Rule Category


Alert Message

Rule Explanation

The SMB protocol allows multiple SMB commands to be grouped in a single packet. This rule covers the case where the next-command offset specified in an SMB2 header is greater than the payload boundary.

What To Look For

This preprocessor rule will alert when it sees an offset to the next command in a chain of SMB2 commands that is larger than the size of the whole message.
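The check described above can be reproduced offline as a bounds check on each header's NextCommand field while walking the compound chain. This is an added example, not Snort's preprocessor code. It assumes the buffer starts at the first SMB2 header (transport framing already stripped) and compares each offset against the bytes remaining from the current header. The function names and sample messages are constructed for illustration.

```python
import struct

SMB2_MAGIC = b"\xfeSMB"
SMB2_HDR_LEN = 64          # fixed SMB2 header size
NEXT_COMMAND_OFF = 20      # NextCommand: uint32 LE at header offset 20

def check_compound_chain(msg: bytes) -> list[str]:
    """Walk a compounded SMB2 message; return findings (empty list = clean)."""
    findings = []
    pos, index = 0, 0
    while True:
        remaining = len(msg) - pos
        if remaining < SMB2_HDR_LEN:
            findings.append(f"command {index}: truncated header at offset {pos}")
            break
        if msg[pos:pos + 4] != SMB2_MAGIC:
            findings.append(f"command {index}: bad protocol id at offset {pos}")
            break
        (next_cmd,) = struct.unpack_from("<I", msg, pos + NEXT_COMMAND_OFF)
        if next_cmd == 0:            # last command in the chain
            break
        if next_cmd > remaining:     # the condition this rule describes
            findings.append(
                f"command {index}: NextCommand {next_cmd} exceeds "
                f"{remaining} bytes left in message")
            break
        if next_cmd < SMB2_HDR_LEN:  # added sanity check: offset inside own header
            findings.append(f"command {index}: NextCommand {next_cmd} too small")
            break
        pos += next_cmd
        index += 1
    return findings

def build_cmd(next_cmd: int, body_len: int = 8) -> bytes:
    """Constructed sample: minimal SMB2 header plus zero-filled body."""
    hdr = bytearray(SMB2_HDR_LEN)
    hdr[0:4] = SMB2_MAGIC
    struct.pack_into("<H", hdr, 4, 64)                       # StructureSize
    struct.pack_into("<I", hdr, NEXT_COMMAND_OFF, next_cmd)  # NextCommand
    return bytes(hdr) + bytes(body_len)

# Constructed samples: a well-formed two-command chain and a malformed one.
good = build_cmd(72) + build_cmd(0)
bad = build_cmd(72) + build_cmd(4096)

if __name__ == "__main__":
    print("good:", check_compound_chain(good))
    print("bad: ", check_compound_chain(bad))
```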

Known Usage

Attacks/Scans seen in the wild

False Positives

No known false positives


Cisco Talos Intelligence Group

MITRE ATT&CK Framework

Tactic: Execution

Technique: User Execution

For reference, see the MITRE ATT&CK vulnerability types here:

Additional Links

Rule Vulnerability


Not Applicable

CVE Additional Information