SMBv3 Negotiate Protocol Request with Compression Capabilities Context

This Snort rule matches SMB2 NEGOTIATE requests sent to TCP port 445 in which the client offers the SMB 3.1.1 dialect (0x0311) and includes a negotiate context of type SMB2_COMPRESSION_CAPABILITIES (0x0003), that is, a client advertising support for SMB3 compression. The content chain walks the packet field by field: the SMB2 ProtocolId (fe 53 4d 42) right after the 4-byte NetBIOS session header, a zero Command field (NEGOTIATE), the 0x0311 dialect within the first 20 bytes of the Dialects array, then the compression context type followed by zeroed Reserved, Padding and Flags fields. Two caveats follow from those bytes: the final content match requires the context's Flags field to be zero, so a compression context that sets SMB2_COMPRESSION_CAPABILITIES_FLAG_CHAINED does not satisfy the rule; and the rule carries no flow keyword, so it inspects every packet to port 445 rather than only client-to-server data on established sessions (adding flow:to_server,established; is the usual tightening).

Categories:

ID Number

1000021

Signature

alert tcp any any -> any 445 (msg:"SMBv3 Negotiate Protocol Request with Compression Capabilities Context"; content:"|fe 53 4d 42|"; offset: 4; depth: 10; content:"|00 00 00 00|"; distance: 6; content:"|11 03|"; distance: 86; within: 20; content:"|03 00|"; distance: 2; content:"|00 00 00 00 00 |"; distance: 1; within: 5; content:"|00 00 00 00 00 |"; distance: 1; within: 5; sid:1000021; rev:1;)

MITRE ATT&CK Technique

-

Severity

Low

Recommendations/Investigative actions

Check whether SMB3 compression is permitted on the network. Any SMB 3.1.1 client that supports compression includes this context in its ordinary negotiate request, so the alert also fires on normal traffic from such hosts. If the organization's policy permits compression, either disable the rule or establish a baseline of the hosts that normally trigger it and look only at new or unexpected sources, in particular a single host negotiating with many servers on port 445.