Suricata deny access Samba

Suricata is making it difficult to access USER mode in Samba. I am adding the IPs of the devices. Is it correct to add the IPs, or do I need to do something else?

GPL NETBIOS SMB-DS Session Setup NTMLSSP unicode asn1 overflow attempt
Priority: 3 Type: Generic Protocol Command Decode
IP info: 10.0.30.12:33338 -> 10.0.30.1:445

Solved. I disabled the sub-rules in emerging-netbios.rules and the ET POLICY SMB sub-rules. Better than adding the device's IP to the allowlist.

1 Like
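As an added example (not from this thread or from IPFire/Suricata itself), the middle ground between allowlisting a host and disabling a rule set: parse the three-line alert block shown above and, only when both endpoints are on the trusted LAN, emit a Suricata threshold.config `suppress` entry scoped to that one signature and source host. The 10.0.30.0/24 trusted network is an assumption, and since the thread does not give the rule's SID, the caller passes it in (the test uses a constructed local-range value).

```python
from __future__ import annotations
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample in the three-line layout the IPS log view shows above.
SAMPLE_ALERT = """GPL NETBIOS SMB-DS Session Setup NTMLSSP unicode asn1 overflow attempt
Priority: 3 Type: Generic Protocol Command Decode
IP info: 10.0.30.12:33338 -> 10.0.30.1:445"""

# Assumption: the LAN holding the Samba clients and server.
TRUSTED_NETS = [ipaddress.ip_network("10.0.30.0/24")]
_PRIO_RE = re.compile(r"Priority:\s*(\d+)\s+Type:\s*(.+)")
_IP_RE = re.compile(r"IP info:\s*(\S+):(\d+)\s*->\s*(\S+):(\d+)")


@dataclass
class Alert:
    msg: str
    priority: int
    classtype: str
    src: ipaddress.IPv4Address | ipaddress.IPv6Address
    sport: int
    dst: ipaddress.IPv4Address | ipaddress.IPv6Address
    dport: int


def parse_alert(block: str) -> Alert:
    """Parse one alert block (msg / priority / IP info) into an Alert."""
    lines = [ln.strip() for ln in block.strip().splitlines() if ln.strip()]
    if len(lines) != 3:
        raise ValueError("expected msg, priority and IP info lines")
    prio, ips = _PRIO_RE.match(lines[1]), _IP_RE.match(lines[2])
    if not prio or not ips:
        raise ValueError("unrecognised priority or IP info line")
    return Alert(lines[0], int(prio.group(1)), prio.group(2).strip(),
                 ipaddress.ip_address(ips.group(1)), int(ips.group(2)),
                 ipaddress.ip_address(ips.group(3)), int(ips.group(4)))


def is_trusted_pair(alert: Alert) -> bool:
    """True only when both endpoints sit inside a trusted network."""
    return all(any(ip in net for net in TRUSTED_NETS) for ip in (alert.src, alert.dst))


def suppress_entry(alert: Alert, sid: int) -> str | None:
    """threshold.config line silencing one SID for this source host only;
    None for non-trusted pairs, which should be investigated, not silenced."""
    if not is_trusted_pair(alert):
        return None
    return f"suppress gen_id 1, sig_id {sid}, track by_src, ip {alert.src}"
```

The emitted line goes into Suricata's threshold.config; the rule keeps firing for any other source, so an external host hitting port 445 still raises the alert.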

Hi,

glad you managed to solve this. Some IDS/IPS rules trigger on certain traffic which may or may not be unusual/unwanted in certain environments, such as RDP or Telnet.

SMB/NetBIOS seems to be among these as well (it usually does not appear in *nix-based networks)…

Thanks, and best regards,
Peter Müller

I tried not to disable rules, only sub-rules, based on observing the IPS logs. It is a procedure I also follow in OpenBSD.