[Snort-users] Snort rule to detect Windows SMB file copy
Shah, Neeraj A. (IntlCtr)
neeraj.shah at nist.gov
Mon Mar 26 11:17:01 EDT 2018
Looking for help with regards to creating a rule for monitoring Windows SMB commands.
Does anybody have a SNORT rule to detect a simple file copy activity happening in Windows? For example: if I copy a file from my Windows laptop to a remote Windows server via Windows Explorer or a mapped drive, how do I detect this activity via a SNORT rule?
I did capture a pcap file when simulating the file transfer process in my environment; however, the conversation is encrypted. All I could see is that SMB uses port 445 in the conversation, which is obvious :)
Thanks in advance
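Added example, not part of the original post or of Snort: a small Python classifier for SMB2 segments on TCP/445 that shows what a rule has to match for a file copy (a plaintext WRITE request) and why the captured conversation shows nothing (an SMB3 transform header replaces the plaintext header, so only the 0xFD 'SMB' magic is visible). The header offsets follow MS-SMB2; the sample segments are constructed here, and a real Snort rule would express the same byte checks through its SMB preprocessor or content/offset matching.

```python
import struct

SMB2_MAGIC = b"\xfeSMB"            # plaintext SMB2/3 header
SMB2_TRANSFORM_MAGIC = b"\xfdSMB"  # SMB 3.x encrypted transform header
SMB2_FLAGS_SERVER_TO_REDIR = 0x00000001  # set on responses
SMB2_COMMANDS = {0x0005: "CREATE", 0x0006: "CLOSE", 0x0008: "READ", 0x0009: "WRITE"}


def classify_smb2(tcp_payload: bytes) -> str:
    """Classify one direct-TCP (port 445) SMB segment.

    Returns e.g. 'WRITE request', 'READ response', 'ENCRYPTED' or 'OTHER'.
    A 4-byte NetBIOS session header (zero byte + 3-byte length) precedes SMB2.
    """
    if len(tcp_payload) < 4:
        return "OTHER"
    smb = tcp_payload[4:]
    if smb[:4] == SMB2_TRANSFORM_MAGIC:
        return "ENCRYPTED"          # command and payload are not inspectable
    if smb[:4] != SMB2_MAGIC or len(smb) < 64:
        return "OTHER"
    command, = struct.unpack_from("<H", smb, 12)   # Command field, offset 12
    flags, = struct.unpack_from("<I", smb, 16)     # Flags field, offset 16
    direction = "response" if flags & SMB2_FLAGS_SERVER_TO_REDIR else "request"
    return f"{SMB2_COMMANDS.get(command, f'CMD_{command:#06x}')} {direction}"


def build_segment(command: int, response: bool = False) -> bytes:
    """Constructed sample: NetBIOS header + minimal 64-byte SMB2 header, no body."""
    header = bytearray(64)
    header[0:4] = SMB2_MAGIC
    struct.pack_into("<H", header, 4, 64)          # StructureSize is always 64
    struct.pack_into("<H", header, 12, command)
    struct.pack_into("<I", header, 16, SMB2_FLAGS_SERVER_TO_REDIR if response else 0)
    return b"\x00" + len(header).to_bytes(3, "big") + bytes(header)


def count_writes(segments) -> int:
    """Plaintext WRITE requests seen: the signal a client-to-server file copy produces."""
    return sum(1 for s in segments if classify_smb2(s) == "WRITE request")


if __name__ == "__main__":
    # Constructed traffic: a copy (CREATE, WRITE, WRITE, CLOSE) and one encrypted segment.
    copy = [build_segment(0x0005), build_segment(0x0009), build_segment(0x0009), build_segment(0x0006)]
    encrypted = b"\x00\x00\x00\x40" + SMB2_TRANSFORM_MAGIC + b"\x00" * 60
    for seg in copy + [encrypted]:
        print(classify_smb2(seg))
    print("write requests:", count_writes(copy + [encrypted]))
```

Once SMB encryption is negotiated, the classifier (and any Snort rule) sees only ENCRYPTED segments; a write-heavy session toward port 445 is then visible only through volume and direction, not command type.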