Memcap events
| SID | Description |
| 1 | If the memory cap is reached and the preprocessor is configured to alert. |
SMB events
| SID | Description |
| 2 | An invalid NetBIOS Session Service type was specified in the header. Valid types are: Message, Request (only from client), Positive Response (only from server), Negative Response (only from server), Retarget Response (only from server) and Keep Alive. |
| 3 | An SMB message type was specified in the header. Either a request was made by the server or a response was given by the client. |
| 4 | The SMB id does not equal \xffSMB. Note that since the preprocessor does not yet support SMB2, id of \xfeSMB is turned away before an eventable point is reached. |
| 5 | The word count of the command header is invalid. SMB commands have pretty specific word counts and if the preprocessor sees a command with a word count that doesn't jive with that command, the preprocessor will alert. |
| 6 | Some commands require a minimum number of bytes after the command header. If a command requires this and the byte count is less than the minimum required byte count for that command, the preprocessor will alert. |
| 7 | Some commands, especially the commands from the SMB Core implementation require a data format field that specifies the kind of data that will be coming next. Some commands require a specific format for the data. The preprocessor will alert if the format is not that which is expected for that command. |
| 8 | Many SMB commands have a field containing an offset from the beginning of the SMB header to where the data the command is carrying starts. If this offset puts us before data that has already been processed or after the end of payload, the preprocessor will alert. |
| 9 | Some SMB commands, such as Transaction, have a field containing the total amount of data to be transmitted. If this field is zero, the preprocessor will alert. |
| 10 | The preprocessor will alert if the NetBIOS Session Service length field contains a value less than the size of an SMB header. |
| 11 | The preprocessor will alert if the remaining NetBIOS packet length is less than the size of the SMB command header to be decoded. |
| 12 | The preprocessor will alert if the remaining NetBIOS packet length is less than the size of the SMB command byte count specified in the command header. |
| 13 | The preprocessor will alert if the remaining NetBIOS packet length is less than the size of the SMB command data size specified in the command header. |
| 14 | The preprocessor will alert if the total data count specified in the SMB command header is less than the data size specified in the SMB command header. (Total data count must always be greater than or equal to current data size.) |
| 15 | The preprocessor will alert if the total amount of data sent in a transaction is greater than the total data count specified in the SMB command header. |
| 16 | The preprocessor will alert if the byte count specified in the SMB command header is less than the data size specified in the SMB command. (The byte count must always be greater than or equal to the data size.) |
| 17 | Some of the Core Protocol commands (from the initial SMB implementation) require that the byte count be some value greater than the data size exactly. The preprocessor will alert if the byte count minus a predetermined amount based on the SMB command is not equal to the data size. |
| 18 | For the Tree Connect command (and not the Tree Connect AndX command), the preprocessor has to queue the requests up and wait for a server response to determine whether or not an IPC share was successfully connected to (which is what the preprocessor is interested in). Unlike the Tree Connect AndX response, there is no indication in the Tree Connect response as to whether the share is IPC or not. There should be under normal circumstances no more than a few pending tree connects at a time and the preprocessor will alert if this number is excessive. |
| 19 | After a client is done writing data using the Write* commands, it issues a Read* command to the server to tell it to send a response to the data it has written. In this case the preprocessor is concerned with the server response. The Read* request contains the file id associated with a named pipe instance that the preprocessor will ultimately send the data to. The server response, however, does not contain this file id, so it need to be queued with the request and dequeued with the response. If multiple Read* requests are sent to the server, they are responded to in the order they were sent. There should be under normal circumstances no more than a few pending Read* requests at a time and the preprocessor will alert if this number is excessive. |
| 20 | The preprocessor will alert if the number of chained commands in a single request is greater than or equal to the configured amount (default is 3). |
| 21 | With AndX command chaining it is possible to chain multiple Session Setup AndX commands within the same request. There is, however, only one place in the SMB header to return a login handle (or Uid). Windows does not allow this behavior, however Samba does. This is anomalous behavior and the preprocessor will alert if it happens. |
| 22 | With AndX command chaining it is possible to chain multiple Tree Connect AndX commands within the same request. There is, however, only one place in the SMB header to return a tree handle (or Tid). Windows does not allow this behavior, however Samba does. This is anomalous behavior and the preprocessor will alert if it happens. |
| 23 | When a Session Setup AndX request is sent to the server, the server responds (if the client successfully authenticates) which a user id or login handle. This is used by the client in subsequent requests to indicate that it has authenticated. A Logoff AndX request is sent by the client to indicate it wants to end the session and invalidate the login handle. With commands that are chained after a Session Setup AndX request, the login handle returned by the server is used for the subsequent chained commands. The combination of a Session Setup AndX command with a chained Logoff AndX command, essentially logins in and logs off in the same request and is anomalous behavior. The preprocessor will alert if it sees this. |
| 24 | A Tree Connect AndX command is used to connect to a share. The Tree Disconnect command is used to disconnect from that share. The combination of a Tree Connect AndX command with a chained Tree Disconnect command, essentially connects to a share and disconnects from the same share in the same request and is anomalous behavior. The preprocessor will alert if it sees this. |
| 25 | An Open AndX or Nt Create AndX command is used to open/create a file or named pipe. (The preprocessor is only interested in named pipes as this is where DCE/RPC requests are written to.) The Close command is used to close that file or named pipe. The combination of a Open AndX or Nt Create AndX command with a chained Close command, essentially opens and closes the named pipe in the same request and is anomalous behavior. The preprocessor will alert if it sees this. |
| 26 | The preprocessor will alert if it sees any of the invalid SMB shares configured. It looks for a Tree Connect or Tree Connect AndX to the share. |
| 48 | The preprocessor will alert if a data count for a Core dialect write command is zero. |
| 49 | For some of the Core dialect commands such as Write and Read, there are two data count fields, one in the main command header and one in the data format section. If these aren't the same, the preprocessor will alert. |
| 50 | In the initial negotiation phase of an SMB session, the server in a Negotiate response and the client in a SessionSetupAndX request will advertise the maximum number of outstanding requests supported. The preprocessor will alert if the lesser of the two is exceeded. |
| 51 | When a client sends a request it uses a value called the MID (multiplex id) to match a response, which the server is supposed to echo, to a request. If there are multiple outstanding requests with the same MID, the preprocessor will alert. |
| 52 | In the Negotiate request a client gives a list of SMB dialects it supports, normally in order from least desirable to most desirable and the server responds with the index of the dialect to be used on the SMB session. Anything less than "NT LM 0.12" would be very odd these days (even Windows 98 supports it) and the preprocessor will alert if the client doesn't offer it as a supported dialect or the server chooses a lesser dialect. |
| 53 | There are a number of commands that are considered deprecated and/or obsolete by Microsoft (see MS-CIFS and MS-SMB). If the preprocessor detects the use of a deprecated/obsolete command used it will alert. |
| 54 | There are some commands that can be used that can be considered unusual in the context they are used. These include some of the transaction commands such as: SMB_COM_TRANSACTION / TRANS_READ_NMPIPE SMB_COM_TRANSACTION / TRANS_WRITE_NMPIPE SMB_COM_TRANSACTION2 / TRANS2_OPEN2 SMB_COM_NT_TRANSACT / NT_TRANSACT_CREATE The preprocessor will alert if it detects unusual use of a command. |
| 55 | Transaction commands have a setup count field that indicates the number of 16bit words in the transaction setup. The preprocessor will alert if the setup count is invalid for the transaction command / sub command. |
| 56 | There can be only one Negotiate transaction per session and it is the first thing a client and server do to determine the SMB dialect each supports. The preprocessor will alert if the client attempts multiple dialect negotiations. |
Connection-oriented DCE/RPC events
| SID | Description |
| 27 | The preprocessor will alert if the connection-oriented DCE/RPC major version contained in the header is not equal to 5. |
| 28 | The preprocessor will alert if the connection-oriented DCE/RPC minor version contained in the header is not equal to 0. |
| 29 | The preprocessor will alert if the connection-oriented DCE/RPC PDU type contained in the header is not a valid PDU type. |
| 30 | The preprocessor will alert if the fragment length defined in the header is less than the size of the header. |
| 31 | The preprocessor will alert if the remaining fragment length is less than the remaining packet size. |
| 32 | The preprocessor will alert if in a Bind or Alter Context request, there are no context items specified. |
| 33 | The preprocessor will alert if in a Bind or Alter Context request, there are no transfer syntaxes to go with the requested interface. |
| 34 | The preprocessor will alert if a non-last fragment is less than the size of the negotiated maximum fragment length. Most evasion techniques try to fragment the data as much as possible and usually each fragment comes well below the negotiated transmit size. |
| 35 | The preprocessor will alert if a fragment is larger than the maximum negotiated fragment length. |
| 36 | The byte order of the request data is determined by the Bind in connection-oriented DCE/RPC for Windows. It is anomalous behavior to attempt to change the byte order mid-session. |
| 37 | The call id for a set of fragments in a fragmented request should stay the same (it is incremented for each complete request). The preprocessor will alert if it changes in a fragment mid-request. |
| 38 | The operation number specifies which function the request is calling on the bound interface. If a request is fragmented, this number should stay the same for all fragments. The preprocessor will alert if the opnum changes in a fragment mid-request. |
| 39 | The context id is a handle to a interface that was bound to. If a request if fragmented, this number should stay the same for all fragments. The preprocessor will alert if the context id changes in a fragment mid-request. |
Connectionless DCE/RPC events
| SID | Description |
| 40 | The preprocessor will alert if the connectionless DCE/RPC major version is not equal to 4. |
| 41 | The preprocessor will alert if the connectionless DCE/RPC PDU type is not a valid PDU type. |
| 42 | The preprocessor will alert if the packet data length is less than the size of the connectionless header. |
| 43 | The preprocessor will alert if the sequence number uses in a request is the same or less than a previously used sequence number on the session. In testing, wrapping the sequence number space produces strange behavior from the server, so this should be considered anomalous behavior. |