SMB2 module

Hi all,
we are working on an application based on Bro: we need to implement
some features based on SMB2.
On Bitbucket, we have found this link:

https://bitbucket.org/delbert77/bro/src/886ed4689c391129be3d45745a6c63e4033fd1c3/src/SMB2.cc?at=topic/seth/smb-smb2-work

The link above seems connected to a previous Bro version: is an updated
version present? If not, will SMB2 be implemented in the next
releases? When?

Due to our requirements, we are thinking of making that module from scratch if
anyone is working on it; otherwise, can we take part in your team for the
development and testing of that module?

Regards,
Vito Logrillo

The link above seems connected to a previous Bro version: is an updated
version present? If not, will SMB2 be implemented in the next
releases? When?

SMB will not be making it into the 2.4 release. It’s still too unstable. That branch you pointed to however is very old and no longer represents the current development state of the SMB analyzer. Probably the most up to date code today is in topic/vladg/smb but we know of a number of issues in that still.
  https://github.com/bro/bro/tree/topic/vladg/smb/src/analyzer/protocol/smb

Due to our requirements, we are thinking of making that module from scratch if
anyone is working on it; otherwise, can we take part in your team for the
development and testing of that module?


SMB might be a larger task than you wish it were. There are quite a number of dead ends and problems that you discover as you dig into the protocol more and more. If you have spare development cycles and qualified developers, we’re certainly willing to talk. :)

Thanks,
  .Seth

Hi Seth,

I’m a colleague of Vito and I’m trying to customize Bro with the SMB2 protocol analyzer.
I have got the latest version from GitHub and merged it with the SMB2 version taken from the vladg topic branch; I’ve tried to run broctl after the merge, but later Bro crashes due to a SIGBUS event.
I’ve substituted src/analyzer/protocol/smb, src/analyzer/protocol/netbios, init-bare.bro and init-default.bro from the SMB2 version into the master version.

Below is a snippet taken from “./broctl diag”:

Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Core was generated by `/usr/local/bro/bin/bro -i eth0 -U .status -p broctl -p broctl-live -p standalon'.
Program terminated with signal SIGBUS, Bus error.
#0 0x0000000000816193 in Serializer::Write (this=0x7fffc052fd00, v=35329, tag=0xb7a68f "stype") at /home/danko/bro/src/Serializer.h:57
57 DECLARE_IO(uint16)

...

Thread 1 (Thread 0x7f3337201780 (LWP 22674)):
#0 0x0000000000816193 in Serializer::Write (this=0x7fffc052fd00, v=35329, tag=0xb7a68f "stype") at /home/danko/bro/src/Serializer.h:57
#1 0x0000000000815fdc in SerialObj::DoSerialize (this=0x2b2bf00, info=0x7fffc052fd60) at /home/danko/bro/src/SerialObj.cc:268
#2 0x00000000007df8f6 in BroObj::DoSerialize (this=0x2b2bf00, info=0x7fffc052fd60) at /home/danko/bro/src/Obj.cc:226
#3 0x0000000000843002 in BroType::DoSerialize (this=0x2b2bf00, info=0x7fffc052fd60) at /home/danko/bro/src/Type.cc:283
#4 0x000000000081585b in SerialObj::Serialize (this=0x2b2bf00, info=0x7fffc052fd60) at /home/danko/bro/src/SerialObj.cc:121
#5 0x0000000000842cce in BroType::Serialize (this=0x2b2bf00, info=0x7fffc052fd60) at /home/danko/bro/src/Type.cc:212
#6 0x00000000008438ec in TypeList::DoSerialize (this=0x2b402e0, info=0x7fffc052fd60) at /home/danko/bro/src/Type.cc:392
#7 0x000000000081585b in SerialObj::Serialize (this=0x2b402e0, info=0x7fffc052fd60) at /home/danko/bro/src/SerialObj.cc:121

...

#81382 0x0000000000837f2a in ForStmt::DoExec (this=0x4c90610, f=0x6e5d9c0, v=0x740a610, flow=@0x7fffc0530080: FLOW_NEXT) at /home/danko/bro/src/Stmt.cc:1358
#81383 0x0000000000833db1 in ExprStmt::Exec (this=0x4c90610, f=0x6e5d9c0, flow=@0x7fffc0530080: FLOW_NEXT) at /home/danko/bro/src/Stmt.cc:373
#81384 0x0000000000839969 in StmtList::Exec (this=0x4c8f850, f=0x6e5d9c0, flow=@0x7fffc0530080: FLOW_NEXT) at /home/danko/bro/src/Stmt.cc:1764
#81385 0x0000000000839969 in StmtList::Exec (this=0x4c93a60, f=0x6e5d9c0, flow=@0x7fffc0530080: FLOW_NEXT) at /home/danko/bro/src/Stmt.cc:1764
#81386 0x00000000007a4828 in BroFunc::Call (this=0x4974a80, args=0x5acc3c0, parent=0x0) at /home/danko/bro/src/Func.cc:403
#81387 0x000000000077d5a4 in EventHandler::Call (this=0x49ae420, vl=0x5acc3c0, no_remote=false) at /home/danko/bro/src/EventHandler.cc:130
#81388 0x0000000000731ff1 in Event::Dispatch (this=0x70daec0, no_remote=false) at /home/danko/bro/src/Event.h:50
#81389 0x000000000077ccdd in EventMgr::Dispatch (this=0xf65e60 ) at /home/danko/bro/src/Event.cc:111
#81390 0x000000000077cde8 in EventMgr::Drain (this=0xf65e60 ) at /home/danko/bro/src/Event.cc:128
#81391 0x00000000007dbfa7 in net_run () at /home/danko/bro/src/Net.cc:374
#81392 0x000000000073105c in main (argc=19, argv=0x7fffc05309b8) at /home/danko/bro/src/main.cc:1212

==== No reporter.log

==== stderr.log
listening on eth0, capture length 8192 bytes

send-mail: SENDMAIL-NOTFOUND not found
/usr/local/bro/share/broctl/scripts/run-bro: line 100: 22674 Bus error (core dumped) nohup "$mybro" "$@"

==== stdout.log
max memory size (kbytes, -m) unlimited
data seg size (kbytes, -d) unlimited
virtual memory (kbytes, -v) unlimited
core file size (blocks, -c) unlimited

==== .cmdline
-i eth0 -U .status -p broctl -p broctl-live -p standalone -p local -p bro local.bro broctl broctl/standalone broctl/auto

==== .env_vars
PATH=/usr/local/bro/bin:/usr/local/bro/share/broctl/scripts:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games
BROPATH=/usr/local/bro/spool/installed-scripts-do-not-touch/site::/usr/local/bro/spool/installed-scripts-do-not-touch/auto:/usr/local/bro/share/bro:/usr/local/bro/share/bro/policy:/usr/local/bro/share/bro/site
CLUSTER_NODE=

==== .status
RUNNING [net_run]

==== No prof.log

==== No packet_filter.log

==== No loaded_scripts.log

I’ve also pasted the gdb log:

[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Core was generated by `/usr/local/bro/bin/bro -i eth0 -U .status -p broctl -p broctl-live -p standalon'.
Program terminated with signal SIGBUS, Bus error.
#0 0x0000000000816193 in Serializer::Write (this=0x7fffc052fd00, v=35329, tag=0xb7a68f "stype") at /home/danko/bro/src/Serializer.h:57
57 DECLARE_IO(uint16)
(gdb) p *this
$1 = {_vptr.Serializer = 0xb83010 <vtable for CloneSerializer+16>, static MAGIC = 1112691540, static DATA_FORMAT_VERSION = 25, io = 0x0, format = 0x73af900, current_cache = 0x0, error_descr = 0x0}
(gdb) up
#1 0x0000000000815fdc in SerialObj::DoSerialize (this=0x2b2bf00, info=0x7fffc052fd60) at /home/danko/bro/src/SerialObj.cc:268
268 bool ret = SERIALIZE(stype);
(gdb) p *this
$2 = {_vptr.SerialObj = 0xb82f70 <vtable for BroType+16>, static NEVER = 0, static ALWAYS = 1, static factories = 0x2a8f1c0, static names = 0x2a8f200, static time_counter = 3480072, serial_type = 51713}
(gdb) up
#2 0x00000000007df8f6 in BroObj::DoSerialize (this=0x2b2bf00, info=0x7fffc052fd60) at /home/danko/bro/src/Obj.cc:226
226 DO_SERIALIZE(SER_BRO_OBJ, SerialObj);
(gdb)

Although Bro crashes, the module seems to work fine: in fact, a few minutes after I ran it, I can see the SMB log files.

Do you have any idea about this error?

Kind regards,

Danilo

Hi Danilo,

One of the bottlenecks of SMB development has been a lack of real-world testing, so I’d definitely appreciate any bugs or feedback you run into.

Please try to keep the Bro list CC-ed on this, as it might be useful to others.

That error location makes sense - it’s where I would expect to see problems if there’s an issue with DNS. What I’m confused about is that SMB and SSH should be completely unrelated.

How exactly are you disabling the SMB plugin when you don’t see any errors? You might just want to comment out the following lines in your local.bro:

@load protocols/ssh/interesting-hostnames
@load frameworks/files/detect-MHR

Of course, the “better” solution would be to fix the system so that it can do reverse DNS lookups (and TXT queries for detect-MHR) :)

–Vlad

Another option here is to force Bro into a mode where it fakes DNS responses internally. Unfortunately there isn’t a switch to enable this in scripts, but you can change the behavior with an environment variable:

BRO_DNS_FAKE=1 bro -r somepackets.pcap

  .Seth
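Both scripts Vlad names do their lookups from inside a when block (lookup_addr in interesting-hostnames, lookup_hostname_txt in detect-MHR), which fits his remark that the trigger code is where DNS trouble would surface, and BRO_DNS_FAKE sidesteps the real resolver entirely. The script below is an added example, not code from this thread or from Bro's own policy scripts: it shows the same asynchronous reverse lookup with an explicit timeout clause, so that on a sensor that cannot resolve names the trigger expires with a reporter warning instead of waiting indefinitely. The module name, notice type, hostname pattern and 5-second timeout are made up for the illustration.

```bro
# Added example (not from the thread or Bro's own policy scripts): an
# asynchronous reverse lookup guarded by a timeout clause.
module ExampleHostnames;

export {
	redef enum Notice::Type += {
		## Raised when the reverse lookup for a connection endpoint matched.
		Interesting_Hostname_Seen,
	};

	## Hostname patterns worth noticing (constructed sample values).
	const interesting_hostnames = /dev|test|staging/ &redef;

	## How long to wait for the resolver before giving up (assumed value).
	const lookup_timeout = 5secs &redef;
}

event connection_established(c: connection)
	{
	for ( host in set(c$id$orig_h, c$id$resp_h) )
		{
		# The body runs once the lookup completes; the frame (including
		# host and c) is cloned into the trigger while the lookup is pending.
		when ( local hostname = lookup_addr(host) )
			{
			if ( interesting_hostnames in hostname )
				NOTICE([$note=Interesting_Hostname_Seen,
				        $msg=fmt("Connection involving a %s host with an interesting hostname",
				                 Site::is_local_addr(host) ? "local" : "remote"),
				        $sub=hostname, $conn=c]);
			}
		# Without this clause a resolver that never answers leaves the
		# trigger pending; with it the lookup is abandoned and logged.
		timeout lookup_timeout
			{
			Reporter::warning(fmt("reverse lookup for %s timed out after %s",
			                      host, lookup_timeout));
			}
		}
	}
```

Load it from local.bro like any other site script; the timeout only bounds how long each pending lookup is kept, it does not change what is written to dns.log, and with BRO_DNS_FAKE=1 the lookup returns immediately with junk data, as Seth describes.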

Hi Seth,

Sorry, I have to rectify my latest reply: after inserting the environment variable BRO_DNS_FAKE, Bro seems to work now.
I’ve also tried disabling the affected scripts, and Bro works too.

I’m a little confused about the different behavior: if I set BRO_DNS_FAKE=1, will the DNS logs be altered significantly?

Thank you so much.

Best regards,

Danilo

No, BRO_DNS_FAKE only changes active DNS lookups. When Bro itself goes out to look up a name in DNS, it will return junk information.

  .Seth

Hi Seth,

I’ve tested Bro a lot, and in many cases it crashes with SIGSEGV or SIGBUS (with BRO_DNS_FAKE=1).
The problem is always in ssh/interesting-hostnames.bro, in the when condition, so I modified this script: first I tried removing the when condition, and Bro didn’t crash; then I tried removing the lookup_addr function while keeping the when condition, and Bro crashed.

Below you can see a snippet of the modified script with the when condition:

local hostname: string;

# The when condition only becomes true once hostname is assigned below.
when ( hostname == "10.1.2.3" )
    {
    if ( interesting_hostnames in hostname )
        {
        NOTICE([$note=Interesting_Hostname_Login,
                $msg=fmt("Possible SSH login involving a %s %s with an interesting hostname.",
                         Site::is_local_addr(host) ? "local" : "remote",
                         host == c$id$orig_h ? "client" : "server"),
                $sub=hostname, $conn=c]);
        }
    }

hostname = "10.1.2.3";

The gdb log is:

Starting program: /usr/local/bro/bin/bro -i eth0 -U .status -p broctl -p broctl-live -p standalone -p local -p bro local.bro /usr/local/bro/share/bro/policy/protocols/ssh/interesting-hostnames.bro
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
listening on eth0, capture length 8192 bytes

[New Thread 0x7ffff5a9a700 (LWP 6916)]
WARNING: No Site::local_nets have been defined. It's usually a good idea to define your local networks.
[New Thread 0x7ffff5299700 (LWP 6917)]
[New Thread 0x7ffff4a98700 (LWP 6918)]
[New Thread 0x7ffff4297700 (LWP 6919)]
[New Thread 0x7ffff3a96700 (LWP 6920)]
[New Thread 0x7ffff3295700 (LWP 6921)]
1427301195.578365 error in /usr/local/bro/share/bro/policy/protocols/ssh/geo-data.bro, line 30: Bro was not configured for GeoIP support (lookup_location(SSH::lookup_ip))

Program received signal SIGSEGV, Segmentation fault.
0x00000000007423e2 in Serializer::Write (this=0x7fffffffd860, v=true, tag=0xb7a563 "full") at /home/danko/bro/src/Serializer.h:62
62 DECLARE_IO(bool)

(gdb) up 81400
#81400 0x0000000000851a58 in MutableVal::DoSerialize (this=0x44a79e0, info=0x7fffffffd8c0) at /home/danko/bro/src/Val.cc:656
656 DO_SERIALIZE(SER_MUTABLE_VAL, Val);
(gdb) up
#81401 0x000000000085a732 in RecordVal::DoSerialize (this=0x44a79e0, info=0x7fffffffd8c0) at /home/danko/bro/src/Val.cc:2813
2813 DO_SERIALIZE(SER_RECORD_VAL, MutableVal);
(gdb) up
#81402 0x000000000081587b in SerialObj::Serialize (this=0x44a79e0, info=0x7fffffffd8c0) at /home/danko/bro/src/SerialObj.cc:121
121 bool ret = DoSerialize(info);
(gdb) up
#81403 0x000000000084fdcb in Val::Serialize (this=0x44a79e0, info=0x7fffffffd8c0) at /home/danko/bro/src/Val.cc:100
100 return SerialObj::Serialize(info);
(gdb) up
#81404 0x000000000084fc7d in Val::Clone (this=0x44a79e0) at /home/danko/bro/src/Val.cc:83
83 if ( ! this->Serialize(&sinfo) )
(gdb) up
#81405 0x00000000007a2fb3 in Frame::Clone (this=0x4482bd0) at /home/danko/bro/src/Frame.cc:78
78 f->frame[i] = frame[i] ? frame[i]->Clone() : 0;
(gdb) up
#81406 0x000000000083ee4c in Trigger::Trigger (this=0x18031e0, arg_cond=0x35ab080, arg_body=0x35ab020, arg_timeout_stmts=0x0, arg_timeout=0x0, arg_frame=0x4482bd0, arg_is_return=false, arg_location=0x35b94c0)
at /home/danko/bro/src/Trigger.cc:108
108 frame = arg_frame->Clone();
(gdb) up
#81407 0x000000000083b302 in WhenStmt::Exec (this=0x35b18e0, f=0x4482bd0, flow=@0x7fffffffdbe0: FLOW_NEXT) at /home/danko/bro/src/Stmt.cc:2166
2166 new Trigger(cond, s1, s2, timeout, f, is_return, location);
(gdb) p *this.location
$1 = { = {_vptr.SerialObj = 0xb71e30 <vtable for Location+16>, static NEVER = 0, static ALWAYS = 1, static factories = 0x1786000, static names = 0x1786060, static time_counter = 19515, serial_type = 0},
filename = 0x3586500 "/usr/local/bro/share/bro/policy/protocols/ssh/interesting-hostnames.bro", first_line = 36, last_line = 46, first_column = 0, last_column = 0, delete_data = false, timestamp = 0, text = 0x0,
static register_type = {}, tid = {id = 417376, static counter = 455184}}
(gdb)

I’ve tried to search for any problem with the when condition like this, but I haven’t found any similar issues.
Have you ever had this kind of problem?

I hope I was helpful.

Best regards,

Danilo