[Bro] SMB2 module

Vlad Grigorescu vlad at grigorescu.org
Fri Mar 20 10:46:20 PDT 2015


Hi Danilo,

One of the bottlenecks of SMB development has been a lack of real-world
testing, so I'd definitely appreciate any bugs or feedback you run into.

On Thu, Mar 19, 2015 at 10:48 AM, Danilo Nicolò <dani.nicolo at gmail.com>
wrote:

> I've substituted src/analyzer/protocol/smb, src/analyzer/protocol/netbios,
> init-bare.bro and init-default.bro from SMB2 version to master version.
>

I don't quite understand this - can you elaborate on what specifically you
did here? If you did the git merge topic/vladg/smb, that should replace
everything for you. Were you seeing merge conflicts? I can get those
cleaned up, if so.


> Thread 1 (Thread 0x7f3337201780 (LWP 22674)):
> #0  0x0000000000816193 in Serializer::Write (this=0x7fffc052fd00, v=35329,
> tag=0xb7a68f "stype") at /home/danko/bro/src/Serializer.h:57
> #1  0x0000000000815fdc in SerialObj::DoSerialize (this=0x2b2bf00,
> info=0x7fffc052fd60) at /home/danko/bro/src/SerialObj.cc:268
> #2  0x00000000007df8f6 in BroObj::DoSerialize (this=0x2b2bf00,
> info=0x7fffc052fd60) at /home/danko/bro/src/Obj.cc:226
> #3  0x0000000000843002 in BroType::DoSerialize (this=0x2b2bf00,
> info=0x7fffc052fd60) at /home/danko/bro/src/Type.cc:283
> #4  0x000000000081585b in SerialObj::Serialize (this=0x2b2bf00,
> info=0x7fffc052fd60) at /home/danko/bro/src/SerialObj.cc:121
> #5  0x0000000000842cce in BroType::Serialize (this=0x2b2bf00,
> info=0x7fffc052fd60) at /home/danko/bro/src/Type.cc:212
> #6  0x00000000008438ec in TypeList::DoSerialize (this=0x2b402e0,
> info=0x7fffc052fd60) at /home/danko/bro/src/Type.cc:392
> #7  0x000000000081585b in SerialObj::Serialize (this=0x2b402e0,
> info=0x7fffc052fd60) at /home/danko/bro/src/SerialObj.cc:121
> ...
> #81382 0x0000000000837f2a in ForStmt::DoExec (this=0x4c90610, f=0x6e5d9c0,
> v=0x740a610, flow=@0x7fffc0530080: FLOW_NEXT) at
> /home/danko/bro/src/Stmt.cc:1358
> #81383 0x0000000000833db1 in ExprStmt::Exec (this=0x4c90610, f=0x6e5d9c0,
> flow=@0x7fffc0530080: FLOW_NEXT) at /home/danko/bro/src/Stmt.cc:373
> #81384 0x0000000000839969 in StmtList::Exec (this=0x4c8f850, f=0x6e5d9c0,
> flow=@0x7fffc0530080: FLOW_NEXT) at /home/danko/bro/src/Stmt.cc:1764
> #81385 0x0000000000839969 in StmtList::Exec (this=0x4c93a60, f=0x6e5d9c0,
> flow=@0x7fffc0530080: FLOW_NEXT) at /home/danko/bro/src/Stmt.cc:1764
> #81386 0x00000000007a4828 in BroFunc::Call (this=0x4974a80,
> args=0x5acc3c0, parent=0x0) at /home/danko/bro/src/Func.cc:403
> #81387 0x000000000077d5a4 in EventHandler::Call (this=0x49ae420,
> vl=0x5acc3c0, no_remote=false) at /home/danko/bro/src/EventHandler.cc:130
> #81388 0x0000000000731ff1 in Event::Dispatch (this=0x70daec0,
> no_remote=false) at /home/danko/bro/src/Event.h:50
> #81389 0x000000000077ccdd in EventMgr::Dispatch (this=0xf65e60 <mgr>) at
> /home/danko/bro/src/Event.cc:111
> #81390 0x000000000077cde8 in EventMgr::Drain (this=0xf65e60 <mgr>) at
> /home/danko/bro/src/Event.cc:128
> #81391 0x00000000007dbfa7 in net_run () at /home/danko/bro/src/Net.cc:374
> #81392 0x000000000073105c in main (argc=19, argv=0x7fffc05309b8) at
> /home/danko/bro/src/main.cc:1212
>

I've seen errors similar to this before, but I'm not sure it's related to
SMB. Usually the cause of this is that Bro can't do DNS queries (there are
a few scripts that do reverse lookups). Do you see the same behavior if you
run git/master on this system (with no SMB changes)?

Thanks,

  --Vlad
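To triage a report like the one quoted above (a backtrace that runs past frame #81392), here is an added Python example, not code from this thread or from Bro itself: it parses gdb `bt` output, reports the total frame depth and the most frequent functions, and flags the trace as runaway recursion above an assumed depth threshold. The embedded input is a constructed excerpt of the frames quoted in the report.

```python
import re
from collections import Counter

# Constructed sample: a handful of the frames quoted in the report. gdb wraps
# long argument lists onto a continuation line that does not start with '#'.
SAMPLE_BT = """\
#0  0x0000000000816193 in Serializer::Write (this=0x7fffc052fd00, v=35329,
tag=0xb7a68f "stype") at /home/danko/bro/src/Serializer.h:57
#1  0x0000000000815fdc in SerialObj::DoSerialize (this=0x2b2bf00,
info=0x7fffc052fd60) at /home/danko/bro/src/SerialObj.cc:268
#2  0x00000000007df8f6 in BroObj::DoSerialize (this=0x2b2bf00,
info=0x7fffc052fd60) at /home/danko/bro/src/Obj.cc:226
#3  0x0000000000843002 in BroType::DoSerialize (this=0x2b2bf00,
info=0x7fffc052fd60) at /home/danko/bro/src/Type.cc:283
#4  0x000000000081585b in SerialObj::Serialize (this=0x2b2bf00,
info=0x7fffc052fd60) at /home/danko/bro/src/SerialObj.cc:121
#5  0x0000000000842cce in BroType::Serialize (this=0x2b2bf00,
info=0x7fffc052fd60) at /home/danko/bro/src/Type.cc:212
#6  0x00000000008438ec in TypeList::DoSerialize (this=0x2b402e0,
info=0x7fffc052fd60) at /home/danko/bro/src/Type.cc:392
#7  0x000000000081585b in SerialObj::Serialize (this=0x2b402e0,
info=0x7fffc052fd60) at /home/danko/bro/src/SerialObj.cc:121
#81391 0x00000000007dbfa7 in net_run () at /home/danko/bro/src/Net.cc:374
#81392 0x000000000073105c in main (argc=19, argv=0x7fffc05309b8) at
/home/danko/bro/src/main.cc:1212
"""

# A gdb frame line: "#<n>  [0x<addr> in ]<function> (<args>...".
FRAME_RE = re.compile(r"^#(\d+)\s+(?:0x[0-9a-f]+ in )?(\S+) \(")

def parse_frames(bt):
    """Return [(frame_no, function), ...]; continuation lines are skipped."""
    frames = []
    for line in bt.splitlines():
        m = FRAME_RE.match(line)
        if m:
            frames.append((int(m.group(1)), m.group(2)))
    return frames

def summarize(bt):
    """Depth is taken from the highest frame number, so a truncated ('...')
    dump still reports how deep the stack really was."""
    frames = parse_frames(bt)
    depth = max(n for n, _ in frames) + 1 if frames else 0
    funcs = Counter(fn for _, fn in frames)
    return {"depth": depth, "parsed": len(frames), "top": funcs.most_common(3)}

def is_runaway(bt, threshold=10000):
    """Assumed heuristic: no sane Bro script stack is this deep."""
    return summarize(bt)["depth"] > threshold
```

Feeding the full dump (not just the excerpt) to `summarize` shows which functions dominate the repeating part of the stack, which is what you would compare against a run of git/master without the SMB changes.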