alert smb any any -> any any (msg:"ATTACK [PTsecurity] Samba RCE exploitation attempt (SambaCry)"; flow:to_server, established, no_stream; content:"|fe 53 4d 42|"; offset:4; depth:4; content:"|05 00|"; offset:16; depth:2; fast_pattern; byte_test:8, <, 15, 28, little; byte_test:4, &, 0x00000001, 92, little; byte_test:2, <, 100, 114, little; byte_extract:2, 114, name_length, little; byte_jump:2, 112, little, from_beginning, post_offset 4; content:"|2f|"; within:name_length; pcre:"/(?:\.\x00s\x00o\x00|\.so\x00)(?:$|[^b])/Ri"; threshold:type limit, track by_src, count 1, seconds 30; reference:cve, 2017-7494; reference:url, www.samba.org/samba/security/CVE-2017-7494.html; reference:url, thehackernews.com/2017/05/samba-rce-exploit.html; reference:url, rules.ptsecurity.com; classtype:attempted-admin; sid:10001357; rev:10;)