[Bro] nfs analysis
muscletot at gmail.com
Mon Sep 24 10:39:20 PDT 2007
On 9/22/07, Christian Kreibich <christian at whoop.org> wrote:
> On Fri, 2007-09-21 at 17:25 -0700, Mike Wood wrote:
> > "Deficiency: Bro's notion of NFS is currently confined to just
> > knowledge of the existence of these services. It does not analyze the
> > particulars of different NFS operations."
> > I am trying to extract some NFS file access events from a trace and
> > cannot seem to get the nfs_request_* nfs_attempt_* event handlers to
> > trigger. Should I be able to?
> Hey Mike! I believe the documentation is once again misleading. :( Do
> you get nothing at all when you load nfs.bro?
Sadly, yes, I do not get any output from nfs.bro.
The tcpdump output for my trace looks like:
16:01:13.467628 IP client.host.name.4160508447 > server.host.name.nfs:
132 getattr [|nfs]
16:01:13.467879 IP server.host.name.nfs > client.host.name.4160508447:
reply ok 96 getattr DIR 40755 ids 10013/6007 sz 1024
16:01:13.467940 IP client.host.name.4177285663 > server.host.name.nfs:
148 lookup [|nfs]
16:01:13.468130 IP server.host.name.nfs > client.host.name.4177285663:
reply ok 128 lookup [|nfs]
So I would assume I have some valid NFS traffic there... but when I run
bro -r mytrace.pcap nfs.bro
I just get plenty of weird messages:
1190415715.190522 weird: bad_RPC
1190415715.190781 weird: unpaired_RPC_response
So, perhaps this is all the NFS traffic not getting recognized. Have
you seen this before?
I am running Bro 1.2.9... if that helps at all.
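One way to see what an "unpaired RPC response" means in practice, as an added example that is not part of this thread or of Bro's own RPC analyzer: a small Python script that pairs tcpdump's NFS call and reply lines by XID (the number tcpdump prints where the client port would normally be) and lists replies with no preceding call. The sample lines are constructed from the ones quoted above, joined back onto single lines, plus one extra reply whose XID never appears in a call.

```python
import re

# Constructed sample modelled on the tcpdump lines quoted in the post, each
# call/reply joined back onto one line. The last line is an added reply whose
# XID never appears as a call, to show what an unpaired reply looks like.
SAMPLE = """\
16:01:13.467628 IP client.host.name.4160508447 > server.host.name.nfs: 132 getattr [|nfs]
16:01:13.467879 IP server.host.name.nfs > client.host.name.4160508447: reply ok 96 getattr DIR 40755 ids 10013/6007 sz 1024
16:01:13.467940 IP client.host.name.4177285663 > server.host.name.nfs: 148 lookup [|nfs]
16:01:13.468130 IP server.host.name.nfs > client.host.name.4177285663: reply ok 128 lookup [|nfs]
16:01:13.468300 IP server.host.name.nfs > client.host.name.4177285664: reply ok 128 lookup [|nfs]
"""

# tcpdump prints the RPC XID in the position of the client port number
CALL = re.compile(r"^(\S+) IP (\S+)\.(\d+) > (\S+)\.nfs: (\d+) (\w+)")
REPLY = re.compile(r"^(\S+) IP (\S+)\.nfs > (\S+)\.(\d+): reply (\w+) (\d+) (\w+)")


def pair_rpc(text):
    """Walk tcpdump NFS lines in order, matching each reply to an earlier call by XID.

    Returns (paired, unpaired_replies, unanswered_calls); entries carry the
    procedure name and XID so mismatches can be checked by eye.
    """
    pending = {}            # xid -> (procedure, timestamp) still awaiting a reply
    paired, unpaired = [], []
    for line in text.splitlines():
        m = CALL.match(line)
        if m:
            ts, _client, xid, _server, _length, proc = m.groups()
            pending[xid] = (proc, ts)
            continue
        m = REPLY.match(line)
        if m:
            _ts, _server, _client, xid, status, _length, proc = m.groups()
            call = pending.pop(xid, None)
            if call is None:
                # reply whose call was never seen: the situation that a weird
                # named unpaired_RPC_response would point at in a trace
                unpaired.append((proc, xid, status))
            else:
                paired.append((call[0], xid, status))
    unanswered = [(proc, xid) for xid, (proc, _ts) in pending.items()]
    return paired, unpaired, unanswered


if __name__ == "__main__":
    paired, unpaired, unanswered = pair_rpc(SAMPLE)
    print(f"{len(paired)} paired, {len(unpaired)} unpaired replies, {len(unanswered)} unanswered calls")
    for proc, xid, status in unpaired:
        print(f"unpaired reply: {proc} xid={xid} status={status}")
```

Run it against `tcpdump -n` output from your own trace; if every reply pairs up here but Bro still reports unpaired_RPC_response, the problem is in what Bro parses rather than in the capture.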