OT: Can SMB filenames be well defined for IDS systems?

Tim Potter tpot at samba.org
Thu May 29 01:17:00 GMT 2003

On Thu, May 29, 2003 at 12:52:11PM +1200, Jason Haar wrote:

> OK. Well I've looked at a Win2K to Win2K SMB copy using xcopy from cmd.exe
> and cut-n-paste from explorer. What I've found that they both contain:
> "ff 53 4d 42 a2" [SMB, NTCreate&X]
> Would all attempts at creating a file contain that? 

Probably not, as Jeremy says, but it would catch most of them.

> i.e. look for "ff 53 4d 42 a2", then look for ".eml" within the next 200
> bytes.
> That should basically eliminate FPs based on file content instead of
> filenames shouldn't it?

It would certainly cut them down.

What if I were copying a packet capture of someone copying a .eml file?

I'm not sure you will catch all filenames at an offset of 200 bytes.
A packet capture of a NTCreate&X over port 139 looks like:

  14 bytes ethernet header
  20 bytes IP header
  32 bytes TCP header
   4 bytes NetBIOS header

followed by the start of the SMB packet.  For port 445 you can get rid
of the NetBIOS header.  The filename starts 160 bytes into the SMB
packet so if I had a 100 character unicode filename the .eml extension 
would occur approximately 430 bytes (14+20+32+4+160+(100*2)) from the 
start of the packet.

Anyway, it sounds like you are on the right track.  Ethereal rocks.  (-:


More information about the samba-technical mailing list