Rule History

SID: 10001356 • Source: ptrules/open

Versions (6)

Version Details (Current)

Rev: 8 • Jul 24, 2025, 5:44 PM

ATTACK [PTsecurity] Samba RCE exploitation attempt (SambaCry)

alert smb any any -> any any (msg: "ATTACK [PTsecurity] Samba RCE exploitation attempt (SambaCry)"; flow: to_server, established, no_stream; content: "|ff 53 4d 42 a2|"; offset: 4; depth: 5; byte_extract: 2, 85, name_length, little; content: "|2f|"; within: name_length; pcre: "/(?:\.\x00s\x00o\x00|\.so\x00)(?:$|[^b])/Ri"; threshold: type limit, track by_src, count 1, seconds 30; reference: cve, 2017-7494; reference: url, www.samba.org/samba/security/CVE-2017-7494.html; reference: url, thehackernews.com/2017/05/samba-rce-exploit.html; reference: url, rules.ptsecurity.com; classtype: attempted-admin; sid: 10001356; rev: 8;)

Jul 24, 2025, 5:44 PM

Jul 24, 2025, 5:44 PM

Oct 16, 2025, 10:34 AM

Oct 16, 2025, 10:34 AM

rules/ptopen-attacks.rules