Project

General

Profile

Actions
Copy link

Feature #7100

open

smb: additional keywords

Added by Peter Manev 3 months ago. Updated 3 months ago.

Status:
New
Priority:
Normal
Assignee:
OISF Dev
Target version:
TBD
Effort:
Difficulty:
Label:

Description

We have the regular event_type SMB logs.
Some alert detection additions of SMB keywords could be very useful.

Example: many status codes "Access denied" or "Log on failure" from the same origin can easily reveal brute forcing or miss configuration.
This data can be extracted and seen in the default generated Suricata SMB logs, however it is very helpful to be able to alert on that and other cases.
Suggestions for keywords that we already have logged in SMB as logs , but would be useful if available as keywords:
  • smb status code
  • smb command

Related issues 3 (3 open0 closed)

Related to Suricata - Feature #5069: smb: keyword for matching smb commandNewActions
Related to Suricata - Task #4772: tracking: parity between fields logged and fields available for detectionAssignedVictor JulienActions
Related to Suricata - Story #6597: rules: impove rules keyword/output parityNewVictor JulienActions
Actions
Copy link
 #2

Updated by Philippe Antoine 3 months ago

  • Related to Feature #5069: smb: keyword for matching smb command added
Actions
Copy link
 #3

Updated by Victor Julien 3 months ago

  • Related to Task #4772: tracking: parity between fields logged and fields available for detection added
Actions
Copy link
 #4

Updated by Lukas Sismis 3 months ago

Actions
Copy link
 #5

Updated by Lukas Sismis 3 months ago

Actions
Copy link
 #6

Updated by Lukas Sismis 3 months ago

  • Related to Story #6597: rules: impove rules keyword/output parity added
Actions
Copy link
 #7

Updated by Victor Julien 3 months ago

  • Subject changed from Additional SMB keywords support to smb: additional keywords
Actions
Copy link

Also available in: Atom PDF