[Bro] SMB2 module

Danilo Nicolò dani.nicolo at gmail.com
Thu Mar 19 08:48:12 PDT 2015


Hi Seth,

I'm a colleague of Vito and I'm trying to customize Bro with the SMB2 protocol
analyzer.
I have got the latest version from GitHub and merged it with the SMB2 version
taken from the Vladg topic branch; I've tried to run broctl after the merge, but
Bro later crashes due to a SIGBUS.
I've substituted src/analyzer/protocol/smb, src/analyzer/protocol/netbios,
init-bare.bro and init-default.bro from the SMB2 version into the master version.
Below is a snippet taken from "./broctl diag":

Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Core was generated by `/usr/local/bro/bin/bro -i eth0 -U .status -p broctl
-p broctl-live -p standalon'.
Program terminated with signal SIGBUS, Bus error.
#0  0x0000000000816193 in Serializer::Write (this=0x7fffc052fd00, v=35329,
tag=0xb7a68f "stype") at /home/danko/bro/src/Serializer.h:57
57 DECLARE_IO(uint16)
.
.
.
Thread 1 (Thread 0x7f3337201780 (LWP 22674)):
#0  0x0000000000816193 in Serializer::Write (this=0x7fffc052fd00, v=35329,
tag=0xb7a68f "stype") at /home/danko/bro/src/Serializer.h:57
#1  0x0000000000815fdc in SerialObj::DoSerialize (this=0x2b2bf00,
info=0x7fffc052fd60) at /home/danko/bro/src/SerialObj.cc:268
#2  0x00000000007df8f6 in BroObj::DoSerialize (this=0x2b2bf00,
info=0x7fffc052fd60) at /home/danko/bro/src/Obj.cc:226
#3  0x0000000000843002 in BroType::DoSerialize (this=0x2b2bf00,
info=0x7fffc052fd60) at /home/danko/bro/src/Type.cc:283
#4  0x000000000081585b in SerialObj::Serialize (this=0x2b2bf00,
info=0x7fffc052fd60) at /home/danko/bro/src/SerialObj.cc:121
#5  0x0000000000842cce in BroType::Serialize (this=0x2b2bf00,
info=0x7fffc052fd60) at /home/danko/bro/src/Type.cc:212
#6  0x00000000008438ec in TypeList::DoSerialize (this=0x2b402e0,
info=0x7fffc052fd60) at /home/danko/bro/src/Type.cc:392
#7  0x000000000081585b in SerialObj::Serialize (this=0x2b402e0,
info=0x7fffc052fd60) at /home/danko/bro/src/SerialObj.cc:121
.
.
.
#81382 0x0000000000837f2a in ForStmt::DoExec (this=0x4c90610, f=0x6e5d9c0,
v=0x740a610, flow=@0x7fffc0530080: FLOW_NEXT) at
/home/danko/bro/src/Stmt.cc:1358
#81383 0x0000000000833db1 in ExprStmt::Exec (this=0x4c90610, f=0x6e5d9c0,
flow=@0x7fffc0530080: FLOW_NEXT) at /home/danko/bro/src/Stmt.cc:373
#81384 0x0000000000839969 in StmtList::Exec (this=0x4c8f850, f=0x6e5d9c0,
flow=@0x7fffc0530080: FLOW_NEXT) at /home/danko/bro/src/Stmt.cc:1764
#81385 0x0000000000839969 in StmtList::Exec (this=0x4c93a60, f=0x6e5d9c0,
flow=@0x7fffc0530080: FLOW_NEXT) at /home/danko/bro/src/Stmt.cc:1764
#81386 0x00000000007a4828 in BroFunc::Call (this=0x4974a80, args=0x5acc3c0,
parent=0x0) at /home/danko/bro/src/Func.cc:403
#81387 0x000000000077d5a4 in EventHandler::Call (this=0x49ae420,
vl=0x5acc3c0, no_remote=false) at /home/danko/bro/src/EventHandler.cc:130
#81388 0x0000000000731ff1 in Event::Dispatch (this=0x70daec0,
no_remote=false) at /home/danko/bro/src/Event.h:50
#81389 0x000000000077ccdd in EventMgr::Dispatch (this=0xf65e60 <mgr>) at
/home/danko/bro/src/Event.cc:111
#81390 0x000000000077cde8 in EventMgr::Drain (this=0xf65e60 <mgr>) at
/home/danko/bro/src/Event.cc:128
#81391 0x00000000007dbfa7 in net_run () at /home/danko/bro/src/Net.cc:374
#81392 0x000000000073105c in main (argc=19, argv=0x7fffc05309b8) at
/home/danko/bro/src/main.cc:1212

==== No reporter.log

==== stderr.log
listening on eth0, capture length 8192 bytes

send-mail: SENDMAIL-NOTFOUND not found
/usr/local/bro/share/broctl/scripts/run-bro: line 100: 22674 Bus error
          (core dumped) nohup "$mybro" "$@"

==== stdout.log
max memory size         (kbytes, -m) unlimited
data seg size           (kbytes, -d) unlimited
virtual memory          (kbytes, -v) unlimited
core file size          (blocks, -c) unlimited

==== .cmdline
-i eth0 -U .status -p broctl -p broctl-live -p standalone -p local -p bro
local.bro broctl broctl/standalone broctl/auto

==== .env_vars
PATH=/usr/local/bro/bin:/usr/local/bro/share/broctl/scripts:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games
BROPATH=/usr/local/bro/spool/installed-scripts-do-not-touch/site::/usr/local/bro/spool/installed-scripts-do-not-touch/auto:/usr/local/bro/share/bro:/usr/local/bro/share/bro/policy:/usr/local/bro/share/bro/site
CLUSTER_NODE=

==== .status
RUNNING [net_run]

==== No prof.log

==== No packet_filter.log

==== No loaded_scripts.log

I've also pasted the gdb log:

[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Core was generated by `/usr/local/bro/bin/bro -i eth0 -U .status -p broctl
-p broctl-live -p standalon'.
Program terminated with signal SIGBUS, Bus error.
#0  0x0000000000816193 in Serializer::Write (this=0x7fffc052fd00, v=35329,
tag=0xb7a68f "stype") at /home/danko/bro/src/Serializer.h:57
57 DECLARE_IO(uint16)
(gdb) p *this
$1 = {_vptr.Serializer = 0xb83010 <vtable for CloneSerializer+16>, static
MAGIC = 1112691540, static DATA_FORMAT_VERSION = 25, io = 0x0, format =
0x73af900, current_cache = 0x0, error_descr = 0x0}
(gdb) up
#1  0x0000000000815fdc in SerialObj::DoSerialize (this=0x2b2bf00,
info=0x7fffc052fd60) at /home/danko/bro/src/SerialObj.cc:268
268 bool ret = SERIALIZE(stype);
(gdb) p *this
$2 = {_vptr.SerialObj = 0xb82f70 <vtable for BroType+16>, static NEVER = 0,
static ALWAYS = 1, static factories = 0x2a8f1c0, static names = 0x2a8f200,
static time_counter = 3480072, serial_type = 51713}
(gdb) up
#2  0x00000000007df8f6 in BroObj::DoSerialize (this=0x2b2bf00,
info=0x7fffc052fd60) at /home/danko/bro/src/Obj.cc:226
226 DO_SERIALIZE(SER_BRO_OBJ, SerialObj);
(gdb)

Although Bro crashes, the module seems to work fine: in fact, within a few
minutes after I ran it, I can see the smb log files.


Do you have any idea about this error?

Kind regards,

Danilo


2015-03-10 6:33 GMT+01:00 Seth Hall <seth at icir.org>:

>
> > On Mar 9, 2015, at 9:58 AM, Vito Logrillo <vitologrillo at gmail.com>
> wrote:
> >
> > The link above seems connected to a previous Bro version: is an updated
> > version present? If not, will SMB2 be implemented in the next
> > releases? When?
>
> SMB will not be making it into the 2.4 release.  It’s still too unstable.
> That branch you pointed to however is very old and no longer represents the
> current development state of the SMB analyzer.  Probably the most up to
> date code today is in topic/vladg/smb but we know of a number of issues in
> that still.
>
> https://github.com/bro/bro/tree/topic/vladg/smb/src/analyzer/protocol/smb
>
> > Due to our requirements, we think to make that module from scratch if
> > anyone is working on; otherwise, can we take part to your team for the
> > development and testing of that module?
>
> SMB might be a larger task than you wish it were.  There are quite a
> number of dead ends and problems that you discover as you dig into the
> protocol more and more.  If you have spare development cycles and qualified
> developers, we’re certainly willing to talk. :)
>
> Thanks,
>   .Seth
>
> --
> Seth Hall
> International Computer Science Institute
> (Bro) because everyone has a network
> http://www.bro.org/
>
>
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>