Rule Category

--

Alert Message

Rule Explanation

The SMB2 protocol allows multiple SMB commands to be grouped (compounded) in a single packet. This rule covers the case where the NextCommand offset specified in an SMB2 header points beyond the payload boundary.

What To Look For

This preprocessor rule will alert when it sees an offset to the next command in a chain of SMB2 commands that is larger than the size of the whole message.
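As an added example (not Talos or Snort code), the following Python walks an SMB2 compound chain the way this check does: it reads the Command and NextCommand fields of each 64-byte SMB2 header and flags a NextCommand offset that lands past the end of the message. The two sample messages are constructed inline; the command codes (0x0003 TREE_CONNECT, 0x0005 CREATE) and field offsets are the standard SMB2 header layout.

```python
import struct

SMB2_PROTOCOL_ID = b"\xfeSMB"
SMB2_HEADER_LEN = 64        # fixed SMB2 header size
COMMAND_OFFSET = 12         # Command field, 2 bytes little-endian
NEXT_COMMAND_OFFSET = 20    # NextCommand field, 4 bytes little-endian


def check_smb2_chain(message):
    """Walk the compound chain of SMB2 headers in `message`.

    Returns (commands, alerts): the command codes seen in order and a list
    of strings describing why the chain was rejected (empty if it is sane).
    """
    offset, commands, alerts = 0, [], []
    while True:
        if offset + SMB2_HEADER_LEN > len(message):
            alerts.append("header at offset %d is truncated" % offset)
            break
        hdr = message[offset:offset + SMB2_HEADER_LEN]
        if hdr[:4] != SMB2_PROTOCOL_ID:
            alerts.append("bad protocol id at offset %d" % offset)
            break
        (command,) = struct.unpack_from("<H", hdr, COMMAND_OFFSET)
        (next_command,) = struct.unpack_from("<I", hdr, NEXT_COMMAND_OFFSET)
        commands.append(command)
        if next_command == 0:       # zero marks the last command in the chain
            break
        # The check this rule performs: NextCommand is relative to the start
        # of the current header, so the next header must lie inside the message.
        if offset + next_command > len(message):
            alerts.append("NextCommand %d at offset %d exceeds message length %d"
                          % (next_command, offset, len(message)))
            break
        offset += next_command
    return commands, alerts


def build_smb2_header(command, next_command, message_id):
    """Constructed 64-byte SMB2 header; only the fields the check reads are set."""
    return (SMB2_PROTOCOL_ID
            + struct.pack("<HHIHHII", 64, 0, 0, command, 0, 0, next_command)
            + struct.pack("<QIIQ", message_id, 0, 0, 0)
            + b"\x00" * 16)         # Signature


# Constructed sample: TREE_CONNECT chained to CREATE, each with an 8-byte
# placeholder body, so the second header starts at offset 72 of 144 bytes.
GOOD_CHAIN = (build_smb2_header(0x0003, 72, 1) + b"\x00" * 8
              + build_smb2_header(0x0005, 0, 2) + b"\x00" * 8)
# Same chain, but the first NextCommand claims the next header is 4096 bytes
# in, well past the 144-byte message: this is the condition the rule alerts on.
BAD_CHAIN = (build_smb2_header(0x0003, 0x1000, 1) + b"\x00" * 8
             + build_smb2_header(0x0005, 0, 2) + b"\x00" * 8)
```

Calling `check_smb2_chain(GOOD_CHAIN)` returns both command codes with no alerts, while `check_smb2_chain(BAD_CHAIN)` stops after the first header with one alert.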

Known Usage

Attacks/Scans seen in the wild

False Positives

No known false positives

Contributors

Cisco Talos Intelligence Group

MITRE ATT&CK Framework

Tactic: Execution

Technique: User Execution

For reference, see the MITRE ATT&CK framework here: https://attack.mitre.org

Additional Links

Rule Vulnerability

N/A

Not Applicable

CVE Additional Information