[Bro-Dev] Bro SMB1 Issue in smb_cmd.log

Seth Hall seth at corelight.com
Fri Feb 23 15:06:53 PST 2018


This is probably a bug.  That smb torture pcap is a notoriously bad 
example (although it does exhibit some far, far edge case type of 
behavior).  I deliberately did not use that pcap as an example while I 
was writing the SMB analyzer because it sent me down a lot of rabbit 
holes that didn't provide much benefit for the first run at the SMB 
analyzer.

If you identify the bug, please report back.  My experience is that just 
running down these bugs to the exact failure can take quite a while.

   .Seth

On 23 Feb 2018, at 10:09, Fernandez, Mark I wrote:

> Bro-Dev Group,
>
> ISSUE: I encountered an issue where Bro is not logging some rather
> significant SMB1 commands in the smb_cmd.log file.  I understand that some
> SMB commands are deliberately omitted from the log (such as Negotiate
> Protocol, Session Setup, and Tree Connect); however, I observe that an
> instance of NT Create and Delete are not being recorded.  I also understand
> that some SMB messages are deliberately omitted based on the status code;
> but the status codes are STATUS_SUCCESS, so it should be logged.  In this
> particular traffic sample, there are more than 100 SMB messages going back
> and forth in the TCP stream, but only the first several are recorded in
> smb_cmd.log, then it stops.  Please help.
>
> Bro Version:
> I am using the Bro v2.5.1 docker image I pulled from the following URL:
> https://hub.docker.com/r/rsmmr/hilti/
>
>
> PCAP File:
> I downloaded the "smbtorture" pcap file from the Wireshark public
> repository, at the URL:
>
> https://wiki.wireshark.org/SampleCaptures?action=AttachFile&do=get&target=sm
> btorture.cap.gz
>
> The issue I observe corresponds to stream #1 extracted from the file above,
> via filter: 'tcp.stream eq 1'.  I attached a PCAP file containing stream #1
> only.
>
>
> PCAP Analysis of SMB Messages:
> From the PCAP file, using Wireshark, the following sequence of SMB Messages
> are observed (summarized below as Request & Response pairs):
>
>                 (01) Negotiate Protocol Req & Resp
>                 (02) Session Setup AndX Req & Resp [x2]
>                 (03) Tree Connect AndX Req & Resp
>                 (04) Delete Req & Resp [file \torture_qfileinfo.txt]
>                 (05) NT Create AndX Req & Resp [fid 4000, file \torture_qfileinfo.txt]
>                 (06) Write AndX Req & Resp
>                 (07) Trans2 Req & Resp
>                 (08) Set Information2 Req & Resp
>                 (09) Query Information2 Req & Resp
>                 (10) Query Information Req & Resp
>                 (11) Query Information2 Req & Resp
>                 (12) Trans2 Req & Resp [x57]
>                 (13) Close Req & Resp [fid 4000]
>                 (14) NT Create AndX Req & Resp [fid 4001, file TORTUR~1.TXT]
>                 (15) Close Req & Resp [fid 4001]
>                 (16) Delete Req & Resp [file \torture_qfileinfo.txt -> formerly fid 4000]
>                 (17) Tree Disconnect
>
>
> Bro Analysis of smb_cmd.log:
> The Bro smb_cmd.log records events (04) - (10).  I understand that events
> (01) - (03) are deliberately omitted from the log, but I am concerned that
> nothing is logged after event (10), Query Information Req & Resp.
>
> I think this is an important issue because the smb_cmd.log fails to record
> two significant events in this TCP stream:
>                 (i) A second file is created in step (14)
>                 (ii) The first file (created in step [05]) is deleted in step (16)
>
> The SMB messages look well-formed in Wireshark.  Nothing seems to be wrong.
> The SMB status code is STATUS_SUCCESS for the requests and the responses, so
> it should be logged.
>
>
> Artifacts:
> Attached are the following artifacts to help you reproduce the issue:
>                 (a) ws_smbtorture_stream001.pcap (pcap of stream #1 only)
>                 (b) test.bro script
>                 (c) smb_cmd.log
>                 (d) smb_files.log
>                 (e) files.log
>                 (f) conn.log
>                 (g) packet_filter.log
>
>
> Not sure what is going wrong.  Please help.
>
> Cheers,
> Mark


> _______________________________________________
> bro-dev mailing list
> bro-dev at bro.org
> http://mailman.icsi.berkeley.edu/mailman/listinfo/bro-dev

--
Seth Hall * Corelight, Inc * www.corelight.com
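To narrow down a report like the one above (smb_cmd.log stopping part-way through a stream whose status codes are all STATUS_SUCCESS), it helps to separate two possible causes: the analyzer stops delivering SMB1 messages, or the logging policy drops them. The script below is an added diagnostic, not code from the thread or from the Bro project; it assumes Bro 2.5's smb1_message event, the SMB1::Header record and the SMB1::commands name table, and writes every raw SMB1 header to its own log so the count can be compared against smb_cmd.log for the same connection.

```bro
# Added diagnostic (not part of the original report). Logs every SMB1 header
# the analyzer delivers, bypassing the smb_cmd.log filtering policy, so that
# "no event" can be told apart from "event seen but not logged".
# Assumes: event smb1_message(c, hdr: SMB1::Header, is_orig) and the
# SMB1::commands table from Bro 2.5's base/protocols/smb scripts.
@load base/protocols/smb

module SMB1Trace;

export {
	redef enum Log::ID += { LOG };

	type Info: record {
		ts:      time   &log;   # network time of the message
		uid:     string &log;   # connection uid, joins with conn.log / smb_cmd.log
		is_orig: bool   &log;   # T = request from client, F = response
		command: string &log;   # decoded SMB1 command name, e.g. NT_CREATE_ANDX
		status:  count  &log;   # raw NT status; 0 is STATUS_SUCCESS
		mid:     count  &log;   # multiplex id, pairs request with response
	};
}

# Number of SMB1 messages the analyzer delivered per connection.
global seen: table[string] of count &default=0;

event bro_init()
	{
	Log::create_stream(LOG, [$columns=Info, $path="smb1_trace"]);
	}

event smb1_message(c: connection, hdr: SMB1::Header, is_orig: bool)
	{
	++seen[c$uid];
	Log::write(LOG, [$ts=network_time(), $uid=c$uid, $is_orig=is_orig,
	                 $command=SMB1::commands[hdr$command],
	                 $status=hdr$status, $mid=hdr$mid]);
	}

event connection_state_remove(c: connection)
	{
	# If this count stops well before the message count Wireshark shows,
	# the analyzer itself gave up on the stream rather than the log policy.
	if ( c$uid in seen )
		print fmt("%s: %d SMB1 messages delivered by the analyzer", c$uid, seen[c$uid]);
	}
```

Run it as `bro -r ws_smbtorture_stream001.pcap smb1_trace.bro` and compare the number of smb1_trace.log rows with the SMB message count seen in Wireshark and with the rows in smb_cmd.log: a shortfall in smb1_trace.log points at the parser, while a full trace with a short smb_cmd.log points at the logging scripts.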