OT: Can SMB filenames be well defined for IDS systems?

Esh, Andrew Andrew_Esh at adaptec.com
Thu May 29 13:42:04 GMT 2003

Your method of packet sniffing for virus activity is a good idea. Please
share your results with us. Perhaps someone would be interested in
developing a VFS module that does the same thing.

For another source of information about decoding an SMB packet to the point
of detecting a file creation and extracting the file name, look at the
source code for Ethereal, which can be obtained through:


The file you are interested in is "packet-smb.c", in the function
"dissect_create_file_request". By studying that code, you will learn how to
focus your search on the name of the file being created. Here's a preview:

static int
dissect_create_file_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree
*tree, int offset, proto_tree *smb_tree _U_)
{
	smb_info_t *si = pinfo->private_data;
	int fn_len;
	const char *fn;
	guint8 wc;
	guint16 bc;

	/* file attributes */
	offset = dissect_file_attributes(tvb, tree, offset, 2);

	/* creation time */
	offset = dissect_smb_UTIME(tvb, tree, offset, hf_smb_create_time);

	/* buffer format */
	proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1,
		TRUE);
	offset += 1;	/* the full function does this via its byte-count macros */

	/* File Name */
	fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len,
		FALSE, FALSE, &bc);
	if (fn == NULL)
		goto endofcommand;
	proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
		fn);
	offset += fn_len;

	if (check_col(pinfo->cinfo, COL_INFO)) {
		col_append_fstr(pinfo->cinfo, COL_INFO, ", Path: %s", fn);
	}

endofcommand:
	return offset;
}

-----Original Message-----
From: Jason Haar [mailto:Jason.Haar at trimble.co.nz]
Sent: Wednesday, May 28, 2003 7:52 PM
To: samba-technical at samba.org
Subject: Re: OT: Can SMB filenames be well defined for IDS systems?

On Thu, May 29, 2003 at 09:22:15AM +1000, Tim Potter wrote:
> Break out ethereal (www.ethereal.com) and try to match against some
> specific SMBs.  I would expect the virus to do a NTCreate&X to open a
> file on the remote machine.  You might like to test various infected
> clients as the parameters to NTCreate&X or even the exact SMB packet
> used might be different.

OK. Well I've looked at a Win2K to Win2K SMB copy using xcopy from cmd.exe
and cut-n-paste from explorer. What I've found is that they both contain:

"ff 53 4d 42 a2" [SMB, NTCreate&X]

Would all attempts at creating a file contain that?

If so, then a better snort rule might be:

alert tcp any any -> any 445 (msg:"NETBIOS nimda .eml";
 content:"|ff 53 4d 42 a2|"; content:"|00|.|00|E|00|M|00|L"; within:200;
 nocase; flow:to_server,established;
 classtype:bad-unknown; reference:url,www.f-secure.com/v-descs/nimda.shtml;
 sid:1293; rev:8;)

i.e. look for "ff 53 4d 42 a2", then look for ".eml" within the next 200

That should basically eliminate FPs based on file content instead of
filenames shouldn't it?


Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
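As an added example (not code from this thread, from Ethereal or from Snort), here is a small Python parser that does what Andrew's Ethereal excerpt and Jason's rule are each reaching for: locate the SMB header ("ff 53 4d 42"), pick out the two file-creation commands (SMB_COM_CREATE 0x03, the one dissect_create_file_request handles, and NTCreate&X 0xA2, the byte in the Snort rule), decode the file name in whichever string encoding FLAGS2 announces, and only then test the name against a suffix such as ".eml". Matching on the decoded name rather than on a raw byte pattern is what removes the false positives from file content that Jason is worried about. Assumptions: SMB1 over TCP/445 with the 4-byte NetBIOS session header already stripped, Unicode names 2-byte aligned for both commands, and the three request packets are constructed here by hand (the builder functions, field values and the check function names are this example's own, not Ethereal's API).

```python
import struct

SMB_MAGIC = b"\xffSMB"           # "ff 53 4d 42" from the thread
SMB_COM_CREATE = 0x03            # the command Ethereal's dissect_create_file_request decodes
SMB_COM_NT_CREATE_ANDX = 0xA2    # NTCreate&X, the "a2" byte in the Snort rule
FLAGS2_UNICODE = 0x8000          # FLAGS2 bit selecting UTF-16LE strings
HEADER_LEN = 32


def _header(command, flags2):
    """Constructed 32-byte SMB1 header: magic, command, status, flags, flags2,
    PIDHigh, signature, reserved, TID, PID, UID, MID (all little-endian)."""
    return (SMB_MAGIC + bytes([command]) + struct.pack("<IBH", 0, 0x18, flags2)
            + b"\x00" * 12 + struct.pack("<HHHH", 1, 0x1234, 0x0800, 1))


def build_nt_create_andx(name, unicode_strings=True):
    """Constructed SMB_COM_NT_CREATE_ANDX request (24 parameter words) for `name`."""
    name_bytes = name.encode("utf-16-le") if unicode_strings else name.encode("ascii")
    params = struct.pack("<BBHBHIIIQIIIIIB",
                         0xFF, 0, 0, 0, len(name_bytes),  # AndX cmd/reserved/offset, reserved, NameLength
                         0, 0, 0x0002019F, 0,             # Flags, RootFID, DesiredAccess, AllocationSize
                         0x80, 7, 5, 0x44, 2, 0)          # ExtAttrs, Share, Disposition, Options, Impersonation, SecFlags
    body = name_bytes + (b"\x00\x00" if unicode_strings else b"\x00")
    if unicode_strings:
        body = b"\x00" + body  # pad: header(32)+wct(1)+params(48)+bcc(2) = 83 is odd
    return (_header(SMB_COM_NT_CREATE_ANDX, FLAGS2_UNICODE if unicode_strings else 0)
            + bytes([24]) + params + struct.pack("<H", len(body)) + body)


def build_create(name):
    """Constructed SMB_COM_CREATE request (3 parameter words) with an ASCII name."""
    params = struct.pack("<HI", 0x20, 0)                 # file attributes, creation time
    body = b"\x04" + name.encode("ascii") + b"\x00"      # buffer format 0x04, then the name
    return _header(SMB_COM_CREATE, 0) + bytes([3]) + params + struct.pack("<H", len(body)) + body


def _read_name(block, offset, unicode_strings):
    """Decode a NUL-terminated ASCII or UTF-16LE string, never reading past the block."""
    if unicode_strings:
        end = offset
        while end + 1 < len(block) and block[end:end + 2] != b"\x00\x00":
            end += 2
        return block[offset:end].decode("utf-16-le", errors="replace")
    end = block.find(b"\x00", offset)
    return block[offset:end if end >= 0 else len(block)].decode("ascii", errors="replace")


def extract_create_filename(data):
    """Return the file name carried by an SMB1 create request, or None when the
    packet is not SMB_COM_CREATE / SMB_COM_NT_CREATE_ANDX or is malformed."""
    if len(data) <= HEADER_LEN or data[:4] != SMB_MAGIC:
        return None
    command = data[4]
    unicode_strings = bool(struct.unpack_from("<H", data, 10)[0] & FLAGS2_UNICODE)
    wct = data[HEADER_LEN]                       # word count, then wct*2 bytes of parameters
    params_end = HEADER_LEN + 1 + 2 * wct
    if params_end + 2 > len(data):
        return None
    bcc = struct.unpack_from("<H", data, params_end)[0]
    offset = params_end + 2
    block_end = offset + bcc
    if block_end > len(data):
        return None          # byte count overruns the packet (Ethereal's CHECK_BYTE_COUNT case)
    if command == SMB_COM_CREATE:
        if wct != 3 or offset >= block_end or data[offset] != 0x04:
            return None      # expect the 0x04 buffer-format byte ahead of the name
        offset += 1
    elif command == SMB_COM_NT_CREATE_ANDX:
        if wct != 24:
            return None
    else:
        return None
    if unicode_strings and offset % 2:
        offset += 1          # Unicode names start on an even offset (assumed for both commands)
    if offset >= block_end:
        return None
    return _read_name(data[:block_end], offset, unicode_strings)


def match_suspicious_name(data, suffixes=(".eml",)):
    """Rule-style check on the decoded name: returns the name when it ends with
    one of `suffixes` (case-insensitive, either string encoding), else None."""
    name = extract_create_filename(data)
    if name is not None and name.lower().endswith(suffixes):
        return name
    return None


if __name__ == "__main__":
    for pkt in (build_nt_create_andx("\\readme.eml"),
                build_nt_create_andx("\\notes.txt", unicode_strings=False),
                build_create("\\README.EML")):
        print(extract_create_filename(pkt), "->", match_suspicious_name(pkt))
```

The decoder checks the word count and byte count before touching the data block, so a short or truncated request yields None instead of a partial name, which is the same defensive bookkeeping the Ethereal function performs with its byte-count macros; the suffix check then sees only names, so content bytes elsewhere in the packet cannot trigger it.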
