[Samba] SMB2: several "Create Request File" for files like .trash or .hidden
Bernd Lentes
bernd.lentes at helmholtz-muenchen.de
Tue Sep 19 20:28:52 UTC 2023
Hi,
I'm completely new to Samba, so sorry for some stupid questions.
I did some network sniffing and ran the pcap files against Suricata (an IDS).
It created some alerts "ET POLICY SMB2 NT Create AndX Request For a DLL File - Possible Lateral Movement".
I tried to examine these packets with wireshark. Not all of them have to do with a .dll.
But I find something strange. In other packets I found some "Create Request File" for files like .hidden or .trash.
The request was made with the following disposition: Disposition: Open (if file exists open it, else fail) (1).
So it was looking for files named .hidden or .trash.
I was connected to the Samba Server with SLES 15 SP5 and the respective smb client.
Is the behaviour "searching for files named .hidden or .trash" normal for a smb client or is there something/someone examing our SMB server very profoundly ?
Thanks.
Bernd
--
Bernd Lentes
SystemAdministrator
Institute of Metabolism and Cell Death
Helmholtz Zentrum München
Building 25 office 122
Bernd.lentes at helmholtz-munich.de
+49 89 3187 1241
Helmholtz Zentrum München – Deutsches Forschungszentrum für Gesundheit und Umwelt (GmbH)
Ingolstädter Landstraße 1, D-85764 Neuherberg, https://www.helmholtz-munich.de
Geschäftsführung: Prof. Dr. med. Dr. h.c. Matthias Tschöp | Aufsichtsratsvorsitzende: MinDir’in Prof. Dr. Veronika von Messling
Registergericht: Amtsgericht München HRB 6466 | USt-IdNr. DE 129521671
More information about the samba
mailing list