NF – POLICY – Outbound SMB – Connection attempt

This alert is triggered when an internal network device attempts an outbound connection to an external server over SMB (TCP ports 139 or 445). Outbound SMB traffic may expose internal resources (for example, NTLM credentials or file shares) to external hosts or be used as a channel for data exfiltration.

Categories:

ID Number

5002022

Signature

alert tcp $HOME_NET any -> $EXTERNAL_NET [139,445] (msg:"NF - POLICY - Outbound SMB - Connection attempt"; flags:S; reference:url,networkforensic.dk; metadata:26102018; classtype:policy-violation; sid:5002022; rev:1;)

Severity

High

Recommendations/Investigative actions

Identify the device attempting the SMB connection and determine whether the connection is authorized or unexpected. Consider blocking outbound SMB connections at the perimeter. Check the device for signs of malware or misconfiguration (for example, a mapped drive or scheduled task pointing at an external host) that could be prompting the unauthorized SMB connection.
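To make the rule's match conditions concrete, the following added example (not part of this alert page or the networkforensic.dk ruleset) re-implements sid 5002022 in Python and runs it over a handful of constructed connection records. It assumes $HOME_NET is the RFC 1918 address space and that the sensor prints TCP flags as single letters; adjust HOME_NET to match your own sensor configuration.

```python
import ipaddress
from dataclasses import dataclass

# $HOME_NET approximated as RFC 1918 space (assumption: use your sensor's HOME_NET)
HOME_NET = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
SMB_PORTS = {139, 445}  # the rule's [139,445]

@dataclass
class Pkt:
    src: str
    dst: str
    dport: int
    flags: str  # TCP flag letters as a sensor prints them: "S", "SA", "A", ...

def parse_line(line: str) -> Pkt:
    """Parse one constructed record: '<ts> <src>:<sport> -> <dst>:<dport> <flags>'."""
    _ts, src, _arrow, dst, flags = line.split()
    dst_ip, dport = dst.rsplit(":", 1)
    return Pkt(src.rsplit(":", 1)[0], dst_ip, int(dport), flags)

def in_home_net(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in HOME_NET)

def matches_sid_5002022(pkt: Pkt) -> bool:
    """Re-implement the rule's match conditions on one packet."""
    # $HOME_NET any -> $EXTERNAL_NET: source inside, destination outside
    if not in_home_net(pkt.src) or in_home_net(pkt.dst):
        return False
    if pkt.dport not in SMB_PORTS:
        return False
    # flags:S means exactly SYN: the SYN-ACK reply and later ACK/data segments do not fire
    return set(pkt.flags) == {"S"}

# constructed sample records, not real traffic
SAMPLE_LOG = """\
2018-10-26T08:00:01 10.1.2.3:51234 -> 203.0.113.5:445 S
2018-10-26T08:00:01 203.0.113.5:445 -> 10.1.2.3:51234 SA
2018-10-26T08:00:02 10.1.2.3:51235 -> 10.1.5.20:445 S
2018-10-26T08:00:03 192.168.7.8:49152 -> 198.51.100.9:139 S
2018-10-26T08:00:04 10.1.2.3:51236 -> 203.0.113.5:443 S
2018-10-26T08:00:05 10.1.2.3:51234 -> 203.0.113.5:445 A
"""

def alerts(log: str) -> list[str]:
    """Return 'src -> dst:port' for every record the rule would alert on."""
    return [f"{p.src} -> {p.dst}:{p.dport}" for p in map(parse_line, log.splitlines())
            if matches_sid_5002022(p)]
```

Calling alerts(SAMPLE_LOG) flags only the two internal-to-external SYNs on 445 and 139; the internal-to-internal SMB session, the HTTPS connection, and the follow-up SYN-ACK and ACK segments of an already-alerted session are all ignored, which is why one alert per outbound session is the expected volume.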