Bro SMB1 Issue in smb_cmd.log

Bro-Dev Group,

ISSUE**:** I encountered an issue where Bro is not logging some rather significant SMB1 commands in the smb_cmd.log file. I understand that some SMB commands are deliberately omitted from the log (such as Negotiate Protocol, Session Setup, and Tree Connect); however, I observe that an instance of NT Create and Delete are not being recorded. I also understand that some SMB messages are deliberately omitted based on the status code; but the status codes ire STATUS_SUCCESS, so it should be logged. In this particular traffic sample, there are more than 100+ SMB messages going back and forth in the TCP stream, but only first several are recorded in smb_cmd.log, then it stops. Please help.

Bro Version:

I am using the Bro v2.5.1 docker image I pulled from the following URL:

PCAP File:

I downloaded the “smbtorture” pcap file from the Wireshark public repository, at the URL:

The issue I observe corresponds to stream #1 extracted from the file above, via filter: ‘ eq 1’. I attached a PCAP file containing stream #1 only.

PCAP Analysis of SMB Messages:

From the PCAP file, using Wireshark, the following sequence of SMB Messages are observed (summarized below as Request & Response pairs):

(01) Negotiate Protocol Req & Resp

(02) Session Setup AndX Req & Resp [x2]

(03) Tree Connect AndX Req & Resp

(04) Delete Req & Resp [file \torture_qfileinfo.txt]

(05) NT Create AndX Req & Resp [fid 4000, file \torture_qfileinfo.txt]

(06) Write AndX Req & Resp

(07) Trans2 Req & Resp

(08) Set Information2 Req & Resp

(09) Query Information2 Req & Resp

(10) Query Information Req & Resp

(11) Query Information2 Req & Resp

(12) Trans2 Req & Resp [x57]

(13) Close Req & Resp [fid 4000]

(14) NT Create AndX Req & Resp [fid 4001, file TORTUR~1.TXT]

(15) Close Req & Resp [fid 4001]

(16) Delete Req & Resp [file \torture_qfileinfo.txt → formerly fid 4000]

(17) Tree Disconnect

Bro Analysis of smb_cmd.log:

The Bro smb_cmd.log records events (04) - (10). I understand that events (01) - (03) are deliberately omitted from the log, but I am concerned that nothing is logged after event (10), Query Information Req & Resp.

I think this is an important issue because the smb_cmd.log fails to record two significant events in this TCP stream:

(i) A second file is created in step (14)

(ii) The first file (create in step [05]) is deleted in step (16)

The SMB messages look well-formed in Wireshark. Nothing seems to be wrong. The SMB status code is STATUS_SUCCESS for the requests and the responses, so it should be logged.


Attached are the following artifacts to help you reproduce the issue:

(a) ws_smbtorture_stream001.pcap (pcap of stream #1 only)

(b) test.bro script

(c) smb_cmd.log

(d) smb_files.log

(e) files.log

(f) conn.log

(g) packet_filter.log

Not sure what is going wrong. Please help.



ws_smbtorture_stream001.pcap (26.5 KB)

test.bro (105 Bytes)

smb_cmd.log (2.76 KB)

smb_files.log (582 Bytes)

files.log (726 Bytes)

conn.log (646 Bytes)

packet_filter.log (253 Bytes)

This is probably a bug. That smb torture pcap is a notoriously bad example (although it does exhibit some far, far edge case type of behavior). I deliberately did not use that pcap as an example while I was writing the SMB analyzer because it sent me down a lot of rabbit holes that didn’t provide much benefit for the first run at the SMB analyzer.

If you identify the bug, please report back. My experience is that just running down these bugs to the exact failure can take quite a while.