None of the 4.0-only SMB signatures are necessarily good candidates for string-based regexes. Due to the complexity and variability of the SMB protocol, a special protocol engine for SMB was needed. This was done for reasons of speed and reducing false positives. While it is true that you might be able to construct a regex to match the conditions for the signatures you listed, it would come at a great expense in terms of processor / memory usage due to the complexity of the regexes needed. This is especially true for 3.x systems. Using a more straightforward protocol parser, like 4.0 does, reduces this impact significantly. Also, with a complex regex, the possibility of false positives greatly increases in our experience. This, in a nutshell, is why the signatures are 4.0 only.
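The false-positive point in the reply above, as an added example that is not part of the original post and is not Cisco's engine code: a byte-string signature and a minimal SMB1 framing parser are run over the same constructed traffic. The "alert on Session Setup AndX" signature, the function names and the sample streams are assumptions made for illustration, and the message bodies are simplified to opaque bytes.

```python
import re
import struct

SMB1_MAGIC = b"\xffSMB"
SESSION_SETUP_ANDX = 0x73  # SMB1 command code
WRITE_ANDX = 0x2F          # SMB1 command code

# Hypothetical string signature: magic plus command byte, anywhere in the stream.
NAIVE_SIG = re.compile(rb"\xffSMB\x73")


def smb1_message(command, body=b""):
    """Build a constructed SMB1 message with direct-TCP (port 445) framing."""
    header = SMB1_MAGIC + struct.pack("<B", command) + b"\x00" * 27  # 32 bytes
    msg = header + body
    return b"\x00" + len(msg).to_bytes(3, "big") + msg


def parse_commands(stream):
    """Walk the 4-byte framing and return the command byte of each message."""
    commands, offset = [], 0
    while offset + 4 <= len(stream):
        length = int.from_bytes(stream[offset + 1:offset + 4], "big")
        msg = stream[offset + 4:offset + 4 + length]
        if len(msg) < length:
            break  # truncated capture: stop instead of guessing
        if len(msg) >= 32 and msg[:4] == SMB1_MAGIC:
            commands.append(msg[4])  # command sits at a fixed header offset
        offset += 4 + length
    return commands


def regex_alerts(stream):
    return NAIVE_SIG.search(stream) is not None


def parser_alerts(stream):
    return SESSION_SETUP_ANDX in parse_commands(stream)


# Constructed samples: a write whose file data happens to contain the
# signature bytes, and a genuine Session Setup AndX request.
BENIGN_WRITE = smb1_message(WRITE_ANDX, b"file data \xffSMB\x73 more data")
SESSION_SETUP = smb1_message(SESSION_SETUP_ANDX)

if __name__ == "__main__":
    for name, s in (("write", BENIGN_WRITE), ("setup", SESSION_SETUP)):
        print(name, "regex:", regex_alerts(s), "parser:", parser_alerts(s))
```

The regex fires on the write because the pattern occurs inside payload bytes; anchoring it correctly would mean encoding the length framing and header offsets in the pattern itself, which is the complexity the reply describes.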
Re: Are there significant differences between 3.x and 4.x signat
The biggest difference between 3.x and 4.0 is that all of our signatures are now implemented in the newer engine format. This means that all signatures have some degree of configurability, which may not have been available before. All of the signature types you mentioned are in 3.x as well as 4.0. And yes, there are signatures which have been and will be released as 4.0-only signatures.