Suricata Rule to Detect SMB File Transfer

Trying to write a rule to simply detect a file transfer via SMB between any hosts. Unsuccessful so far in finding any similar rule. Can anyone help?
Thanks

What does the rule look like ? It could also be something related to the traffic/pcap.

Just need to alert on a file transfer via SMB. That’s it. Should be simple but don’t see any consistant signature in the traffic.

To be clear. I haven’t been able to identify the basis for a rule other than alerting on the use of the SMB protocol. But I want to restrict the alert to just fire on a file transfer.

Something like alert smb any any -> any any (msg:"SMB file"; flow:established; filestore; sid:1) ?

I understand your thinking here. Thank you. Will test

Update: Didn’t work but thanks for the effort. Can alert on file open but not file transfer

@rmcleod13215 Hey do you have a pcap that you can share? If not, I found these Malware-Traffic-Analysis.net - Pcaps for Tutorial on Exporting Objects and example-03 has smb traffic. The traffic will change depending on which version of SMB is being used.

You can look for the NT Create AndX Request/Response which is just the request not the actual transfer but could work. For the transfer you can look at the Write AndX Request. This is where the data starts to get transferred.

https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-cifs/d3f83a7e-493b-4d29-b21c-55768b93e144