OT: Can SMB filenames be well defined for IDS systems?

jra at dp.samba.org jra at dp.samba.org
Thu May 29 00:57:19 GMT 2003

On Thu, May 29, 2003 at 12:52:11PM +1200, Jason Haar wrote:
> On Thu, May 29, 2003 at 09:22:15AM +1000, Tim Potter wrote:
> > Break out ethereal (www.ethereal.com) and try to match against some
> > specific SMBs.  I would expect the virus to do a NTCreate&X to open a
> > file on the remote machine.  You might like to test various infected
> > clients as the parameters to NTCreate&X or even the exact SMB packet
> > used might be different.
> OK. Well I've looked at a Win2K to Win2K SMB copy using xcopy from cmd.exe
> and cut-n-paste from explorer. What I've found that they both contain:
> "ff 53 4d 42 a2" [SMB, NTCreate&X]
> Would all attempts at creating a file contain that? 

Not all, as files can be opened using NTtrans, trans2, open, open&X
of course (this is SMB after all - why have only one way to open a file :-).

But that would catch most WNT and above clients.


More information about the samba-technical mailing list