[Bro] Crash on SMB Analyzer - Tree Connect AndX

Wed Nov 28 21:46:19 PST 2012

I like what I'm seeing on this new SMB work!

On Wed, Nov 28, 2012 at 11:33 PM, Mike Kolkebeck <mkolkebeck at gmail.com>wrote:

>
> On Nov 28, 2012, at 10:35 PM, Seth Hall <seth at icir.org> wrote:
>
>
> On Nov 28, 2012, at 10:29 PM, Mike Kolkebeck <mkolkebeck at gmail.com> wrote:
>
> Is this a known bug?  Does anyone know of another event that would be
> better suited for identifying the share name, or is there any other easy
> workaround for this event?
>
>
> There has been a lot of rework done on the smb analyzer that hasn't been
> released yet.  I know that I fixed a lot of bugs existing in the existing
> analyzer you're working with.  Unfortunately there probably isn't much of a
> way around the problem you're running into unless you want to try my
> in-progress branch.
>
>
> If I use your in-progress branch, would this impact other Bro
> functionality, or could I isolate the update to just smb analyzer
> functionality?
>
> I assume you've written all of the scripts to enable the SMB analyzer and
> add the c$smb field?
>
>
> Yes, I followed a few of the base protocol bro scripts as a guide, mostly
> leveraging the start of the SSH analyzer scripts.
>
> Would you be interested in putting the scripts up somewhere?
>
>
> It's still a crude work in progress, but here is the full bro script that
> I'm currently using:
> ------
>
> ##! Custom SMB analysis script.
>
> @load base/frameworks/notice
> @load base/utils/site
> @load base/utils/thresholds
> @load base/utils/conn-ids
> @load base/utils/directions-and-hosts
>
> module SMB;
>
> export {
> ## The SMB protocol logging stream identifier.
>  redef enum Log::ID += { LOG };
>
>  type Info: record {
> ## Time when the SMB connection began.
>  ts: time &log;
>  ## Unique ID for the connection.
>  uid: string &log;
>  ## The connection's 4-tuple of endpoint addresses/ports.
> id: conn_id &log;
>  ## The connection's smb_hdr variables
>  status: count &log &optional;
>  smb_flags: count &log &optional;
>  smb_flags2: count &log &optional;
>  ## The connection's tree path (at the share level)
> smb_share: string &log &optional;
>  ## SMB path (past the share level)
>  smb_path: string &log &default="\\";
>  };
>
>  global paths: set[string];
> }
>
> const smbports = {
> 135/tcp, 137/tcp, 138/tcp, 139/tcp, 445/tcp
> };
>
> # Configure DPD and the packet filter
> redef capture_filters += {
>  ["msrpc"] = "tcp port 135",
> ["netbios-ns"] = "tcp port 137",
>  ["netbios-ds"] = "tcp port 138",
>  ["netbios"] = "tcp port 139",
> ["smb"] = "tcp port 445",
> };
> redef dpd_config += { [ANALYZER_SMB] = [$ports = smbports] };
> redef likely_server_ports += { 445/tcp };
>
> redef record connection += {
> smb: Info &optional;
> };
>
> event bro_init() &priority=5
> {
>  Log::create_stream(SMB::LOG, [$columns=Info]);
> }
>
> function set_session(c: connection, hdr: smb_hdr)
>  {
> if ( ! c?$smb )
>  {
> c$smb = [$ts=network_time(), $id=c$id, $uid=c$uid];
>  c$smb$status = hdr$status;
>  c$smb$smb_flags = hdr$flags;
> c$smb$smb_flags2 = hdr$flags2;
>  }
>  }
>
> event smb_com_tree_connect_andx(c: connection, hdr: smb_hdr, path: string,
> service: string) &priority=5
> {
>  set_session(c,hdr);
>  local path_name = escape_string(path);
> c$smb$smb_share = path_name;
>  }
>
> event smb_com_nt_create_andx(c: connection, hdr: smb_hdr, name: string)
> &priority=0
>  {
> set_session(c,hdr);
>
> c$smb$ts=network_time();
>
> # If the path has changed, then log the new name, otherwise skip it (may
> need to revisit)
>  if ( name !in paths )
>  {
> add paths[name];
>  c$smb$smb_path = gsub(name,/ /,"%20");
> Log::write(SMB::LOG, c$smb);
>  }
> }
>
> ---------
>
> Thanks!
> Mike
>
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20121128/e632a503/attachment.html 