Bro-Dev Group,
 
ISSUE: I encountered an issue where Bro is not logging some rather
significant SMB1 commands in the smb_cmd.log file.  I understand that some
SMB commands are deliberately omitted from the log (such as Negotiate
Protocol, Session Setup, and Tree Connect); however, I observe that an
instance of NT Create and Delete are not being recorded.  I also understand
that some SMB messages are deliberately omitted based on the status code;
but the status codes ire STATUS_SUCCESS, so it should be logged.  In this
particular traffic sample, there are more than 100+ SMB messages going back
and forth in the TCP stream, but only first several are recorded in
smb_cmd.log, then it stops.  Please help.
 
Bro Version:
I am using the Bro v2.5.1 docker image I pulled from the following URL:
https://hub.docker.com/r/rsmmr/hilti/
 
 
PCAP File:
I downloaded the "smbtorture" pcap file from the Wireshark public
repository, at the URL:
 
https://wiki.wireshark.org/SampleCaptures?action=AttachFile&do=get&target=sm
btorture.cap.gz
 
The issue I observe corresponds to stream #1 extracted from the file above,
via filter: 'tcp.stream eq 1'.  I attached a PCAP file containing stream #1
only.
 
 
PCAP Analysis of SMB Messages:
>From the PCAP file, using Wireshark, the following sequence of SMB Messages
are observed (summarized below as Request & Response pairs):
 
                (01) Negotiate Protocol Req & Resp
                (02) Session Setup AndX Req & Resp [x2]
                (03) Tree Connect AndX Req & Resp
                (04) Delete Req & Resp [file \torture_qfileinfo.txt]
                (05) NT Create AndX Req & Resp [fid 4000, file
\torture_qfileinfo.txt]
                (06) Write AndX Req & Resp
                (07) Trans2 Req & Resp
                (08) Set Information2 Req & Resp
                (09) Query Information2 Req & Resp
                (10) Query Information Req & Resp
                (11) Query Information2 Req & Resp
                (12) Trans2 Req & Resp [x57]
                (13) Close Req & Resp [fid 4000]
                (14) NT Create AndX Req & Resp [fid 4001, file TORTUR~1.TXT]
                (15) Close Req & Resp [fid 4001]
                (16) Delete Req & Resp [file \torture_qfileinfo.txt ->
formerly fid 4000]
                (17) Tree Disconnect
 
 
Bro Analysis of smb_cmd.log:
The Bro smb_cmd.log records events (04) - (10).  I understand that events
(01) - (03) are deliberately omitted from the log, but I am concerned that
nothing is logged after event (10), Query Information Req & Resp.
 
I think this is an important issue because the smb_cmd.log fails to record
two significant events in this TCP stream:
                (i) A second file is created in step (14)
                (ii) The first file (create in step [05]) is deleted in step
(16)
 
The SMB messages look well-formed in Wireshark.  Nothing seems to be wrong.
The SMB status code is STATUS_SUCCESS for the requests and the responses, so
it should be logged.
 
 
Artifacts:
Attached are the following artifacts to help you reproduce the issue:
                (a) ws_smbtorture_stream001.pcap (pcap of stream #1 only)
                (b) test.bro script
                (c) smb_cmd.log
                (d) smb_files.log
                (e) files.log
                (f) conn.log
                (g) packet_filter.log
 
 
Not sure what is going wrong.  Please help.
 
Cheers,
Mark

Attachment: ws_smbtorture_stream001.pcap
Description: Binary data


Attachment: test.bro
Description: Binary data

Attachment: smb_cmd.log
Description: Binary data

Attachment: smb_files.log
Description: Binary data

Attachment: files.log
Description: Binary data

Attachment: conn.log
Description: Binary data

Attachment: packet_filter.log
Description: Binary data

Attachment: smime.p7s
Description: S/MIME cryptographic signature

_______________________________________________
bro-dev mailing list
bro-dev@bro.org
http://mailman.icsi.berkeley.edu/mailman/listinfo/bro-dev

Reply via email to