OT: Can SMB filenames be well defined for IDS systems?
jra at dp.samba.org
Thu May 29 00:57:19 GMT 2003
On Thu, May 29, 2003 at 12:52:11PM +1200, Jason Haar wrote:
> On Thu, May 29, 2003 at 09:22:15AM +1000, Tim Potter wrote:
> > Break out ethereal (www.ethereal.com) and try to match against some
> > specific SMBs. I would expect the virus to do a NTCreate&X to open a
> > file on the remote machine. You might like to test various infected
> > clients as the parameters to NTCreate&X or even the exact SMB packet
> > used might be different.
>
> OK. Well I've looked at a Win2K to Win2K SMB copy using xcopy from cmd.exe
> and cut-n-paste from explorer. What I've found is that they both contain:
>
> "ff 53 4d 42 a2" [SMB, NTCreate&X]
>
> Would all attempts at creating a file contain that?
Not all, as files can be opened using NTtrans, trans2, open, open&X
of course (this is SMB after all - why have only one way to open a file :-).
But that would catch most WNT and above clients.
Jeremy.
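As an added example (not code from the thread or from Samba), a small Python classifier over constructed NetBIOS-framed SMB1 requests: it checks the "ff 53 4d 42 a2" signature Jason posted and, separately, decodes the command byte plus the trans2 / NT trans subcommand word, so the open-family requests Jeremy lists that the signature misses become visible. The command codes and subcommand offsets follow the SMB1 (CIFS) request layouts; the sample frames are constructed with zeroed header fields, not captured traffic.

```python
import struct

# SMB1 (CIFS) commands that can open or create a file. The signature quoted in
# the thread, "ff 53 4d 42 a2", only matches one of these (NT_CREATE_ANDX).
OPEN_FAMILY = {
    0x02: "SMB_COM_OPEN", 0x03: "SMB_COM_CREATE", 0x0F: "SMB_COM_CREATE_NEW",
    0x2D: "SMB_COM_OPEN_ANDX", 0xA2: "SMB_COM_NT_CREATE_ANDX",
    0x32: "SMB_COM_TRANSACTION2",  # opens only via subcommand TRANS2_OPEN2 (0x0000)
    0xA0: "SMB_COM_NT_TRANSACT",   # opens only via subcommand NT_TRANSACT_CREATE (0x0001)
}
SMB_MAGIC = b"\xffSMB"

def naive_match(pkt: bytes) -> bool:
    """The thread's signature: NetBIOS session header, then ff 53 4d 42 a2."""
    return pkt[4:9] == SMB_MAGIC + b"\xa2"

def classify_smb(pkt: bytes):
    """Return (command_name, opens_file) for one NetBIOS-framed SMB1 request,
    or None when the frame is not a well-formed SMB1 message."""
    if len(pkt) < 4 + 32 or pkt[0] != 0x00:              # 0x00 = session message
        return None
    if int.from_bytes(pkt[1:4], "big") != len(pkt) - 4:  # length must match frame
        return None
    smb = pkt[4:]
    if smb[:4] != SMB_MAGIC:
        return None
    cmd = smb[4]
    opens = cmd in OPEN_FAMILY
    # Transaction-style commands carry the real operation in a subcommand word:
    # trans2 Setup[0] follows WordCount + 14 words, NT trans Function follows
    # WordCount + 36 bytes of fixed fields (little-endian, SMB-relative offsets).
    if cmd == 0x32 and len(smb) >= 63:
        opens = struct.unpack_from("<H", smb, 61)[0] == 0x0000   # TRANS2_OPEN2
    elif cmd == 0xA0 and len(smb) >= 71:
        opens = struct.unpack_from("<H", smb, 69)[0] == 0x0001   # NT_TRANSACT_CREATE
    return OPEN_FAMILY.get(cmd, f"cmd 0x{cmd:02x}"), opens

def build(cmd: int, body: bytes = b"") -> bytes:
    """Constructed frame: NetBIOS header + 32-byte SMB1 header (fields after the
    command byte zeroed) + body. Not captured traffic."""
    smb = SMB_MAGIC + bytes([cmd]) + bytes(27) + body
    return b"\x00" + len(smb).to_bytes(3, "big") + smb

if __name__ == "__main__":
    samples = {
        "ntcreate&x": build(0xA2),
        "open&x": build(0x2D),
        "trans2 open2": build(0x32, bytes([15]) + bytes(28) + b"\x00\x00"),
        "nttrans create": build(0xA0, bytes([20]) + bytes(36) + b"\x01\x00"),
    }
    for label, pkt in samples.items():
        print(f"{label:15} signature={naive_match(pkt)!s:5} parsed={classify_smb(pkt)}")
```

Running it shows the signature firing only for the NTCreate&X frame while the parser flags all four as file opens; a rule built this way still says nothing about the filename, which lives further into the request and is encoded differently per command.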