[Bro] Crash on SMB Analyzer - Tree Connect AndX

Mike Kolkebeck mkolkebeck at gmail.com
Wed Nov 28 21:33:53 PST 2012 

On Nov 28, 2012, at 10:35 PM, Seth Hall <seth at icir.org> wrote:

> 
> On Nov 28, 2012, at 10:29 PM, Mike Kolkebeck <mkolkebeck at gmail.com> wrote:
> 
>> Is this a known bug?  Does anyone know of another event that would be better suited for identifying the share name, or is there any other easy workaround for this event?
> 
> There has been a lot of rework done on the smb analyzer that hasn't been released yet.  I know that I fixed a lot of bugs existing in the existing analyzer you're working with.  Unfortunately there probably isn't much of a way around the problem you're running into unless you want to try my in-progress branch.

If I use your in-progress branch, would this impact other Bro functionality, or could I isolate the update to just smb analyzer functionality?

> I assume you've written all of the scripts to enable the SMB analyzer and add the c$smb field?

Yes, I followed a few of the base protocol bro scripts as a guide, mostly leveraging the start of the SSH analyzer scripts.

> Would you be interested in putting the scripts up somewhere?

It's still a crude work in progress, but here is the full bro script that I'm currently using:
------

##! Custom SMB analysis script.

@load base/frameworks/notice
@load base/utils/site
@load base/utils/thresholds
@load base/utils/conn-ids
@load base/utils/directions-and-hosts

module SMB;

export {
	## The SMB protocol logging stream identifier.
	redef enum Log::ID += { LOG };

	type Info: record {
		## Time when the SMB connection began.
		ts:		time		&log;
		## Unique ID for the connection.
		uid:		string		&log;
		## The connection's 4-tuple of endpoint addresses/ports.
		id:		conn_id		&log;
		## The connection's smb_hdr variables
		status:		count		&log &optional;
		smb_flags:	count		&log &optional;
		smb_flags2:	count		&log &optional;
		## The connection's tree path (at the share level)
		smb_share:	string		&log &optional;
		## SMB path (past the share level)
		smb_path:	string		&log &default="\\";
	};

	global paths: set[string];
}

const smbports = {
	135/tcp, 137/tcp, 138/tcp, 139/tcp, 445/tcp
};

# Configure DPD and the packet filter
redef capture_filters += {
	["msrpc"] = "tcp port 135",
	["netbios-ns"] = "tcp port 137",
	["netbios-ds"] = "tcp port 138",
	["netbios"] = "tcp port 139",
	["smb"] = "tcp port 445",
};
redef dpd_config += { [ANALYZER_SMB] = [$ports = smbports] };
redef likely_server_ports += { 445/tcp };

redef record connection += {
	smb: Info &optional;
};

event bro_init() &priority=5
	{
	Log::create_stream(SMB::LOG, [$columns=Info]);
	}

function set_session(c: connection, hdr: smb_hdr)
	{
	if ( ! c?$smb )
	{
		c$smb = [$ts=network_time(), $id=c$id, $uid=c$uid];
		c$smb$status = hdr$status;
		c$smb$smb_flags = hdr$flags;
		c$smb$smb_flags2 = hdr$flags2;
	}
	}

event smb_com_tree_connect_andx(c: connection, hdr: smb_hdr, path: string, service: string) &priority=5
	{
	set_session(c,hdr);
	local path_name = escape_string(path);
	c$smb$smb_share = path_name;
	}

event smb_com_nt_create_andx(c: connection, hdr: smb_hdr, name: string) &priority=0
	{
	set_session(c,hdr);

	c$smb$ts=network_time();

	# If the path has changed, then log the new name, otherwise skip it (may need to revisit)
	if ( name !in paths )
	{
		add paths[name];
		c$smb$smb_path = gsub(name,/ /,"%20");
		Log::write(SMB::LOG, c$smb);
	}
	}

---------

Thanks!
Mike
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20121128/a749d2e6/attachment.html

More information about the Bro mailing list