Feature #8403: smb: add samr_UserInfo details to EVE logs - Suricata - Open Information Security Foundation

Actions

Copy link

Feature #8403

open

smb: add samr_UserInfo details to EVE logs

Added by Juliana Fajardini Reichow 1 day ago. Updated about 12 hours ago.

Status:

New

Priority:

Normal

Assignee:

Target version:

9.0.0-beta1

Effort:

Difficulty:

Label:

Description

samr_UserInfo such as Account Name and Full Name is available in the SMB payload, and we can potentially
detect credential theft with them, but they're not exposed as JSON fields in our logs.

These are good candidates to be logged.

I've added a pcap to #5685 that has these fields as example on packet 339.

Related issues 1 (1 open — 0 closed)

History
Property changes

Actions

Copy link

Updated by Victor Julien about 12 hours ago

Description updated (diff)

Actions

Copy link

Updated by Victor Julien about 12 hours ago

Related to Task #5685: tracking: active directory protocols support added

Actions

Copy link

Also available in: Atom PDF

Project

General

Profile

Suricata

Custom queries

Feature #8403

smb: add samr_UserInfo details to EVE logs

Updated by Victor Julien about 12 hours ago

Updated by Victor Julien about 12 hours ago