[Bro] Help enabling SMB protocol detection

Will Hawkins whh8b at virginia.edu
Sun Aug 12 20:53:42 PDT 2018


On Sun, Aug 12, 2018 at 8:57 PM, Johanna Amann <johanna at icir.org> wrote:

> On Mon, Aug 06, 2018 at 04:20:13PM -0400, Will Hawkins wrote:
> > Well, I've figured out my own problem. Sorry to be so dense.
> >
> > It turns out that the packaged version of bro for Ubuntu has built-in
> > support for SMB but it does not have any of the attendant protocol or
> > policy files. I built bro from git to make sure that everything was
> > up-to-date and had success.
>
> Out of curiosity - Is that the Bro version that ships with Ubuntu (as
> opposed to the packages that we provide)?
>
> If yes, we should probably contact the Ubuntu folks and tell them that
> that is not that great :)
>
>
Thanks for taking the time to respond, Johanna!

I am running Ubuntu 16.04 LTS. That was the most up-to-date LTS until a few
months ago when they released 18.04 LTS. That means that it may not be as
meaningful to follow up with them about a bad distribution of bro. However,
I will still give you the details in case they have not fixed the issue in
the latest version.

On Ubuntu 16.04 LTS, I have

$ bro --version
bro version 2.4.1

and I have native support for SMB:

$ bro -N | grep -i smb
Bro::SMB - SMB analyzer (built-in)

However, I do not have the policy and protocol files necessary to actually use
that support:

$ pwd
/usr/share/bro
$ find . -iname '*smb*' -print
./base/bif/plugins/Bro_SMB.events.bif.bro

Compare that with the files that I have when I install from source:

$ find . -iname '*smb*' -print
./policy/protocols/smb
./policy/protocols/smb/smb2-main.bro
./policy/protocols/smb/smb1-main.bro
./base/bif/plugins/Bro_SMB.smb1_com_echo.bif.bro
./base/bif/plugins/Bro_SMB.smb2_com_set_info.bif.bro
./base/bif/plugins/Bro_SMB.smb1_com_tree_disconnect.bif.bro
./base/bif/plugins/Bro_SMB.smb1_com_read_andx.bif.bro
./base/bif/plugins/Bro_SMB.smb1_com_logoff_andx.bif.bro
./base/bif/plugins/Bro_SMB.smb1_com_close.bif.bro
./base/bif/plugins/Bro_SMB.smb1_com_negotiate.bif.bro
./base/bif/plugins/Bro_SMB.smb1_com_transaction2_secondary.bif.bro
./base/bif/plugins/Bro_SMB.smb1_com_tree_connect_andx.bif.bro
./base/bif/plugins/Bro_SMB.smb2_com_create.bif.bro
./base/bif/plugins/Bro_SMB.smb1_com_query_information.bif.bro
./base/bif/plugins/Bro_SMB.smb2_com_close.bif.bro
./base/bif/plugins/Bro_SMB.smb1_com_nt_cancel.bif.bro
./base/bif/plugins/Bro_SMB.smb2_events.bif.bro
./base/bif/plugins/Bro_SMB.smb1_events.bif.bro
./base/bif/plugins/Bro_SMB.consts.bif.bro
./base/bif/plugins/Bro_SMB.smb1_com_write_andx.bif.bro
./base/bif/plugins/Bro_SMB.events.bif.bro
./base/bif/plugins/Bro_SMB.smb2_com_tree_connect.bif.bro
./base/bif/plugins/Bro_SMB.smb2_com_tree_disconnect.bif.bro
./base/bif/plugins/Bro_SMB.smb1_com_transaction.bif.bro
./base/bif/plugins/Bro_SMB.smb2_com_session_setup.bif.bro
./base/bif/plugins/Bro_SMB.smb1_com_check_directory.bif.bro
./base/bif/plugins/Bro_SMB.smb1_com_session_setup_andx.bif.bro
./base/bif/plugins/Bro_SMB.smb2_com_write.bif.bro
./base/bif/plugins/Bro_SMB.smb2_com_read.bif.bro
./base/bif/plugins/Bro_SMB.types.bif.bro
./base/bif/plugins/Bro_SMB.smb1_com_create_directory.bif.bro
./base/bif/plugins/Bro_SMB.smb1_com_transaction_secondary.bif.bro
./base/bif/plugins/Bro_SMB.smb2_com_negotiate.bif.bro
./base/bif/plugins/Bro_SMB.smb1_com_transaction2.bif.bro
./base/bif/plugins/Bro_SMB.smb1_com_nt_create_andx.bif.bro
./base/protocols/smb

I am waiting for Ubuntu to finalize its 16.04 to 18.04 upgrade pathway to
install the latest LTS on my laptop. As soon as that happens, I am happy to
try this test again if you think it would be worthwhile!

I hope that this information helps!

Thanks again for reaching out and responding -- the bro community is really
great!
Will




> Johanna
>
> >
> > Once you get the right bro version, the only step of enabling SMB
> > protocol analysis is to follow the comments in the local.bro file and
> > uncomment a single line:
> >
> > # @load policy/protocols/smb
> >
> > Once that's uncommented, everything works great! Again, sorry about
> > the previous question.
> >
> > Thanks for being such an inviting and helpful community for the bro
> > users. It's a great tool and having a great community is icing on the
> > cake!
> >
> > Will
> >
> >
> > On Mon, Aug 6, 2018 at 2:29 PM, Will Hawkins <whh8b at virginia.edu> wrote:
> > > Hello Bro Community!
> > >
> > > First, let me apologize for asking a very dumb question. I have
> > > sincerely tried to RTFM and I have done my research (Google, right?)
> > > but cannot seem to find the answer. I am attempting to analyze a pcap
> > > file that contains lots of SMB traffic using bro. I have a version of
> > > bro with built-in SMB protocol support:
> > >
> > > $ bro -n Bro::SMB
> > > Bro::SMB - SMB analyzer (built-in)
> > >
> > > That said, when I run
> > >
> > > bro -C -r ../XXX.pcapng
> > >
> > > I do not get a smb.log. That leads me to believe that SMB analysis is
> > > not enabled. I've tried looking for bro files in /usr/share/protocols/
> > > (etc) and cannot seem to find any. Editing a bro config file and
> > > adding
> > >
> > > @load base/protocols/smb
> > >
> > > gives me an error on bro startup.
> > >
> > > Can you tell me what stupid thing I am doing wrong? Thank you very
> > > much for your help. Again, I am sorry that this is such a silly
> > > question. I wish that I could answer it on my own!
> > >
> > > Will
> > _______________________________________________
> > Bro mailing list
> > bro at bro-ids.org
> > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
> >
>
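An added example, not code from this thread or from the Bro project, that scripts the two things the thread arrives at by hand: checking that the installed script tree really contains base/protocols/smb and policy/protocols/smb (the Ubuntu package only had the compiled-in Bro::SMB plugin, which "bro -N" reports whether or not the scripts are there), and making sure local.bro carries an uncommented "@load policy/protocols/smb" line. The default prefix /usr/share/bro is taken from the poster's box; the local.bro path, the driver's arguments and the smb_*.log names (what Bro 2.5's scripts write) are my assumptions, not something stated in the thread.

```shell
#!/bin/sh
# Added example, not code from the thread or from the Bro project.
# 1. smb_scripts_present: the install has the SMB *scripts*, not only the
#    built-in plugin that "bro -N" lists.
# 2. enable_smb_load: local.bro has an active "@load policy/protocols/smb".
# Assumptions (mine): prefix defaults to /usr/share/bro as on the poster's
# Ubuntu 16.04 machine; local.bro path comes from the caller; POSIX sh, grep
# and sed with POSIX basic regular expressions.

LOAD_LINE='@load policy/protocols/smb'
# Regex for the load line without anchors, so it can be reused inside \(...\).
LOAD_RE='@load[[:space:]][[:space:]]*policy/protocols/smb'

# smb_scripts_present PREFIX
# Exit 0 when both script directories exist under PREFIX. The Ubuntu package
# in the thread shipped only base/bif/plugins/Bro_SMB.events.bif.bro, so this
# fails there and succeeds on a source install.
smb_scripts_present() {
    [ -d "$1/base/protocols/smb" ] && [ -d "$1/policy/protocols/smb" ]
}

# smb_load_active LOCAL_BRO
# Exit 0 when LOCAL_BRO contains an uncommented @load line for the SMB policy.
smb_load_active() {
    grep -q "^[[:space:]]*$LOAD_RE[[:space:]]*\$" "$1"
}

# enable_smb_load LOCAL_BRO
# Idempotent: already active -> no-op; present but commented out (the form the
# thread describes, "# @load policy/protocols/smb") -> uncomment in place;
# absent -> append.
enable_smb_load() {
    f=$1
    if smb_load_active "$f"; then
        return 0
    fi
    if grep -q "^[[:space:]]*#[[:space:]]*$LOAD_RE[[:space:]]*\$" "$f"; then
        newf=$(mktemp) || return 1
        sed "s|^[[:space:]]*#[[:space:]]*\\($LOAD_RE\\)[[:space:]]*\$|\\1|" "$f" > "$newf" \
            && mv "$newf" "$f"
    else
        printf '\n# Enable SMB command logging (appended by enable_smb_load)\n%s\n' \
            "$LOAD_LINE" >> "$f"
    fi
}

# Driver: sh enable_smb.sh LOCAL_BRO [PREFIX] [PCAP]
# With a pcap it runs the poster's command (bro -C -r) against LOCAL_BRO and
# lists the SMB logs produced. Bro 2.5 writes smb_mapping.log and
# smb_files.log from base/ and smb_cmd.log once the policy is loaded; there
# is no file literally named smb.log (my note, not the thread's).
if [ $# -ge 1 ]; then
    local_bro=$1
    prefix=${2:-/usr/share/bro}
    if smb_scripts_present "$prefix"; then
        echo "SMB scripts found under $prefix"
    else
        echo "No SMB scripts under $prefix: only the plugin is built in;" \
             "install from source or from the project's own packages" >&2
        exit 2
    fi
    enable_smb_load "$local_bro" && echo "$LOAD_LINE active in $local_bro"
    if [ -n "${3:-}" ] && command -v bro >/dev/null 2>&1; then
        bro -C -r "$3" "$local_bro"
        ls smb_*.log 2>/dev/null || echo "no smb_*.log produced" >&2
    fi
fi
```

Run it as "sh enable_smb.sh /usr/share/bro/site/local.bro" on the packaged install and it stops at the script check, which is the failure mode the thread hit; on a source install it uncomments the load line and, given a pcap as third argument, shows which SMB logs appear.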