Bro-Dev Group,
ISSUE**:** I encountered an issue where Bro is not logging some rather significant SMB1 commands in the smb_cmd.log file. I understand that some SMB commands are deliberately omitted from the log (such as Negotiate Protocol, Session Setup, and Tree Connect); however, I observe that an instance of NT Create and Delete are not being recorded. I also understand that some SMB messages are deliberately omitted based on the status code; but the status codes ire STATUS_SUCCESS, so it should be logged. In this particular traffic sample, there are more than 100+ SMB messages going back and forth in the TCP stream, but only first several are recorded in smb_cmd.log, then it stops. Please help.
Bro Version:
I am using the Bro v2.5.1 docker image I pulled from the following URL:
https://hub.docker.com/r/rsmmr/hilti/
PCAP File:
I downloaded the “smbtorture” pcap file from the Wireshark public repository, at the URL:
https://wiki.wireshark.org/SampleCaptures?action=AttachFile&do=get&target=smbtorture.cap.gz
The issue I observe corresponds to stream #1 extracted from the file above, via filter: ‘tcp.stream eq 1’. I attached a PCAP file containing stream #1 only.
PCAP Analysis of SMB Messages:
From the PCAP file, using Wireshark, the following sequence of SMB Messages are observed (summarized below as Request & Response pairs):
(01) Negotiate Protocol Req & Resp
(02) Session Setup AndX Req & Resp [x2]
(03) Tree Connect AndX Req & Resp
(04) Delete Req & Resp [file \torture_qfileinfo.txt]
(05) NT Create AndX Req & Resp [fid 4000, file \torture_qfileinfo.txt]
(06) Write AndX Req & Resp
(07) Trans2 Req & Resp
(08) Set Information2 Req & Resp
(09) Query Information2 Req & Resp
(10) Query Information Req & Resp
(11) Query Information2 Req & Resp
(12) Trans2 Req & Resp [x57]
(13) Close Req & Resp [fid 4000]
(14) NT Create AndX Req & Resp [fid 4001, file TORTUR~1.TXT]
(15) Close Req & Resp [fid 4001]
(16) Delete Req & Resp [file \torture_qfileinfo.txt → formerly fid 4000]
(17) Tree Disconnect
Bro Analysis of smb_cmd.log:
The Bro smb_cmd.log records events (04) - (10). I understand that events (01) - (03) are deliberately omitted from the log, but I am concerned that nothing is logged after event (10), Query Information Req & Resp.
I think this is an important issue because the smb_cmd.log fails to record two significant events in this TCP stream:
(i) A second file is created in step (14)
(ii) The first file (create in step [05]) is deleted in step (16)
The SMB messages look well-formed in Wireshark. Nothing seems to be wrong. The SMB status code is STATUS_SUCCESS for the requests and the responses, so it should be logged.
Artifacts:
Attached are the following artifacts to help you reproduce the issue:
(a) ws_smbtorture_stream001.pcap (pcap of stream #1 only)
(b) test.bro script
(c) smb_cmd.log
(d) smb_files.log
(e) files.log
(f) conn.log
(g) packet_filter.log
Not sure what is going wrong. Please help.
Cheers,
Mark
ws_smbtorture_stream001.pcap (26.5 KB)
test.bro (105 Bytes)
smb_cmd.log (2.76 KB)
smb_files.log (582 Bytes)
files.log (726 Bytes)
conn.log (646 Bytes)
packet_filter.log (253 Bytes)