Bernd Lentes
2023-Sep-19 20:28 UTC
[Samba] SMB2: several "Create Request File" for files like .trash or .hidden
Hi,

I'm completely new to Samba, so sorry for some stupid questions.

I did some network sniffing and ran the pcap files against Suricata (an IDS). It created some alerts "ET POLICY SMB2 NT Create AndX Request For a DLL File - Possible Lateral Movement". I tried to examine these packets with Wireshark. Not all of them have to do with a .dll.

But I find something strange. In other packets I found some "Create Request File" for files like .hidden or .trash. The request was made with the following disposition:

Disposition: Open (if file exists open it, else fail) (1)

So it was looking for files named .hidden or .trash. I was connected to the Samba server with SLES 15 SP5 and the respective SMB client.

Is the behaviour "searching for files named .hidden or .trash" normal for an SMB client, or is there something/someone examining our SMB server very profoundly?

Thanks.

Bernd

--
Bernd Lentes
System Administrator
Institute of Metabolism and Cell Death
Helmholtz Zentrum München
Building 25, office 122
Bernd.lentes at helmholtz-munich.de
+49 89 3187 1241

Helmholtz Zentrum München – Deutsches Forschungszentrum für Gesundheit und Umwelt (GmbH)
Ingolstädter Landstraße 1, D-85764 Neuherberg, https://www.helmholtz-munich.de
Management: Prof. Dr. med. Dr. h.c. Matthias Tschöp | Chair of the Supervisory Board: MinDir'in Prof. Dr. Veronika von Messling
Register court: Amtsgericht München HRB 6466 | VAT ID: DE 129521671
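
The two Create Request fields discussed above (file name and Disposition) can be extracted from raw SMB2 messages in bulk instead of packet by packet. The following is an added example, not part of the original post: it parses the SMB2 CREATE request layout and reports the requested name, the disposition, and whether the name ends in .dll. The function names are hypothetical and `build_sample` produces constructed test messages, not captured traffic.

```python
import struct

SMB2_MAGIC, SMB2_CREATE, HDR, FIXED = b"\xfeSMB", 0x0005, 64, 56
DISPOSITIONS = {0: "FILE_SUPERSEDE", 1: "FILE_OPEN", 2: "FILE_CREATE",
                3: "FILE_OPEN_IF", 4: "FILE_OVERWRITE", 5: "FILE_OVERWRITE_IF"}

def parse_create_request(msg: bytes):
    """Return (name, disposition) for an SMB2 CREATE request, else None."""
    if len(msg) < HDR + FIXED or msg[:4] != SMB2_MAGIC:
        return None
    command, = struct.unpack_from("<H", msg, 12)
    flags, = struct.unpack_from("<I", msg, 16)
    if command != SMB2_CREATE or flags & 0x1:   # 0x1 = server-to-client response
        return None
    if struct.unpack_from("<H", msg, HDR)[0] != 57:   # CREATE StructureSize
        return None
    disposition, = struct.unpack_from("<I", msg, HDR + 36)
    # NameOffset is counted from the start of the SMB2 header
    name_off, name_len = struct.unpack_from("<HH", msg, HDR + 44)
    if name_len and (name_off < HDR + FIXED or name_off + name_len > len(msg)):
        return None                                   # name lies outside the message
    name = msg[name_off:name_off + name_len].decode("utf-16-le", errors="replace")
    return name, DISPOSITIONS.get(disposition, f"UNKNOWN({disposition})")

def triage(msg: bytes):
    """Summarise one CREATE request for review; None if it is not one."""
    parsed = parse_create_request(msg)
    if parsed is None:
        return None
    name, disp = parsed
    return {"name": name, "disposition": disp,
            # FILE_OPEN only opens an existing file; every other value can create or replace
            "may_create_or_replace": disp != "FILE_OPEN",
            "dll": name.lower().endswith(".dll")}

def build_sample(name: str, disposition: int) -> bytes:
    """Constructed SMB2 CREATE request for testing (not captured traffic)."""
    raw = name.encode("utf-16-le")
    header = struct.pack("<4sHHIHHIIQIIQ16s", SMB2_MAGIC, 64, 1, 0, SMB2_CREATE,
                         1, 0, 0, 1, 0, 1, 1, b"\0" * 16)
    body = struct.pack("<HBBIQQIIIIIHHII", 57, 0, 0, 2, 0, 0, 0x00100081, 0, 7,
                       disposition, 0, HDR + FIXED, len(raw), 0, 0)
    return header + body + raw

if __name__ == "__main__":
    for sample in (build_sample(".hidden", 1), build_sample("lib\\x.dll", 5)):
        print(triage(sample))
```

The disposition alone does not show whether write access was requested; that is carried in the DesiredAccess field of the same request.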