Suricata deny access Samba

Suricata is making it difficult to access USER mode in Samba. I am adding the IP of the devices. Is it correct to add the IPs or do I need to do something.

GPL NETBIOS SMB-DS Session Setup NTMLSSP unicode asn1 overflow attempt
Priority: 3 Type: Generic Protocol Command Decode
IP info: ->

Solved. I disabled the sub rules emerging-netbios.rules rule and sub rules ET POLICY SMB. Better than adding the device’s IP to the allowlist.

1 Like


glad you managed to solve this. Some IDS/IPS rules trigger on certain traffic which may or may not be unusual/unwanted in certain environments, such as RDP or Telnet.

SMB/NetBIOS seems to be among this as well (usually does not appear in *nix-based networks)…

Thanks, and best regards,
Peter Müller

I tried not to disable rules, but sub rules, observing the IPS logs. It is a procedure that I do also in OpenBSD.