Bug #5087
Updated by Eloy Pérez over 2 years ago
The sticky buffer file.name is not working in the smb protocol. The following rule doesn't match the filename (Unicode) in the SMB create request in the provided pcap.
<pre>
alert smb any any -> any any (msg: "SMB file a.txt";file.name; content:"a|00|.|00|t|00|x|00|t|00|";sid:1;)
</pre>
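Added example, not part of the original report or of Suricata's code: SMB2 carries file names as UTF-16LE, which is why the pattern in the rule interleaves `|00|` bytes. The hypothetical helpers below decode a content pattern (literal characters and `|hex|` runs only, backslash escapes are not handled) and report which encoding of a file name that pattern would match, so a rule writer can see which buffer representation a pattern assumes.

```python
# Added example; helper names are hypothetical, not Suricata APIs.
SAFE = set(range(0x20, 0x7F)) - set(b'";:|\\')  # bytes usable as literals in content


def content_to_bytes(pattern: str) -> bytes:
    """Decode a content string made of literal characters and |hex| runs."""
    parts = pattern.split("|")
    if len(parts) % 2 == 0:
        raise ValueError("unbalanced '|' in content pattern")
    out = bytearray()
    for i, part in enumerate(parts):
        # Odd-index parts sit between pipes and hold hex bytes, e.g. "00" or "00 2e".
        out += bytes.fromhex(part) if i % 2 else part.encode("latin-1")
    return bytes(out)


def filename_to_content(name: str, encoding: str = "utf-16-le") -> str:
    """Build a content string for a file name in the given encoding."""
    out, hex_run = [], []
    for b in name.encode(encoding):
        if b in SAFE:
            if hex_run:
                out.append("|" + " ".join(hex_run) + "|")
                hex_run = []
            out.append(chr(b))
        else:
            hex_run.append(f"{b:02x}")
    if hex_run:
        out.append("|" + " ".join(hex_run) + "|")
    return "".join(out)


def matching_encodings(pattern: str, name: str) -> list:
    """Return the encodings of `name` whose bytes contain the decoded pattern."""
    needle = content_to_bytes(pattern)
    return [enc for enc in ("utf-16-le", "utf-8") if needle in name.encode(enc)]


if __name__ == "__main__":
    rule_pattern = "a|00|.|00|t|00|x|00|t|00|"  # pattern from the rule above
    print(content_to_bytes(rule_pattern))
    print(filename_to_content("a.txt"))
    print(matching_encodings(rule_pattern, "a.txt"))
    print(matching_encodings("a.txt", "a.txt"))
```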