No information provided
Per the SMB2 specification, the next command field, also called the "offset" or "chain offset" field, allows for compounded requests. Compounding is "a method of combining multiple SMB 2 Protocol requests or responses into a single transmission request for submission to the underlying transport." This rule evaluates that field, compares it to the size of the payload, and alerts when it detects an offset larger than the size of the payload. NOTE: This alert is related to detection of SMBGhost (CVE-2020-0796). That vulnerability can also be detected with sid 54217
This preprocessor rule will alert when it sees an offset to the next command in a chain of SMB2 commands that is larger than the size of the whole message
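The check described above, written out as an added Python example (not the Snort preprocessor's own code): it walks the NextCommand chain of an SMB2 message and flags a chain offset that points past the end of the message. The header layout (4-byte NextCommand at offset 20 of the 64-byte SMB2 header) follows MS-SMB2; the two sample messages are constructed inline, not captured traffic, and the command codes and bodies in them are placeholders.

```python
import struct

SMB2_MAGIC = b"\xfeSMB"
SMB2_HEADER_LEN = 64
NEXT_COMMAND_OFFSET = 20  # byte offset of the 4-byte NextCommand field in the SMB2 header


def smb2_header(command: int, message_id: int, next_command: int = 0) -> bytes:
    """Build a minimal 64-byte SMB2 header (constructed test data only)."""
    return (
        SMB2_MAGIC
        # StructureSize, CreditCharge, Status, Command, CreditRequest, Flags, NextCommand
        + struct.pack("<HHIHHII", 64, 0, 0, command, 0, 0, next_command)
        # MessageId, Reserved, TreeId, SessionId
        + struct.pack("<QIIQ", message_id, 0, 0, 0)
        + b"\x00" * 16  # Signature (unsigned)
    )


def audit_compound_chain(message: bytes) -> list:
    """Walk the NextCommand chain; return (header_offset, next_command, verdict) per hop."""
    findings = []
    pos = 0
    total = len(message)
    while True:
        if total - pos < SMB2_HEADER_LEN or message[pos:pos + 4] != SMB2_MAGIC:
            findings.append((pos, None, "truncated_or_not_smb2"))
            break
        next_cmd = struct.unpack_from("<I", message, pos + NEXT_COMMAND_OFFSET)[0]
        if next_cmd == 0:
            findings.append((pos, 0, "end_of_chain"))  # last command in the compound
            break
        # The rule's condition: the chain offset reaches beyond the bytes actually present.
        if next_cmd > total - pos:
            findings.append((pos, next_cmd, "offset_beyond_message"))
            break
        # A non-zero offset shorter than one header would land inside the current
        # header; stop here rather than loop on malformed input.
        if next_cmd < SMB2_HEADER_LEN:
            findings.append((pos, next_cmd, "overlaps_current_header"))
            break
        findings.append((pos, next_cmd, "ok"))
        pos += next_cmd
    return findings


def should_alert(message: bytes) -> bool:
    """True when any hop's NextCommand points past the end of the message."""
    return any(verdict == "offset_beyond_message" for _, _, verdict in audit_compound_chain(message))


# Constructed sample 1: two chained commands, each with an 8-byte placeholder body.
# First NextCommand = 64 (header) + 8 (body) = 72, second NextCommand = 0.
BENIGN_COMPOUND = (
    smb2_header(0x0005, 1, next_command=72) + b"\x00" * 8
    + smb2_header(0x0008, 2) + b"\x00" * 8
)

# Constructed sample 2: a single 72-byte message whose NextCommand claims the next
# header sits 4096 bytes in, far beyond the payload that was actually sent.
OVERSIZED_OFFSET = smb2_header(0x0005, 1, next_command=0x1000) + b"\x00" * 8

if __name__ == "__main__":
    for name, msg in (("benign", BENIGN_COMPOUND), ("oversized", OVERSIZED_OFFSET)):
        print(name, audit_compound_chain(msg), "ALERT" if should_alert(msg) else "ok")
```

The walk operates on a single reassembled SMB2 message, so in practice it sits behind whatever transport reassembly (NetBIOS session framing over TCP 445) delivers complete messages; a message cut short by the transport layer shows up as "truncated_or_not_smb2" rather than as an alert.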
Attacks/Scans seen in the wild
No known false positives
Cisco Talos Intelligence Group
No rule groups
None
No information provided
None
Tactic: Execution
Technique: User Execution
For reference, see the MITRE ATT&CK vulnerability types here: https://attack.mitre.org