[Snort-users] Snort rule to detect Windows SMB file copy

Shah, Neeraj A. (IntlCtr) neeraj.shah at nist.gov
Mon Mar 26 11:17:01 EDT 2018

Hello All,

Looking for help with regards to creating a rule for monitoring Windows SMB commands.

Does anybody have a SNORT rule to detect a simple file copy activity happening in Windows? For example: if I copy a file from my Windows laptop to a remote Windows server via Windows Explorer or a mapped drive, how do I detect this activity via a SNORT rule?

I did capture a pcap file when simulating the file transfer process in my environment; however, the conversation is encrypted. All I could see is that SMB uses port 445 in the conversation, which is obvious :)

Thanks in advance
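The capture looks encrypted because SMB 3.x wraps each message in a transform header (ProtocolId FD 'S' 'M' 'B') instead of the plaintext SMB2 header (FE 'S' 'M' 'B') that carries the command code. The following is an added example, not code from the thread: a Python classifier that tells plaintext SMB2 commands such as WRITE apart from encrypted SMB3 traffic on port 445 using the header offsets from MS-SMB2, plus a helper that emits the matching Snort content rule for a command code (the sid is a placeholder local-rule id, and the sample bytes are constructed, not taken from the poster's pcap).

```python
import struct

# SMB2 command codes (MS-SMB2 2.2.1.2); a file copy shows as CREATE, WRITE..., CLOSE
SMB2_COMMANDS = {0x0000: "NEGOTIATE", 0x0001: "SESSION_SETUP", 0x0003: "TREE_CONNECT",
                 0x0005: "CREATE", 0x0006: "CLOSE", 0x0008: "READ", 0x0009: "WRITE"}
SMB2_FLAGS_SERVER_TO_REDIR = 0x00000001  # header flag set on responses
NBSS = 4  # NetBIOS session header that precedes every SMB message on TCP/445


def classify_smb_payload(payload: bytes) -> dict:
    """Classify one port-445 TCP payload by the 4-byte ProtocolId after the NBSS header."""
    proto = payload[NBSS:NBSS + 4]
    if proto == b"\xfeSMB" and len(payload) >= NBSS + 64:      # plaintext SMB2 header
        cmd, = struct.unpack_from("<H", payload, NBSS + 12)     # Command field
        flags, = struct.unpack_from("<I", payload, NBSS + 16)   # Flags field
        return {"kind": "smb2", "command": SMB2_COMMANDS.get(cmd, hex(cmd)),
                "is_response": bool(flags & SMB2_FLAGS_SERVER_TO_REDIR)}
    if proto == b"\xfdSMB" and len(payload) >= NBSS + 52:      # SMB 3.x transform header
        size, = struct.unpack_from("<I", payload, NBSS + 36)    # OriginalMessageSize
        sid, = struct.unpack_from("<Q", payload, NBSS + 44)     # SessionId is the only cleartext id
        return {"kind": "smb3_encrypted", "original_size": size, "session_id": sid}
    if proto == b"\xffSMB":
        return {"kind": "smb1"}
    return {"kind": "unknown"}


def snort_rule_for_command(code: int, sid: int) -> str:
    """Snort content rule for a plaintext SMB2 request with the given Command code.
    Offsets are relative to the TCP payload: ProtocolId at 4, Command (LE) at 16."""
    name = SMB2_COMMANDS.get(code, hex(code))
    return (f'alert tcp $HOME_NET any -> $HOME_NET 445 (msg:"SMB2 {name} request"; '
            'flow:to_server,established; content:"|FE 53 4D 42|"; offset:4; depth:4; '
            f'content:"|{code & 0xff:02X} {code >> 8:02X}|"; offset:16; depth:2; '
            f'sid:{sid}; rev:1;)')


def _nbss(body: bytes) -> bytes:
    return b"\x00" + len(body).to_bytes(3, "big") + body


# Constructed samples: a WRITE request header and an encrypted SMB3 message (200 cipher bytes)
WRITE_REQUEST = _nbss(b"\xfeSMB" + struct.pack("<HHIHHII", 64, 1, 0, 0x0009, 1, 0, 0)
                      + struct.pack("<QIIQ", 7, 0, 1, 0x1122) + b"\x00" * 16)
ENCRYPTED = _nbss(b"\xfdSMB" + b"\x00" * 16 + b"\x11" * 16
                  + struct.pack("<IHHQ", 200, 0, 1, 0x1122) + b"\xaa" * 200)

if __name__ == "__main__":
    print(classify_smb_payload(WRITE_REQUEST))  # {'kind': 'smb2', 'command': 'WRITE', 'is_response': False}
    print(classify_smb_payload(ENCRYPTED))      # kind 'smb3_encrypted', original_size 200
    print(snort_rule_for_command(0x0009, sid=1000001))  # sid is a placeholder local-rule id
```

Once a session negotiates encryption only the transform header is visible on the wire, so a content rule on the command field can fire only for hosts that talk plaintext SMB2; for encrypted sessions the session id and message sizes are what remains to correlate with host-side logging.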

