[RFC] Feature/smb/v18.0 #3266
Closed
[RFC] Feature/smb/v18.0 #3266
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Implement SMB app-layer parser for SMB1/2/3. Features: - file extraction - eve logging - existing dce keyword support - smb_share/smb_named_pipe keyword support (stickybuffers) - auth meta data extraction (ntlmssp, kerberos5)
Improve ntlmssp version extraction and logging, make its data structures optional. Extract native os/lm from smb1 ssn setup. Move session setup handling into their own files. Only log auth data for the session setup tx.
|
Rather minor, but I just noticed that this, and nfs use "_" in filenames. Whereas the C code uses "-". Is there a specific reason for this? |
|
My first look at this was as a user and here are some things I noticed:
But overall this looks great! I think there's just too much information for the basic use case. |
jasonish
reviewed
Mar 7, 2018
| @@ -798,13 +800,12 @@ app-layer: | |||
| enabled: detection-only | |||
| msn: | |||
| enabled: detection-only | |||
| # Note: --enable-rust is required for full SMB1/2 support. W/o rust | |||
| # only minimal SMB1 support is available. | |||
There was a problem hiding this comment.
We're missing an "smb" stub in the eve-log types.
|
I see a lot of these in verbose mode (though I have no debugging enabled but running with was wondering if that is expected? |
|
On 07-03-18 18:41, Jason Ish wrote:
#
Can the disposition field use a value in ALL_CAPS? Looks like the MSDN
docs use FILE_OPEN, FILE_CREATE, etc.
#
Can the access field also use ALL_CAPS values? Again the MSDN docs use
strings like DELETE_ON_CLOSE.
Can you add a link?
|
|
On 07-03-18 18:41, Jason Ish wrote:
#
Rename "file" to "filename". It looks like NFS uses "filename", as well
as fileinfo.
I think it would be good to maybe have a common object in the root for this?
For example I now have a few more fields:
<pre>
"smb": {
"id": 143,
"dialect": "2.10",
"command": "SMB2_COMMAND_CREATE",
"status": "STATUS_SUCCESS",
"statux": "0x0",
"session_id": 2332899971,
"tree_id": 2531469078,
"request_done": true,
"response_done": true,
"file": "sandnet.pcap",
"disposition": "open",
"access": "normal",
"created": 1300461378,
"accessed": 1505857809,
"modified": 1300461378,
"changed": 1300461378,
"size": 435432725
}
</pre>
I guess it would make sense to have something like:
<pre>
"file": {
"name": "sandnet.pcap",
"disposition": "open",
"access": "normal",
"created": 1300461378,
"accessed": 1505857809,
"modified": 1300461378,
"changed": 1300461378,
"size": 435432725
}
</pre>
Although 'file' might be a misnomer as it can also be a dir or a pipe or
a few other things.
|
|
On 06-03-18 20:05, Jason Ish wrote:
Rather minor, but I just noticed that this, and nfs use "_" in
filenames. Whereas the C code uses "-". Is there a specific reason for this?
No idea. We can change it.
|
|
On 07-03-18 18:41, Jason Ish wrote:
#
My Linux to Linux CIFS shares use very long running sessions. So I had
to remount those to get Suricata to pick anything up. This would be a
good use case for per-protocol midstream pickup?
Yeah. The code is already quite good at post-GAP sync up. I was thinking
that on midstream session pickup we can simply set the GAP flag so that
the parser knows the start of the record might not align with the start
of the data.
|
|
On 07-03-18 18:41, Jason Ish wrote:
#
I think we need a way, right from the start to filter out certain types
of SMB logging. One example is to play a movie from an SMB mount and
watch the flood of SMB2_COMMAND_READ messages go by. Is there a default
set that would give us the following information: who mounted it, files
created/deleted/read - without logging ever read block?
Agreed. We have the same issue with NFS. There would be 2 rough approaches:
1. log filtering: only log for certain txs
2. tx filtering: only create tx for certain commands
There is some basic code to do (2), but it's not configurable yet.
I'm playing with logic like this:
1. for READ/WRITE/TRANS/TRANS2 don't create tx
2. *unless* there was an parser event
Probably should extend it to a few more commands.
However, I will be introducing some keywords to match on commands,
status and some other things as well. So if I'd have a 'smb_command;
content:"READ";' keyword, I do need a tx per command/status pair.
So I'm also thinking about making it a bit more dynamic:
1. if smb logger wants to output each command: tx for each command
2. if rules match on command/status: tx for each command
Then if logging is limited to 'important events' and detection is on,
we'd need to do output filtering.
|
|
On 07-03-18 18:41, Jason Ish wrote:
#
The statux field looks like its the status-code. Can we call it
"status_code" even though its logged as a hex string. The other option
is to log it as an integer, but we do have some other cases where flags
are logged as a hex string as well.
I'm fine with renaming it. Field will have to be hex though, as that is
how the codes are documented in the spec, and displayed by tools like
wireshark.
|
|
In general I think I'd like to break out some of the sub-objects I created: smb.dcerpc: dcerpc can be on it's own as well on the wire |
|
On 08-03-18 12:41, Peter Manev wrote:
I see a lot of these in verbose mode (though I have no debugging enabled
but running with |-vvv| on the command line):
...
was wondering if that is expected?
Right now, yes. I will refine it a bit but the goal right now is to find
conditions in which the parser isn't behaving as it should. But for this
PR you can ignore it.
|
https://msdn.microsoft.com/en-us/library/windows/desktop/aa363858(v=vs.85).aspx - See FILE_FLAG_DELETE_ON_CLOSE. I think this is more of Windows programming guide, but its pretty closely tied to SMB. |
|
On 2018-03-09 03:15 AM, Victor Julien wrote:
On 07-03-18 18:41, Jason Ish wrote:
> #
>
> Rename "file" to "filename". It looks like NFS uses "filename", as well
> as fileinfo.
>
I think it would be good to maybe have a common object in the root for this?
For example I now have a few more fields:
<pre>
"smb": {
"id": 143,
"dialect": "2.10",
"command": "SMB2_COMMAND_CREATE",
"status": "STATUS_SUCCESS",
"statux": "0x0",
"session_id": 2332899971,
"tree_id": 2531469078,
"request_done": true,
"response_done": true,
"file": "sandnet.pcap",
"disposition": "open",
"access": "normal",
"created": 1300461378,
"accessed": 1505857809,
"modified": 1300461378,
"changed": 1300461378,
"size": 435432725
}
</pre>
I guess it would make sense to have something like:
<pre>
"file": {
"name": "sandnet.pcap",
"disposition": "open",
"access": "normal",
"created": 1300461378,
"accessed": 1505857809,
"modified": 1300461378,
"changed": 1300461378,
"size": 435432725
}
</pre>
Although 'file' might be a misnomer as it can also be a dir or a pipe or
a few other things.
I think we're all pretty used to the file as thing, not necessarily a
plain file these days.
But still I think the smb.file should be smb.filename, just for consistency.
|
|
On 2018-03-09 03:18 AM, Victor Julien wrote:
On 07-03-18 18:41, Jason Ish wrote:
> #
>
> The statux field looks like its the status-code. Can we call it
> "status_code" even though its logged as a hex string. The other option
> is to log it as an integer, but we do have some other cases where flags
> are logged as a hex string as well.
>
I'm fine with renaming it. Field will have to be hex though, as that is
how the codes are documented in the spec, and displayed by tools like
wireshark.
Yeah, for display that is fine. But if it all packs into an integer,
thats should be the serialized format, and converted on display :)
But like a said, we don't follow that strictly, so thats OK. I just
don't think the fact that its hex has to be encoded into the name. So
simplye "status-code", and hex as a string, starting with 0x. I think
our other usage might not have the 0x.
Jason
|
|
Replaced by #3281 |
catenacyber
added a commit
to catenacyber/suricata
that referenced
this pull request
Oct 30, 2019
catenacyber
added a commit
to catenacyber/suricata
that referenced
this pull request
Oct 30, 2019
catenacyber
added a commit
to catenacyber/suricata
that referenced
this pull request
Nov 12, 2019
catenacyber
added a commit
to catenacyber/suricata
that referenced
this pull request
Nov 12, 2019
victorjulien
pushed a commit
to victorjulien/suricata
that referenced
this pull request
Dec 5, 2019
catenacyber
added a commit
to catenacyber/suricata
that referenced
this pull request
Dec 6, 2019
victorjulien
pushed a commit
to victorjulien/suricata
that referenced
this pull request
Dec 9, 2019
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Changes since #3260:
PRScript output (if applicable):