alert smb any any -> $HOME_NET any (msg:"ATTACK [PTsecurity] Samba RCE exploitation attempt (SambaCry)"; flow:to_server, established, no_stream; content:"|fe 53 4d 42|"; offset:4; depth:4; content:"|05 00|"; offset:16; depth:2; fast_pattern; byte_extract:2, 114, name_length, little; byte_jump:2, 112, little, from_beginning, post_offset 4; content:"|2f|"; distance:0; within:name_length; content:!"|04|"; distance:0; within:1; reference:cve, 2017-7494; reference:url, www.samba.org/samba/security/CVE-2017-7494.html; reference:url, thehackernews.com/2017/05/samba-rce-exploit.html; classtype:attempted-user; reference:url, github.com/ptresearch/AttackDetection; sid:10001357; rev:5;)