Project

General

Profile

Actions

Feature #7100

open

smb: additional keywords

Added by Peter Manev 5 months ago. Updated 5 months ago.

Status:
New
Priority:
Normal
Assignee:
Target version:
Effort:
Difficulty:
Label:

Description

We have the regular event_type SMB logs.
Some alert detection additions of SMB keywords could be very useful.

Example: many status codes "Access denied" or "Log on failure" from the same origin can easily reveal brute forcing or miss configuration.
This data can be extracted and seen in the default generated Suricata SMB logs, however it is very helpful to be able to alert on that and other cases.
Suggestions for keywords that we already have logged in SMB as logs , but would be useful if available as keywords:
  • smb status code
  • smb command

Related issues 3 (3 open0 closed)

Related to Suricata - Feature #5069: smb: keyword for matching smb commandNewActions
Related to Suricata - Task #4772: tracking: parity between fields logged and fields available for detectionAssignedVictor JulienActions
Related to Suricata - Story #6597: rules: improve rules keyword/output parityNewVictor JulienActions
Actions #2

Updated by Philippe Antoine 5 months ago

  • Related to Feature #5069: smb: keyword for matching smb command added
Actions #3

Updated by Victor Julien 5 months ago

  • Related to Task #4772: tracking: parity between fields logged and fields available for detection added
Actions #4

Updated by Lukas Sismis 5 months ago

Actions #5

Updated by Lukas Sismis 5 months ago

Actions #6

Updated by Lukas Sismis 5 months ago

  • Related to Story #6597: rules: improve rules keyword/output parity added
Actions #7

Updated by Victor Julien 5 months ago

  • Subject changed from Additional SMB keywords support to smb: additional keywords
Actions

Also available in: Atom PDF