SMB2 file delete detection

Thank you for reading this. SMB2 does not appear to use an opcode for file delete like SMB1 did. If this is true, is there a Suricata rule that can be used to detect a file delete from another host via SMB2?

Sounds like the Wireshark Wiki page "SMB2/SMB2_FILE_DISPOSITION_INFO" might be a step in the right direction. I don't really know SMB or Windows though.

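To make concrete what the reply points at, here is an added example that is not from this thread, from Suricata or from the Wireshark Wiki: a small Python decoder that walks a (possibly compounded) SMB2 request and flags the messages that ask the server to delete a file. Field offsets follow the MS-SMB2 header, SET_INFO and CREATE layouts; the sample messages are constructed inline. It goes beyond the single FILE_DISPOSITION_INFO case by also catching FileDispositionInformationEx (the SMB 3.x class with the FILE_DISPOSITION_DELETE flag) and CREATE requests carrying FILE_DELETE_ON_CLOSE, which are the other ways a client requests a delete when there is no dedicated delete command.

```python
"""Flag SMB2 requests that delete a file (layouts per MS-SMB2).

A delete arrives as SET_INFO with FileDispositionInformation (DeletePending=1)
or FileDispositionInformationEx (FILE_DISPOSITION_DELETE), or as a CREATE with
FILE_DELETE_ON_CLOSE.  All sample messages below are constructed for the demo.
"""
import struct

SMB2_MAGIC = b"\xfeSMB"
HDR_LEN = 64
SMB2_FLAGS_SERVER_TO_REDIR = 0x00000001   # set on responses; only requests are inspected
SMB2_CREATE = 0x0005
SMB2_SET_INFO = 0x0011
SMB2_0_INFO_FILE = 0x01
FILE_DISPOSITION_INFORMATION = 13
FILE_DISPOSITION_INFORMATION_EX = 64
FILE_DISPOSITION_DELETE = 0x00000001
FILE_DELETE_ON_CLOSE = 0x00001000


def parse_header(msg):
    """Return the SMB2 header fields of one message, or None if it is not SMB2."""
    if len(msg) < HDR_LEN or msg[:4] != SMB2_MAGIC:
        return None
    f = struct.unpack_from("<HHIHHIIQIIQ", msg, 4)
    return {"command": f[3], "flags": f[5], "next_command": f[6],
            "message_id": f[7], "tree_id": f[9], "session_id": f[10]}


def check_set_info(msg):
    """SET_INFO request whose info class carries a delete flag."""
    if len(msg) < HDR_LEN + 32:
        return None
    (_size, info_type, info_class, buf_len, buf_off,
     _res, _addl, file_id) = struct.unpack_from("<HBBIHHI16s", msg, HDR_LEN)
    if info_type != SMB2_0_INFO_FILE or buf_off + buf_len > len(msg):
        return None
    data = msg[buf_off:buf_off + buf_len]          # BufferOffset is from header start
    if info_class == FILE_DISPOSITION_INFORMATION and buf_len >= 1 and data[0] != 0:
        return {"command": "SET_INFO", "reason": "FileDispositionInformation DeletePending=1",
                "file_id": file_id.hex()}
    if (info_class == FILE_DISPOSITION_INFORMATION_EX and buf_len >= 4
            and struct.unpack_from("<I", data)[0] & FILE_DISPOSITION_DELETE):
        return {"command": "SET_INFO", "reason": "FileDispositionInformationEx FILE_DISPOSITION_DELETE",
                "file_id": file_id.hex()}
    return None


def check_create(msg):
    """CREATE request with FILE_DELETE_ON_CLOSE in CreateOptions."""
    if len(msg) < HDR_LEN + 56:
        return None
    f = struct.unpack_from("<HBBIQQIIIIIHHII", msg, HDR_LEN)
    create_options, name_off, name_len = f[10], f[11], f[12]
    if not create_options & FILE_DELETE_ON_CLOSE:
        return None
    name = msg[name_off:name_off + name_len].decode("utf-16-le", errors="replace")
    return {"command": "CREATE", "reason": "FILE_DELETE_ON_CLOSE", "path": name}


def find_delete_requests(buf):
    """Walk a compounded SMB2 message (NextCommand chain); one finding per delete request."""
    findings, offset = [], 0
    while offset + HDR_LEN <= len(buf):
        hdr = parse_header(buf[offset:])
        if hdr is None:
            break
        nxt = hdr["next_command"]
        msg = buf[offset:offset + nxt] if nxt else buf[offset:]
        if not hdr["flags"] & SMB2_FLAGS_SERVER_TO_REDIR:
            check = {SMB2_SET_INFO: check_set_info, SMB2_CREATE: check_create}.get(hdr["command"])
            finding = check(msg) if check else None
            if finding:
                finding.update(message_id=hdr["message_id"], tree_id=hdr["tree_id"])
                findings.append(finding)
        if not nxt:
            break
        offset += nxt
    return findings


# ---- constructed sample messages (not captured traffic) ----
def _header(command, message_id, next_command=0):
    return SMB2_MAGIC + struct.pack("<HHIHHIIQIIQ", 64, 1, 0, command, 1, 0,
                                    next_command, message_id, 0, 1, 0x1234) + bytes(16)


def sample_set_info_delete(delete_pending=True):
    file_id = bytes(range(16))
    body = struct.pack("<HBBIHHI16s", 33, SMB2_0_INFO_FILE, FILE_DISPOSITION_INFORMATION,
                       1, HDR_LEN + 32, 0, 0, file_id)
    return _header(SMB2_SET_INFO, 7) + body + bytes([1 if delete_pending else 0])


def sample_create(path, create_options, message_id=3, next_command=0):
    name = path.encode("utf-16-le")
    body = struct.pack("<HBBIQQIIIIIHHII", 57, 0, 0, 2, 0, 0, 0x00010000, 0, 7, 1,
                       create_options, HDR_LEN + 56, len(name), 0, 0)
    return _header(SMB2_CREATE, message_id, next_command) + body + name


def sample_compound_create_then_delete():
    """CREATE (no delete flag) chained to a SET_INFO delete; NextCommand is 8-byte aligned."""
    first_len = HDR_LEN + 56 + len("dir\\notes.txt".encode("utf-16-le"))
    padded = (first_len + 7) // 8 * 8
    first = sample_create("dir\\notes.txt", 0x00000040, message_id=3, next_command=padded)
    return first + bytes(padded - first_len) + sample_set_info_delete()


if __name__ == "__main__":
    for label, pkt in [("set_info delete", sample_set_info_delete()),
                       ("set_info keep", sample_set_info_delete(False)),
                       ("create delete-on-close", sample_create("tmp\\x.log", FILE_DELETE_ON_CLOSE)),
                       ("compound", sample_compound_create_then_delete())]:
        print(label, find_delete_requests(pkt))
```

Two things to keep in mind when turning this into a wire-level rule: the SET_INFO body only identifies the file by its 16-byte FileId, so the path has to be recovered by correlating with the earlier CREATE on the same TreeId/SessionId, and none of these fields are visible once SMB 3.x encryption is on (the message is wrapped in a transform header starting with 0xFD 'SMB'), in which case host-side file-audit events are the only place the delete shows up.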