From: Victor Julien Date: Thu, 29 Mar 2018 13:13:35 +0000 (+0200) Subject: doc: add smb section to yaml X-Git-Tag: suricata-4.1.0-rc1~162 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=2c259f223938a3f1cf37be1f9dc64495d826b99f;p=thirdparty%2Fsuricata.git doc: add smb section to yaml --- diff --git a/doc/userguide/configuration/suricata-yaml.rst b/doc/userguide/configuration/suricata-yaml.rst index 4043deb6be..91a8b0f136 100644 --- a/doc/userguide/configuration/suricata-yaml.rst +++ b/doc/userguide/configuration/suricata-yaml.rst @@ -1447,6 +1447,29 @@ use of libhtp. # Accepted values - bestfit, status_400 and status_404. #set-path-unicode-mapping: bestfit +Configure SMB (Rust) +~~~~~~~~~~~~~~~~~~~~ + +.. note:: for full SMB support compile Suricata with Rust support + +The SMB parser will parse version 1, 2 and 3 of the SMB protocol over TCP. + +To enable the parser add the following to the ``app-layer`` section of the YAML. + +:: + + smb: + enabled: yes + detection-ports: + dp: 139, 445 + +The parser uses pattern based protocol detection and will fallback to ``probing parsers`` +if the pattern based detection fails. As usual, the pattern based detection is port +independent. The ``probing parsers`` will only run on the ``detection-ports``. + +SMB is commonly used to transfer the DCERPC protocol. This traffic is also handled by +this parser. + Engine output -------------
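Review bot: The YAML snippet under ``detection-ports`` introduces the ``dp`` key without explaining it, and the paragraph that follows only refers to ``detection-ports`` as a whole; add a sentence after the literal block stating that ``dp`` lists the destination ports on which the probing parsers are run (sample: "The ``dp`` key lists the destination ports; the probing parsers only run on these."). The note directive is similarly under-specified: ``.. note:: for full SMB support compile Suricata with Rust support`` should say what is missing without Rust, and at minimum be capitalized and end with a period. Three wording points in the prose: "will parse version 1, 2 and 3" should read "versions 1, 2 and 3"; "will fallback to" should be "will fall back to" (verb form); and ``probing parsers`` is a concept rather than a literal, so the double backticks around it should go, leaving ``detection-ports`` and ``app-layer`` as the only inline literals.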