
Sid 1-45074


SERVER-SAMBA Samba unsigned connections attempt


This event is generated when an SMB connection is established without signing being correctly enforced, which may lead to connection hijacking.


Attempted User Privilege Gain

Detailed information

Specific Samba commands do not enforce signing of the Samba connection even when they explicitly require it. This lack of enforcement could lead to hijacking of the connections: because they are not encrypted, the information could be intentionally modified in a man-in-the-middle attack.

Affected systems

  • Samba server versions 3.0.25 to 4.6.7

Ease of attack


False positives


False negatives


Corrective action

The vendor states that signing can be enforced by explicitly using '--signing=required' on the command line or "client signing = required" in smb.conf. Upgrading Samba to version 4.6.8, 4.5.14 or 4.4.16 is also suggested.
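One way to audit a host for the smb.conf setting named above, as an added example that is not part of the original rule documentation. The function names and the two sample configurations are constructed for illustration; the check reads only the `[global]` section of the text it is given and does not follow `include` directives.

```python
import re

# Values that make client signing mandatory: "required" is the value named in
# the corrective action; "mandatory" is the smb.conf synonym for it.
ENFORCING = {"required", "mandatory"}

def _norm(name):
    # Samba compares parameter names ignoring case and embedded whitespace.
    return re.sub(r"\s+", "", name).lower()

def client_signing(conf_text):
    """Return the effective [global] 'client signing' value, or None if unset."""
    section, value, pending = None, None, ""
    for raw in conf_text.splitlines():
        line = pending + raw.strip()
        if line.endswith("\\"):            # trailing backslash continues the line
            pending = line[:-1]
            continue
        pending = ""
        if not line or line[0] in "#;":    # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "global" or "=" not in line:
            continue
        key, val = line.split("=", 1)
        if _norm(key) == "clientsigning":
            value = val.strip().lower()    # the last assignment wins
    return value

def signing_enforced(conf_text):
    """True only when the configuration explicitly requires client signing."""
    return client_signing(conf_text) in ENFORCING

# Constructed sample: the enforcing line is commented out, so signing is optional.
WEAK_CONF = """
[global]
   workgroup = EXAMPLE
   ; client signing = required
   client signing = default
[public]
   path = /srv/public
"""

# Constructed sample: the corrected setting, written with odd case and spacing.
FIXED_CONF = "[global]\n   Client  Signing = Required\n"

if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("fixed", FIXED_CONF)):
        print(label, client_signing(conf), signing_enforced(conf))
```

An unset or commented-out parameter is reported as not enforced, since the corrective action calls for setting it explicitly.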


  • Cisco's Talos Intelligence Group

Additional References