From a0aa2307322cd47bbf416810ac0292925e03be87 Mon Sep 17 00:00:00 2001 From: Daniel Baumann Date: Fri, 19 Apr 2024 19:39:49 +0200 Subject: Adding upstream version 1:7.0.3. Signed-off-by: Daniel Baumann --- doc/userguide/rules/smb-keywords.rst | 60 ++++++++++++++++++++++++++++++++++++ 1 file changed, 60 insertions(+) create mode 100644 doc/userguide/rules/smb-keywords.rst (limited to 'doc/userguide/rules/smb-keywords.rst') diff --git a/doc/userguide/rules/smb-keywords.rst b/doc/userguide/rules/smb-keywords.rst new file mode 100644 index 0000000..02cf190 --- /dev/null +++ b/doc/userguide/rules/smb-keywords.rst @@ -0,0 +1,60 @@ +SMB Keywords +============== + +SMB keywords used in both SMB1 and SMB2 protocols. + +smb.named_pipe +-------------- + +Match on SMB named pipe in tree connect. + +Examples:: + + smb.named_pipe; content:"IPC"; endswith; + smb.named_pipe; content:"strange"; nocase; pcre:"/really$/"; + +``smb.named_pipe`` is a 'sticky buffer'. + +``smb.named_pipe`` can be used as ``fast_pattern``. + +smb.share +--------- + +Match on SMB share name in tree connect. + +Examples:: + + smb.share; content:"shared"; endswith; + smb.share; content:"strange"; nocase; pcre:"/really$/"; + +``smb.share`` is a 'sticky buffer'. + +``smb.share`` can be used as ``fast_pattern``. + +smb.ntlmssp_user +---------------- + +Match on SMB ntlmssp user in session setup. + +Examples:: + + smb.ntlmssp_user; content:"doe"; endswith; + smb.ntlmssp_user; content:"doe"; nocase; pcre:"/j(ohn|ane).*doe$/"; + +``smb.ntlmssp_user`` is a 'sticky buffer'. + +``smb.ntlmssp_user`` can be used as ``fast_pattern``. + +smb.ntlmssp_domain +------------------ + +Match on SMB ntlmssp domain in session setup. + +Examples:: + + smb.ntlmssp_domain; content:"home"; endswith; + smb.ntlmssp_domain; content:"home"; nocase; pcre:"/home(sweet)*$/"; + +``smb.ntlmssp_domain`` is a 'sticky buffer'. + +``smb.ntlmssp_domain`` can be used as ``fast_pattern``. -- cgit v1.2.3
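Review bot: In each of the four "Examples::" blocks of the new smb-keywords.rst, the second example pairs `content:"..."; nocase;` with a `pcre` that carries no `/i` modifier (for instance `pcre:"/really$/"` and `pcre:"/j(ohn|ane).*doe$/"`), so the content match is case-insensitive while the regex is not, and the text does not say whether that is intended. Either add `/i` to the expressions or add a sentence stating that `nocase` applies only to the preceding `content`. The sections also never say what each sticky buffer holds: for `smb.named_pipe` and `smb.share` it is not stated whether the buffer is the full tree connect path or only its last component, and for `smb.ntlmssp_user` and `smb.ntlmssp_domain` it is not stated how the value is decoded or normalised. A reader needs that to know what `endswith` and the `$` anchors are matched against. A one-line description of the buffer contents per keyword, plus one complete rule (header, `msg`, `sid`) rather than option fragments only, would make the examples usable as written. Minor: the intro line "SMB keywords used in both SMB1 and SMB2 protocols." is a fragment and the title underline is two characters longer than "SMB Keywords".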