[Bro] SMB2 module

Vlad Grigorescu vlad at grigorescu.org
Fri Mar 20 12:08:38 PDT 2015


Please try to keep the Bro list CC-ed on this, as it might be useful to
others.

That error location makes sense - it's where I would expect to see problems
if there's an issue with DNS. What I'm confused about is that SMB and SSH
should be completely unrelated.

How exactly are you disabling the SMB plugin when you don't see any errors?
You might just want to comment out the following lines in your local.bro:

@load protocols/ssh/interesting-hostnames
@load frameworks/files/detect-MHR

Of course, the "better" solution would be to fix the system so that it can
do reverse DNS lookups (and TXT queries for detect-MHR) :-)

  --Vlad



On Fri, Mar 20, 2015 at 1:55 PM, Danilo Nicolò <dani.nicolo at gmail.com>
wrote:

> Hi Vlad,
>
> Thanks for your reply.
> Yes, I did the git merge and I didn't have any conflicts.
>
> About the stacktrace, that error is raised when Bro logs SSH packets
> with the SMB plugin active. In particular, the SIGBUS error is caught when the
> script
> /usr/local/bro/share/bro/policy/protocols/ssh/interesting-hostnames.bro is
> launched.
> I've debugged the stacktrace and I found the row where the SIGBUS is raised
> in the script:
>
> 'when ( local hostname = lookup_addr(host) )'
>
> This is the gdb analysis:
>
> Reading symbols from ./bro...done.
> (gdb) r
> Starting program: /usr/local/bro/bin/bro -i eth0 -U .status -p broctl -p
> broctl-live -p standalon
> /usr/local/bro/share/bro/policy/protocols/ssh/interesting-hostnames.bro
> [Thread debugging using libthread_db enabled]
> Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
> listening on eth0, capture length 8192 bytes
>
> [New Thread 0x7ffff588e700 (LWP 5824)]
> [New Thread 0x7ffff508d700 (LWP 5825)]
> tcmalloc: large alloc 1562501120 bytes == 0x42420000 @  0x7ffff70f1d9c
> 0x7ffff7111845 0x5e5846 0x5e5a5b 0x600f0c 0x603958 0x5e620d 0x60352c
> 0x5e620d 0x6038c2 0x603a25 0x5e620d 0x60317e 0x603209 0x5e620d 0x547d31
> 0x5e620d 0x6038a4 0x603a25 0x5e620d 0x547d31 0x5e620d 0x6038a4 0x603a25
> 0x5e620d 0x547d31 0x5e620d 0x6038a4 0x603a25 0x5e620d 0x547d31
>
> Program received signal SIGBUS, Bus error.
> 0x00000000005e58c7 in BinarySerializationFormat::Write (this=0x427a090,
> v=<optimised out>, tag=<optimised out>) at
> /home/danko/bro_stable/bro/src/SerializationFormat.cc:311
> 311 return WriteData(&v, sizeof(v));
> (gdb)
>
>
> If I try to disable smb plugin I don't receive any errors.
>
>
> Best regards,
>
> Danilo
>
>
>
> 2015-03-20 18:46 GMT+01:00 Vlad Grigorescu <vlad at grigorescu.org>:
>
>> Hi Danilo,
>>
>> One of the bottlenecks of SMB development has been a lack of real-world
>> testing, so I'd definitely appreciate any bugs or feedback you run into.
>>
>> On Thu, Mar 19, 2015 at 10:48 AM, Danilo Nicolò <dani.nicolo at gmail.com>
>> wrote:
>>
>>> I've substituted src/analyzer/protocol/smb,
>>> src/analyzer/protocol/netbios, init-bare.bro and init-default.bro from SMB2
>>> version to master version.
>>>
>>
>> I don't quite understand this - can you elaborate on what specifically
>> you did here? If you did the git merge topic/vladg/smb, that should replace
>> everything for you. Were you seeing merge conflicts? I can get those
>> cleaned up, if so.
>>
>>
>>> Thread 1 (Thread 0x7f3337201780 (LWP 22674)):
>>> #0  0x0000000000816193 in Serializer::Write (this=0x7fffc052fd00,
>>> v=35329, tag=0xb7a68f "stype") at /home/danko/bro/src/Serializer.h:57
>>> #1  0x0000000000815fdc in SerialObj::DoSerialize (this=0x2b2bf00,
>>> info=0x7fffc052fd60) at /home/danko/bro/src/SerialObj.cc:268
>>> #2  0x00000000007df8f6 in BroObj::DoSerialize (this=0x2b2bf00,
>>> info=0x7fffc052fd60) at /home/danko/bro/src/Obj.cc:226
>>> #3  0x0000000000843002 in BroType::DoSerialize (this=0x2b2bf00,
>>> info=0x7fffc052fd60) at /home/danko/bro/src/Type.cc:283
>>> #4  0x000000000081585b in SerialObj::Serialize (this=0x2b2bf00,
>>> info=0x7fffc052fd60) at /home/danko/bro/src/SerialObj.cc:121
>>> #5  0x0000000000842cce in BroType::Serialize (this=0x2b2bf00,
>>> info=0x7fffc052fd60) at /home/danko/bro/src/Type.cc:212
>>> #6  0x00000000008438ec in TypeList::DoSerialize (this=0x2b402e0,
>>> info=0x7fffc052fd60) at /home/danko/bro/src/Type.cc:392
>>> #7  0x000000000081585b in SerialObj::Serialize (this=0x2b402e0,
>>> info=0x7fffc052fd60) at /home/danko/bro/src/SerialObj.cc:121
>>> ...
>>> #81382 0x0000000000837f2a in ForStmt::DoExec (this=0x4c90610,
>>> f=0x6e5d9c0, v=0x740a610, flow=@0x7fffc0530080: FLOW_NEXT) at
>>> /home/danko/bro/src/Stmt.cc:1358
>>> #81383 0x0000000000833db1 in ExprStmt::Exec (this=0x4c90610,
>>> f=0x6e5d9c0, flow=@0x7fffc0530080: FLOW_NEXT) at
>>> /home/danko/bro/src/Stmt.cc:373
>>> #81384 0x0000000000839969 in StmtList::Exec (this=0x4c8f850,
>>> f=0x6e5d9c0, flow=@0x7fffc0530080: FLOW_NEXT) at
>>> /home/danko/bro/src/Stmt.cc:1764
>>> #81385 0x0000000000839969 in StmtList::Exec (this=0x4c93a60,
>>> f=0x6e5d9c0, flow=@0x7fffc0530080: FLOW_NEXT) at
>>> /home/danko/bro/src/Stmt.cc:1764
>>> #81386 0x00000000007a4828 in BroFunc::Call (this=0x4974a80,
>>> args=0x5acc3c0, parent=0x0) at /home/danko/bro/src/Func.cc:403
>>> #81387 0x000000000077d5a4 in EventHandler::Call (this=0x49ae420,
>>> vl=0x5acc3c0, no_remote=false) at /home/danko/bro/src/EventHandler.cc:130
>>> #81388 0x0000000000731ff1 in Event::Dispatch (this=0x70daec0,
>>> no_remote=false) at /home/danko/bro/src/Event.h:50
>>> #81389 0x000000000077ccdd in EventMgr::Dispatch (this=0xf65e60 <mgr>) at
>>> /home/danko/bro/src/Event.cc:111
>>> #81390 0x000000000077cde8 in EventMgr::Drain (this=0xf65e60 <mgr>) at
>>> /home/danko/bro/src/Event.cc:128
>>> #81391 0x00000000007dbfa7 in net_run () at /home/danko/bro/src/Net.cc:374
>>> #81392 0x000000000073105c in main (argc=19, argv=0x7fffc05309b8) at
>>> /home/danko/bro/src/main.cc:1212
>>>
>>
>> I've seen errors similar to this before, but I'm not sure it's related
>> to SMB. Usually the cause of this is that Bro can't do DNS queries (there
>> are a few scripts that do reverse lookups). Do you see the same behavior if
>> you run git/master on this system (with no SMB changes)?
>>
>> Thanks,
>>
>>   --Vlad
>>
>
>
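The thread above points at two scripts that depend on DNS from inside Bro (interesting-hostnames uses lookup_addr, detect-MHR uses TXT queries). The following is an added example, not code from this thread or from the Bro project: a small startup self-check that runs both kinds of lookup with a timeout and logs a Reporter warning when the sensor cannot resolve them, so a broken resolver is noticed before those policy scripts are loaded. The probe address and the TXT name are constructed placeholders chosen for illustration.

```bro
##! Startup DNS self-check (added example; assumes a Bro 2.x script environment).
##! Load this before protocols/ssh/interesting-hostnames and
##! frameworks/files/detect-MHR in local.bro.

module DNSCheck;

export {
    ## How long to wait for each probe before reporting a failure.
    const probe_timeout = 5 secs &redef;

    ## Constructed probe address for the reverse (PTR) lookup; override
    ## with an address your resolver is known to resolve.
    const probe_addr: addr = 8.8.8.8 &redef;

    ## Constructed probe name for the TXT lookup (detect-MHR relies on
    ## TXT queries); override with a name known to carry a TXT record.
    const probe_txt_name: string = "example.com" &redef;
}

event bro_init()
    {
    # Reverse lookup, the same call interesting-hostnames makes per SSH login.
    local host = probe_addr;
    when ( local hostname = lookup_addr(host) )
        {
        Reporter::info(fmt("DNSCheck: reverse lookup OK, %s -> %s", host, hostname));
        }
    timeout probe_timeout
        {
        Reporter::warning(fmt("DNSCheck: reverse lookup of %s timed out; scripts using lookup_addr will not work", host));
        }

    # TXT lookup, the query type detect-MHR depends on.
    local name = probe_txt_name;
    when ( local txt = lookup_hostname_txt(name) )
        {
        Reporter::info(fmt("DNSCheck: TXT lookup OK, %s -> %s", name, txt));
        }
    timeout probe_timeout
        {
        Reporter::warning(fmt("DNSCheck: TXT lookup of %s timed out; detect-MHR will not work", name));
        }
    }
```

Both warnings land in reporter.log, which is easier to audit on a cluster than a worker crash; the check does not change what the two policy scripts do, it only makes the missing-DNS condition visible.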