8.25. SMB Keywords
These SMB keywords are used in both the SMB1 and SMB2 protocols.
8.25.1. smb.named_pipe
Match on SMB named pipe in tree connect.
Examples:
smb.named_pipe; content:"IPC"; endswith;
smb.named_pipe; content:"strange"; nocase; pcre:"/really$/";
smb.named_pipe is a 'sticky buffer'.
smb.named_pipe can be used as fast_pattern.
8.25.3. smb.ntlmssp_user
Match on SMB ntlmssp user in session setup.
Examples:
smb.ntlmssp_user; content:"doe"; endswith;
smb.ntlmssp_user; content:"doe"; nocase; pcre:"/j(ohn|ane).*doe$/";
smb.ntlmssp_user is a 'sticky buffer'.
smb.ntlmssp_user can be used as fast_pattern.
8.25.4. smb.ntlmssp_domain
Match on SMB ntlmssp domain in session setup.
Examples:
smb.ntlmssp_domain; content:"home"; endswith;
smb.ntlmssp_domain; content:"home"; nocase; pcre:"/home(sweet)*$/";
smb.ntlmssp_domain is a 'sticky buffer'.
smb.ntlmssp_domain can be used as fast_pattern.
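The fragments above placed in complete rules, as an added example that is not part of the original documentation. The rule headers, msg texts and sids (local range) are constructed for illustration; the match options reuse the fragments shown in the sections above.

```suricata
# Constructed example rules. sids come from the local range; msg texts are placeholders.

# The sticky buffer is named first; the content and its modifiers that follow
# are matched against that buffer. fast_pattern marks this content for the
# multi-pattern prefilter.
alert smb any any -> any any (msg:"LOCAL SMB named pipe ending in IPC"; \
    flow:to_server,established; \
    smb.named_pipe; content:"IPC"; endswith; fast_pattern; \
    sid:1000001; rev:1;)

# nocase modifies only the content that precedes it. The pcre stays
# case-sensitive unless it carries its own /i flag, so it is added here to
# keep both checks case-insensitive.
alert smb any any -> any any (msg:"LOCAL SMB NTLMSSP user john/jane doe"; \
    flow:to_server,established; \
    smb.ntlmssp_user; content:"doe"; nocase; endswith; fast_pattern; \
    pcre:"/j(ohn|ane).*doe$/i"; \
    sid:1000002; rev:1;)

# Two sticky buffers in one rule: each content applies to the buffer named
# most recently before it, so domain and user are checked independently.
alert smb any any -> any any (msg:"LOCAL SMB NTLMSSP user doe in domain home"; \
    flow:to_server,established; \
    smb.ntlmssp_domain; content:"home"; nocase; endswith; \
    smb.ntlmssp_user; content:"doe"; nocase; endswith; fast_pattern; \
    sid:1000003; rev:1;)
```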