Has anyone come up with a good way to detect SMB v1 in their environment with Security Onion?
I have been working on a Snort Rule as well as the SMB decoder in BRO, but have quite a few false positives based on SMB negotiation.
If someone else has solved this already, please point me in the correct direction.
Thanks,
Brant