<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Type" content="text/xhtml; charset=utf-8">
</head>
<body>
<div style="font-family:sans-serif"><div style="white-space:normal"><p dir="auto">This is probably a bug.  That smb torture pcap is a notoriously bad example (although it does exhibit some far, far edge case type of behavior).  I deliberately did not use that pcap as an example while I was writing the SMB analyzer because it sent me down a lot of rabbit holes that didn't provide much benefit for the first run at the SMB analyzer.</p>
<p dir="auto">If you identify the bug, please report back.  My experience is that just running down these bugs to the exact failure can take quite a while.</p>
<p dir="auto">  .Seth</p>
<p dir="auto">On 23 Feb 2018, at 10:09, Fernandez, Mark I wrote:</p>
</div>
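<p dir="auto">Added example, not part of this thread and not Bro's code: a Python script that walks the SMB1 commands in a reassembled TCP stream (AndX chains included) and subtracts the rows found in smb_cmd.log, so a gap like the one reported below shows up as a per-command count instead of a by-eye comparison in Wireshark. Every byte and log line in it is constructed; the upper-case command names, the column subset and dummy uid/addresses of the sample smb_cmd.log, and the set of commands treated as "not logged by policy" (taken from the report's own statement) are assumptions, not facts verified against Bro 2.5.1.</p>

```python
# Added example (not Bro's code): list the SMB1 commands in a reassembled TCP
# stream, AndX chains included, and subtract what Bro wrote to smb_cmd.log.
# All bytes and log lines are constructed; names and columns are assumptions.
import struct
from collections import Counter

LE = "<"                 # SMB1 header and parameter fields are little-endian
SMB1_HEADER_LEN = 32
SMB_FLAGS_REPLY = 0x80   # SMB_Header.Flags bit 7 set: the message is a response
NO_ANDX = 0xFF           # AndXCommand value that terminates an AndX chain
# SMB1 command codes (MS-CIFS); names mimic Bro's smb_cmd.log "command" column
SMB1_COMMANDS = {0x04: "CLOSE", 0x06: "DELETE", 0x08: "QUERY_INFORMATION", 0x22: "SET_INFORMATION2",
                 0x23: "QUERY_INFORMATION2", 0x24: "LOCKING_ANDX", 0x2D: "OPEN_ANDX", 0x2E: "READ_ANDX",
                 0x2F: "WRITE_ANDX", 0x32: "TRANSACTION2", 0x71: "TREE_DISCONNECT", 0x72: "NEGOTIATE",
                 0x73: "SESSION_SETUP_ANDX", 0x74: "LOGOFF_ANDX", 0x75: "TREE_CONNECT_ANDX", 0xA2: "NT_CREATE_ANDX"}
# Commands whose parameter block opens with AndXCommand/AndXReserved/AndXOffset
ANDX_COMMANDS = {0x24, 0x2D, 0x2E, 0x2F, 0x73, 0x74, 0x75, 0xA2}
# Commands the report says Bro keeps out of smb_cmd.log on purpose
NOT_LOGGED = {"NEGOTIATE", "SESSION_SETUP_ANDX", "TREE_CONNECT_ANDX"}

def build_smb1(chain, reply=False, status=0):
    """One NetBIOS-framed SMB1 PDU for the codes in `chain` (all but the last
    must be AndX commands).  Parameter/data blocks are minimal test data."""
    flags = SMB_FLAGS_REPLY if reply else 0
    header = struct.pack(LE + "4sBIBHH8sHHHHH", b"\xffSMB", chain[0], status,
                         flags, 0, 0, b"\0" * 8, 0, 1, 2, 3, 4)
    body = b""
    for i, cmd in enumerate(chain):
        last = i == len(chain) - 1
        if cmd in ANDX_COMMANDS:   # WordCount=2: AndXCommand, AndXReserved, AndXOffset
            nxt = NO_ANDX if last else chain[i + 1]
            off = 0 if last else SMB1_HEADER_LEN + len(body) + 7  # from SMB header start
            body += struct.pack(LE + "BBBHH", 2, nxt, 0, off, 0)   # ... then ByteCount=0
        elif last:
            body += struct.pack(LE + "BH", 0, 0)    # WordCount=0, ByteCount=0
        else:
            raise ValueError("only an AndX command can have a successor")
    pdu = header + body
    return struct.pack(">I", len(pdu)) + pdu   # NetBIOS type 0x00 + 24-bit length

def build_stream(exchanges):
    """Request then response PDU per chain, as both TCP directions interleaved."""
    return b"".join(build_smb1(c) + build_smb1(c, reply=True) for c in exchanges)

def walk_smb1_stream(data):
    """[(direction, command_name, status)] per SMB1 command, following AndX chains.
    A chain stops at a truncated block or an AndXOffset that does not move forward."""
    found, pos = [], 0
    while pos + 4 <= len(data):
        nb = struct.unpack_from(">I", data, pos)[0]
        msg_type, length = nb >> 24, nb & 0xFFFFFF
        pdu = data[pos + 4:pos + 4 + length]
        pos += 4 + length
        if msg_type != 0 or len(pdu) < SMB1_HEADER_LEN or pdu[:4] != b"\xffSMB":
            continue   # keepalive, truncated PDU, or not SMB1 (SMB2 uses \xfeSMB)
        status = struct.unpack_from(LE + "I", pdu, 5)[0]
        direction = "resp" if pdu[9] & SMB_FLAGS_REPLY else "req"
        cmd, off = pdu[4], SMB1_HEADER_LEN
        while cmd != NO_ANDX:
            found.append((direction, SMB1_COMMANDS.get(cmd, "0x%02X" % cmd), status))
            if cmd not in ANDX_COMMANDS or off + 5 > len(pdu) or pdu[off] < 2:
                break
            nxt, nxt_off = pdu[off + 1], struct.unpack_from(LE + "H", pdu, off + 3)[0]
            if nxt != NO_ANDX and nxt_off <= off:   # backwards offset: loop bait
                break
            cmd, off = nxt, nxt_off
    return found

def parse_bro_log(text):
    """Bro TSV log (#fields header; other '#' lines ignored) -> list of dicts."""
    fields, rows = [], []
    for line in text.splitlines():
        if line.startswith("#fields\t"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#"):
            rows.append(dict(zip(fields, line.split("\t"))))
    return rows

def coverage_gap(stream, log_text, not_logged=NOT_LOGGED):
    """Counter of wire requests with no smb_cmd.log row, policy omissions dropped."""
    on_wire = Counter(name for d, name, _ in walk_smb1_stream(stream)
                      if d == "req" and name not in not_logged)
    logged = Counter(row["command"] for row in parse_bro_log(log_text))
    return on_wire - logged

# Constructed stand-in for stream #1 of the report (57 Trans2 pairs cut to 3;
# session setup chained onto the tree connect in one PDU, as real clients do).
SAMPLE_EXCHANGES = ([[0x72], [0x73, 0x75], [0x06], [0xA2], [0x2F], [0x32], [0x22], [0x23], [0x08],
                     [0x23]] + [[0x32]] * 3 + [[0x04], [0xA2], [0x04], [0x06], [0x71]])
# Constructed smb_cmd.log with only the rows the report says Bro produced
# (steps 04-10), in Bro's TSV layout with a subset of its columns.
_COLS = "ts uid id.orig_h id.orig_p id.resp_h id.resp_p command sub_command argument status"
_ROWS = [("DELETE", "\\torture_qfileinfo.txt"), ("NT_CREATE_ANDX", "\\torture_qfileinfo.txt"),
         ("WRITE_ANDX", "-"), ("TRANSACTION2", "-"), ("SET_INFORMATION2", "-"),
         ("QUERY_INFORMATION2", "-"), ("QUERY_INFORMATION", "-")]
SAMPLE_SMB_CMD_LOG = "\n".join(
    ["#separator \\x09", "#path\tsmb_cmd", "#fields\t" + "\t".join(_COLS.split())]
    + ["\t".join(["1519380000.000000", "CHhAvVGS1DHFjwGM9", "10.0.0.1", "1025",
                  "10.0.0.2", "445", cmd, "-", arg, "SUCCESS"]) for cmd, arg in _ROWS])
```

<p dir="auto">To use it on real data, replace the sample stream with one TCP stream saved as raw bytes from Wireshark's Follow TCP Stream and the sample log with the real smb_cmd.log; whatever remains in the Counter is a request Bro saw on the wire but never wrote a row for, and the first such command is where to start in the analyzer. The offset guard in the walker is the kind of check a torture capture exercises: an AndXOffset that points backwards has to end the chain rather than be followed.</p>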
<blockquote style="border-left:2px solid #777; color:#777; margin:0 0 5px; padding-left:5px"><div id="C77CB878-4C62-453D-94EB-7946FC2B35B7"><div lang="EN-US" link="#0563C1" vlink="#954F72" style="tab-interval:.5in"><div style="page:WordSection1"><p style='font-family:"Calibri", sans-serif; font-size:11pt; margin:0; margin-bottom:0.0001pt; mso-ascii-font-family:Calibri; mso-bidi-font-family:"Times New Roman"; mso-fareast-font-family:Calibri; mso-hansi-font-family:Calibri; mso-pagination:widow-orphan; mso-style-parent:""; mso-style-qformat:yes; mso-style-unhide:no'><span style="mso-bidi-font-size:12.0pt;mso-ascii-font-family:Calibri;mso-hansi-font-family:Calibri;mso-bidi-font-family:Calibri">Bro-Dev Group,</span></p><p style='font-family:"Calibri", sans-serif; font-size:11pt; margin:0; margin-bottom:0.0001pt; mso-ascii-font-family:Calibri; mso-bidi-font-family:"Times New Roman"; mso-fareast-font-family:Calibri; mso-hansi-font-family:Calibri; mso-pagination:widow-orphan; mso-style-parent:""; mso-style-qformat:yes; mso-style-unhide:no'><span style="mso-bidi-font-size:12.0pt;mso-ascii-font-family:Calibri;mso-hansi-font-family:Calibri;mso-bidi-font-family:Calibri"> </span></p><p style='font-family:"Calibri", sans-serif; font-size:11pt; margin:0; margin-bottom:0.0001pt; mso-ascii-font-family:Calibri; mso-bidi-font-family:"Times New Roman"; mso-fareast-font-family:Calibri; mso-hansi-font-family:Calibri; mso-pagination:widow-orphan; mso-style-parent:""; mso-style-qformat:yes; mso-style-unhide:no'><b style="mso-bidi-font-weight:normal"><u><span style="mso-bidi-font-size:12.0pt;mso-ascii-font-family:Calibri;mso-hansi-font-family:Calibri;mso-bidi-font-family:Calibri">ISSUE</span></u></b><b style="mso-bidi-font-weight:normal"><span style="mso-bidi-font-size:12.0pt;mso-ascii-font-family:Calibri;mso-hansi-font-family:Calibri;mso-bidi-font-family:Calibri">:</span></b><span 
style="mso-bidi-font-size:12.0pt;mso-ascii-font-family:Calibri;mso-hansi-font-family:Calibri;mso-bidi-font-family:Calibri"> I encountered an issue where Bro is not logging some rather significant SMB1 commands in the smb_cmd.log file.<span style="mso-spacerun:yes">  </span>I understand that some SMB commands are deliberately omitted from the log (such as Negotiate Protocol, Session Setup, and Tree Connect); however, I observe that an instance of NT Create and Delete are not being recorded.<span style="mso-spacerun:yes">  </span>I also understand that some SMB messages are deliberately omitted based on the status code; but the status codes are STATUS_SUCCESS, so it should be logged.<span style="mso-spacerun:yes">  </span>In this particular traffic sample, there are more than 100 SMB messages going back and forth in the TCP stream, but only the first several are recorded in smb_cmd.log, then it stops.<span style="mso-spacerun:yes">  </span>Please help.</span></p><p style='font-family:"Calibri", sans-serif; font-size:11pt; margin:0; margin-bottom:0.0001pt; mso-ascii-font-family:Calibri; mso-bidi-font-family:"Times New Roman"; mso-fareast-font-family:Calibri; mso-hansi-font-family:Calibri; mso-pagination:widow-orphan; mso-style-parent:""; mso-style-qformat:yes; mso-style-unhide:no'><span style="mso-bidi-font-size:12.0pt;mso-ascii-font-family:Calibri;mso-hansi-font-family:Calibri;mso-bidi-font-family:Calibri"> </span></p><p style='font-family:"Calibri", sans-serif; font-size:11pt; margin:0; margin-bottom:0.0001pt; mso-ascii-font-family:Calibri; mso-bidi-font-family:"Times New Roman"; mso-fareast-font-family:Calibri; mso-hansi-font-family:Calibri; mso-pagination:widow-orphan; mso-style-parent:""; mso-style-qformat:yes; mso-style-unhide:no'><b style="mso-bidi-font-weight:normal"><u><span style="mso-bidi-font-size:12.0pt;mso-ascii-font-family:Calibri;mso-hansi-font-family:Calibri;mso-bidi-font-family:Calibri">Bro Version</span></u></b><span 
style="mso-bidi-font-size:12.0pt;mso-ascii-font-family:Calibri;mso-hansi-font-family:Calibri;mso-bidi-font-family:Calibri">:</span></p><p style='font-family:"Calibri", sans-serif; font-size:11pt; margin:0; margin-bottom:0.0001pt; mso-ascii-font-family:Calibri; mso-bidi-font-family:"Times New Roman"; mso-fareast-font-family:Calibri; mso-hansi-font-family:Calibri; mso-pagination:widow-orphan; mso-style-parent:""; mso-style-qformat:yes; mso-style-unhide:no'><span style="mso-bidi-font-size:12.0pt;mso-ascii-font-family:Calibri;mso-hansi-font-family:Calibri;mso-bidi-font-family:Calibri">I am using the Bro v2.5.1 docker image I pulled from the following URL:</span></p><p style='font-family:"Calibri", sans-serif; font-size:11pt; margin:0; margin-bottom:0.0001pt; mso-ascii-font-family:Calibri; mso-bidi-font-family:"Times New Roman"; mso-fareast-font-family:Calibri; mso-hansi-font-family:Calibri; mso-pagination:widow-orphan; mso-style-parent:""; mso-style-qformat:yes; mso-style-unhide:no; text-indent:0.5in'><span style="mso-bidi-font-size:12.0pt;mso-ascii-font-family:Calibri;mso-hansi-font-family:Calibri;mso-bidi-font-family:Calibri">https://hub.docker.com/r/rsmmr/hilti/</span></p><p style='font-family:"Calibri", sans-serif; font-size:11pt; margin:0; margin-bottom:0.0001pt; mso-ascii-font-family:Calibri; mso-bidi-font-family:"Times New Roman"; mso-fareast-font-family:Calibri; mso-hansi-font-family:Calibri; mso-pagination:widow-orphan; mso-style-parent:""; mso-style-qformat:yes; mso-style-unhide:no'><span style="mso-bidi-font-size:12.0pt;mso-ascii-font-family:Calibri;mso-hansi-font-family:Calibri;mso-bidi-font-family:Calibri"> </span></p><p style='font-family:"Calibri", sans-serif; font-size:11pt; margin:0; margin-bottom:0.0001pt; mso-ascii-font-family:Calibri; mso-bidi-font-family:"Times New Roman"; mso-fareast-font-family:Calibri; mso-hansi-font-family:Calibri; mso-pagination:widow-orphan; mso-style-parent:""; mso-style-qformat:yes; mso-style-unhide:no'><span 
style="mso-bidi-font-size:12.0pt;mso-ascii-font-family:Calibri;mso-hansi-font-family:Calibri;mso-bidi-font-family:Calibri"> </span></p><p style='font-family:"Calibri", sans-serif; font-size:11pt; margin:0; margin-bottom:0.0001pt; mso-ascii-font-family:Calibri; mso-bidi-font-family:"Times New Roman"; mso-fareast-font-family:Calibri; mso-hansi-font-family:Calibri; mso-pagination:widow-orphan; mso-style-parent:""; mso-style-qformat:yes; mso-style-unhide:no'><b style="mso-bidi-font-weight:normal"><u><span style="mso-bidi-font-size:12.0pt;mso-ascii-font-family:Calibri;mso-hansi-font-family:Calibri;mso-bidi-font-family:Calibri">PCAP File</span></u></b><span style="mso-bidi-font-size:12.0pt;mso-ascii-font-family:Calibri;mso-hansi-font-family:Calibri;mso-bidi-font-family:Calibri">:</span></p><p style='font-family:"Calibri", sans-serif; font-size:11pt; margin:0; margin-bottom:0.0001pt; mso-ascii-font-family:Calibri; mso-bidi-font-family:"Times New Roman"; mso-fareast-font-family:Calibri; mso-hansi-font-family:Calibri; mso-pagination:widow-orphan; mso-style-parent:""; mso-style-qformat:yes; mso-style-unhide:no'><span style="mso-bidi-font-size:12.0pt;mso-ascii-font-family:Calibri;mso-hansi-font-family:Calibri;mso-bidi-font-family:Calibri">I downloaded the "<span style='mso-spl-e:yes; mso-style-name:""'>smbtorture</span>" <span style='mso-spl-e:yes; mso-style-name:""'>pcap</span> file from the Wireshark public repository, at the URL:</span></p><p style='font-family:"Calibri", sans-serif; font-size:11pt; margin:0; margin-bottom:0.0001pt; mso-ascii-font-family:Calibri; mso-bidi-font-family:"Times New Roman"; mso-fareast-font-family:Calibri; mso-hansi-font-family:Calibri; mso-pagination:widow-orphan; mso-style-parent:""; mso-style-qformat:yes; mso-style-unhide:no'><span style="mso-bidi-font-size:12.0pt;mso-ascii-font-family:Calibri;mso-hansi-font-family:Calibri;mso-bidi-font-family:Calibri"> </span></p><p style='font-family:"Calibri", sans-serif; font-size:11pt; margin:0; 
margin-bottom:0.0001pt; mso-ascii-font-family:Calibri; mso-bidi-font-family:"Times New Roman"; mso-fareast-font-family:Calibri; mso-hansi-font-family:Calibri; mso-pagination:widow-orphan; mso-style-parent:""; mso-style-qformat:yes; mso-style-unhide:no; text-indent:0.5in'><span style="mso-bidi-font-size:12.0pt;mso-ascii-font-family:Calibri;mso-hansi-font-family:Calibri;mso-bidi-font-family:Calibri">https://wiki.wireshark.org/SampleCaptures?action=AttachFile&amp;do=get&amp;target=smbtorture.cap.gz</span></p><p style='font-family:"Calibri", sans-serif; font-size:11pt; margin:0; margin-bottom:0.0001pt; mso-ascii-font-family:Calibri; mso-bidi-font-family:"Times New Roman"; mso-fareast-font-family:Calibri; mso-hansi-font-family:Calibri; mso-pagination:widow-orphan; mso-style-parent:""; mso-style-qformat:yes; mso-style-unhide:no'><span style="mso-bidi-font-size:12.0pt;mso-ascii-font-family:Calibri;mso-hansi-font-family:Calibri;mso-bidi-font-family:Calibri"> </span></p><p style='font-family:"Calibri", sans-serif; font-size:11pt; margin:0; margin-bottom:0.0001pt; mso-ascii-font-family:Calibri; mso-bidi-font-family:"Times New Roman"; mso-fareast-font-family:Calibri; mso-hansi-font-family:Calibri; mso-pagination:widow-orphan; mso-style-parent:""; mso-style-qformat:yes; mso-style-unhide:no'><span style="mso-bidi-font-size:12.0pt;mso-ascii-font-family:Calibri;mso-hansi-font-family:Calibri;mso-bidi-font-family:Calibri">The issue I observe corresponds to stream #1 extracted from the file above, via filter: '<span style='mso-spl-e:yes; mso-style-name:""'>tcp.stream</span> <span style='mso-spl-e:yes; mso-style-name:""'>eq</span> 1'.<span style="mso-spacerun:yes">  </span>I attached a PCAP file containing stream #1 only.</span></p><p style='font-family:"Calibri", sans-serif; font-size:11pt; margin:0; margin-bottom:0.0001pt; mso-ascii-font-family:Calibri; mso-bidi-font-family:"Times New Roman"; mso-fareast-font-family:Calibri; mso-hansi-font-family:Calibri; 
mso-pagination:widow-orphan; mso-style-parent:""; mso-style-qformat:yes; mso-style-unhide:no'><span style="mso-bidi-font-size:12.0pt;mso-ascii-font-family:Calibri;mso-hansi-font-family:Calibri;mso-bidi-font-family:Calibri"> </span></p><p style='font-family:"Calibri", sans-serif; font-size:11pt; margin:0; margin-bottom:0.0001pt; mso-ascii-font-family:Calibri; mso-bidi-font-family:"Times New Roman"; mso-fareast-font-family:Calibri; mso-hansi-font-family:Calibri; mso-pagination:widow-orphan; mso-style-parent:""; mso-style-qformat:yes; mso-style-unhide:no'><span style="mso-bidi-font-size:12.0pt;mso-ascii-font-family:Calibri;mso-hansi-font-family:Calibri;mso-bidi-font-family:Calibri"> </span></p><p style='font-family:"Calibri", sans-serif; font-size:11pt; margin:0; margin-bottom:0.0001pt; mso-ascii-font-family:Calibri; mso-bidi-font-family:"Times New Roman"; mso-fareast-font-family:Calibri; mso-hansi-font-family:Calibri; mso-pagination:widow-orphan; mso-style-parent:""; mso-style-qformat:yes; mso-style-unhide:no'><b style="mso-bidi-font-weight:normal"><u><span style="mso-bidi-font-size:12.0pt;mso-ascii-font-family:Calibri;mso-hansi-font-family:Calibri;mso-bidi-font-family:Calibri">PCAP Analysis of SMB Messages</span></u></b><span style="mso-bidi-font-size:12.0pt;mso-ascii-font-family:Calibri;mso-hansi-font-family:Calibri;mso-bidi-font-family:Calibri">:</span></p><p style='font-family:"Calibri", sans-serif; font-size:11pt; margin:0; margin-bottom:0.0001pt; mso-ascii-font-family:Calibri; mso-bidi-font-family:"Times New Roman"; mso-fareast-font-family:Calibri; mso-hansi-font-family:Calibri; mso-pagination:widow-orphan; mso-style-parent:""; mso-style-qformat:yes; mso-style-unhide:no'><span style="mso-bidi-font-size:12.0pt;mso-ascii-font-family:Calibri;mso-hansi-font-family:Calibri;mso-bidi-font-family:Calibri">From the PCAP file, using Wireshark, the following sequence of SMB Messages are observed (summarized below as Request &amp; Response pairs):</span></p><p 
style='font-family:"Calibri", sans-serif; font-size:11pt; margin:0; margin-bottom:0.0001pt; mso-ascii-font-family:Calibri; mso-bidi-font-family:"Times New Roman"; mso-fareast-font-family:Calibri; mso-hansi-font-family:Calibri; mso-pagination:widow-orphan; mso-style-parent:""; mso-style-qformat:yes; mso-style-unhide:no'><span style="mso-bidi-font-size:12.0pt;mso-ascii-font-family:Calibri;mso-hansi-font-family:Calibri;mso-bidi-font-family:Calibri"> </span></p><p style='font-family:"Calibri", sans-serif; font-size:11pt; margin:0; margin-bottom:0.0001pt; mso-ascii-font-family:Calibri; mso-bidi-font-family:"Times New Roman"; mso-fareast-font-family:Calibri; mso-hansi-font-family:Calibri; mso-pagination:widow-orphan; mso-style-parent:""; mso-style-qformat:yes; mso-style-unhide:no'><span style="mso-bidi-font-size:12.0pt;mso-ascii-font-family:Calibri;mso-hansi-font-family:Calibri;mso-bidi-font-family:Calibri"><span style="mso-tab-count:1">                </span>(01) Negotiate Protocol Req &amp; <span style='mso-spl-e:yes; mso-style-name:""'>Resp</span></span></p><p style='font-family:"Calibri", sans-serif; font-size:11pt; margin:0; margin-bottom:0.0001pt; mso-ascii-font-family:Calibri; mso-bidi-font-family:"Times New Roman"; mso-fareast-font-family:Calibri; mso-hansi-font-family:Calibri; mso-pagination:widow-orphan; mso-style-parent:""; mso-style-qformat:yes; mso-style-unhide:no'><span style="mso-bidi-font-size:12.0pt;mso-ascii-font-family:Calibri;mso-hansi-font-family:Calibri;mso-bidi-font-family:Calibri"><span style="mso-tab-count:1">                </span>(02) Session Setup <span style='mso-spl-e:yes; mso-style-name:""'>AndX</span> Req &amp; <span style='mso-spl-e:yes; mso-style-name:""'>Resp</span> [x2]</span></p><p style='font-family:"Calibri", sans-serif; font-size:11pt; margin:0; margin-bottom:0.0001pt; mso-ascii-font-family:Calibri; mso-bidi-font-family:"Times New Roman"; mso-fareast-font-family:Calibri; mso-hansi-font-family:Calibri; mso-pagination:widow-orphan; 
mso-style-parent:""; mso-style-qformat:yes; mso-style-unhide:no'><span style="mso-bidi-font-size:12.0pt;mso-ascii-font-family:Calibri;mso-hansi-font-family:Calibri;mso-bidi-font-family:Calibri"><span style="mso-tab-count:1">                </span>(03) Tree Connect <span style='mso-spl-e:yes; mso-style-name:""'>AndX</span> Req &amp; <span style='mso-spl-e:yes; mso-style-name:""'>Resp</span></span></p><p style='font-family:"Calibri", sans-serif; font-size:11pt; margin:0; margin-bottom:0.0001pt; mso-ascii-font-family:Calibri; mso-bidi-font-family:"Times New Roman"; mso-fareast-font-family:Calibri; mso-hansi-font-family:Calibri; mso-pagination:widow-orphan; mso-style-parent:""; mso-style-qformat:yes; mso-style-unhide:no'><span style="mso-bidi-font-size:12.0pt;mso-ascii-font-family:Calibri;mso-hansi-font-family:Calibri;mso-bidi-font-family:Calibri"><span style="mso-tab-count:1">                </span>(04) Delete Req &amp; <span style='mso-spl-e:yes; mso-style-name:""'>Resp</span> [file \torture_qfileinfo.txt]</span></p><p style='font-family:"Calibri", sans-serif; font-size:11pt; margin:0; margin-bottom:0.0001pt; mso-ascii-font-family:Calibri; mso-bidi-font-family:"Times New Roman"; mso-fareast-font-family:Calibri; mso-hansi-font-family:Calibri; mso-pagination:widow-orphan; mso-style-parent:""; mso-style-qformat:yes; mso-style-unhide:no'><span style="mso-bidi-font-size:12.0pt;mso-ascii-font-family:Calibri;mso-hansi-font-family:Calibri;mso-bidi-font-family:Calibri"><span style="mso-tab-count:1">                </span>(05) NT Create <span style='mso-spl-e:yes; mso-style-name:""'>AndX</span> Req &amp; <span style='mso-spl-e:yes; mso-style-name:""'>Resp</span> [fid 4000, file \torture_qfileinfo.txt]</span></p><p style='font-family:"Calibri", sans-serif; font-size:11pt; margin:0; margin-bottom:0.0001pt; mso-ascii-font-family:Calibri; mso-bidi-font-family:"Times New Roman"; mso-fareast-font-family:Calibri; mso-hansi-font-family:Calibri; mso-pagination:widow-orphan; 
mso-style-parent:""; mso-style-qformat:yes; mso-style-unhide:no'><span style="mso-bidi-font-size:12.0pt;mso-ascii-font-family:Calibri;mso-hansi-font-family:Calibri;mso-bidi-font-family:Calibri"><span style="mso-tab-count:1">                </span>(06) Write <span style='mso-spl-e:yes; mso-style-name:""'>AndX</span> Req &amp; <span style='mso-spl-e:yes; mso-style-name:""'>Resp</span></span></p><p style='font-family:"Calibri", sans-serif; font-size:11pt; margin:0; margin-bottom:0.0001pt; mso-ascii-font-family:Calibri; mso-bidi-font-family:"Times New Roman"; mso-fareast-font-family:Calibri; mso-hansi-font-family:Calibri; mso-pagination:widow-orphan; mso-style-parent:""; mso-style-qformat:yes; mso-style-unhide:no'><span style="mso-bidi-font-size:12.0pt;mso-ascii-font-family:Calibri;mso-hansi-font-family:Calibri;mso-bidi-font-family:Calibri"><span style="mso-tab-count:1">                </span>(07) Trans2 Req &amp; <span style='mso-spl-e:yes; mso-style-name:""'>Resp</span></span></p><p style='font-family:"Calibri", sans-serif; font-size:11pt; margin:0; margin-bottom:0.0001pt; mso-ascii-font-family:Calibri; mso-bidi-font-family:"Times New Roman"; mso-fareast-font-family:Calibri; mso-hansi-font-family:Calibri; mso-pagination:widow-orphan; mso-style-parent:""; mso-style-qformat:yes; mso-style-unhide:no'><span style="mso-bidi-font-size:12.0pt;mso-ascii-font-family:Calibri;mso-hansi-font-family:Calibri;mso-bidi-font-family:Calibri"><span style="mso-tab-count:1">                </span>(08) Set Information2 Req &amp; <span style='mso-spl-e:yes; mso-style-name:""'>Resp</span></span></p><p style='font-family:"Calibri", sans-serif; font-size:11pt; margin:0; margin-bottom:0.0001pt; mso-ascii-font-family:Calibri; mso-bidi-font-family:"Times New Roman"; mso-fareast-font-family:Calibri; mso-hansi-font-family:Calibri; mso-pagination:widow-orphan; mso-style-parent:""; mso-style-qformat:yes; mso-style-unhide:no'><span 
style="mso-bidi-font-size:12.0pt;mso-ascii-font-family:Calibri;mso-hansi-font-family:Calibri;mso-bidi-font-family:Calibri"><span style="mso-tab-count:1">                </span>(09) Query Information2 Req &amp; <span style='mso-spl-e:yes; mso-style-name:""'>Resp</span></span></p><p style='font-family:"Calibri", sans-serif; font-size:11pt; margin:0; margin-bottom:0.0001pt; mso-ascii-font-family:Calibri; mso-bidi-font-family:"Times New Roman"; mso-fareast-font-family:Calibri; mso-hansi-font-family:Calibri; mso-pagination:widow-orphan; mso-style-parent:""; mso-style-qformat:yes; mso-style-unhide:no'><span style="mso-bidi-font-size:12.0pt;mso-ascii-font-family:Calibri;mso-hansi-font-family:Calibri;mso-bidi-font-family:Calibri"><span style="mso-tab-count:1">                </span>(10) Query Information Req &amp; <span style='mso-spl-e:yes; mso-style-name:""'>Resp</span></span></p><p style='font-family:"Calibri", sans-serif; font-size:11pt; margin:0; margin-bottom:0.0001pt; mso-ascii-font-family:Calibri; mso-bidi-font-family:"Times New Roman"; mso-fareast-font-family:Calibri; mso-hansi-font-family:Calibri; mso-pagination:widow-orphan; mso-style-parent:""; mso-style-qformat:yes; mso-style-unhide:no'><span style="mso-bidi-font-size:12.0pt;mso-ascii-font-family:Calibri;mso-hansi-font-family:Calibri;mso-bidi-font-family:Calibri"><span style="mso-tab-count:1">                </span>(11) Query Information2 Req &amp; <span style='mso-spl-e:yes; mso-style-name:""'>Resp</span></span></p><p style='font-family:"Calibri", sans-serif; font-size:11pt; margin:0; margin-bottom:0.0001pt; mso-ascii-font-family:Calibri; mso-bidi-font-family:"Times New Roman"; mso-fareast-font-family:Calibri; mso-hansi-font-family:Calibri; mso-pagination:widow-orphan; mso-style-parent:""; mso-style-qformat:yes; mso-style-unhide:no'><span style="mso-bidi-font-size:12.0pt;mso-ascii-font-family:Calibri;mso-hansi-font-family:Calibri;mso-bidi-font-family:Calibri"><span style="mso-tab-count:1">                
</span>(12) Trans2 Req &amp; <span style='mso-spl-e:yes; mso-style-name:""'>Resp</span> [x57]</span></p><p style='font-family:"Calibri", sans-serif; font-size:11pt; margin:0; margin-bottom:0.0001pt; mso-ascii-font-family:Calibri; mso-bidi-font-family:"Times New Roman"; mso-fareast-font-family:Calibri; mso-hansi-font-family:Calibri; mso-pagination:widow-orphan; mso-style-parent:""; mso-style-qformat:yes; mso-style-unhide:no'><span style="mso-bidi-font-size:12.0pt;mso-ascii-font-family:Calibri;mso-hansi-font-family:Calibri;mso-bidi-font-family:Calibri"><span style="mso-tab-count:1">                </span>(13) Close Req &amp; <span style='mso-spl-e:yes; mso-style-name:""'>Resp</span> [fid 4000]</span></p><p style='font-family:"Calibri", sans-serif; font-size:11pt; margin:0; margin-bottom:0.0001pt; mso-ascii-font-family:Calibri; mso-bidi-font-family:"Times New Roman"; mso-fareast-font-family:Calibri; mso-hansi-font-family:Calibri; mso-pagination:widow-orphan; mso-style-parent:""; mso-style-qformat:yes; mso-style-unhide:no'><span style="mso-bidi-font-size:12.0pt;mso-ascii-font-family:Calibri;mso-hansi-font-family:Calibri;mso-bidi-font-family:Calibri"><span style="mso-tab-count:1">                </span>(14) NT Create <span style='mso-spl-e:yes; mso-style-name:""'>AndX</span> Req &amp; <span style='mso-spl-e:yes; mso-style-name:""'>Resp</span> [fid 4001, file TORTUR~1.TXT]</span></p><p style='font-family:"Calibri", sans-serif; font-size:11pt; margin:0; margin-bottom:0.0001pt; mso-ascii-font-family:Calibri; mso-bidi-font-family:"Times New Roman"; mso-fareast-font-family:Calibri; mso-hansi-font-family:Calibri; mso-pagination:widow-orphan; mso-style-parent:""; mso-style-qformat:yes; mso-style-unhide:no'><span style="mso-bidi-font-size:12.0pt;mso-ascii-font-family:Calibri;mso-hansi-font-family:Calibri;mso-bidi-font-family:Calibri"><span style="mso-tab-count:1">                </span>(15) Close Req &amp; <span style='mso-spl-e:yes; mso-style-name:""'>Resp</span> [fid 
4001]</span></p><p style='font-family:"Calibri", sans-serif; font-size:11pt; margin:0; margin-bottom:0.0001pt; mso-ascii-font-family:Calibri; mso-bidi-font-family:"Times New Roman"; mso-fareast-font-family:Calibri; mso-hansi-font-family:Calibri; mso-pagination:widow-orphan; mso-style-parent:""; mso-style-qformat:yes; mso-style-unhide:no'><span style="mso-bidi-font-size:12.0pt;mso-ascii-font-family:Calibri;mso-hansi-font-family:Calibri;mso-bidi-font-family:Calibri"><span style="mso-tab-count:1">                </span>(16) Delete Req &amp; <span style='mso-spl-e:yes; mso-style-name:""'>Resp</span> [file \torture_qfileinfo.txt -&gt; formerly fid 4000]</span></p><p style='font-family:"Calibri", sans-serif; font-size:11pt; margin:0; margin-bottom:0.0001pt; mso-ascii-font-family:Calibri; mso-bidi-font-family:"Times New Roman"; mso-fareast-font-family:Calibri; mso-hansi-font-family:Calibri; mso-pagination:widow-orphan; mso-style-parent:""; mso-style-qformat:yes; mso-style-unhide:no'><span style="mso-bidi-font-size:12.0pt;mso-ascii-font-family:Calibri;mso-hansi-font-family:Calibri;mso-bidi-font-family:Calibri"><span style="mso-tab-count:1">                </span>(17) Tree Disconnect</span></p><p style='font-family:"Calibri", sans-serif; font-size:11pt; margin:0; margin-bottom:0.0001pt; mso-ascii-font-family:Calibri; mso-bidi-font-family:"Times New Roman"; mso-fareast-font-family:Calibri; mso-hansi-font-family:Calibri; mso-pagination:widow-orphan; mso-style-parent:""; mso-style-qformat:yes; mso-style-unhide:no'><span style="mso-bidi-font-size:12.0pt;mso-ascii-font-family:Calibri;mso-hansi-font-family:Calibri;mso-bidi-font-family:Calibri"> </span></p><p style='font-family:"Calibri", sans-serif; font-size:11pt; margin:0; margin-bottom:0.0001pt; mso-ascii-font-family:Calibri; mso-bidi-font-family:"Times New Roman"; mso-fareast-font-family:Calibri; mso-hansi-font-family:Calibri; mso-pagination:widow-orphan; mso-style-parent:""; mso-style-qformat:yes; mso-style-unhide:no'><span 
style="mso-bidi-font-size:12.0pt;mso-ascii-font-family:Calibri;mso-hansi-font-family:Calibri;mso-bidi-font-family:Calibri"> </span></p><p style='font-family:"Calibri", sans-serif; font-size:11pt; margin:0; margin-bottom:0.0001pt; mso-ascii-font-family:Calibri; mso-bidi-font-family:"Times New Roman"; mso-fareast-font-family:Calibri; mso-hansi-font-family:Calibri; mso-pagination:widow-orphan; mso-style-parent:""; mso-style-qformat:yes; mso-style-unhide:no'><b style="mso-bidi-font-weight:normal"><u><span style="mso-bidi-font-size:12.0pt;mso-ascii-font-family:Calibri;mso-hansi-font-family:Calibri;mso-bidi-font-family:Calibri">Bro Analysis of smb_cmd.log</span></u></b><span style="mso-bidi-font-size:12.0pt;mso-ascii-font-family:Calibri;mso-hansi-font-family:Calibri;mso-bidi-font-family:Calibri">:</span></p><p style='font-family:"Calibri", sans-serif; font-size:11pt; margin:0; margin-bottom:0.0001pt; mso-ascii-font-family:Calibri; mso-bidi-font-family:"Times New Roman"; mso-fareast-font-family:Calibri; mso-hansi-font-family:Calibri; mso-pagination:widow-orphan; mso-style-parent:""; mso-style-qformat:yes; mso-style-unhide:no'><span style="mso-bidi-font-size:12.0pt;mso-ascii-font-family:Calibri;mso-hansi-font-family:Calibri;mso-bidi-font-family:Calibri">The Bro smb_cmd.log records events (04) - (10).<span style="mso-spacerun:yes">  </span>I understand that events (01) - (03) are deliberately omitted from the log, but I am concerned that nothing is logged after event (10), Query Information Req &amp; Resp.</span></p><p style='font-family:"Calibri", sans-serif; font-size:11pt; margin:0; margin-bottom:0.0001pt; mso-ascii-font-family:Calibri; mso-bidi-font-family:"Times New Roman"; mso-fareast-font-family:Calibri; mso-hansi-font-family:Calibri; mso-pagination:widow-orphan; mso-style-parent:""; mso-style-qformat:yes; mso-style-unhide:no'><span style="mso-bidi-font-size:12.0pt;mso-ascii-font-family:Calibri;mso-hansi-font-family:Calibri;mso-bidi-font-family:Calibri"> 
</span></p><p style='font-family:"Calibri", sans-serif; font-size:11pt; margin:0; margin-bottom:0.0001pt; mso-ascii-font-family:Calibri; mso-bidi-font-family:"Times New Roman"; mso-fareast-font-family:Calibri; mso-hansi-font-family:Calibri; mso-pagination:widow-orphan; mso-style-parent:""; mso-style-qformat:yes; mso-style-unhide:no'><span style="mso-bidi-font-size:12.0pt;mso-ascii-font-family:Calibri;mso-hansi-font-family:Calibri;mso-bidi-font-family:Calibri">I think this is an important issue because the smb_cmd.log fails to record two significant events in this TCP stream:</span></p><p style='font-family:"Calibri", sans-serif; font-size:11pt; margin:0; margin-bottom:0.0001pt; mso-ascii-font-family:Calibri; mso-bidi-font-family:"Times New Roman"; mso-fareast-font-family:Calibri; mso-hansi-font-family:Calibri; mso-pagination:widow-orphan; mso-style-parent:""; mso-style-qformat:yes; mso-style-unhide:no'><span style="mso-bidi-font-size:12.0pt;mso-ascii-font-family:Calibri;mso-hansi-font-family:Calibri;mso-bidi-font-family:Calibri"><span style="mso-tab-count:1">                </span>(i) A second file is created in step (14)</span></p><p style='font-family:"Calibri", sans-serif; font-size:11pt; margin:0; margin-bottom:0.0001pt; mso-ascii-font-family:Calibri; mso-bidi-font-family:"Times New Roman"; mso-fareast-font-family:Calibri; mso-hansi-font-family:Calibri; mso-pagination:widow-orphan; mso-style-parent:""; mso-style-qformat:yes; mso-style-unhide:no'><span style="mso-bidi-font-size:12.0pt;mso-ascii-font-family:Calibri;mso-hansi-font-family:Calibri;mso-bidi-font-family:Calibri"><span style="mso-tab-count:1">                </span>(ii) The first file (created in step [05]) is deleted in step (16)</span></p><p style='font-family:"Calibri", sans-serif; font-size:11pt; margin:0; margin-bottom:0.0001pt; mso-ascii-font-family:Calibri; mso-bidi-font-family:"Times New Roman"; mso-fareast-font-family:Calibri; mso-hansi-font-family:Calibri; mso-pagination:widow-orphan; 
mso-style-parent:""; mso-style-qformat:yes; mso-style-unhide:no'></p>
<p dir="auto">The SMB messages look well-formed in Wireshark. Nothing seems to be wrong. The SMB status code is STATUS_SUCCESS for the requests and the responses, so it should be logged.</p>
<p dir="auto"><b><u>Artifacts</u></b>:</p>
<p dir="auto">Attached are the following artifacts to help you reproduce the issue:</p>
<p dir="auto">(a) ws_smbtorture_stream001.pcap (pcap of stream #1 only)</p>
<p dir="auto">(b) test.bro script</p>
<p dir="auto">(c) smb_cmd.log</p>
<p dir="auto">(d) smb_files.log</p>
<p dir="auto">(e) files.log</p>
<p dir="auto">(f) conn.log</p>
<p dir="auto">(g) packet_filter.log</p>
<p dir="auto">Not sure what is going wrong. Please help.</p>
<p dir="auto">Cheers,</p>
<p dir="auto">Mark</p></div></div></div></blockquote>
<div style="white-space:normal"><blockquote style="border-left:2px solid #777; color:#777; margin:0 0 5px; padding-left:5px"><p dir="auto">_______________________________________________<br>
bro-dev mailing list<br>
bro-dev@bro.org<br>
<a href="http://mailman.icsi.berkeley.edu/mailman/listinfo/bro-dev" style="color:#777">http://mailman.icsi.berkeley.edu/mailman/listinfo/bro-dev</a></p>
</blockquote><p dir="auto">--<br>
Seth Hall * Corelight, Inc * www.corelight.com</p>
</div>
</div>
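<p dir="auto">The report above rests on two observations made in Wireshark: every SMB2 request and response in the stream carries STATUS_SUCCESS, and the messages are well-formed. When an analyzer's log disagrees with the dissector, it helps to check the wire bytes with a third, minimal parser that follows the SMB2 header layout from MS-SMB2 and nothing else. The following Python script is an added example written for this page; it is not part of Bro, of the test.bro script, or of anything Mark or Seth posted. It walks one NetBIOS-session-service frame (TCP/445 framing), follows compound chains through the NextCommand field (the kind of edge case an smbtorture capture tends to exercise), and pairs requests with responses by MessageId. The sample frames are constructed inline; the command table and constants are transcribed from MS-SMB2, and nothing here is taken from the attached pcap.</p>

```python
"""Independent SMB2 header walker for a NetBIOS-framed TCP/445 payload.

Added example for this thread (not Bro/Zeek code). Sample frames are
constructed below; they are not bytes from the smbtorture capture.
"""
import struct

# Command codes from MS-SMB2 section 2.2.1.2 (SMB2 header, Command field).
SMB2_COMMANDS = {
    0x0000: "NEGOTIATE", 0x0001: "SESSION_SETUP", 0x0002: "LOGOFF",
    0x0003: "TREE_CONNECT", 0x0004: "TREE_DISCONNECT", 0x0005: "CREATE",
    0x0006: "CLOSE", 0x0007: "FLUSH", 0x0008: "READ", 0x0009: "WRITE",
    0x000A: "LOCK", 0x000B: "IOCTL", 0x000C: "CANCEL", 0x000D: "ECHO",
    0x000E: "QUERY_DIRECTORY", 0x000F: "CHANGE_NOTIFY", 0x0010: "QUERY_INFO",
    0x0011: "SET_INFO", 0x0012: "OPLOCK_BREAK",
}
STATUS_SUCCESS = 0x00000000
FLAG_SERVER_TO_REDIR = 0x00000001     # set on responses
FLAG_RELATED_OPERATIONS = 0x00000004  # set on later members of a compound chain

SMB2_MAGIC = b"\xfeSMB"
# 64-byte synchronous header, little-endian: ProtocolId, StructureSize,
# CreditCharge, Status, Command, Credits, Flags, NextCommand, MessageId,
# ProcessId, TreeId, SessionId, Signature.
HDR = struct.Struct("<4sHHIHHIIQIIQ16s")


def parse_smb2_messages(frame):
    """Return a list of header dicts for every SMB2 message in one frame.

    `frame` starts with the 4-byte NetBIOS length prefix. Chained messages
    are found via NextCommand (offset from the current header, 8-aligned);
    a value of 0 ends the chain. Truncation or a bad magic raises ValueError.
    """
    if len(frame) < 4:
        raise ValueError("truncated NetBIOS header")
    nb_len = int.from_bytes(frame[1:4], "big")
    body = frame[4:4 + nb_len]
    if len(body) != nb_len:
        raise ValueError(f"NetBIOS length {nb_len}, only {len(body)} bytes present")
    msgs, off = [], 0
    while True:
        raw = body[off:off + HDR.size]
        if len(raw) < HDR.size:
            raise ValueError(f"truncated SMB2 header at offset {off}")
        (magic, ssize, _credit_charge, status, command, _credits, flags,
         next_cmd, msg_id, _pid, tree_id, session_id, _sig) = HDR.unpack(raw)
        if magic != SMB2_MAGIC or ssize != HDR.size:
            raise ValueError(f"not an SMB2 header at offset {off}")
        msgs.append({
            "offset": off, "command": command, "status": status,
            "message_id": msg_id, "tree_id": tree_id, "session_id": session_id,
            "is_response": bool(flags & FLAG_SERVER_TO_REDIR),
            "is_related": bool(flags & FLAG_RELATED_OPERATIONS),
        })
        if next_cmd == 0:
            break
        if next_cmd < HDR.size or next_cmd % 8 != 0:
            raise ValueError(f"bad NextCommand {next_cmd} at offset {off}")
        off += next_cmd
    return msgs


def pair_by_message_id(msgs):
    """Map MessageId -> (request, response); a missing side is None."""
    pairs = {}
    for m in msgs:
        req, resp = pairs.get(m["message_id"], (None, None))
        if m["is_response"]:
            resp = m
        else:
            req = m
        pairs[m["message_id"]] = (req, resp)
    return pairs


def summarize(frames):
    """One row per MessageId: (id, command name, has_req, has_resp, status)."""
    msgs = [m for f in frames for m in parse_smb2_messages(f)]
    rows = []
    for mid, (req, resp) in sorted(pair_by_message_id(msgs).items()):
        name = SMB2_COMMANDS.get((req or resp)["command"], "UNKNOWN")
        rows.append((mid, name, req is not None, resp is not None,
                     resp["status"] if resp else None))
    return rows


# --- constructed sample traffic (not from the pcap in the thread) ---------
def build_smb2(command, message_id, is_response=False, related=False,
               status=STATUS_SUCCESS, body=b"", next_offset=0):
    flags = (FLAG_SERVER_TO_REDIR if is_response else 0) | \
            (FLAG_RELATED_OPERATIONS if related else 0)
    return HDR.pack(SMB2_MAGIC, HDR.size, 1, status, command, 1, flags,
                    next_offset, message_id, 0xFEFF, 1, 0x1234, b"\0" * 16) + body


def netbios_frame(*parts):
    body = b"".join(parts)
    return b"\x00" + len(body).to_bytes(3, "big") + body


# A compound CREATE+CLOSE request and its compound response; each message is
# 64 header bytes plus an 8-byte placeholder body, so NextCommand is 72.
SAMPLE_REQUEST = netbios_frame(
    build_smb2(0x0005, 10, body=b"\x39\x00" + b"\0" * 6, next_offset=72),
    build_smb2(0x0006, 11, related=True, body=b"\x18\x00" + b"\0" * 6))
SAMPLE_RESPONSE = netbios_frame(
    build_smb2(0x0005, 10, is_response=True, body=b"\x59\x00" + b"\0" * 6, next_offset=72),
    build_smb2(0x0006, 11, is_response=True, related=True, body=b"\x3c\x00" + b"\0" * 6))

if __name__ == "__main__":
    for row in summarize([SAMPLE_REQUEST, SAMPLE_RESPONSE]):
        print(row)
```

<p dir="auto">Running it prints one row per MessageId with the command name, whether both directions were seen, and the response status; STATUS_SUCCESS shows as 0. Against a real capture you would feed it the TCP payload of each direction (for example as exported from Wireshark) and compare the row count with the number of smb_cmd.log entries, which narrows the question to whether the analyzer saw the messages at all or saw them and declined to log them.</p>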
</body>
</html>