb.session_id: 4398046511153
+ smb.tree_id: 1
+ smb.filename: "Test\\2009-12 Payroll.xlsx"
+ smb.fuid: "00000065-0030-0000-0025-0020ffffffff"
+ - filter:
+ count: 1
+ match:
+ event_type: fileinfo
+ app_proto: smb
+ fileinfo.filename: "Test\\2009-12 Payroll.xlsx"
+ fileinfo.state: CLOSED
+ fileinfo.gaps: false
+ fileinfo.size: 25940
+ - filter:
+ count: 1
+ match:
+ event_type: stats
+ stats.app_layer.tx.smb: 17
+ stats.app_layer.flow.smb: 1
+ - filter:
+ count: 1
+ match:
+ event_type: flow
+ app_proto: smb
+ tcp.state: established
+ flow.state: established
+
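Review bot: The zero-count filter at L35–L41 (and its twin at L261–L265 in the Wireshark-wiki test) passes trivially if any key in its `match` block is misspelled, because a filter that matches nothing by accident is indistinguishable from one that proves absence. A one-line comment stating what the zero asserts would make an accidental pass reviewable later, e.g. `# no successful GET_INFO responses are expected in this capture`. Keeping the key names in that filter identical to a neighbouring non-zero filter (as they currently appear to be) is the other safeguard, so a later edit should preserve that.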
--- /dev/null
+PCAP
+====
+
+Pcap by Victor Julien.
--- /dev/null
+requires:
+ features:
+ - HAVE_LIBJANSSON
+ - RUST
+ files:
+ - rust/src/smb/smb.rs
+args:
+- --set stream.reassembly.depth=0
+
+checks:
+ - filter:
+ count: 3
+ match:
+ event_type: smb
+ smb.id: 1
+ smb.dialect: "NT LM 0.12"
+ smb.command: "SMB1_COMMAND_NEGOTIATE_PROTOCOL"
+ smb.status: "STATUS_SUCCESS"
+ smb.status_code: "0x0"
+# smb.session_id: 0
+# smb.tree_id: 0,
+ smb.client_dialects[0]: "NT LM 0.12"
+ smb.server_guid: "31347374-0032-0000-0000-000000000000"
+ - filter:
+ count: 3
+ match:
+ event_type: smb
+ smb.id: 2
+ smb.dialect: "NT LM 0.12"
+ smb.command: "SMB1_COMMAND_SESSION_SETUP_ANDX"
+ smb.status: "STATUS_MORE_PROCESSING_REQUIRED"
+ smb.status_code: "0xc0000016"
+# smb.session_id: 35909
+ smb.tree_id: 65535
+ smb.request.native_os: "Mac OS X 10.10"
+ smb.request.native_lm: "SMBFS 3.0.0"
+ smb.response.native_os: "QTS"
+ smb.response.native_lm: "Samba 4.4.16"
+ - filter:
+ count: 3
+ match:
+ event_type: smb
+ smb.id: 3
+ smb.dialect: "NT LM 0.12"
+ smb.command: "SMB1_COMMAND_LOGOFF_ANDX"
+ smb.status: "SRV_BADUID"
+ smb.status_code: "0x005b"
+# smb.session_id: 35909
+ smb.tree_id: 65535
+ - filter:
+ count: 3
+ match:
+ event_type: flow
+ app_proto: smb
+ tcp.state: closed
+ flow.state: closed
+
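Review bot: The commented-out expectations at L127–L128, L140 and L155 (`# smb.session_id: 0`, `# smb.session_id: 35909`) carry no reason, so a later reader cannot tell whether session_id is unstable in the output, believed wrong in the parser, or simply untested; L128 also has a stray trailing comma inside the comment. Either drop them or keep one line saying why they are disabled, e.g. `# session_id intentionally not pinned: <reason>`. If the value is in fact stable across runs, pinning it would strengthen the SESSION_SETUP and LOGOFF checks the same way `smb.tree_id` is pinned at L141 and L156.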
--- /dev/null
+PCAP
+====
+
+Pcap by Victor Julien.
--- /dev/null
+alert tcp-pkt any any -> any 445 (content:"|00 00 00 bc|"; depth:4; flow:to_server; sid:1;)
--- /dev/null
+requires:
+ features:
+ - HAVE_LIBJANSSON
+ - RUST
+ files:
+ - rust/src/smb/smb.rs
+ min-version: 5.0.0
+
+args:
+- --set stream.reassembly.depth=0
+- --set stream.midstream=true
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ pcap_cnt: 3
+ - filter:
+ count: 1
+ match:
+ event_type: smb
+ smb.id: 1
+ smb.dialect: "unknown"
+ smb.command: "SMB1_COMMAND_SESSION_SETUP_ANDX"
+ smb.status: "STATUS_MORE_PROCESSING_REQUIRED"
+ smb.status_code: "0xc0000016"
+ smb.tree_id: 65535
+ smb.request.native_os: "Mac OS X 10.10"
+ smb.request.native_lm: "SMBFS 3.0.0"
+ smb.response.native_os: "QTS"
+ smb.response.native_lm: "Samba 4.4.16"
+ - filter:
+ count: 1
+ match:
+ event_type: smb
+ smb.id: 2
+ smb.dialect: "unknown"
+ smb.command: "SMB1_COMMAND_LOGOFF_ANDX"
+ smb.status: "SRV_BADUID"
+ smb.status_code: "0x005b"
+ smb.tree_id: 65535
+ - filter:
+ count: 1
+ match:
+ event_type: flow
+ app_proto: smb
+ tcp.state: closed
+ flow.state: closed
+
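Review bot: The alert check at L186–L190 pins `pcap_cnt: 3` but not the signature, whereas the PDF test at L404–L408 pins `alert.signature_id: 1`; adding `alert.signature_id: 1` here keeps the two tests consistent and ties the single expected alert to the rule in the accompanying .rules file (L171). This test also carries `min-version: 5.0.0` under `requires:` at L179 while the sibling at L108–L113 does not; if the midstream handling enabled at L183 is what needs the version floor, a short comment next to L179 would document that for whoever next touches the floor.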
--- /dev/null
+PCAP
+====
+
+PCAP found on Wireshark Wiki.
--- /dev/null
+requires:
+ features:
+ - HAVE_LIBJANSSON
+ - RUST
+ files:
+ - rust/src/smb/smb.rs
+args:
+- --set stream.reassembly.depth=0
+- -k none
+
+checks:
+ - filter:
+ count: 51
+ match:
+ event_type: fileinfo
+ fileinfo.state: CLOSED
+ app_proto: smb
+ - filter:
+ count: 17
+ match:
+ event_type: smb
+ smb.command: SMB2_COMMAND_WRITE
+ - filter:
+ count: 153
+ match:
+ event_type: smb
+ smb.status: STATUS_SUCCESS
+ - filter:
+ count: 17
+ match:
+ event_type: smb
+ smb.status: STATUS_ACCESS_DENIED
+ - filter:
+ count: 0
+ match:
+ event_type: smb
+ smb.status: STATUS_END_OF_FILE
+ - filter:
+ count: 2
+ match:
+ event_type: smb
+ smb.status: STATUS_NO_MORE_FILES
+ - filter:
+ count: 1
+ match:
+ event_type: smb
+ smb.status: STATUS_MORE_PROCESSING_REQUIRED
+ - filter:
+ count: 1
+ match:
+ event_type: flow
+ app_proto: smb
+ tcp.state: established
+ flow.state: established
+
--- /dev/null
+PCAP
+====
+
+Pcap found in Zeek/Bro git repo.
--- /dev/null
+requires:
+ features:
+ - HAVE_LIBJANSSON
+ - RUST
+ files:
+ - rust/src/smb/smb.rs
+args:
+- --set stream.reassembly.depth=0
+
+checks:
+ - filter:
+ count: 20
+ match:
+ event_type: smb
+ - filter:
+ count: 2
+ match:
+ event_type: smb
+ smb.command: SMB2_COMMAND_WRITE
+ - filter:
+ count: 1
+ match:
+ event_type: smb
+ smb.id: 3
+ smb.dialect: "2.02"
+ smb.command: SMB2_COMMAND_SESSION_SETUP
+ smb.status: STATUS_SUCCESS
+ smb.ntlmssp.domain: "CONTOSO"
+ smb.ntlmssp.user: "Administrator"
+ smb.ntlmssp.host: "SERVER01"
+ smb.session_id: 4398046511109
+ - filter:
+ count: 1
+ match:
+ event_type: smb
+ smb.id: 4
+ smb.dialect: "2.02"
+ smb.command: SMB2_COMMAND_TREE_CONNECT
+ smb.status: STATUS_SUCCESS
+ smb.tree_id: 1
+ smb.session_id: 4398046511109
+ smb.share: "\\\\10.0.0.12\\smb2"
+ - filter:
+ count: 1
+ match:
+ event_type: smb
+ smb.id: 6
+ smb.dialect: "2.02"
+ smb.command: SMB2_COMMAND_TREE_CONNECT
+ smb.status: STATUS_SUCCESS
+ smb.tree_id: 5
+ smb.session_id: 4398046511109
+ smb.named_pipe: "\\\\10.0.0.12\\IPC$"
+ - filter:
+ count: 1
+ match:
+ event_type: smb
+ smb.dialect: "2.02"
+ smb.command: SMB2_COMMAND_CREATE
+ smb.status: STATUS_SUCCESS
+ smb.tree_id: 1
+ smb.session_id: 4398046511109
+ smb.filename: "WP_SMBPlugin.pdf"
+ smb.disposition: "FILE_CREATE"
+ smb.fuid: "0000004d-0000-0000-0009-0000ffffffff"
+ - filter:
+ count: 1
+ match:
+ event_type: smb
+ smb.dialect: "2.02"
+ smb.command: SMB2_COMMAND_WRITE
+ smb.status: STATUS_SUCCESS
+ smb.tree_id: 1
+ smb.session_id: 4398046511109
+ smb.filename: "WP_SMBPlugin.pdf"
+ smb.fuid: "0000004d-0000-0000-0009-0000ffffffff"
+ - filter:
+ count: 1
+ match:
+ event_type: fileinfo
+ app_proto: smb
+ fileinfo.filename: "WP_SMBPlugin.pdf"
+ fileinfo.state: CLOSED
+ fileinfo.gaps: false
+ fileinfo.size: 1508939
+ smb.session_id: 4398046511109
+ smb.filename: "WP_SMBPlugin.pdf"
+ smb.fuid: "0000004d-0000-0000-0009-0000ffffffff"
+ - filter:
+ count: 1
+ match:
+ event_type: flow
+ app_proto: smb
+ tcp.state: established
+ flow.state: established
+
--- /dev/null
+PCAP
+====
+
+Pcap found in Zeek/Bro git repo.
--- /dev/null
+alert smb any any -> any any (file_data; content:"%PDF-1.5"; startswith; sid:1;)
--- /dev/null
+requires:
+ features:
+ - HAVE_LIBJANSSON
+ - RUST
+ files:
+ - rust/src/smb/smb.rs
+args:
+- --set stream.reassembly.depth=0
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 1
+ - filter:
+ count: 20
+ match:
+ event_type: smb
+ - filter:
+ count: 2
+ match:
+ event_type: smb
+ smb.command: SMB2_COMMAND_WRITE
+ - filter:
+ count: 1
+ match:
+ event_type: smb
+ smb.id: 3
+ smb.dialect: "2.02"
+ smb.command: SMB2_COMMAND_SESSION_SETUP
+ smb.status: STATUS_SUCCESS
+ smb.ntlmssp.domain: "CONTOSO"
+ smb.ntlmssp.user: "Administrator"
+ smb.ntlmssp.host: "SERVER01"
+ smb.session_id: 4398046511109
+ - filter:
+ count: 1
+ match:
+ event_type: smb
+ smb.id: 4
+ smb.dialect: "2.02"
+ smb.command: SMB2_COMMAND_TREE_CONNECT
+ smb.status: STATUS_SUCCESS
+ smb.tree_id: 1
+ smb.session_id: 4398046511109
+ smb.share: "\\\\10.0.0.12\\smb2"
+ - filter:
+ count: 1
+ match:
+ event_type: smb
+ smb.id: 6
+ smb.dialect: "2.02"
+ smb.command: SMB2_COMMAND_TREE_CONNECT
+ smb.status: STATUS_SUCCESS
+ smb.tree_id: 5
+ smb.session_id: 4398046511109
+ smb.named_pipe: "\\\\10.0.0.12\\IPC$"
+ - filter:
+ count: 1
+ match:
+ event_type: smb
+ smb.dialect: "2.02"
+ smb.command: SMB2_COMMAND_CREATE
+ smb.status: STATUS_SUCCESS
+ smb.tree_id: 1
+ smb.session_id: 4398046511109
+ smb.filename: "WP_SMBPlugin.pdf"
+ smb.disposition: "FILE_CREATE"
+ smb.fuid: "0000004d-0000-0000-0009-0000ffffffff"
+ - filter:
+ count: 1
+ match:
+ event_type: smb
+ smb.dialect: "2.02"
+ smb.command: SMB2_COMMAND_WRITE
+ smb.status: STATUS_SUCCESS
+ smb.tree_id: 1
+ smb.session_id: 4398046511109
+ smb.filename: "WP_SMBPlugin.pdf"
+ smb.fuid: "0000004d-0000-0000-0009-0000ffffffff"
+ - filter:
+ count: 1
+ match:
+ event_type: fileinfo
+ app_proto: smb
+ fileinfo.filename: "WP_SMBPlugin.pdf"
+ fileinfo.state: CLOSED
+ fileinfo.gaps: false
+ fileinfo.size: 1508939
+ smb.session_id: 4398046511109
+ smb.filename: "WP_SMBPlugin.pdf"
+ smb.fuid: "0000004d-0000-0000-0009-0000ffffffff"
+ - filter:
+ count: 1
+ match:
+ event_type: flow
+ app_proto: smb
+ tcp.state: established
+ flow.state: established
+
--- /dev/null
+PCAP
+====
+
+Pcap from the ProtectWise blog.
--- /dev/null
+requires:
+ features:
+ - HAVE_LIBJANSSON
+ - RUST
+ files:
+ - rust/src/smb/smb.rs
+args:
+- --set stream.reassembly.depth=0
+- --set stream.midstream=true
+
+checks:
+ - filter:
+ count: 6
+ match:
+ event_type: smb
+ - filter:
+ count: 1
+ match:
+ event_type: smb
+ smb.command: SMB2_COMMAND_CREATE
+ smb.status: STATUS_SUCCESS
+ smb.filename: "atsvc"
+ smb.disposition: "FILE_OPEN"
+ smb.access: "normal"
+ smb.created: 0
+ smb.accessed: 0
+ smb.modified: 0
+ smb.changed: 0
+ smb.size: 0
+ smb.fuid: "0000004d-0000-0000-0005-0000ffffffff"
+ - filter:
+ count: 1
+ match:
+ event_type: smb
+ smb.command: SMB2_COMMAND_WRITE
+ smb.status: STATUS_SUCCESS
+ smb.dcerpc.request: "BIND"
+ smb.dcerpc.response: "BINDACK"
+ smb.dcerpc.interfaces[0].uuid: "1ff70682-0a51-30e8-076d-740be8cee98b"
+ smb.dcerpc.interfaces[0].version: "1.0"
+ smb.dcerpc.interfaces[0].ack_result: 2
+ smb.dcerpc.interfaces[0].ack_reason: 0
+ smb.dcerpc.interfaces[1].uuid: "1ff70682-0a51-30e8-076d-740be8cee98b"
+ smb.dcerpc.interfaces[1].version: "1.0"
+ smb.dcerpc.interfaces[1].ack_result: 0
+ smb.dcerpc.interfaces[1].ack_reason: 0
+ smb.dcerpc.interfaces[2].uuid: "1ff70682-0a51-30e8-076d-740be8cee98b"
+ smb.dcerpc.interfaces[2].version: "1.0"
+ smb.dcerpc.interfaces[2].ack_result: 3
+ smb.dcerpc.interfaces[2].ack_reason: 0
+ - filter:
+ count: 1
+ match:
+ event_type: flow
+ app_proto: smb
+ tcp.state: closed
+ flow.state: closed
+
--- /dev/null
+requires:
+ features:
+ - HAVE_LIBJANSSON
+ - RUST
+ files:
+ - rust/src/smb/smb.rs
+args:
+- --set stream.reassembly.depth=0
+- --set stream.midstream=true
+
+checks:
+ - filter:
+ count: 7
+ match:
+ event_type: smb
+ - filter:
+ count: 1
+ match:
+ event_type: smb
+ smb.command: SMB2_COMMAND_CREATE
+ smb.status: STATUS_SUCCESS
+ smb.filename: "atsvc"
+ smb.disposition: "FILE_OPEN"
+ smb.access: "normal"
+ smb.created: 0
+ smb.accessed: 0
+ smb.modified: 0
+ smb.changed: 0
+ smb.size: 0
+ smb.fuid: "0000004d-0000-0000-0005-0000ffffffff"
+ - filter:
+ count: 1
+ match:
+ event_type: flow
+ app_proto: smb
+ tcp.state: closed
+ flow.state: closed
+
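Review bot: As far as this view shows, this test.yaml is the only one in the patch not preceded by a README section describing the capture's origin (every other test has a `PCAP` readme naming its source, e.g. L499), so the provenance of this pcap is undocumented; if the README was simply not added, it should be. The checks are a strict subset of the previous test's (L512–L530) with an `event_type: smb` count of 7 instead of 6, so a one-line comment above `checks:` saying what distinguishes this capture from the previous one would help a reader understand why both tests exist.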
--- /dev/null
+PCAP
+====
+
+Pcap from the ProtectWise blog.
--- /dev/null
+requires:
+ features:
+ - HAVE_LIBJANSSON
+ - RUST
+ files:
+ - rust/src/smb/smb.rs
+args:
+- --set stream.reassembly.depth=0
+- --set stream.midstream=true
+
+checks:
+ - filter:
+ count: 15
+ match:
+ event_type: smb
+ - filter:
+ count: 1
+ match:
+ event_type: smb
+ smb.command: SMB2_COMMAND_TREE_CONNECT
+ smb.status: STATUS_SUCCESS
+ smb.share: "\\\\admin-pc\\c$"
+ smb.tree_id: 1
+ - filter:
+ count: 1
+ match:
+ event_type: smb
+ smb.command: SMB2_COMMAND_FIND
+ smb.status: STATUS_NO_MORE_FILES
+ smb.tree_id: 1
+ - filter:
+ count: 3
+ match:
+ event_type: smb
+ smb.command: SMB2_COMMAND_CREATE
+ smb.status: STATUS_SUCCESS
+ smb.tree_id: 1
+ smb.filename: "temp\\mimikatz.exe"
+ smb.disposition: FILE_OPEN
+ smb.access: "normal"
+ - filter:
+ count: 1
+ match:
+ event_type: smb
+ smb.command: SMB2_COMMAND_CREATE
+ smb.status: STATUS_SUCCESS
+ smb.tree_id: 1
+ smb.filename: "temp\\mimikatz.exe"
+ smb.disposition: FILE_OPEN
+ smb.access: "normal"
+ smb.created: 1512585399
+ smb.accessed: 1512585399
+ smb.modified: 1512171135
+ smb.changed: 1512585399
+ smb.size: 804352
+ smb.fuid: "00000049-0000-0000-0001-0000ffffffff"
+ - filter:
+ count: 1
+ match:
+ event_type: smb
+ smb.command: SMB2_COMMAND_CREATE
+ smb.status: STATUS_SUCCESS
+ smb.tree_id: 1
+ smb.filename: "temp\\mimikatz.exe"
+ smb.disposition: FILE_OPEN
+ smb.access: "normal"
+ smb.created: 1512585399
+ smb.accessed: 1512585399
+ smb.modified: 1512171135
+ smb.changed: 1512585399
+ smb.size: 804352
+ smb.fuid: "00000055-0000-0000-000d-0000ffffffff"
+ - filter:
+ count: 1
+ match:
+ event_type: fileinfo
+ fileinfo.filename: "temp\\mimikatz.exe"
+ fileinfo.state: CLOSED
+ fileinfo.size: 804352
+ smb.dialect: "2.10"
+ smb.command: "SMB2_COMMAND_READ"
+ smb.status: "STATUS_SUCCESS"
+ smb.status_code: "0x0"
+ smb.session_id: 4398046511121
+ smb.tree_id: 1
+ smb.filename: "temp\\mimikatz.exe"
+ smb.share: "\\\\admin-pc\\c$"
+ smb.fuid: "00000055-0000-0000-000d-0000ffffffff"
+ - filter:
+ count: 1
+ match:
+ event_type: flow
+ app_proto: smb
+ tcp.state: established
+ flow.state: established
+
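Review bot: Quoting of enum-like values is inconsistent within this file: `smb.disposition: FILE_OPEN` is bare at L642, L652 and L668 while L523 and L742 write `"FILE_OPEN"`, and L684–L686 quote `"SMB2_COMMAND_READ"` / `"STATUS_SUCCESS"` / `"0x0"` while L623–L624 leave the same kind of values bare; the same split appears at L725 and L730 (`BIND`, `REQUEST`) versus L537–L538 (`"BIND"`, `"BINDACK"`). These particular identifiers parse as strings either way, but one style per file keeps values greppable and makes a value that would not parse as a string stand out. The `smb.status_code: "0x0"` values are already quoted, which is the correct form — an unquoted `0x0` would be read as the integer 0 and never match the string in the output.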
--- /dev/null
+PCAP
+====
+
+Pcap from the ProtectWise blog.
--- /dev/null
+requires:
+ features:
+ - HAVE_LIBJANSSON
+ - RUST
+ files:
+ - rust/src/smb/smb.rs
+args:
+- --set stream.reassembly.depth=0
+- --set stream.midstream=true
+
+checks:
+ - filter:
+ count: 65
+ match:
+ event_type: smb
+ - filter:
+ count: 5
+ match:
+ event_type: smb
+ smb.dcerpc.request: BIND
+ - filter:
+ count: 46
+ match:
+ event_type: smb
+ smb.dcerpc.request: REQUEST
+ - filter:
+ count: 1
+ match:
+ event_type: smb
+ smb.dialect: "2.10"
+ smb.command: "SMB2_COMMAND_CREATE"
+ smb.status: "STATUS_SUCCESS"
+ smb.status_code: "0x0"
+ smb.session_id: 35184439197745
+ smb.tree_id: 1
+ smb.filename: "lsarpc"
+ smb.disposition: "FILE_OPEN"
+ smb.access: "normal"
+ smb.created: 0
+ smb.accessed: 0
+ smb.modified: 0
+ smb.changed: 0
+ smb.size: 0
+ smb.fuid: "0000002a-0008-0000-0009-000000000008"
+ - filter:
+ count: 1
+ match:
+ event_type: flow
+ app_proto: smb
+ tcp.state: established
+ flow.state: established
+
--- /dev/null
+PCAP
+====
+
+Pcap from the ProtectWise blog.
--- /dev/null
+requires:
+ features:
+ - HAVE_LIBJANSSON
+ - RUST
+ files:
+ - rust/src/smb/smb.rs
+args:
+- --set stream.reassembly.depth=0
+- --set stream.midstream=true
+- -k none
+
+checks:
+ - filter:
+ count: 58
+ match:
+ event_type: smb
+ - filter:
+ count: 1
+ match:
+ event_type: smb
+ smb.command: SMB2_COMMAND_CREATE
+ smb.filename: "PSEXESVC.exe"
+ smb.disposition: "FILE_OVERWRITE_IF"
+ - filter:
+ count: 1
+ match:
+ event_type: smb
+ smb.command: SMB2_COMMAND_CREATE
+ smb.filename: "PSEXESVC-VICTIM-PC-2412-stderr"
+ smb.disposition: "FILE_OPEN"
+ - filter:
+ count: 1
+ match:
+ event_type: smb
+ smb.command: SMB2_COMMAND_CREATE
+ smb.filename: "PSEXESVC-VICTIM-PC-2412-stdout"
+ smb.disposition: "FILE_OPEN"
+ - filter:
+ count: 1
+ match:
+ event_type: smb
+ smb.command: SMB2_COMMAND_CREATE
+ smb.filename: "PSEXESVC-VICTIM-PC-2412-stdin"
+ smb.disposition: "FILE_OPEN"
+ - filter:
+ count: 1
+ match:
+ event_type: smb
+ smb.command: SMB2_COMMAND_TREE_CONNECT
+ smb.named_pipe: "\\\\dc1\\IPC$"
+ - filter:
+ count: 2
+ match:
+ event_type: smb
+ smb.command: SMB2_COMMAND_TREE_CONNECT
+ smb.share: "\\\\dc1\\ADMIN$"
+ - filter:
+ count: 4
+ match:
+ event_type: flow
+ app_proto: smb
+ tcp.state: closed
+ flow.state: closed
+
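Review bot: The CREATE and TREE_CONNECT filters at L780–L819 pin command, filename or share and disposition but not `smb.status`, so a denied or failed create of `PSEXESVC.exe` with the same disposition would still satisfy the check; every other test in this patch pins `smb.status: STATUS_SUCCESS` next to the command. If the capture shows these operations succeeding, adding `smb.status: STATUS_SUCCESS` to each of these filters makes the test distinguish a completed service-binary write to `ADMIN$` from a rejected one, which is the distinction a detection built on this log would rely on. This is inferred from the sibling tests rather than from the pcap itself, so confirm the status values against the current output before pinning them.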
--- /dev/null
+PCAP
+====
+
+PCAP found on Wireshark Wiki.
--- /dev/null
+requires:
+ features:
+ - HAVE_LIBJANSSON
+ - RUST
+ files:
+ - rust/src/smb/smb.rs
+args:
+- --set stream.reassembly.depth=0
+- --set stream.midstream=true
+- -k none
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: smb
+ smb.command: SMB2_COMMAND_NEGOTIATE_PROTOCOL
+ smb.status: STATUS_SUCCESS
+ smb.dialect: "3.00"
+ - filter:
+ count: 1
+ match:
+ event_type: smb
+ smb.command: SMB2_COMMAND_TREE_CONNECT
+ smb.status: STATUS_SUCCESS
+ smb.dialect: "3.00"
+ smb.share: "\\\\WS2016\\encrypted"
+ - filter:
+ count: 1
+ match:
+ event_type: smb
+ smb.command: SMB2_COMMAND_TREE_CONNECT
+ smb.status: STATUS_SUCCESS
+ smb.dialect: "3.00"
+ smb.named_pipe: "\\\\10.160.65.202\\IPC$"
+
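Review bot: Unlike every other test.yaml in this patch, this one has no overall `event_type: smb` count and no `event_type: flow` / `app_proto: smb` check, so additional or missing SMB events on the encrypted-share session would go unnoticed as long as the three pinned records at L846–L868 still appear. If the counts are stable, adding the usual total `event_type: smb` count filter (with the count taken from the current output) and the flow check used at L888–L893 would make the test guard the whole session rather than three records. Given the share is named `encrypted` (L860), a comment stating whether any post-tree-connect commands are expected to be visible at all would also document the intent of the test.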
--- /dev/null
+PCAP
+====
+
+PCAP found on Wireshark Wiki.
--- /dev/null
+requires:
+ features:
+ - HAVE_LIBJANSSON
+ - RUST
+ files:
+ - rust/src/smb/smb.rs
+args:
+- --set stream.reassembly.depth=0
+- --set stream.midstream=true
+- -k none
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: flow
+ app_proto: smb
+ dest_port: 445
+ - filter:
+ count: 1
+ match:
+ event_type: smb
+ dest_port: 445
+ smb.command: SMB2_COMMAND_TREE_CONNECT
+ smb.status: STATUS_SUCCESS
+ smb.named_pipe: "\\\\10.160.65.202\\IPC$"
--- /dev/null
+PCAP
+====
+
+PCAP found on Wireshark Wiki.
--- /dev/null
+requires:
+ features:
+ - HAVE_LIBJANSSON
+ - RUST
+ files:
+ - rust/src/smb/smb.rs
+ min-version: 5.0.0
+args:
+- --set stream.reassembly.depth=0
+- --set stream.midstream=true
+- -k none
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: flow
+ app_proto: smb
+ dest_port: 445
+ - filter:
+ count: 1
+ match:
+ event_type: smb
+ dest_port: 445
+ smb.command: SMB2_COMMAND_TREE_CONNECT
+ smb.status: STATUS_SUCCESS
+ smb.named_pipe: "\\\\10.160.65.202\\IPC$"