This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Hi,

I'm trying to develop a snort rule that identifies exact filenames in an SMB2 Create Request. This can be anything from "1" to something like "thisfile.exe". Although it's easy to place a pointer at the beginning of the filename buffer, so you can start searching a regex from that point forward, it's a problem to find a boundary at the end of the filename. I'm trying to match the beginning of the ExtraInfo buffer, but I've found a case where there seems to be a couple of bytes (|65 00|) after the filename and before the ExtraInfo, which Wireshark doesn't recognize as part of the packet. I've searched the protocol definition and can't find anything about what these bytes can be. So, a couple of questions: 1) any idea what these bytes can be? 2) any tip on how to achieve a rule like this, that is able to match exactly a boundary after the filename, to use in a pcre expression?

Thanks!

asked 22 Jul '16, 05:36


BadlyDrawnBoy
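As an added example (not code from the question, Snort or Wireshark), the following Python locates the file name in an SMB2 CREATE request from the NameOffset/NameLength fields of the fixed body (MS-SMB2 2.2.13) rather than by hunting for a delimiter, and returns the bytes between the end of the name and CreateContextsOffset; the spec only requires the create contexts to start 8-byte aligned, so those bytes are padding that a rule should not anchor on. The sample request, the padding value and the "QFid" context are constructed here for illustration.

```python
import struct

SMB2_HEADER_LEN = 64
SMB2_CREATE = 0x0005
CREATE_FIXED_LEN = 56          # CREATE body before the variable Buffer

def parse_create_name(msg: bytes) -> dict:
    """msg starts at the SMB2 header; all CREATE offsets are relative to it."""
    if msg[:4] != b"\xfeSMB":
        raise ValueError("not an SMB2 message")
    (command,) = struct.unpack_from("<H", msg, 12)
    if command != SMB2_CREATE:
        raise ValueError("not a CREATE request")
    body = SMB2_HEADER_LEN
    (struct_size,) = struct.unpack_from("<H", msg, body)
    if struct_size != 57:
        raise ValueError("unexpected CREATE StructureSize")
    # NameOffset, NameLength, CreateContextsOffset, CreateContextsLength follow
    # the 44 bytes of access/attribute/share/disposition/options fields.
    name_off, name_len, ctx_off, ctx_len = struct.unpack_from("<HHII", msg, body + 44)
    name_end = name_off + name_len
    if name_off < body + CREATE_FIXED_LEN or name_end > len(msg) or name_len % 2:
        raise ValueError("bad name offset/length")
    name = msg[name_off:name_end].decode("utf-16-le")
    # Bytes between the name and the 8-byte aligned contexts are padding whose
    # contents the spec does not define; match the name by length, not by them.
    gap = msg[name_end:ctx_off] if ctx_off else msg[name_end:]
    return {"name": name, "name_end": name_end, "ctx_off": ctx_off, "gap": gap}

def build_create_request(name: str, pad: bytes, ctx: bytes) -> bytes:
    """Constructed sample CREATE request: header + fixed body + name + pad + contexts."""
    name_bytes = name.encode("utf-16-le")
    name_off = SMB2_HEADER_LEN + CREATE_FIXED_LEN            # 0x78, the usual value
    ctx_off = name_off + len(name_bytes) + len(pad) if ctx else 0
    hdr = b"\xfeSMB" + struct.pack("<HHIHHIIQIIQ", 64, 1, 0, SMB2_CREATE,
                                   1, 0, 0, 4, 0, 1, 0x1234) + b"\x00" * 16
    body = struct.pack("<HBBIQQIIIIIHHII", 57, 0, 0, 2, 0, 0, 0x00120089, 0x80,
                       7, 1, 0x40, name_off, len(name_bytes), ctx_off, len(ctx))
    return hdr + body + name_bytes + pad + ctx

# SMB2_CREATE_QUERY_ON_DISK_ID context ("QFid"), which carries no data in a request.
QFID_CTX = struct.pack("<IHHHHI", 0, 16, 4, 0, 0, 0) + b"QFid"

if __name__ == "__main__":
    # "abc" is 6 UTF-16 bytes, so two padding bytes (constructed as 65 00, the
    # value seen in the question) precede the 8-byte boundary where contexts start.
    print(parse_create_name(build_create_request("abc", b"e\x00", QFID_CTX)))
    print(parse_create_name(build_create_request("thisfile.exe", b"", QFID_CTX)))
```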


This would be better posted to the snort community.


answered 22 Jul '16, 05:59


Jaap ♦
