Wazuh SMB Enumeration detection rule


SOC Team

Oct 22, 2023, 7:01:26 AM
to Wazuh | Mailing List

Dear Community,
I have created a FortiGate firewall rule to detect SMB enumeration, which is triggered during a test scan.


Figure 1

However, upon examining the event, I noticed that the "previous_output" logs show a different port than "445". The full log indicates that the destination port is indeed "445", but the previous_output logs display other ports. I'm unsure about the issue here.



Figure 2



Figure 3

Daniel Sappa

Oct 22, 2023, 6:41:56 PM
to Wazuh | Mailing List
Hi SOC Team,


You can share some log lines, with obfuscated data, if you wish, to allow me to evaluate them.

At the same time, tell me what type and installation you have.

wazuh server version along with any other relevant data.

I remain attentive to your comments

SOC Team

Oct 23, 2023, 4:53:25 AM
to Wazuh | Mailing List
Dear Daniel,

Should you require further clarification or have any inquiries regarding this matter, please do not hesitate to reach out to me.
Wazuh App version: 4.3.6 App revision: 4307

full_log

logver=700120523 timestamp=1697979519 devname="HH" devid="FG180FTK20001094" vd="saad" date=2023-10-22 time=15:58:39 eventtime=1697979520171383442 tz="+0300" logid="0000000020" type="traffic" subtype="forward" level="notice" srcip=10.10.3.3 srcname="machinename" srcport=65022 srcintf="VLAN 38" srcintfrole="lan" dstip=10.10.6.0 dstport=445 dstintf="Vlan56" dstintfrole="dmz" srcuuid="7b262bf8-e0e8-51ec-4197-0dc64c381695" dstuuid="29afee7e-e1a8-51ec-c1ee-7cdf4bdb886a" srccountry="Reserved" dstcountry="Reserved" sessionid=68542510 proto=6 action="accept" policyid=98 policytype="policy" poluuid="ae0c6dda-1e1d-51ed-5cae-f482715833c0" policyname="Client-FileServer" user="USER1" authserver="Local Agent" service="SMB" trandisp="snat" transip=10.10.6.1 transport=65022 duration=22836 sentbyte=132873148 rcvdbyte=249818534 sentpkt=233036 rcvdpkt=257899 appcat="unscanned" sentdelta=6527 rcvddelta=6272 srchwvendor="XXXXX" osname="Windows" srcswversion="NT " unauthuser="USER1" unauthusersource="kerberos" mastersrcmac="xx:xx:xx:xx:78:d3" srcmac="xx:xx:xx:20:78:d3" srcserver=0 dsthwvendor="xxxxx" dstdevtype="Server" dstfamily="Machine" dstosname="Windows" dsthwversion="Virtual Machine" dstswversion="xx / 20xx" dstunauthuser="USER2" dstunauthusersource="kerberos" masterdstmac="xx:xx:xx:xx:3d:e4" dstmac="xx:xx:xx:xx:3d:e4" dstserver=0

previous_output

logver=700120523 timestamp=1697979519 devname="HH" devid="FG180FTK20001094" vd="XXXX" date=2023-10-22 time=15:58:39 eventtime=1697979520134003472 tz="+0300" logid="0000000020" type="traffic" subtype="forward" level="notice" srcip=10.10.3.3 srcname="machinename" srcport=55236 srcintf="VLAN 38" srcintfrole="lan" dstip=52.97.173.18 dstport=443 dstintf="WAN" dstintfrole="wan" srcuuid="7b262bf8-e0e8-51ec-4197-0dc64c381695" dstuuid="bda07712-8c44-51eb-ca42-1b6487a57bc1" srccountry="Reserved" dstcountry="France" sessionid=75186261 proto=6 action="accept" policyid=4 policytype="policy" poluuid="e7cb35a4-7ac3-51ec-4b8f-3cf879116a0b" policyname="Client-WAN" user="USER1" authserver="Local Agent" service="HTTPS" trandisp="noop" duration=625 sentbyte=78912 rcvdbyte=29199 sentpkt=123 rcvdpkt=105 appcat="unscanned" sentdelta=280 rcvddelta=581 srchwvendor="XXXXX" osname="Windows" srcswversion="NT " unauthuser="USER1" unauthusersource="kerberos" masterdstmac="xx:xx:xx:xx:78:d3" dstmac="xx:xx:xx:xx:78:d3" srcserver=0
logver=700120523 timestamp=1697979518 devname="HH" devid="FG180FTK20001094" vd="XXXX" date=2023-10-22 time=15:58:38 eventtime=1697979519382676710 tz="+0300" logid="0000000013" type="traffic" subtype="forward" level="notice" srcip=10.10.3.3 srcname="machinename" srcport=55354 srcintf="VLAN 38" srcintfrole="lan" dstip=52.98.200.146 dstport=443 dstintf="WAN" dstintfrole="wan" srcuuid="7b262bf8-e0e8-51ec-4197-0dc64c381695" dstuuid="bda07712-8c44-51eb-ca42-1b6487a57bc1" srccountry="Reserved" dstcountry="France" sessionid=75328253 proto=6 action="close" policyid=4 policytype="policy" poluuid="e7cb35a4-7ac3-51ec-4b8f-3cf879116a0b" policyname="Client-WAN" user="USER1" authserver="Local Agent" service="HTTPS" trandisp="noop" duration=174 sentbyte=8787 rcvdbyte=8800 sentpkt=20 rcvdpkt=18 appcat="unscanned" sentdelta=120 rcvddelta=1883 srchwvendor="XXXXX" osname="Windows" srcswversion="NT " unauthuser="USER1" unauthusersource="kerberos" masterdstmac="xx:xx:xx:xx:78:d3" dstmac="xx:xx:xx:xx:78:d3" srcserver=0
logver=700120523 timestamp=1697979518 devname="HH" devid="FG180FTK20001094" vd="XXXX" date=2023-10-22 time=15:58:38 eventtime=1697979519292676258 tz="+0300" logid="0000000013" type="traffic" subtype="forward" level="notice" srcip=10.10.3.3 srcname="machinename" srcport=55353 srcintf="VLAN 38" srcintfrole="lan" dstip=52.98.200.178 dstport=443 dstintf="WAN" dstintfrole="wan" srcuuid="7b262bf8-e0e8-51ec-4197-0dc64c381695" dstuuid="bda07712-8c44-51eb-ca42-1b6487a57bc1" srccountry="Reserved" dstcountry="France" sessionid=75328162 proto=6 action="close" policyid=4 policytype="policy" poluuid="e7cb35a4-7ac3-51ec-4b8f-3cf879116a0b" policyname="Client-WAN" user="USER1" authserver="Local Agent" service="HTTPS" trandisp="noop" duration=174 sentbyte=1948 rcvdbyte=7077 sentpkt=12 rcvdpkt=11 appcat="unscanned" sentdelta=120 rcvddelta=1044 srchwvendor="XXXXX" osname="Windows" srcswversion="NT " unauthuser="USER1" unauthusersource="kerberos" masterdstmac="xx:xx:xx:xx:78:d3" dstmac="xx:xx:xx:xx:78:d3" srcserver=0
logver=700120523 timestamp=1697979518 devname="HH" devid="FG180FTK20001094" vd="XXXX" date=2023-10-22 time=15:58:38 eventtime=1697979518754481780 tz="+0300" logid="0000000020" type="traffic" subtype="forward" level="notice" srcip=10.10.3.3 srcname="machinename" srcport=50764 srcintf="VLAN 38" srcintfrole="lan" dstip=40.101.92.18 dstport=443 dstintf="WAN" dstintfrole="wan" srcuuid="7b262bf8-e0e8-51ec-4197-0dc64c381695" dstuuid="bda07712-8c44-51eb-ca42-1b6487a57bc1" srccountry="Reserved" dstcountry="France" sessionid=75083907 proto=17 action="accept" policyid=4 policytype="policy" poluuid="e7cb35a4-7ac3-51ec-4b8f-3cf879116a0b" policyname="Client-WAN" user="USER1" authserver="Local Agent" service="udp/443" trandisp="noop" duration=967 sentbyte=91696 rcvdbyte=371359 sentpkt=921 rcvdpkt=990 appcat="unscanned" sentdelta=5771 rcvddelta=5307 srchwvendor="XXXXX" osname="Windows" srcswversion="NT " unauthuser="USER1" unauthusersource="kerberos" masterdstmac="xx:xx:xx:xx:78:d3" dstmac="xx:xx:xx:xx:78:d3" srcserver=0
logver=700120523 timestamp=1697979516 devname="HH" devid="FG180FTK20001094" vd="XXXX" date=2023-10-22 time=15:58:36 eventtime=1697979517083929936 tz="+0300" logid="0000000020" type="traffic" subtype="forward" level="notice" srcip=10.10.3.3 srcname="machinename" srcport=55354 srcintf="VLAN 38" srcintfrole="lan" dstip=52.98.200.146 dstport=443 dstintf="WAN" dstintfrole="wan" srcuuid="7b262bf8-e0e8-51ec-4197-0dc64c381695" dstuuid="bda07712-8c44-51eb-ca42-1b6487a57bc1" srccountry="Reserved" dstcountry="France" sessionid=75328253 proto=6 action="accept" policyid=4 policytype="policy" poluuid="e7cb35a4-7ac3-51ec-4b8f-3cf879116a0b" policyname="Client-WAN" user="USER1" authserver="Local Agent" service="HTTPS" trandisp="noop" duration=171 sentbyte=8667 rcvdbyte=6917 sentpkt=17 rcvdpkt=12 appcat="unscanned" sentdelta=8667 rcvddelta=6917 srchwvendor="XXXXX" osname="Windows" srcswversion="NT " unauthuser="USER1" unauthusersource="kerberos" masterdstmac="xx:xx:xx:xx:78:d3" dstmac="xx:xx:xx:xx:78:d3" srcserver=0
logver=700120523 timestamp=1697979516 devname="HH" devid="FG180FTK20001094" vd="XXXX" date=2023-10-22 time=15:58:36 eventtime=1697979517083875482 tz="+0300" logid="0000000020" type="traffic" subtype="forward" level="notice" srcip=10.10.3.3 srcname="machinename" srcport=55353 srcintf="VLAN 38" srcintfrole="lan" dstip=52.98.200.178 dstport=443 dstintf="WAN" dstintfrole="wan" srcuuid="7b262bf8-e0e8-51ec-4197-0dc64c381695" dstuuid="bda07712-8c44-51eb-ca42-1b6487a57bc1" srccountry="Reserved" dstcountry="France" sessionid=75328162 proto=6 action="accept" policyid=4 policytype="policy" poluuid="e7cb35a4-7ac3-51ec-4b8f-3cf879116a0b" policyname="Client-WAN" user="USER1" authserver="Local Agent" service="HTTPS" trandisp="noop" duration=172 sentbyte=1828 rcvdbyte=6033 sentpkt=9 rcvdpkt=8 appcat="unscanned" sentdelta=1828 rcvddelta=6033 srchwvendor="XXXXX" osname="Windows" srcswversion="NT " unauthuser="USER1" unauthusersource="kerberos" masterdstmac="xx:xx:xx:xx:78:d3" dstmac="xx:xx:xx:xx:78:d3" srcserver=0
logver=700120523 timestamp=1697979515 devname="HH" devid="FG180FTK20001094" vd="XXXX" date=2023-10-22 time=15:58:35 eventtime=1697979515472720785 tz="+0300" logid="0000000013" type="traffic" subtype="forward" level="notice" srcip=10.10.3.3 srcname="machinename" srcport=60644 srcintf="VLAN 38" srcintfrole="lan" dstip=10.10.8.3 dstport=53 dstintf="Vlan80" dstintfrole="lan" srcuuid="7b262bf8-e0e8-51ec-4197-0dc64c381695" dstuuid="fdbf00a4-117f-51ed-62c4-398f2093b487" srccountry="Reserved" dstcountry="Reserved" sessionid=75324037 proto=17 action="accept" policyid=105 policytype="policy" poluuid="ba43faa8-2130-51ed-0d7e-348a1c7aa146" policyname="IT-Client-DC" user="USER1" authserver="Local Agent" service="DNS" trandisp="noop" duration=183 sentbyte=81 rcvdbyte=206 sentpkt=1 rcvdpkt=1 appcat="unscanned" srchwvendor="XXXXX" osname="Windows" srcswversion="NT " unauthuser="USER1" unauthusersource="kerberos" masterdstmac="xx:xx:xx:xx:78:d3" dstmac="xx:xx:xx:xx:78:d3" srcserver=0 dsthwvendor="VMware" dstosname="Windows" dstswversion="10" masterdstmac="xx:xx:xx:xx:86:84" dstmac="xx:xx:xx:xx:86:84" dstserver=0
logver=700120523 timestamp=1697979511 devname="HH" devid="FG180FTK20001094" vd="XXXX" date=2023-10-22 time=15:58:31 eventtime=1697979511182689834 tz="+0300" logid="0000000013" type="traffic" subtype="forward" level="notice" srcip=10.10.3.3 srcname="machinename" srcport=50689 srcintf="VLAN 38" srcintfrole="lan" dstip=10.10.8.3 dstport=53 dstintf="Vlan80" dstintfrole="lan" srcuuid="7b262bf8-e0e8-51ec-4197-0dc64c381695" dstuuid="fdbf00a4-117f-51ed-62c4-398f2093b487" srccountry="Reserved" dstcountry="Reserved" sessionid=75322445 proto=17 action="accept" policyid=105 policytype="policy" poluuid="ba43faa8-2130-51ed-0d7e-348a1c7aa146" policyname="IT-Client-DC" user="USER1" authserver="Local Agent" service="DNS" trandisp="noop" duration=184 sentbyte=63 rcvdbyte=86 sentpkt=1 rcvdpkt=1 appcat="unscanned" srchwvendor="XXXXX" osname="Windows" srcswversion="NT " unauthuser="USER1" unauthusersource="kerberos" masterdstmac="xx:xx:xx:xx:78:d3" dstmac="xx:xx:xx:xx:78:d3" srcserver=0 dsthwvendor="VMware" dstosname="Windows" dstswversion="10" masterdstmac="xx:xx:xx:xx:86:84" dstmac="xx:xx:xx:xx:86:84" dstserver=0
logver=700120523 timestamp=1697979511 devname="HH" devid="FG180FTK20001094" vd="XXXX" date=2023-10-22 time=15:58:31 eventtime=1697979511182688850 tz="+0300" logid="0000000011" type="traffic" subtype="forward" level="warning" srcip=10.10.3.3 srcname="machinename" srcport=50689 srcintf="VLAN 38" srcintfrole="lan" dstip=10.10.8.3 dstport=53 dstintf="Vlan80" dstintfrole="lan" srcuuid="7b262bf8-e0e8-51ec-4197-0dc64c381695" dstuuid="fdbf00a4-117f-51ed-62c4-398f2093b487" srccountry="Reserved" dstcountry="Reserved" sessionid=75322445 proto=17 action="ip-conn" policyid=105 policytype="policy" poluuid="ba43faa8-2130-51ed-0d7e-348a1c7aa146" policyname="IT-Client-DC" user="USER1" authserver="Local Agent" service="DNS" appcat="unscanned" crscore=5 craction=262144 crlevel="low" srchwvendor="XXXXX" osname="Windows" srcswversion="NT " unauthuser="USER1" unauthusersource="kerberos" masterdstmac="xx:xx:xx:xx:78:d3" dstmac="xx:xx:xx:xx:78:d3" srcserver=0 dsthwvendor="VMware" dstosname="Windows" dstswversion="10" masterdstmac="xx:xx:xx:xx:86:84" dstmac="xx:xx:xx:xx:86:84" dstserver=0

RULE

  <rule id="110056" level="10" frequency="10" timeframe="60">
    <if_matched_sid>81618</if_matched_sid>
    <dstport type="pcre2">^445$</dstport>
    <!--same_dstport /-->
    <same_source_ip />
    <different_dstip />
    <description>File Shares Enumeration - SMB Enumeration</description>
  </rule>




Brennuz Great

Oct 23, 2023, 9:13:43 AM
to Wazuh | Mailing List

Hello, I hope you are well. I recently had the same problem.

The solution was to create a rule that only catches SMB traffic and from there create the frequency rule.

Daniel Sappa

Oct 23, 2023, 2:24:33 PM
to Wazuh | Mailing List
I don't seem to understand what the problem is here.
I'm trying to do a simple test that allows me to verify that the rule is firing correctly.
I slightly modify the rule that you provided.

  <rule id="110056" level="10" frequency="2" timeframe="60">

    <if_matched_sid>81618</if_matched_sid>
    <dstport type="pcre2">^445$</dstport>
    <!--same_dstport /-->
    <same_source_ip />
  <!--
    <different_dstip />
  -->

    <description>File Shares Enumeration - SMB Enumeration</description>
  </rule>

I reduce the frequency and dismiss the control on the destination IP, all this to facilitate the test.
then I run this command so it can be processed by logtest.

root@wazuh:/# cat ~/full_log ~/full_log | /var/ossec/bin/wazuh-logtest

Here you can see that the rule fires correctly:

Starting wazuh-logtest v4.5.2
Type one log per line

**Phase 1: Completed pre-decoding.
        full event: 'logver=700120523 timestamp=1697979519 devname="HH" devid="FG180FTK20001094" vd="saad" date=2023-10-22 time=15:58:39 eventtime=1697979520171383442 tz="+0300" logid="0000000020" type="traffic" subtype="forward" level="notice" srcip=10.10.3.3 srcname="machinename" srcport=65022 srcintf="VLAN 38" srcintfrole="lan" dstip=10.10.6.0 dstport=445 dstintf="Vlan56" dstintfrole="dmz" srcuuid="7b262bf8-e0e8-51ec-4197-0dc64c381695" dstuuid="29afee7e-e1a8-51ec-c1ee-7cdf4bdb886a" srccountry="Reserved" dstcountry="Reserved" sessionid=68542510 proto=6 action="accept" policyid=98 policytype="policy" poluuid="ae0c6dda-1e1d-51ed-5cae-f482715833c0" policyname="Client-FileServer" user="USER1" authserver="Local Agent" service="SMB" trandisp="snat" transip=10.10.6.1 transport=65022 duration=22836 sentbyte=132873148 rcvdbyte=249818534 sentpkt=233036 rcvdpkt=257899 appcat="unscanned" sentdelta=6527 rcvddelta=6272 srchwvendor="XXXXX" osname="Windows" srcswversion="NT " unauthuser="USER1" unauthusersource="kerberos" mastersrcmac="xx:xx:xx:xx:78:d3" srcmac="xx:xx:xx:20:78:d3" srcserver=0 dsthwvendor="xxxxx" dstdevtype="Server" dstfamily="Machine" dstosname="Windows" dsthwversion="Virtual Machine" dstswversion="xx / 20xx" dstunauthuser="USER2" dstunauthusersource="kerberos" masterdstmac="xx:xx:xx:xx:3d:e4" dstmac="xx:xx:xx:xx:3d:e4" dstserver=0'

**Phase 2: Completed decoding.
        name: 'fortigate-firewall-v6'
        action: 'accept'
        . . .
        type: 'traffic'
        vd: 'saad'

**Phase 3: Completed filtering (rules).
        id: '81618'
        level: '1'
        description: 'Fortigate: Traffic to be aware of.'
        groups: '['fortigate', 'syslog']'
        firedtimes: '1'
        gdpr: '['IV_35.7.d']'
        hipaa: '['164.312.b']'
        mail: 'False'
        nist_800_53: '['AU.6']'
        pci_dss: '['10.6.1']'


**Phase 1: Completed pre-decoding.
        full event: 'logver=700120523 timestamp=1697979519 devname="HH" devid="FG180FTK20001094" vd="saad" date=2023-10-22 time=15:58:39 eventtime=1697979520171383442 tz="+0300" logid="0000000020" type="traffic" subtype="forward" level="notice" srcip=10.10.3.3 srcname="machinename" srcport=65022 srcintf="VLAN 38" srcintfrole="lan" dstip=10.10.6.0 dstport=445 dstintf="Vlan56" dstintfrole="dmz" srcuuid="7b262bf8-e0e8-51ec-4197-0dc64c381695" dstuuid="29afee7e-e1a8-51ec-c1ee-7cdf4bdb886a" srccountry="Reserved" dstcountry="Reserved" sessionid=68542510 proto=6 action="accept" policyid=98 policytype="policy" poluuid="ae0c6dda-1e1d-51ed-5cae-f482715833c0" policyname="Client-FileServer" user="USER1" authserver="Local Agent" service="SMB" trandisp="snat" transip=10.10.6.1 transport=65022 duration=22836 sentbyte=132873148 rcvdbyte=249818534 sentpkt=233036 rcvdpkt=257899 appcat="unscanned" sentdelta=6527 rcvddelta=6272 srchwvendor="XXXXX" osname="Windows" srcswversion="NT " unauthuser="USER1" unauthusersource="kerberos" mastersrcmac="xx:xx:xx:xx:78:d3" srcmac="xx:xx:xx:20:78:d3" srcserver=0 dsthwvendor="xxxxx" dstdevtype="Server" dstfamily="Machine" dstosname="Windows" dsthwversion="Virtual Machine" dstswversion="xx / 20xx" dstunauthuser="USER2" dstunauthusersource="kerberos" masterdstmac="xx:xx:xx:xx:3d:e4" dstmac="xx:xx:xx:xx:3d:e4" dstserver=0'

**Phase 2: Completed decoding.
        name: 'fortigate-firewall-v6'
        action: 'accept'
        . . .
        type: 'traffic'
        vd: 'saad'

**Phase 3: Completed filtering (rules).
        id: '110056'
        level: '10'
        description: 'File Shares Enumeration - SMB Enumeration'
        groups: '['local', 'syslog', 'sshd']'
        firedtimes: '1'
        frequency: '2'
        mail: 'False'
**Alert to be generated.

I look forward to your comments to see if this is what I was looking for.

SOC Team

Oct 23, 2023, 2:46:00 PM
to Wazuh | Mailing List
Thanks Brennuz for the clarification and your help.

SOC Team

Oct 23, 2023, 2:57:56 PM
to Wazuh | Mailing List
Dear Daniel,
The rule was triggered anyway, but the problem is with the port parameter. It appears in the last log only, but in the other logs that frequency captures, there are different ports, not the port 445 that my rule stands on.

Daniel Sappa

Oct 24, 2023, 7:21:14 AM
to Wazuh | Mailing List
I think I understand what the problem is: this condition is governed by the last record that has arrived.

This can be seen between these two commands:

root@wazuh:/var/ossec/etc/rules# grep dstport=443 ~/previous_output | head -1 | cat - ~/full_log | /var/ossec/bin/wazuh-logtest
        . . .
        transport: '65022'

        type: 'traffic'
        vd: 'saad'

**Phase 3: Completed filtering (rules).
        id: '110056'
        level: '10'
        description: 'File Shares Enumeration - SMB Enumeration'
        groups: '['local', 'syslog', 'sshd']'
        firedtimes: '1'
        frequency: '2'
        mail: 'False'
**Alert to be generated.

root@wazuh:/var/ossec/etc/rules# grep dstport=443 ~/previous_output | head -1 | cat ~/full_log - | /var/ossec/bin/wazuh-logtest
        . . .
        time: '15:58:39'
        trandisp: 'noop'
        type: 'traffic'
        vd: 'XXXX'


**Phase 3: Completed filtering (rules).
        id: '81618'
        level: '1'
        description: 'Fortigate: Traffic to be aware of.'
        groups: '['fortigate', 'syslog']'
        firedtimes: '2'

        gdpr: '['IV_35.7.d']'
        hipaa: '['164.312.b']'
        mail: 'False'
        nist_800_53: '['AU.6']'
        pci_dss: '['10.6.1']'


One way to approach this is to rely on a rule that considers the required port value.

  <rule id="81699" level="9">

    <if_matched_sid>81618</if_matched_sid>
    <dstport type="pcre2">^445$</dstport>
    <description>81618 with port 445</description>
  </rule>


  <rule id="110056" level="10" frequency="2" timeframe="60">
    <if_matched_sid>81699</if_matched_sid>

    <!--same_dstport /-->
    <same_source_ip />
  <!--
    <different_dstip />
  -->
    <description>File Shares Enumeration - SMB Enumeration</description>
  </rule>

In this case it is important that the new base rule has a lower priority than the final rule.

root@wazuh:/var/ossec/etc/rules# grep dstport=443 ~/previous_output | head -1 | cat - ~/full_log ~/full_log | /var/ossec/bin/wazuh-logtest
        . . .
        transip: '10.10.6.1'
        transport: '65022'

        type: 'traffic'
        vd: 'saad'

**Phase 3: Completed filtering (rules).
        id: '110056'
        level: '10'
        description: 'File Shares Enumeration - SMB Enumeration'
        groups: '['local', 'syslog', 'sshd']'
        firedtimes: '1'
        frequency: '2'
        mail: 'False'
**Alert to be generated.