[Bro-Dev] Bro SMB1 Issue in smb_cmd.log
Fernandez, Mark I
mfernandez at mitre.org
Fri Feb 23 07:09:47 PST 2018
Bro-Dev Group,
ISSUE: I encountered an issue where Bro is not logging some rather
significant SMB1 commands in the smb_cmd.log file. I understand that some
SMB commands are deliberately omitted from the log (such as Negotiate
Protocol, Session Setup, and Tree Connect); however, I observe that an
instance of NT Create and Delete are not being recorded. I also understand
that some SMB messages are deliberately omitted based on the status code;
but the status codes are STATUS_SUCCESS, so it should be logged. In this
particular traffic sample, there are more than 100+ SMB messages going back
and forth in the TCP stream, but only the first several are recorded in
smb_cmd.log, then it stops. Please help.
Bro Version:
I am using the Bro v2.5.1 docker image I pulled from the following URL:
https://hub.docker.com/r/rsmmr/hilti/
PCAP File:
I downloaded the "smbtorture" pcap file from the Wireshark public
repository, at the URL:
https://wiki.wireshark.org/SampleCaptures?action=AttachFile&do=get&target=smbtorture.cap.gz
The issue I observe corresponds to stream #1 extracted from the file above,
via filter: 'tcp.stream eq 1'. I attached a PCAP file containing stream #1
only.
PCAP Analysis of SMB Messages:
From the PCAP file, using Wireshark, the following sequence of SMB Messages
is observed (summarized below as Request & Response pairs):
(01) Negotiate Protocol Req & Resp
(02) Session Setup AndX Req & Resp [x2]
(03) Tree Connect AndX Req & Resp
(04) Delete Req & Resp [file \torture_qfileinfo.txt]
(05) NT Create AndX Req & Resp [fid 4000, file \torture_qfileinfo.txt]
(06) Write AndX Req & Resp
(07) Trans2 Req & Resp
(08) Set Information2 Req & Resp
(09) Query Information2 Req & Resp
(10) Query Information Req & Resp
(11) Query Information2 Req & Resp
(12) Trans2 Req & Resp [x57]
(13) Close Req & Resp [fid 4000]
(14) NT Create AndX Req & Resp [fid 4001, file TORTUR~1.TXT]
(15) Close Req & Resp [fid 4001]
(16) Delete Req & Resp [file \torture_qfileinfo.txt -> formerly fid 4000]
(17) Tree Disconnect
Bro Analysis of smb_cmd.log:
The Bro smb_cmd.log records events (04) - (10). I understand that events
(01) - (03) are deliberately omitted from the log, but I am concerned that
nothing is logged after event (10), Query Information Req & Resp.
I think this is an important issue because the smb_cmd.log fails to record
two significant events in this TCP stream:
(i) A second file is created in step (14)
(ii) The first file (created in step [05]) is deleted in step (16)
The SMB messages look well-formed in Wireshark. Nothing seems to be wrong.
The SMB status code is STATUS_SUCCESS for the requests and the responses, so
it should be logged.
Artifacts:
Attached are the following artifacts to help you reproduce the issue:
(a) ws_smbtorture_stream001.pcap (pcap of stream #1 only)
(b) test.bro script
(c) smb_cmd.log
(d) smb_files.log
(e) files.log
(f) conn.log
(g) packet_filter.log
Not sure what is going wrong. Please help.
Cheers,
Mark
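One way to narrow down where the gap in smb_cmd.log arises is to log every SMB1 header the analyzer actually raises, independently of the filtering the smb_cmd.log policy applies. The script below is an added diagnostic written for this report; it is not part of Bro or of the attached test.bro. It assumes the Bro 2.5 `smb1_message` event with its `SMB1::Header` record, and the `SMB1::commands` and `SMB::statuses` lookup tables from base/protocols/smb/consts.bro; the stream name `smb1_trace` is an arbitrary choice.

```bro
# Added diagnostic (not part of Bro): write one line per SMB1 message the
# analyzer parses, so the raw command sequence can be compared against
# the request/response list obtained from Wireshark.
@load base/protocols/smb

module SMB1Trace;

export {
	redef enum Log::ID += { LOG };

	type Info: record {
		ts:      time   &log;
		uid:     string &log;
		is_orig: bool   &log;   # T = request (client side), F = response
		command: string &log;   # e.g. SMB_COM_NT_CREATE_ANDX
		status:  string &log;   # e.g. STATUS_SUCCESS
		mid:     count  &log;   # multiplex id, pairs requests with responses
	};
}

event bro_init()
	{
	# Assumed output path: smb1_trace.log in the working directory.
	Log::create_stream(LOG, [$columns=Info, $path="smb1_trace"]);
	}

# Map the one-byte command code to its name; fall back to the raw code
# so an unrecognized command is still visible rather than dropped.
function cmd_name(code: count): string
	{
	if ( code in SMB1::commands )
		return SMB1::commands[code];
	return fmt("UNKNOWN_0x%02x", code);
	}

# Map the NT status code to its symbolic name (assumes SMB::statuses
# holds records with an $id field, as in base/protocols/smb/consts.bro).
function status_name(code: count): string
	{
	if ( code in SMB::statuses )
		return SMB::statuses[code]$id;
	return fmt("0x%08x", code);
	}

# Fires for every parsed SMB1 header, before any smb_cmd.log policy
# decides whether the command is worth logging.
event smb1_message(c: connection, hdr: SMB1::Header, is_orig: bool)
	{
	Log::write(LOG, [$ts=network_time(), $uid=c$uid, $is_orig=is_orig,
	                 $command=cmd_name(hdr$command),
	                 $status=status_name(hdr$status),
	                 $mid=hdr$mid]);
	}
```

Run it against the attached capture with `bro -r ws_smbtorture_stream001.pcap smb1_trace.bro` and compare smb1_trace.log with the 17-step list above. If the later NT Create AndX, Close and Delete messages appear in smb1_trace.log with STATUS_SUCCESS but not in smb_cmd.log, the parser saw them and the omission lies in the smb_cmd.log policy; if smb1_trace.log also stops after step (10), the analyzer stopped parsing the stream at that point, which points at the Trans2 or Query Information handling rather than at the logging script.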
-------------- next part --------------
A non-text attachment was scrubbed...
Name: ws_smbtorture_stream001.pcap
Type: application/octet-stream
Size: 27117 bytes
Desc: not available
Url : http://mailman.icsi.berkeley.edu/pipermail/bro-dev/attachments/20180223/b8b29f80/attachment-0007.obj
-------------- next part --------------
A non-text attachment was scrubbed...
Name: test.bro
Type: application/octet-stream
Size: 105 bytes
Desc: not available
Url : http://mailman.icsi.berkeley.edu/pipermail/bro-dev/attachments/20180223/b8b29f80/attachment-0008.obj
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smb_cmd.log
Type: application/octet-stream
Size: 2829 bytes
Desc: not available
Url : http://mailman.icsi.berkeley.edu/pipermail/bro-dev/attachments/20180223/b8b29f80/attachment-0009.obj
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smb_files.log
Type: application/octet-stream
Size: 582 bytes
Desc: not available
Url : http://mailman.icsi.berkeley.edu/pipermail/bro-dev/attachments/20180223/b8b29f80/attachment-0010.obj
-------------- next part --------------
A non-text attachment was scrubbed...
Name: files.log
Type: application/octet-stream
Size: 726 bytes
Desc: not available
Url : http://mailman.icsi.berkeley.edu/pipermail/bro-dev/attachments/20180223/b8b29f80/attachment-0011.obj
-------------- next part --------------
A non-text attachment was scrubbed...
Name: conn.log
Type: application/octet-stream
Size: 646 bytes
Desc: not available
Url : http://mailman.icsi.berkeley.edu/pipermail/bro-dev/attachments/20180223/b8b29f80/attachment-0012.obj
-------------- next part --------------
A non-text attachment was scrubbed...
Name: packet_filter.log
Type: application/octet-stream
Size: 253 bytes
Desc: not available
Url : http://mailman.icsi.berkeley.edu/pipermail/bro-dev/attachments/20180223/b8b29f80/attachment-0013.obj