From c63ad1cdcf98080fd3ce4bfa352b267f621caa4c Mon Sep 17 00:00:00 2001
From: Seth Hall
Date: Mon, 7 Mar 2016 16:03:31 -0500
Subject: [PATCH] Add a signature for SMB
---
 scripts/base/protocols/smb/__load__.bro | 4 +++-
 scripts/base/protocols/smb/dpd.sig | 5 +++++
 2 files changed, 8 insertions(+), 1 deletion(-)
 create mode 100644 scripts/base/protocols/smb/dpd.sig
diff --git a/scripts/base/protocols/smb/__load__.bro b/scripts/base/protocols/smb/__load__.bro
index bfaf121fe1..0d9de8c984 100644
--- a/scripts/base/protocols/smb/__load__.bro
+++ b/scripts/base/protocols/smb/__load__.bro
@@ -5,4 +5,6 @@
 @load ./pipe
 @load ./smb1-main
 @load ./smb2-main
-@load ./files
\ No newline at end of file
+@load ./files
+
+@load-sigs ./dpd.sig
diff --git a/scripts/base/protocols/smb/dpd.sig b/scripts/base/protocols/smb/dpd.sig
new file mode 100644
index 0000000000..c7bd691cb5
--- /dev/null
+++ b/scripts/base/protocols/smb/dpd.sig
@@ -0,0 +1,5 @@
+signature dpd_smb {
+ ip-proto == tcp
+ payload /^....[\xfe\xff]SMB/
+ enable "smb"
+}
\ No newline at end of file
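Review bot: The payload pattern in dpd_smb leaves the first four bytes unconstrained (`^....`), so any TCP stream whose bytes 5–8 happen to be `\xffSMB` or `\xfeSMB` gets the SMB analyzer attached, and nothing in the new file says what those four bytes are meant to be. A comment above the rule such as `# 4-byte NetBIOS session header, then the SMB1 (\xff) or SMB2 (\xfe) protocol id` would record the intent. If only session messages are expected at this offset, pinning the first byte (`payload /^\x00...[\xfe\xff]SMB/`) would reduce chance matches, though that should be confirmed against captures on both port 445 and port 139 before tightening. dpd.sig is also added without a trailing newline, the same issue this commit corrects in `__load__.bro`.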