alert smb any any -> $HOME_NET any (msg:"ATTACK [PTsecurity] Samba RCE exploitation attempt (SambaCry)"; flow:to_server, established, no_stream; content:"|ff 53 4d 42 a2|"; offset:4; depth:5; byte_extract:2, 85, name_length, little; content:"|2f|"; distance:2; within:name_length; content:!"|04|"; distance:0; within:1; reference:cve, 2017-7494; reference:url, www.samba.org/samba/security/CVE-2017-7494.html; reference:url, thehackernews.com/2017/05/samba-rce-exploit.html; classtype:attempted-user; reference:url, github.com/ptresearch/AttackDetection; sid:10001356; rev:5;)