Bro-Dev Group,

ISSUE: I encountered an issue where Bro is not logging some rather significant SMB1 commands in the smb_cmd.log file. I understand that some SMB commands are deliberately omitted from the log (such as Negotiate Protocol, Session Setup, and Tree Connect); however, I observe that an instance of NT Create and Delete are not being recorded. I also understand that some SMB messages are deliberately omitted based on the status code; but the status codes are STATUS_SUCCESS, so it should be logged. In this particular traffic sample, there are more than 100 SMB messages going back and forth in the TCP stream, but only the first several are recorded in smb_cmd.log, then it stops. Please help.

Bro Version: I am using the Bro v2.5.1 docker image I pulled from the following URL: https://hub.docker.com/r/rsmmr/hilti/

PCAP File: I downloaded the "smbtorture" pcap file from the Wireshark public repository, at the URL: https://wiki.wireshark.org/SampleCaptures?action=AttachFile&do=get&target=smbtorture.cap.gz The issue I observe corresponds to stream #1 extracted from the file above, via filter: 'tcp.stream eq 1'. I attached a PCAP file containing stream #1 only.
PCAP Analysis of SMB Messages: From the PCAP file, using Wireshark, the following sequence of SMB messages is observed (summarized below as Request & Response pairs):

(01) Negotiate Protocol Req & Resp
(02) Session Setup AndX Req & Resp [x2]
(03) Tree Connect AndX Req & Resp
(04) Delete Req & Resp [file \torture_qfileinfo.txt]
(05) NT Create AndX Req & Resp [fid 4000, file \torture_qfileinfo.txt]
(06) Write AndX Req & Resp
(07) Trans2 Req & Resp
(08) Set Information2 Req & Resp
(09) Query Information2 Req & Resp
(10) Query Information Req & Resp
(11) Query Information2 Req & Resp
(12) Trans2 Req & Resp [x57]
(13) Close Req & Resp [fid 4000]
(14) NT Create AndX Req & Resp [fid 4001, file TORTUR~1.TXT]
(15) Close Req & Resp [fid 4001]
(16) Delete Req & Resp [file \torture_qfileinfo.txt -> formerly fid 4000]
(17) Tree Disconnect

Bro Analysis of smb_cmd.log: The Bro smb_cmd.log records events (04) - (10). I understand that events (01) - (03) are deliberately omitted from the log, but I am concerned that nothing is logged after event (10), Query Information Req & Resp. I think this is an important issue because the smb_cmd.log fails to record two significant events in this TCP stream:
(i) A second file is created in step (14)
(ii) The first file (created in step [05]) is deleted in step (16)

The SMB messages look well-formed in Wireshark. Nothing seems to be wrong. The SMB status code is STATUS_SUCCESS for the requests and the responses, so it should be logged.

Artifacts: Attached are the following artifacts to help you reproduce the issue:
(a) ws_smbtorture_stream001.pcap (pcap of stream #1 only)
(b) test.bro script
(c) smb_cmd.log
(d) smb_files.log
(e) files.log
(f) conn.log
(g) packet_filter.log

Not sure what is going wrong. Please help.

Cheers,
Mark
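A diagnostic script to narrow down where the messages disappear, added here as an example and not part of Mark's post, his attached test.bro, or Bro's shipped scripts. It hooks the raw smb1_message event, which the analyzer raises for every parsed SMB1 message before the command-specific handlers in base/protocols/smb run, so it is independent of the status-code and command omission logic that feeds smb_cmd.log. It assumes the Bro 2.5 names smb1_message, SMB1::Header, SMB1::commands and SMB::statuses; the module and log names are chosen here.

```bro
# Added diagnostic script (not from the original post or from Bro itself).
# Assumes the Bro 2.5 SMB API: event smb1_message, record SMB1::Header,
# tables SMB1::commands and SMB::statuses.
@load base/protocols/smb

module SMB1Trace;

export {
    redef enum Log::ID += { LOG };

    # One row per SMB1 message the analyzer parses, in either direction.
    type Info: record {
        ts:      time    &log;
        uid:     string  &log;
        is_orig: bool    &log;   # T = request (client), F = response (server)
        mid:     count   &log;   # multiplex id, pairs a request with its response
        command: string  &log;
        status:  string  &log;
    };
}

event bro_init()
    {
    Log::create_stream(LOG, [$columns=Info, $path="smb1_trace"]);
    }

# Raised for every SMB1 message, before the command-specific events, so it
# sees messages that the smb_cmd.log logic later decides not to record.
event smb1_message(c: connection, hdr: SMB1::Header, is_orig: bool)
    {
    local cmd = hdr$command in SMB1::commands ?
                SMB1::commands[hdr$command] :
                fmt("unknown-0x%02x", hdr$command);
    local st  = hdr$status in SMB::statuses ?
                SMB::statuses[hdr$status]$id :
                fmt("0x%08x", hdr$status);

    Log::write(LOG, [$ts=network_time(), $uid=c$uid, $is_orig=is_orig,
                     $mid=hdr$mid, $command=cmd, $status=st]);
    }
```

Run it against the attached capture with `bro -r ws_smbtorture_stream001.pcap smb1_trace.bro` and compare smb1_trace.log with smb_cmd.log. If the trace also stops after the Query Information exchange, the SMB1 analyzer has stopped parsing the stream; if the trace lists all 100+ messages, the analyzer is fine and the gap is in the script logic that writes smb_cmd.log.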
bro-dev mailing list: http://mailman.icsi.berkeley.edu/mailman/listinfo/bro-dev
