Bro-Dev Group,
ISSUE: I encountered an issue where Bro is not logging some rather
significant SMB1 commands in the smb_cmd.log file.  I understand that some
SMB commands are deliberately omitted from the log (such as Negotiate
Protocol, Session Setup, and Tree Connect); however, I observe that an
instance of NT Create and Delete are not being recorded.  I also understand
that some SMB messages are deliberately omitted based on the status code;
but the status codes are STATUS_SUCCESS, so it should be logged.  In this
particular traffic sample, there are more than 100 SMB messages going back
and forth in the TCP stream, but only the first several are recorded in
smb_cmd.log, then it stops.  Please help.
Bro Version:
I am using the Bro v2.5.1 docker image I pulled from the following URL:
PCAP File:
I downloaded the "smbtorture" pcap file from the Wireshark public
repository, at the URL:
The issue I observe corresponds to stream #1 extracted from the file above,
via filter: ' eq 1'.  I attached a PCAP file containing stream #1
PCAP Analysis of SMB Messages:
From the PCAP file, using Wireshark, the following sequence of SMB Messages
is observed (summarized below as Request & Response pairs):
                (01) Negotiate Protocol Req & Resp
                (02) Session Setup AndX Req & Resp [x2]
                (03) Tree Connect AndX Req & Resp
                (04) Delete Req & Resp [file \torture_qfileinfo.txt]
                (05) NT Create AndX Req & Resp [fid 4000, file
                (06) Write AndX Req & Resp
                (07) Trans2 Req & Resp
                (08) Set Information2 Req & Resp
                (09) Query Information2 Req & Resp
                (10) Query Information Req & Resp
                (11) Query Information2 Req & Resp
                (12) Trans2 Req & Resp [x57]
                (13) Close Req & Resp [fid 4000]
                (14) NT Create AndX Req & Resp [fid 4001, file TORTUR~1.TXT]
                (15) Close Req & Resp [fid 4001]
                (16) Delete Req & Resp [file \torture_qfileinfo.txt -> formerly fid 4000]
                (17) Tree Disconnect
Bro Analysis of smb_cmd.log:
The Bro smb_cmd.log records events (04) - (10).  I understand that events
(01) - (03) are deliberately omitted from the log, but I am concerned that
nothing is logged after event (10), Query Information Req & Resp.
I think this is an important issue because the smb_cmd.log fails to record
two significant events in this TCP stream:
                (i) A second file is created in step (14)
                (ii) The first file (created in step [05]) is deleted in step
The SMB messages look well-formed in Wireshark.  Nothing seems to be wrong.
The SMB status code is STATUS_SUCCESS for the requests and the responses, so
it should be logged.
Attached are the following artifacts to help you reproduce the issue:
                (a) ws_smbtorture_stream001.pcap (pcap of stream #1 only)
                (b) test.bro script
                (c) smb_cmd.log
                (d) smb_files.log
                (e) files.log
                (f) conn.log
                (g) packet_filter.log
Not sure what is going wrong.  Please help.

bro-dev mailing list
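The following Bro script is an added diagnostic for the situation described in the post above; it is not the poster's attached test.bro and not part of the Bro distribution. Rather than relying on the smb_cmd.log policy, it hooks the low-level `smb1_message` event (raised by the SMB analyzer for every SMB1 request and response, as of Bro 2.5) and writes one row per message, including the numeric command and NT status, to a separate log. Comparing that log's row count against smb_cmd.log for the same pcap shows whether the analyzer stops parsing the stream after Query Information or keeps parsing while only the logging stops. The file name `smb1_trace.bro`, the log path `smb1_trace` and the usage line are assumptions.

```bro
# Added diagnostic script (example code, not from the original post).
# Logs every SMB1 message the analyzer parses, independent of the
# filtering done by the smb_cmd.log policy scripts.
#
# Usage (assumed file names):
#   bro -C -r ws_smbtorture_stream001.pcap smb1_trace.bro
#   wc -l smb1_trace.log smb_cmd.log

@load base/protocols/smb

module SMB1Trace;

export {
    redef enum Log::ID += { LOG };

    # One row per SMB1 request or response.
    type Info: record {
        ts:       time    &log;   # network time of the message
        uid:      string  &log;   # connection UID, joinable with conn.log
        id:       conn_id &log;
        is_orig:  bool    &log;   # T = request (client), F = response (server)
        command:  count   &log;   # SMB1 command byte
        cmd_name: string  &log;   # name looked up in SMB1::commands
        status:   string  &log;   # NT status as hex, 0x00000000 = STATUS_SUCCESS
        tid:      count   &log;   # tree id
        mid:      count   &log;   # multiplex id, pairs requests with responses
    };
}

event bro_init()
    {
    Log::create_stream(LOG, [$columns=Info, $path="smb1_trace"]);
    }

# Fires for every SMB1 message the analyzer successfully parses, so a gap
# here (not just in smb_cmd.log) points at the parser rather than the policy.
event smb1_message(c: connection, hdr: SMB1::Header, is_orig: bool)
    {
    local name = hdr$command in SMB1::commands ?
                 SMB1::commands[hdr$command] :
                 fmt("unknown-0x%02x", hdr$command);

    Log::write(LOG, [$ts=network_time(),
                     $uid=c$uid,
                     $id=c$id,
                     $is_orig=is_orig,
                     $command=hdr$command,
                     $cmd_name=name,
                     $status=fmt("0x%08x", hdr$status),
                     $tid=hdr$tid,
                     $mid=hdr$mid]);
    }
```

If smb1_trace.log contains rows for the NT Create AndX (fid 4001), Close and Delete messages while smb_cmd.log does not, the analyzer is still parsing and the omission is in the logging policy; if smb1_trace.log also stops at the same point, the parser itself is bailing out on the Trans2 run, and a `protocol_violation` or a dpd.log entry for that connection would be the next thing to look for.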