Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

add support for smb/smb2 network traffic extension #5

Open
samcornwell opened this issue Feb 15, 2018 · 1 comment
Open

add support for smb/smb2 network traffic extension #5

samcornwell opened this issue Feb 15, 2018 · 1 comment
Labels
feature request

Comments

@samcornwell
Copy link
Collaborator

There are several CAR analytics which use SMB information parsed from network traffic. This is an example of an analytic which looks for writes to named pipes:

flow = search Flow:Message
smb_write = filter flow where (dest_port == "445" and protocol == "smb.write_pipe")
smb_write.pipe_name = smb_write.proto_info.pipe_name
output smb_write

STIX cannot currently represent this analytic because there is no existing extension to in STIX. This proposal is to add a standard extension to be able to capture this analytic. The resulting analytic may look like the following:

[ network-traffic:dst_port = 445 AND network-traffic:protocols[*] = 'microsoft-ds' 
AND 
network-traffic:extensions.smb2-ext.command = 'write' 
AND
network-traffic:extensions.smb2-ext.file_name MATCHES '^\\\\\.\\pipe\\' ]
@samcornwell
Copy link
Collaborator Author

wiki proposal: SMB Extension Proposal

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
feature request
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@samcornwell