YARA rule that attempts to detect the SMBv3 NEGOTIATE request sent by the SMBGhost (CVE-2020-0796) scanner (derived from https://github.com/ollypwn/SMBGhost/blob/master/scanner.py). The pattern is that script's probe byte for byte: 4-byte NetBIOS header, 64-byte SMB2 header and a NEGOTIATE body offering dialects 2.0.2 through 3.1.1 with a pre-auth integrity context and an LZ77 compression context, 196 bytes in all, including the scanner's all-zero ClientGuid and all-zero pre-auth salt. It therefore matches that scanner's traffic (in a PCAP, or a stream reassembled from TCP/445) but not a generic SMB 3.1.1 NEGOTIATE that happens to offer compression, and it stops matching as soon as anyone changes a byte of the probe.
rule SMBv3_Scanner {
    meta:
        description = "Byte-exact SMB2 NEGOTIATE probe sent by the ollypwn SMBGhost scanner (CVE-2020-0796)"
        date = "2020-03-11"
        author = "@LloydLabs"
        author_url = "https://blog.syscall.party"
    strings:
        // Layout of the 196 bytes below:
        //   00 00 00 c0            NetBIOS session header, payload length 0xc0 = 192
        //   fe 53 4d 42 40 00 ...  SMB2 header: StructureSize 64, Command 0 (NEGOTIATE), CreditRequest 0x1f
        //   24 00 08 00 01 00 ...  NEGOTIATE body: StructureSize 36, 8 dialects, signing enabled,
        //                          Capabilities 0x7f, all-zero ClientGuid, NegotiateContextOffset 0x78, 2 contexts
        //   02 02 10 02 ... 11 03  dialects 2.0.2, 2.1, 2.2.2, 2.2.4, 3.0, 3.0.2, 3.1.0, 3.1.1
        //   01 00 26 00 ...        PREAUTH_INTEGRITY_CAPABILITIES: SHA-512, 32-byte all-zero salt
        //   03 00 0a 00 ...        COMPRESSION_CAPABILITIES: one algorithm, id 1 (LZ77)
        $pkt = {00 00 00 c0 fe 53 4d 42 40 00 00 00 00 00 00 00
                00 00 1f 00 00 00 00 00 00 00 00 00 00 00 00 00
                00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                00 00 00 00 24 00 08 00 01 00 00 00 7f 00 00 00
                00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                78 00 00 00 02 00 00 00 02 02 10 02 22 02 24 02
                00 03 02 03 10 03 11 03 00 00 00 00 01 00 26 00
                00 00 00 00 01 00 20 00 01 00 00 00 00 00 00 00
                00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                00 00 00 00 00 00 00 00 00 00 00 00 03 00 0a 00
                00 00 00 00 01 00 00 00 01 00 00 00 01 00 00 00
                00 00 00 00}
    condition:
        $pkt
}
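To see what the hex pattern actually encodes, and where a byte-exact match falls short, here is an added Python example (not part of this gist and not code from the ollypwn scanner) that parses the probe as an SMB2 NEGOTIATE request per the MS-SMB2 layouts and reports structural indicators: SMB 3.1.1 offered, an LZ77 compression context, and the all-zero ClientGuid and pre-auth salt that a real client would randomise. The sample bytes are the rule's own pattern; `VARIANT_PROBE`, with a changed GUID, is constructed here to show that a literal search (what the rule does) misses it while the structural check still flags it. Names such as `parse_negotiate`, `smbghost_indicators` and `yara_literal_match` are this example's own.

```python
import struct

# Constructed sample: the 196-byte probe carried by the YARA rule above
# (4-byte NetBIOS session header + 64-byte SMB2 header + NEGOTIATE request).
SCANNER_PROBE = bytes.fromhex("""
    00 00 00 c0 fe 53 4d 42 40 00 00 00 00 00 00 00
    00 00 1f 00 00 00 00 00 00 00 00 00 00 00 00 00
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    00 00 00 00 24 00 08 00 01 00 00 00 7f 00 00 00
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    78 00 00 00 02 00 00 00 02 02 10 02 22 02 24 02
    00 03 02 03 10 03 11 03 00 00 00 00 01 00 26 00
    00 00 00 00 01 00 20 00 01 00 00 00 00 00 00 00
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    00 00 00 00 00 00 00 00 00 00 00 00 03 00 0a 00
    00 00 00 00 01 00 00 00 01 00 00 00 01 00 00 00
    00 00 00 00
""")

# Constructed variant (hypothetical modified scanner): same probe, non-zero ClientGuid.
# ClientGuid sits at packet offsets 80..95 (NEGOTIATE body offset 12).
VARIANT_PROBE = SCANNER_PROBE[:80] + b"\x41" * 16 + SCANNER_PROBE[96:]

SMB2_MAGIC = b"\xfeSMB"
SMB2_NEGOTIATE = 0x0000
SMB2_FLAGS_SERVER_TO_REDIR = 0x00000001
SMB2_PREAUTH_INTEGRITY_CAPABILITIES = 0x0001
SMB2_COMPRESSION_CAPABILITIES = 0x0003
SMB2_DIALECT_311 = 0x0311
SMB2_COMPRESSION_LZ77 = 0x0001


def yara_literal_match(data):
    """What the rule above does: a byte-exact search for the probe anywhere in the data."""
    return SCANNER_PROBE in data


def parse_negotiate(pkt):
    """Parse a NetBIOS-framed SMB2 NEGOTIATE request (MS-SMB2 2.2.3).
    Returns {"dialects", "client_guid", "contexts"} or None if pkt is not one."""
    if len(pkt) < 4 + 64 + 36:
        return None
    if (struct.unpack(">I", pkt[:4])[0] & 0x00FFFFFF) != len(pkt) - 4:
        return None  # NetBIOS length must cover the SMB2 message exactly
    hdr = pkt[4:68]
    if hdr[:4] != SMB2_MAGIC:
        return None
    ssize, _credit_charge, _status, command, _credits, flags = struct.unpack("<HHIHHI", hdr[4:20])
    if ssize != 64 or command != SMB2_NEGOTIATE or flags & SMB2_FLAGS_SERVER_TO_REDIR:
        return None  # not a client-to-server NEGOTIATE
    body = pkt[68:]
    (bsize, dcount, _secmode, _rsv, _caps, guid,
     ctx_off, ctx_count, _rsv2) = struct.unpack("<HHHHI16sIHH", body[:36])
    if bsize != 36 or len(body) < 36 + 2 * dcount:
        return None
    dialects = list(struct.unpack("<%dH" % dcount, body[36:36 + 2 * dcount]))
    contexts = []
    if SMB2_DIALECT_311 in dialects:  # negotiate contexts exist only when 3.1.1 is offered
        pos = 4 + ctx_off  # offset is relative to the SMB2 header, which starts at byte 4
        for _ in range(ctx_count):
            if pos + 8 > len(pkt):
                return None
            ctype, dlen = struct.unpack("<HH", pkt[pos:pos + 4])
            data = pkt[pos + 8:pos + 8 + dlen]
            if len(data) != dlen:
                return None
            contexts.append((ctype, data))
            pos = 4 + (((pos + 8 + dlen - 4) + 7) & ~7)  # next context is 8-byte aligned
    return {"dialects": dialects, "client_guid": guid, "contexts": contexts}


def smbghost_indicators(pkt):
    """Structural indicators of the SMBGhost scanner probe. The first two are shared by
    any SMB 3.1.1 client that supports compression; the zero GUID and zero salt are
    what make this probe look scripted rather than like a real client."""
    info = parse_negotiate(pkt)
    if info is None:
        return []
    found = []
    if SMB2_DIALECT_311 in info["dialects"]:
        found.append("smb311_offered")
    for ctype, data in info["contexts"]:
        if ctype == SMB2_COMPRESSION_CAPABILITIES and len(data) >= 8:
            count, _pad, _flags = struct.unpack("<HHI", data[:8])
            if len(data) >= 8 + 2 * count and \
                    SMB2_COMPRESSION_LZ77 in struct.unpack("<%dH" % count, data[8:8 + 2 * count]):
                found.append("lz77_compression")
        elif ctype == SMB2_PREAUTH_INTEGRITY_CAPABILITIES and len(data) >= 4:
            hcount, slen = struct.unpack("<HH", data[:4])
            salt = data[4 + 2 * hcount:4 + 2 * hcount + slen]
            if slen and salt == bytes(slen):
                found.append("zero_preauth_salt")
    if info["client_guid"] == bytes(16):
        found.append("zero_client_guid")
    return found


if __name__ == "__main__":
    for name, pkt in (("scanner probe", SCANNER_PROBE), ("guid variant", VARIANT_PROBE)):
        print(name, "literal:", yara_literal_match(pkt), "structural:", smbghost_indicators(pkt))
```

Treat `smb311_offered` plus `lz77_compression` as a candidate filter only: by protocol definition every SMB 3.1.1 client that supports compression advertises the same context, so on its own that pair will also flag legitimate clients. The zero GUID and zero salt are what single out this script, which is also why the rule's byte-exact pattern works against this scanner and nothing else; a scanner that randomises either field needs the structural check, not a longer hex string.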