Hi, I'm trying to develop a snort rule that identifies exact filenames in a SMB2 Create Request. This can be anything from "1" to something like "thisfile.exe". Although it's easy to place a pointer at the beginning of the filename buffer, so you can start searching a regex from that point forward, it's a problem to find a boundary at the the end of the filename. I'm trying to match the beginning of the ExtraInfo buffer, but I've found a case where there seems to be a couple of bytes (|65 00| between after the filename and before the ExtraInfo, which wireshark doesn't recognize as part of the packet. I've searched the protocol definition and can't find anything about what these bytes can be. So, a couple of questions: 1) any idea what these bytes can be? 2) any tip on how to achieve a rule like this, that is able to match exactly a boundary after the filename, to use in a pcre expression? Thanks! asked 22 Jul '16, 05:36  BadlyDrawnBoy |
One Answer:
This would be better posted to the snort community. answered 22 Jul '16, 05:59  Jaap ♦ |
