This is probably a bug. That smb torture pcap is a notoriously bad
example (although it does exhibit some far, far edge case type of
behavior). I deliberately did not use that pcap as an example while I
was writing the SMB analyzer because it sent me down a lot of rabbit
holes that didn't provide much benefit for the first run at the SMB
analyzer.
If you identify the bug, please report back. My experience is that just
running down these bugs to the exact failure can take quite a while.
.Seth
On 23 Feb 2018, at 10:09, Fernandez, Mark I wrote:
Bro-Dev Group,
ISSUE: I encountered an issue where Bro is not logging some rather significant SMB1 commands in the smb_cmd.log file. I understand that some SMB commands are deliberately omitted from the log (such as Negotiate Protocol, Session Setup, and Tree Connect); however, I observe that an instance of NT Create and Delete are not being recorded. I also understand that some SMB messages are deliberately omitted based on the status code; but the status codes are STATUS_SUCCESS, so it should be logged. In this particular traffic sample, there are more than 100 SMB messages going back and forth in the TCP stream, but only the first several are recorded in smb_cmd.log, then it stops. Please help.
Bro Version:
I am using the Bro v2.5.1 docker image I pulled from the following URL: https://hub.docker.com/r/rsmmr/hilti/
PCAP File:
I downloaded the "smbtorture" pcap file from the Wireshark public repository, at the URL: https://wiki.wireshark.org/SampleCaptures?action=AttachFile&do=get&target=smbtorture.cap.gz
The issue I observe corresponds to stream #1 extracted from the file above, via filter: 'tcp.stream eq 1'. I attached a PCAP file containing stream #1 only.
PCAP Analysis of SMB Messages:
From the PCAP file, using Wireshark, the following sequence of SMB messages is observed (summarized below as Request & Response pairs):
(01) Negotiate Protocol Req & Resp
(02) Session Setup AndX Req & Resp [x2]
(03) Tree Connect AndX Req & Resp
(04) Delete Req & Resp [file \torture_qfileinfo.txt]
(05) NT Create AndX Req & Resp [fid 4000, file \torture_qfileinfo.txt]
(06) Write AndX Req & Resp
(07) Trans2 Req & Resp
(08) Set Information2 Req & Resp
(09) Query Information2 Req & Resp
(10) Query Information Req & Resp
(11) Query Information2 Req & Resp
(12) Trans2 Req & Resp [x57]
(13) Close Req & Resp [fid 4000]
(14) NT Create AndX Req & Resp [fid 4001, file TORTUR~1.TXT]
(15) Close Req & Resp [fid 4001]
(16) Delete Req & Resp [file \torture_qfileinfo.txt -> formerly fid 4000]
(17) Tree Disconnect
Bro Analysis of smb_cmd.log:
The Bro smb_cmd.log records events (04) - (10). I understand that events (01) - (03) are deliberately omitted from the log, but I am concerned that nothing is logged after event (10), Query Information Req & Resp.
I think this is an important issue because the smb_cmd.log fails to record two significant events in this TCP stream:
(i) A second file is created in step (14)
(ii) The first file (created in step [05]) is deleted in step (16)
The SMB messages look well-formed in Wireshark. Nothing seems to be wrong. The SMB status code is STATUS_SUCCESS for the requests and the responses, so it should be logged.
Artifacts:
Attached are the following artifacts to help you reproduce the issue:
(a) ws_smbtorture_stream001.pcap (pcap of stream #1 only)
(b) test.bro script
(c) smb_cmd.log
(d) smb_files.log
(e) files.log
(f) conn.log
(g) packet_filter.log
Not sure what is going wrong. Please help.
Cheers,
Mark
_______________________________________________
bro-dev mailing list
bro-dev@bro.org
http://mailman.icsi.berkeley.edu/mailman/listinfo/bro-dev
--
Seth Hall * Corelight, Inc * www.corelight.com
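A practitioner's check for a report like the one above, as an added example that is not code from the thread or from the Bro project: parse smb_cmd.log by its #fields header, pull the command sequence for the stream's connection uid, and compare it with the request/response list Mark extracted in Wireshark, so the output states the exact step at which logging stopped and whether any logged status was something other than success (a status-based drop would explain missing lines; a clean run of successes, as reported here, would not). The log excerpt in the block is constructed with a trimmed field list; the uid, the timestamps, the upper-case command names and the "SUCCESS" status string are assumptions, not values taken from the attachments.

```python
# Added example, not code from the bro-dev thread or the Bro project: check
# what Bro wrote to smb_cmd.log for one connection against the request/response
# sequence seen in Wireshark, to pinpoint where logging stopped.
from typing import Dict, List, Optional, Tuple

# Constructed smb_cmd.log excerpt with a trimmed field list.  The uid, the
# timestamps, the upper-case command names and the "SUCCESS" status string are
# assumptions for this example, not values taken from the report's attachments.
# Only steps (04) to (10) are present, mirroring what the report describes.
STREAM1_UID = "CHhAvVGS1DHFjwGM9"
SAMPLE_SMB_CMD_LOG = (
    "#separator \\x09\n"
    "#set_separator\t,\n"
    "#empty_field\t(empty)\n"
    "#unset_field\t-\n"
    "#path\tsmb_cmd\n"
    "#fields\tts\tuid\tcommand\tsub_command\targument\tstatus\n"
    "#types\ttime\tstring\tstring\tstring\tstring\tstring\n"
    f"1519380000.100000\t{STREAM1_UID}\tDELETE\t-\t\\torture_qfileinfo.txt\tSUCCESS\n"
    f"1519380000.110000\t{STREAM1_UID}\tNT_CREATE_ANDX\t-\t\\torture_qfileinfo.txt\tSUCCESS\n"
    f"1519380000.120000\t{STREAM1_UID}\tWRITE_ANDX\t-\t-\tSUCCESS\n"
    f"1519380000.130000\t{STREAM1_UID}\tTRANSACTION2\t-\t-\tSUCCESS\n"
    f"1519380000.140000\t{STREAM1_UID}\tSET_INFORMATION2\t-\t-\tSUCCESS\n"
    f"1519380000.150000\t{STREAM1_UID}\tQUERY_INFORMATION2\t-\t-\tSUCCESS\n"
    f"1519380000.160000\t{STREAM1_UID}\tQUERY_INFORMATION\t-\t-\tSUCCESS\n"
    "#close\t2018-02-23-10-09-00\n"
)

# Steps (04) to (17) from the Wireshark summary in the report; (01) to (03) are
# left out because Bro omits them on purpose.  Step (12) repeats 57 times.
EXPECTED_STREAM1: List[Tuple[str, str]] = (
    [("04", "DELETE"), ("05", "NT_CREATE_ANDX"), ("06", "WRITE_ANDX"),
     ("07", "TRANSACTION2"), ("08", "SET_INFORMATION2"),
     ("09", "QUERY_INFORMATION2"), ("10", "QUERY_INFORMATION"),
     ("11", "QUERY_INFORMATION2")]
    + [("12", "TRANSACTION2")] * 57
    + [("13", "CLOSE"), ("14", "NT_CREATE_ANDX"), ("15", "CLOSE"),
       ("16", "DELETE"), ("17", "TREE_DISCONNECT")]
)


def parse_zeek_log(text: str) -> List[Dict[str, str]]:
    """Parse Bro/Zeek TSV log text into one dict per data line, keyed by the
    column names from the #fields header; other '#' header lines are skipped."""
    sep = "\t"
    fields: Optional[List[str]] = None
    rows: List[Dict[str, str]] = []
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#separator "):
                # The header spells the separator as an escape such as \x09.
                sep = line[len("#separator "):].encode("ascii").decode("unicode_escape")
            elif line.startswith("#fields"):
                fields = line.split(sep)[1:]
            continue
        if fields is None:
            raise ValueError("data line appeared before the #fields header")
        values = line.split(sep)
        if len(values) != len(fields):
            raise ValueError(f"expected {len(fields)} columns, got {len(values)}: {line!r}")
        rows.append(dict(zip(fields, values)))
    return rows


def commands_for_uid(rows: List[Dict[str, str]], uid: str) -> List[Tuple[str, str]]:
    """Ordered (command, status) pairs that Bro logged for one connection uid."""
    return [(r["command"], r["status"]) for r in rows if r["uid"] == uid]


def coverage_report(expected: List[Tuple[str, str]], logged: List[Tuple[str, str]],
                    success: str = "SUCCESS") -> Dict[str, object]:
    """Walk the pcap-derived sequence against the logged one.  Reports how many
    leading steps matched, the first expected step absent from the log, the
    first step where the log's order diverges from the pcap, and any logged
    entry whose status is not success."""
    matched = 0
    divergence: Optional[Tuple[str, str, str]] = None
    for (step, cmd), (got_cmd, _status) in zip(expected, logged):
        if cmd != got_cmd:
            divergence = (step, cmd, got_cmd)
            break
        matched += 1
    first_missing = None
    if divergence is None and matched < len(expected):
        first_missing = expected[matched]
    return {
        "expected": len(expected),
        "logged": len(logged),
        "matched_prefix": matched,
        "first_missing": first_missing,
        "divergence": divergence,
        "non_success": [(c, s) for c, s in logged if s != success],
    }


if __name__ == "__main__":
    rows = parse_zeek_log(SAMPLE_SMB_CMD_LOG)
    report = coverage_report(EXPECTED_STREAM1, commands_for_uid(rows, STREAM1_UID))
    print(f"pcap steps: {report['expected']}, logged: {report['logged']}, "
          f"matched prefix: {report['matched_prefix']}")
    if report["first_missing"]:
        step, cmd = report["first_missing"]
        print(f"log stops before step ({step}) {cmd}")
    if report["divergence"]:
        print(f"order diverges at step {report['divergence']}")
    print(f"entries with a non-success status: {report['non_success']}")
```

Run against a real smb_cmd.log, replace `SAMPLE_SMB_CMD_LOG` with the file contents, take the uid from conn.log for the stream, and adjust the expected list and the success string to the names the installed Bro version actually emits; the parser itself only relies on the #separator and #fields headers, so it works unchanged on other Bro/Zeek logs.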