Help enabling SMB protocol detection

Hello Bro Community!

First, let me apologize for asking a very dumb question. I have
sincerely tried to RTFM and I have done my research (Google, right?)
but cannot seem to find the answer. I am attempting to analyze a pcap
file that contains lots of SMB traffic using bro. I have a version of
bro with built-in SMB protocol support:

$ bro -n Bro::SMB
Bro::SMB - SMB analyzer (built-in)

That said, when I run

bro -C -r ../XXX.pcapng

I do not get a smb.log. That leads me to believe that SMB analysis is
not enabled. I've tried looking for bro files in /usr/share/protocols/
(etc) and cannot seem to find any. Editing a bro config file and
adding

@load base/protocols/smb

gives me an error on bro startup.

Can you tell me what stupid thing I am doing wrong? Thank you very
much for your help. Again, I am sorry that this is such a silly
question. I wish that I could answer it on my own!

Will

Well, I've figured out my own problem. Sorry to be so dense.

It turns out that the packaged version of bro for Ubuntu has built-in
support for SMB but it does not have any of the attendant protocol or
policy files. I built bro from git to make sure that everything was
up-to-date and had success.

Once you get the right bro version, the only step of enabling SMB
protocol analysis is to follow the comments in the local.bro file and
uncomment a single line:

# @load policy/protocols/smb

Once that's uncommented, everything works great! Again, sorry about
the previous question.

Thanks for being such an inviting and helpful community for the bro
users. It's a great tool and having a great community is icing on the
cake!

Will

> Well, I've figured out my own problem. Sorry to be so dense.
>
> It turns out that the packaged version of bro for Ubuntu has built-in
> support for SMB but it does not have any of the attendant protocol or
> policy files. I built bro from git to make sure that everything was
> up-to-date and had success.

Out of curiosity - Is that the Bro version that ships with Ubuntu (as
opposed to the packages that we provide)?

If yes, we should probably contact the Ubuntu folks and tell them that
that is not that great :)

Johanna

Thanks for taking the time to respond, Johanna!

I am running Ubuntu 16.04 LTS. That was the most up-to-date LTS until a few
months ago when they released 18.04 LTS. That means that it may not be as
meaningful to follow up with them about a bad distribution of bro. However,
I will still give you the details in case they have not fixed the issue in
the latest version.

On Ubuntu 16.04 LTS, I have

$ bro --version
bro version 2.4.1

and I have native support for SMB:

$ bro -N | grep -i smb
Bro::SMB - SMB analyzer (built-in)

However, I do not have the policy and protocol files necessary to
actually use that support:

$ pwd
/usr/share/bro
$ find . -iname '*smb*' -print
./base/bif/plugins/Bro_SMB.events.bif.bro

Compare that with the files that I have when I install from source:

$ find . -iname '*smb*' -print
./policy/protocols/smb
./policy/protocols/smb/smb2-main.bro
./policy/protocols/smb/smb1-main.bro
./base/bif/plugins/Bro_SMB.smb1_com_echo.bif.bro
./base/bif/plugins/Bro_SMB.smb2_com_set_info.bif.bro
./base/bif/plugins/Bro_SMB.smb1_com_tree_disconnect.bif.bro
./base/bif/plugins/Bro_SMB.smb1_com_read_andx.bif.bro
./base/bif/plugins/Bro_SMB.smb1_com_logoff_andx.bif.bro
./base/bif/plugins/Bro_SMB.smb1_com_close.bif.bro
./base/bif/plugins/Bro_SMB.smb1_com_negotiate.bif.bro
./base/bif/plugins/Bro_SMB.smb1_com_transaction2_secondary.bif.bro
./base/bif/plugins/Bro_SMB.smb1_com_tree_connect_andx.bif.bro
./base/bif/plugins/Bro_SMB.smb2_com_create.bif.bro
./base/bif/plugins/Bro_SMB.smb1_com_query_information.bif.bro
./base/bif/plugins/Bro_SMB.smb2_com_close.bif.bro
./base/bif/plugins/Bro_SMB.smb1_com_nt_cancel.bif.bro
./base/bif/plugins/Bro_SMB.smb2_events.bif.bro
./base/bif/plugins/Bro_SMB.smb1_events.bif.bro
./base/bif/plugins/Bro_SMB.consts.bif.bro
./base/bif/plugins/Bro_SMB.smb1_com_write_andx.bif.bro
./base/bif/plugins/Bro_SMB.events.bif.bro
./base/bif/plugins/Bro_SMB.smb2_com_tree_connect.bif.bro
./base/bif/plugins/Bro_SMB.smb2_com_tree_disconnect.bif.bro
./base/bif/plugins/Bro_SMB.smb1_com_transaction.bif.bro
./base/bif/plugins/Bro_SMB.smb2_com_session_setup.bif.bro
./base/bif/plugins/Bro_SMB.smb1_com_check_directory.bif.bro
./base/bif/plugins/Bro_SMB.smb1_com_session_setup_andx.bif.bro
./base/bif/plugins/Bro_SMB.smb2_com_write.bif.bro
./base/bif/plugins/Bro_SMB.smb2_com_read.bif.bro
./base/bif/plugins/Bro_SMB.types.bif.bro
./base/bif/plugins/Bro_SMB.smb1_com_create_directory.bif.bro
./base/bif/plugins/Bro_SMB.smb1_com_transaction_secondary.bif.bro
./base/bif/plugins/Bro_SMB.smb2_com_negotiate.bif.bro
./base/bif/plugins/Bro_SMB.smb1_com_transaction2.bif.bro
./base/bif/plugins/Bro_SMB.smb1_com_nt_create_andx.bif.bro
./base/protocols/smb

I am waiting for Ubuntu to finalize its 16.04 to 18.04 upgrade pathway to
install the latest LTS on my laptop. As soon as that happens, I am happy to
try this test again if you think it would be worthwhile!

I hope that this information helps!

Thanks again for reaching out and responding -- the bro community is really
great!
Will

ah.. SMB support was part of 2.5. 2.4.1 only had a few events and not the full analyzer.

Ubuntu 18.04 (bionic) has 2.5.3 and has the expected files:

$ curl -s https://packages.ubuntu.com/xenial/all/bro-common/filelist|grep -i smb
/usr/share/bro/base/bif/plugins/Bro_SMB.events.bif.bro

$ curl -s https://packages.ubuntu.com/bionic/all/bro-common/filelist|grep -i smb
/usr/share/bro/base/bif/plugins/Bro_SMB.consts.bif.bro
/usr/share/bro/base/bif/plugins/Bro_SMB.events.bif.bro
/usr/share/bro/base/bif/plugins/Bro_SMB.smb1_com_check_directory.bif.bro
/usr/share/bro/base/bif/plugins/Bro_SMB.smb1_com_close.bif.bro
/usr/share/bro/base/bif/plugins/Bro_SMB.smb1_com_create_directory.bif.bro
/usr/share/bro/base/bif/plugins/Bro_SMB.smb1_com_echo.bif.bro
/usr/share/bro/base/bif/plugins/Bro_SMB.smb1_com_logoff_andx.bif.bro
/usr/share/bro/base/bif/plugins/Bro_SMB.smb1_com_negotiate.bif.bro
/usr/share/bro/base/bif/plugins/Bro_SMB.smb1_com_nt_cancel.bif.bro
/usr/share/bro/base/bif/plugins/Bro_SMB.smb1_com_nt_create_andx.bif.bro
/usr/share/bro/base/bif/plugins/Bro_SMB.smb1_com_query_information.bif.bro
/usr/share/bro/base/bif/plugins/Bro_SMB.smb1_com_read_andx.bif.bro
/usr/share/bro/base/bif/plugins/Bro_SMB.smb1_com_session_setup_andx.bif.bro
/usr/share/bro/base/bif/plugins/Bro_SMB.smb1_com_transaction.bif.bro
/usr/share/bro/base/bif/plugins/Bro_SMB.smb1_com_transaction2.bif.bro
/usr/share/bro/base/bif/plugins/Bro_SMB.smb1_com_tree_connect_andx.bif.bro
/usr/share/bro/base/bif/plugins/Bro_SMB.smb1_com_tree_disconnect.bif.bro
/usr/share/bro/base/bif/plugins/Bro_SMB.smb1_com_write_andx.bif.bro
/usr/share/bro/base/bif/plugins/Bro_SMB.smb1_events.bif.bro
/usr/share/bro/base/bif/plugins/Bro_SMB.smb2_com_close.bif.bro
/usr/share/bro/base/bif/plugins/Bro_SMB.smb2_com_create.bif.bro
/usr/share/bro/base/bif/plugins/Bro_SMB.smb2_com_negotiate.bif.bro
/usr/share/bro/base/bif/plugins/Bro_SMB.smb2_com_read.bif.bro
/usr/share/bro/base/bif/plugins/Bro_SMB.smb2_com_session_setup.bif.bro
/usr/share/bro/base/bif/plugins/Bro_SMB.smb2_com_set_info.bif.bro
/usr/share/bro/base/bif/plugins/Bro_SMB.smb2_com_tree_connect.bif.bro
/usr/share/bro/base/bif/plugins/Bro_SMB.smb2_com_tree_disconnect.bif.bro
/usr/share/bro/base/bif/plugins/Bro_SMB.smb2_com_write.bif.bro
/usr/share/bro/base/bif/plugins/Bro_SMB.smb2_events.bif.bro
/usr/share/bro/base/bif/plugins/Bro_SMB.types.bif.bro
/usr/share/bro/base/protocols/smb/__load__.bro
/usr/share/bro/base/protocols/smb/const-dos-error.bro
/usr/share/bro/base/protocols/smb/const-nt-status.bro
/usr/share/bro/base/protocols/smb/consts.bro
/usr/share/bro/policy/protocols/smb/__load__.bro
/usr/share/bro/policy/protocols/smb/dpd.sig
/usr/share/bro/policy/protocols/smb/files.bro
/usr/share/bro/policy/protocols/smb/main.bro
/usr/share/bro/policy/protocols/smb/smb1-main.bro
/usr/share/bro/policy/protocols/smb/smb2-main.bro

I figured that the problem was largely related to the fact that the LTS distribution I was using had an outdated version of bro. Thank you for confirming. Like I said, once I get 18.04 LTS installed, I will run this little experiment again and make sure that everything “just works” with the latest distribution. If there are still problems, we can tackle them then.

Thanks again for following up!

Will
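The thread above ends up hinging on three conditions: a Bro version of at least 2.5 (the full SMB analyzer shipped in 2.5; 2.4.1 only carries a few events), the presence of base/protocols/smb and policy/protocols/smb under the script prefix, and the @load policy/protocols/smb line in local.bro actually being uncommented. The following preflight check is an added example, not code from the thread or from the Bro project: the version threshold, the directory names and the commented @load line are taken from the posts above; the function names, the sample local.bro text and the temporary directory layouts are constructed for the example. In practice you would feed it the real output of bro --version, the real script prefix (e.g. /usr/share/bro) and the contents of your local.bro.

```python
"""Preflight check for Bro SMB analysis (added example, not from the thread).

Checks the three things the thread turned out to depend on:
  1. the Bro version is at least 2.5 (full SMB analyzer shipped in 2.5);
  2. base/protocols/smb and policy/protocols/smb exist under the script prefix;
  3. local.bro loads policy/protocols/smb, i.e. the line is not commented out.
All sample inputs below are constructed test data, not real system output.
"""
import os
import re
import tempfile

MIN_VERSION = (2, 5)
REQUIRED_DIRS = ("base/protocols/smb", "policy/protocols/smb")
# Matches "@load policy/protocols/smb" with or without a leading "#" comment.
LOAD_RE = re.compile(
    r"^([ \t]*)(#[ \t]*)?(@load[ \t]+policy/protocols/smb)[ \t]*$", re.M
)


def parse_version(text):
    """Turn 'bro version 2.4.1' into (2, 4, 1); None if no version is found."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        return None
    return tuple(int(x) for x in m.groups() if x is not None)


def version_ok(text):
    """True when the major.minor in `text` is at least MIN_VERSION."""
    v = parse_version(text)
    return v is not None and v[:2] >= MIN_VERSION


def missing_smb_dirs(prefix):
    """Script directories the packaged 2.4.1 build was missing."""
    return [d for d in REQUIRED_DIRS if not os.path.isdir(os.path.join(prefix, d))]


def smb_load_state(local_bro_text):
    """Return 'enabled', 'commented' or 'absent' for the @load line."""
    m = LOAD_RE.search(local_bro_text)
    if not m:
        return "absent"
    return "commented" if m.group(2) else "enabled"


def enable_smb_load(local_bro_text):
    """Return local.bro text with the @load line uncommented, or appended if absent."""
    state = smb_load_state(local_bro_text)
    if state == "enabled":
        return local_bro_text
    if state == "commented":
        # Keep the original indentation (group 1), drop the "#" (group 2).
        return LOAD_RE.sub(lambda m: m.group(1) + m.group(3), local_bro_text, count=1)
    return local_bro_text.rstrip("\n") + "\n@load policy/protocols/smb\n"


def preflight(version_text, prefix, local_bro_text):
    """Return a list of problems; an empty list means smb.log should appear."""
    problems = []
    if not version_ok(version_text):
        problems.append("bro older than %d.%d: only a few SMB events, no full analyzer"
                        % MIN_VERSION)
    for d in missing_smb_dirs(prefix):
        problems.append("missing script directory under %s: %s" % (prefix, d))
    if smb_load_state(local_bro_text) != "enabled":
        problems.append("local.bro does not load policy/protocols/smb")
    return problems


def demo():
    """Run the check against two constructed layouts mirroring the thread."""
    commented = "# @load policy/protocols/smb\n"  # constructed local.bro fragment
    with tempfile.TemporaryDirectory() as prefix:  # source build of 2.5.x
        for d in REQUIRED_DIRS:
            os.makedirs(os.path.join(prefix, d))
        before = preflight("bro version 2.5.3", prefix, commented)
        after = preflight("bro version 2.5.3", prefix, enable_smb_load(commented))
    with tempfile.TemporaryDirectory() as prefix:  # packaged 2.4.1: bif file only
        packaged = preflight("bro version 2.4.1", prefix, enable_smb_load(commented))
    return before, after, packaged


if __name__ == "__main__":
    for label, problems in zip(("2.5 source, line commented", "2.5 source, line enabled",
                                "2.4.1 package"), demo()):
        print(label + ":", problems or "OK")
```

The "absent" case is deliberately treated as a problem rather than silently fixed by `preflight`: on the packaged 2.4.1 build the thread shows that adding the @load line makes Bro fail at startup, so the missing directories have to be reported alongside it.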