alert smb any any -> any any (msg:"ATTACK [PTsecurity] Samba RCE exploitation attempt (SambaCry)"; flow:to_server, established, no_stream; content:"|ff 53 4d 42 2d|"; offset:4; depth:5; byte_extract:2, 67, name_length, little; content:"|2f|"; distance:2; within:name_length; content:!"|04|"; distance:0; within:1; reference:cve, 2017-7494; reference:url, www.samba.org/samba/security/CVE-2017-7494.html; reference:url, thehackernews.com/2017/05/samba-rce-exploit.html; reference:url, rules.ptsecurity.com; classtype:attempted-admin; sid:10001438; rev:1;)