suricata/doc/userguide/rules/smb-keywords.rst

SMB Keywords
==============

.. role:: example-rule-options

SMB keywords used in both SMB1 and SMB2 protocols.

smb.named_pipe
--------------

Match on SMB named pipe in tree connect.

Examples::

  smb.named_pipe; content:"IPC"; endswith;
  smb.named_pipe; content:"strange"; nocase; pcre:"/really$/";

``smb.named_pipe`` is a 'sticky buffer'.

``smb.named_pipe`` can be used as ``fast_pattern``.

smb.share
---------

Match on SMB share name in tree connect.

Examples::

  smb.share; content:"shared"; endswith;
  smb.share; content:"strange"; nocase; pcre:"/really$/";

``smb.share`` is a 'sticky buffer'.

``smb.share`` can be used as ``fast_pattern``.

smb.ntlmssp_user
----------------

Match on SMB ntlmssp user in session setup.

Examples::

  smb.ntlmssp_user; content:"doe"; endswith;
  smb.ntlmssp_user; content:"doe"; nocase; pcre:"/j(ohn|ane).*doe$/";

``smb.ntlmssp_user`` is a 'sticky buffer'.

``smb.ntlmssp_user`` can be used as ``fast_pattern``.

smb.ntlmssp_domain
------------------

Match on SMB ntlmssp domain in session setup.

Examples::

  smb.ntlmssp_domain; content:"home"; endswith;
  smb.ntlmssp_domain; content:"home"; nocase; pcre:"/home(sweet)*$/";

``smb.ntlmssp_domain`` is a 'sticky buffer'.

``smb.ntlmssp_domain`` can be used as ``fast_pattern``.

file.name
---------

The ``file.name`` keyword can be used at the SMB application level. 

Signature Example:

.. container:: example-rule

  alert smb any any -> any any (msg:"SMB file.name usage"; \
  :example-rule-options:`file.name; content:"file.txt";` \
  classtype:bad-unknown; sid:1; rev:1;)

For additional information on the ``file.name`` keyword, see :doc:`file-keywords`.
rust/smb: import NT status code for Microsoft doc This patch updates the NT status code definition to use the status definition used on Microsoft documentation website. A first python script is building JSON object with code definition. ``` import json from bs4 import BeautifulSoup import requests ntstatus = requests.get('https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55') ntstatus_parsed = BeautifulSoup(ntstatus.text, 'html.parser') ntstatus_parsed = ntstatus_parsed.find('tbody') ntstatus_dict = {} for item in ntstatus_parsed.find_all('tr'): cell = item.find_all('td') if len(cell) == 0: continue code = cell[0].find_all('p') description_ps = cell[1].find_all('p') description_list = [] if len(description_ps): for desc in description_ps: if not desc.string is None: description_list.append(desc.string.replace('\n ', '')) else: description_list = ['Description not available'] if not code[0].string.lower() in ntstatus_dict: ntstatus_dict[code[0].string.lower()] = {"text": code[1].string, "desc": ' '.join(description_list)} print(json.dumps(ntstatus_dict)) ``` The second one is generating the code that is ready to be inserted into the source file: ``` import json ntstatus_file = open('ntstatus.json', 'r') ntstatus = json.loads(ntstatus_file.read()) declaration_format = 'pub const SMB_NT%s:%su32 = %s;\n' resolution_format = ' SMB_NT%s%s=> "%s",\n' declaration = "" resolution = "" text_max = len(max([ntstatus[x]['text'] for x in ntstatus.keys()], key=len)) for code in ntstatus.keys(): text = ntstatus[code]['text'] text_spaces = ' ' * (4 + text_max - len(text)) declaration += declaration_format % (text, text_spaces, code) resolution += resolution_format % (text, text_spaces, text) print(declaration) print('\n') print(''' pub fn smb_ntstatus_string(c: u32) -> String { match c { ''') print(resolution) print(''' _ => { return (c).to_string(); }, }.to_string() } ''') ``` Bug #5412. 4 years ago			`SMB Keywords`
			`==============`

doc: add file.name information to smb keyword doc Signed-off-by: jason taylor <jtfas90@gmail.com> 2 years ago			`.. role:: example-rule-options`

rust/smb: import NT status code for Microsoft doc This patch updates the NT status code definition to use the status definition used on Microsoft documentation website. A first python script is building JSON object with code definition. ``` import json from bs4 import BeautifulSoup import requests ntstatus = requests.get('https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55') ntstatus_parsed = BeautifulSoup(ntstatus.text, 'html.parser') ntstatus_parsed = ntstatus_parsed.find('tbody') ntstatus_dict = {} for item in ntstatus_parsed.find_all('tr'): cell = item.find_all('td') if len(cell) == 0: continue code = cell[0].find_all('p') description_ps = cell[1].find_all('p') description_list = [] if len(description_ps): for desc in description_ps: if not desc.string is None: description_list.append(desc.string.replace('\n ', '')) else: description_list = ['Description not available'] if not code[0].string.lower() in ntstatus_dict: ntstatus_dict[code[0].string.lower()] = {"text": code[1].string, "desc": ' '.join(description_list)} print(json.dumps(ntstatus_dict)) ``` The second one is generating the code that is ready to be inserted into the source file: ``` import json ntstatus_file = open('ntstatus.json', 'r') ntstatus = json.loads(ntstatus_file.read()) declaration_format = 'pub const SMB_NT%s:%su32 = %s;\n' resolution_format = ' SMB_NT%s%s=> "%s",\n' declaration = "" resolution = "" text_max = len(max([ntstatus[x]['text'] for x in ntstatus.keys()], key=len)) for code in ntstatus.keys(): text = ntstatus[code]['text'] text_spaces = ' ' * (4 + text_max - len(text)) declaration += declaration_format % (text, text_spaces, code) resolution += resolution_format % (text, text_spaces, text) print(declaration) print('\n') print(''' pub fn smb_ntstatus_string(c: u32) -> String { match c { ''') print(resolution) print(''' _ => { return (c).to_string(); }, }.to_string() } ''') ``` Bug #5412. 4 years ago			`SMB keywords used in both SMB1 and SMB2 protocols.`

			`smb.named_pipe`
			`--------------`

			`Match on SMB named pipe in tree connect.`

			`Examples::`

			`smb.named_pipe; content:"IPC"; endswith;`
			`smb.named_pipe; content:"strange"; nocase; pcre:"/really$/";`

			``smb.named_pipe`` is a 'sticky buffer'.

			``smb.named_pipe`` can be used as ``fast_pattern``.

			`smb.share`
			`---------`

			`Match on SMB share name in tree connect.`

			`Examples::`

			`smb.share; content:"shared"; endswith;`
			`smb.share; content:"strange"; nocase; pcre:"/really$/";`

			``smb.share`` is a 'sticky buffer'.

			``smb.share`` can be used as ``fast_pattern``.

			`smb.ntlmssp_user`
			`----------------`

			`Match on SMB ntlmssp user in session setup.`

			`Examples::`

			`smb.ntlmssp_user; content:"doe"; endswith;`
			`smb.ntlmssp_user; content:"doe"; nocase; pcre:"/j(ohn\|ane).*doe$/";`

			``smb.ntlmssp_user`` is a 'sticky buffer'.

			``smb.ntlmssp_user`` can be used as ``fast_pattern``.

			`smb.ntlmssp_domain`
			`------------------`

			`Match on SMB ntlmssp domain in session setup.`

			`Examples::`

			`smb.ntlmssp_domain; content:"home"; endswith;`
			`smb.ntlmssp_domain; content:"home"; nocase; pcre:"/home(sweet)*$/";`

			``smb.ntlmssp_domain`` is a 'sticky buffer'.

			``smb.ntlmssp_domain`` can be used as ``fast_pattern``.
doc: add file.name information to smb keyword doc Signed-off-by: jason taylor <jtfas90@gmail.com> 2 years ago
			`file.name`
			`---------`

			The ``file.name`` keyword can be used at the SMB application level.

			`Signature Example:`

			`.. container:: example-rule`

			`alert smb any any -> any any (msg:"SMB file.name usage"; \`
			:example-rule-options:`file.name; content:"file.txt";` \
			`classtype:bad-unknown; sid:1; rev:1;)`

			For additional information on the ``file.name`` keyword, see :doc:`file-keywords`.