
Suricata SMB Eve log - Joseph Feather, 01/03/2020 03:06 PM

 
{"timestamp":"2016-10-16T08:09:24.000315+0000","flow_id":948003262372759,"pcap_cnt":197,"event_type":"smb","src_ip":"192.168.199.133","src_port":49671,"dest_ip":"192.168.199.1","dest_port":139,"proto":"TCP","smb":{"id":1,"dialect":"2.??","command":"SMB1_COMMAND_NEGOTIATE_PROTOCOL","status":"STATUS_SUCCESS","status_code":"0x0","session_id":0,"tree_id":0,"client_dialects":["PC NETWORK PROGRAM 1.0","LANMAN1.0","Windows for Workgroups 3.1a","LM1.2X002","LANMAN2.1","NT LM 0.12","SMB 2.002","SMB 2.???"],"server_guid":"3f3dd02c-00b2-4fe1-d4bd-b7c86656270c"},"host":"roundrob2_eint"}
{"timestamp":"2016-10-16T08:09:24.001928+0000","flow_id":948003262372759,"pcap_cnt":200,"event_type":"smb","src_ip":"192.168.199.133","src_port":49671,"dest_ip":"192.168.199.1","dest_port":139,"proto":"TCP","smb":{"id":2,"dialect":"3.02","command":"SMB2_COMMAND_NEGOTIATE_PROTOCOL","status":"STATUS_SUCCESS","status_code":"0x0","session_id":0,"tree_id":0,"client_dialects":["2.02","2.10","3.00","3.02","3.11"],"client_guid":"a8df4bb2-9377-11e6-1da0-0c005ff56129","server_guid":"3f3dd02c-00b2-4fe1-d4bd-b7c86656270c"},"host":"roundrob2_eint"}
{"timestamp":"2016-10-16T08:09:24.033848+0000","flow_id":1146127956343745,"pcap_cnt":240,"event_type":"smb","src_ip":"192.168.199.133","src_port":49672,"dest_ip":"192.168.199.1","dest_port":139,"proto":"TCP","smb":{"id":1,"dialect":"NT LM 0.12","command":"SMB1_COMMAND_NEGOTIATE_PROTOCOL","status":"STATUS_SUCCESS","status_code":"0x0","session_id":0,"tree_id":0,"client_dialects":["PC NETWORK PROGRAM 1.0","LANMAN1.0","Windows for Workgroups 3.1a","LM1.2X002","LANMAN2.1","NT LM 0.12"],"server_guid":"3f3dd02c-00b2-4fe1-d4bd-b7c86656270c"},"host":"roundrob2_eint"}
{"timestamp":"2016-10-16T08:09:24.039910+0000","flow_id":1146127956343745,"pcap_cnt":242,"event_type":"smb","src_ip":"192.168.199.133","src_port":49672,"dest_ip":"192.168.199.1","dest_port":139,"proto":"TCP","smb":{"id":2,"dialect":"NT LM 0.12","command":"SMB1_COMMAND_SESSION_SETUP_ANDX","status":"STATUS_MORE_PROCESSING_REQUIRED","status_code":"0xc0000016","session_id":2048,"tree_id":65535,"request":{"native_os":"","native_lm":""},"response":{"native_os":"Windows 8.1 9600","native_lm":"Windows 8.1 6.3"}},"host":"roundrob2_eint"}
{"timestamp":"2016-10-16T08:09:24.042364+0000","flow_id":1146127956343745,"pcap_cnt":244,"event_type":"smb","src_ip":"192.168.199.133","src_port":49672,"dest_ip":"192.168.199.1","dest_port":139,"proto":"TCP","smb":{"id":3,"dialect":"NT LM 0.12","command":"SMB1_COMMAND_SESSION_SETUP_ANDX","status":"STATUS_SUCCESS","status_code":"0x0","session_id":2048,"tree_id":65535,"ntlmssp":{"domain":"","user":"","host":"DESKTOP-V1FA0UQ"},"request":{"native_os":"","native_lm":""},"response":{"native_os":"Windows 8.1 9600","native_lm":"Windows 8.1 6.3"}},"host":"roundrob2_eint"}
{"timestamp":"2016-10-16T08:09:24.043217+0000","flow_id":1146127956343745,"pcap_cnt":246,"event_type":"smb","src_ip":"192.168.199.133","src_port":49672,"dest_ip":"192.168.199.1","dest_port":139,"proto":"TCP","smb":{"id":4,"dialect":"NT LM 0.12","command":"SMB1_COMMAND_TREE_CONNECT_ANDX","status":"STATUS_SUCCESS","status_code":"0x0","session_id":2048,"tree_id":2048,"named_pipe":"\\SCV\\IPC$","service":{"request":"?????","response":"IPC"}},"host":"roundrob2_eint"}
{"timestamp":"2016-10-16T08:09:34.753773+0000","flow_id":1146127956343745,"pcap_cnt":259,"event_type":"smb","src_ip":"192.168.199.133","src_port":49672,"dest_ip":"192.168.199.1","dest_port":139,"proto":"TCP","smb":{"id":5,"dialect":"NT LM 0.12","command":"SMB1_COMMAND_TREE_DISCONNECT","status":"STATUS_SUCCESS","status_code":"0x0","session_id":2048,"tree_id":2048},"host":"roundrob2_eint"}
{"timestamp":"2016-10-16T08:09:34.755137+0000","flow_id":1146127956343745,"pcap_cnt":263,"event_type":"smb","src_ip":"192.168.199.133","src_port":49672,"dest_ip":"192.168.199.1","dest_port":139,"proto":"TCP","smb":{"id":6,"dialect":"NT LM 0.12","command":"SMB1_COMMAND_LOGOFF_ANDX","status":"STATUS_SUCCESS","status_code":"0x0","session_id":2048,"tree_id":0},"host":"roundrob2_eint"}
{"timestamp":"2016-10-16T08:13:10.432895+0000","flow_id":1699538802194514,"pcap_cnt":705,"event_type":"smb","src_ip":"192.168.199.132","src_port":49670,"dest_ip":"192.168.199.133","dest_port":445,"proto":"TCP","smb":{"id":1,"dialect":"2.??","command":"SMB1_COMMAND_NEGOTIATE_PROTOCOL","status":"STATUS_SUCCESS","status_code":"0x0","session_id":0,"tree_id":0,"client_dialects":["PC NETWORK PROGRAM 1.0","LANMAN1.0","Windows for Workgroups 3.1a","LM1.2X002","LANMAN2.1","NT LM 0.12","SMB 2.002","SMB 2.???"],"server_guid":"a3af6e96-7f35-4004-f9a5-3e64568cfa1b"},"host":"roundrob2_eint"}
{"timestamp":"2016-10-16T08:13:10.442053+0000","flow_id":1699538802194514,"pcap_cnt":707,"event_type":"smb","src_ip":"192.168.199.132","src_port":49670,"dest_ip":"192.168.199.133","dest_port":445,"proto":"TCP","smb":{"id":2,"dialect":"3.11","command":"SMB2_COMMAND_NEGOTIATE_PROTOCOL","status":"STATUS_SUCCESS","status_code":"0x0","session_id":0,"tree_id":0,"client_dialects":["2.02","2.10","3.00","3.02","3.11"],"client_guid":"0eca551c-9378-11e6-f4aa-0c00addf0329","server_guid":"a3af6e96-7f35-4004-f9a5-3e64568cfa1b"},"host":"roundrob2_eint"}
{"timestamp":"2016-10-16T08:13:10.445032+0000","flow_id":1699538802194514,"pcap_cnt":709,"event_type":"smb","src_ip":"192.168.199.132","src_port":49670,"dest_ip":"192.168.199.133","dest_port":445,"proto":"TCP","smb":{"id":3,"dialect":"3.11","command":"SMB2_COMMAND_SESSION_SETUP","status":"STATUS_MORE_PROCESSING_REQUIRED","status_code":"0xc0000016","session_id":127543348822017,"tree_id":0},"host":"roundrob2_eint"}
{"timestamp":"2016-10-16T08:13:10.474118+0000","flow_id":747400387239139,"pcap_cnt":717,"event_type":"smb","src_ip":"192.168.199.132","src_port":49671,"dest_ip":"192.168.199.133","dest_port":445,"proto":"TCP","smb":{"id":1,"dialect":"3.11","command":"SMB2_COMMAND_NEGOTIATE_PROTOCOL","status":"STATUS_SUCCESS","status_code":"0x0","session_id":0,"tree_id":0,"client_dialects":["2.02","2.10","3.00","3.02","3.11"],"client_guid":"0eca551c-9378-11e6-f4aa-0c00addf0329","server_guid":"a3af6e96-7f35-4004-f9a5-3e64568cfa1b"},"host":"roundrob2_eint"}
{"timestamp":"2016-10-16T08:13:10.475151+0000","flow_id":747400387239139,"pcap_cnt":719,"event_type":"smb","src_ip":"192.168.199.132","src_port":49671,"dest_ip":"192.168.199.133","dest_port":445,"proto":"TCP","smb":{"id":2,"dialect":"3.11","command":"SMB2_COMMAND_SESSION_SETUP","status":"STATUS_MORE_PROCESSING_REQUIRED","status_code":"0xc0000016","session_id":127543348822021,"tree_id":0},"host":"roundrob2_eint"}
{"timestamp":"2016-10-16T08:13:10.484196+0000","flow_id":1205031300122625,"pcap_cnt":727,"event_type":"smb","src_ip":"192.168.199.132","src_port":49672,"dest_ip":"192.168.199.133","dest_port":445,"proto":"TCP","smb":{"id":1,"dialect":"3.11","command":"SMB2_COMMAND_NEGOTIATE_PROTOCOL","status":"STATUS_SUCCESS","status_code":"0x0","session_id":0,"tree_id":0,"client_dialects":["2.02","2.10","3.00","3.02","3.11"],"client_guid":"0eca551c-9378-11e6-f4aa-0c00addf0329","server_guid":"a3af6e96-7f35-4004-f9a5-3e64568cfa1b"},"host":"roundrob2_eint"}
{"timestamp":"2016-10-16T08:13:10.485343+0000","flow_id":1205031300122625,"pcap_cnt":729,"event_type":"smb","src_ip":"192.168.199.132","src_port":49672,"dest_ip":"192.168.199.133","dest_port":445,"proto":"TCP","smb":{"id":2,"dialect":"3.11","command":"SMB2_COMMAND_SESSION_SETUP","status":"STATUS_MORE_PROCESSING_REQUIRED","status_code":"0xc0000016","session_id":127543348822025,"tree_id":0},"host":"roundrob2_eint"}
{"timestamp":"2016-10-16T08:13:10.496004+0000","flow_id":723258376091863,"pcap_cnt":737,"event_type":"smb","src_ip":"192.168.199.132","src_port":49673,"dest_ip":"192.168.199.133","dest_port":445,"proto":"TCP","smb":{"id":1,"dialect":"3.11","command":"SMB2_COMMAND_NEGOTIATE_PROTOCOL","status":"STATUS_SUCCESS","status_code":"0x0","session_id":0,"tree_id":0,"client_dialects":["2.02","2.10","3.00","3.02","3.11"],"client_guid":"0eca551c-9378-11e6-f4aa-0c00addf0329","server_guid":"a3af6e96-7f35-4004-f9a5-3e64568cfa1b"},"host":"roundrob2_eint"}
{"timestamp":"2016-10-16T08:13:10.496963+0000","flow_id":723258376091863,"pcap_cnt":739,"event_type":"smb","src_ip":"192.168.199.132","src_port":49673,"dest_ip":"192.168.199.133","dest_port":445,"proto":"TCP","smb":{"id":2,"dialect":"3.11","command":"SMB2_COMMAND_SESSION_SETUP","status":"STATUS_MORE_PROCESSING_REQUIRED","status_code":"0xc0000016","session_id":127543348822029,"tree_id":0},"host":"roundrob2_eint"}
{"timestamp":"2016-10-16T08:13:29.923202+0000","flow_id":323016817507552,"pcap_cnt":761,"event_type":"smb","src_ip":"192.168.199.132","src_port":49674,"dest_ip":"192.168.199.133","dest_port":445,"proto":"TCP","smb":{"id":1,"dialect":"2.??","command":"SMB1_COMMAND_NEGOTIATE_PROTOCOL","status":"STATUS_SUCCESS","status_code":"0x0","session_id":0,"tree_id":0,"client_dialects":["PC NETWORK PROGRAM 1.0","LANMAN1.0","Windows for Workgroups 3.1a","LM1.2X002","LANMAN2.1","NT LM 0.12","SMB 2.002","SMB 2.???"],"server_guid":"a3af6e96-7f35-4004-f9a5-3e64568cfa1b"},"host":"roundrob2_eint"}
{"timestamp":"2016-10-16T08:13:29.932360+0000","flow_id":323016817507552,"pcap_cnt":763,"event_type":"smb","src_ip":"192.168.199.132","src_port":49674,"dest_ip":"192.168.199.133","dest_port":445,"proto":"TCP","smb":{"id":2,"dialect":"3.11","command":"SMB2_COMMAND_NEGOTIATE_PROTOCOL","status":"STATUS_SUCCESS","status_code":"0x0","session_id":0,"tree_id":0,"client_dialects":["2.02","2.10","3.00","3.02","3.11"],"client_guid":"0eca551d-9378-11e6-f4aa-0c00addf0329","server_guid":"a3af6e96-7f35-4004-f9a5-3e64568cfa1b"},"host":"roundrob2_eint"}
{"timestamp":"2016-10-16T08:13:29.932956+0000","flow_id":323016817507552,"pcap_cnt":765,"event_type":"smb","src_ip":"192.168.199.132","src_port":49674,"dest_ip":"192.168.199.133","dest_port":445,"proto":"TCP","smb":{"id":3,"dialect":"3.11","command":"SMB2_COMMAND_SESSION_SETUP","status":"STATUS_MORE_PROCESSING_REQUIRED","status_code":"0xc0000016","session_id":127543348822033,"tree_id":0},"host":"roundrob2_eint"}
{"timestamp":"2016-10-16T08:16:01.422926+0000","flow_id":1881918157182233,"pcap_cnt":856,"event_type":"smb","src_ip":"192.168.199.132","src_port":49675,"dest_ip":"192.168.199.133","dest_port":445,"proto":"TCP","smb":{"id":1,"dialect":"2.??","command":"SMB1_COMMAND_NEGOTIATE_PROTOCOL","status":"STATUS_SUCCESS","status_code":"0x0","session_id":0,"tree_id":0,"client_dialects":["PC NETWORK PROGRAM 1.0","LANMAN1.0","Windows for Workgroups 3.1a","LM1.2X002","LANMAN2.1","NT LM 0.12","SMB 2.002","SMB 2.???"],"server_guid":"a3af6e96-7f35-4004-f9a5-3e64568cfa1b"},"host":"roundrob2_eint"}
{"timestamp":"2016-10-16T08:16:01.429700+0000","flow_id":1881918157182233,"pcap_cnt":858,"event_type":"smb","src_ip":"192.168.199.132","src_port":49675,"dest_ip":"192.168.199.133","dest_port":445,"proto":"TCP","smb":{"id":2,"dialect":"3.11","command":"SMB2_COMMAND_NEGOTIATE_PROTOCOL","status":"STATUS_SUCCESS","status_code":"0x0","session_id":0,"tree_id":0,"client_dialects":["2.02","2.10","3.00","3.02","3.11"],"client_guid":"0eca552d-9378-11e6-f4aa-0c00addf0329","server_guid":"a3af6e96-7f35-4004-f9a5-3e64568cfa1b"},"host":"roundrob2_eint"}
{"timestamp":"2016-10-16T08:16:01.430353+0000","flow_id":1881918157182233,"pcap_cnt":860,"event_type":"smb","src_ip":"192.168.199.132","src_port":49675,"dest_ip":"192.168.199.133","dest_port":445,"proto":"TCP","smb":{"id":3,"dialect":"3.11","command":"SMB2_COMMAND_SESSION_SETUP","status":"STATUS_MORE_PROCESSING_REQUIRED","status_code":"0xc0000016","session_id":127543348822037,"tree_id":0},"host":"roundrob2_eint"}
{"timestamp":"2016-10-16T08:16:01.431708+0000","flow_id":1881918157182233,"pcap_cnt":862,"event_type":"smb","src_ip":"192.168.199.132","src_port":49675,"dest_ip":"192.168.199.133","dest_port":445,"proto":"TCP","smb":{"id":4,"dialect":"3.11","command":"SMB2_COMMAND_SESSION_SETUP","status":"STATUS_SUCCESS","status_code":"0x0","session_id":127543348822037,"tree_id":0,"ntlmssp":{"domain":"DESKTOP-2AEFM7G","user":"Willi Wireshark","host":"DESKTOP-2AEFM7G"}},"host":"roundrob2_eint"}
{"timestamp":"2016-10-16T08:16:01.431994+0000","flow_id":1881918157182233,"pcap_cnt":864,"event_type":"smb","src_ip":"192.168.199.132","src_port":49675,"dest_ip":"192.168.199.133","dest_port":445,"proto":"TCP","smb":{"id":5,"dialect":"3.11","command":"SMB2_COMMAND_TREE_CONNECT","status":"STATUS_SUCCESS","status_code":"0x0","session_id":127543348822037,"tree_id":1,"named_pipe":"\\\\192.168.199.133\\IPC$","share_type":"PIPE"},"host":"roundrob2_eint"}
{"timestamp":"2016-10-16T08:16:01.433420+0000","flow_id":1881918157182233,"pcap_cnt":866,"event_type":"smb","src_ip":"192.168.199.132","src_port":49675,"dest_ip":"192.168.199.133","dest_port":445,"proto":"TCP","smb":{"id":6,"dialect":"3.11","command":"SMB2_COMMAND_IOCTL","status":"STATUS_SUCCESS","status_code":"0x0","session_id":127543348822037,"tree_id":1,"function":"FSCTL_QUERY_NETWORK_INTERFACE_INFO"},"host":"roundrob2_eint"}
{"timestamp":"2016-10-16T08:16:01.433753+0000","flow_id":1881918157182233,"pcap_cnt":868,"event_type":"smb","src_ip":"192.168.199.132","src_port":49675,"dest_ip":"192.168.199.133","dest_port":445,"proto":"TCP","smb":{"id":7,"dialect":"3.11","command":"SMB2_COMMAND_CREATE","status":"STATUS_SUCCESS","status_code":"0x0","session_id":127543348822037,"tree_id":1,"filename":"srvsvc","disposition":"FILE_OPEN","access":"normal","created":0,"accessed":0,"modified":0,"changed":0,"size":0,"fuid":"00000001-001d-0000-0001-00000000001d"},"host":"roundrob2_eint"}
{"timestamp":"2016-10-16T08:16:01.434363+0000","flow_id":1881918157182233,"pcap_cnt":874,"event_type":"smb","src_ip":"192.168.199.132","src_port":49675,"dest_ip":"192.168.199.133","dest_port":445,"proto":"TCP","smb":{"id":8,"dialect":"3.11","command":"SMB2_COMMAND_WRITE","status":"STATUS_SUCCESS","status_code":"0x0","session_id":127543348822037,"tree_id":1,"dcerpc":{"request":"BIND","response":"BINDACK","interfaces":[{"uuid":"4b324fc8-1670-01d3-1278-5a47bf6ee188","version":"3.0","ack_result":2,"ack_reason":0},{"uuid":"4b324fc8-1670-01d3-1278-5a47bf6ee188","version":"3.0","ack_result":0,"ack_reason":0},{"uuid":"4b324fc8-1670-01d3-1278-5a47bf6ee188","version":"3.0","ack_result":3,"ack_reason":0}],"call_id":2}},"host":"roundrob2_eint"}
{"timestamp":"2016-10-16T08:16:01.436312+0000","flow_id":1881918157182233,"pcap_cnt":878,"event_type":"smb","src_ip":"192.168.199.132","src_port":49675,"dest_ip":"192.168.199.133","dest_port":445,"proto":"TCP","smb":{"id":9,"dialect":"3.11","command":"SMB2_COMMAND_WRITE","status":"STATUS_SUCCESS","status_code":"0x0","session_id":127543348822037,"tree_id":1,"dcerpc":{"request":"REQUEST","response":"RESPONSE","opnum":15,"req":{"frag_cnt":1,"stub_data_size":128},"res":{"frag_cnt":1,"stub_data_size":412},"call_id":2}},"host":"roundrob2_eint"}
{"timestamp":"2016-10-16T08:16:01.497030+0000","flow_id":1881918157182233,"pcap_cnt":880,"event_type":"smb","src_ip":"192.168.199.132","src_port":49675,"dest_ip":"192.168.199.133","dest_port":445,"proto":"TCP","smb":{"id":10,"dialect":"3.11","command":"SMB2_COMMAND_CLOSE","status":"STATUS_SUCCESS","status_code":"0x0","session_id":127543348822037,"tree_id":1},"host":"roundrob2_eint"}
{"timestamp":"2016-10-16T08:19:05.957581+0000","flow_id":1699538802194514,"event_type":"smb","src_ip":"192.168.199.132","src_port":49670,"dest_ip":"192.168.199.133","dest_port":445,"proto":"TCP","smb":{"id":4,"dialect":"3.11","command":"SMB2_COMMAND_SESSION_SETUP","session_id":127543348822017,"tree_id":0,"ntlmssp":{"domain":"DESKTOP-2AEFM7G","user":"user","host":"DESKTOP-2AEFM7G"}},"host":"roundrob2_eint"}
{"timestamp":"2016-10-16T08:19:05.957581+0000","flow_id":723258376091863,"event_type":"smb","src_ip":"192.168.199.132","src_port":49673,"dest_ip":"192.168.199.133","dest_port":445,"proto":"TCP","smb":{"id":3,"dialect":"3.11","command":"SMB2_COMMAND_SESSION_SETUP","session_id":127543348822029,"tree_id":0,"ntlmssp":{"domain":"DESKTOP-2AEFM7G","user":"user","host":"DESKTOP-2AEFM7G"}},"host":"roundrob2_eint"}
{"timestamp":"2016-10-16T08:19:05.957581+0000","flow_id":323016817507552,"event_type":"smb","src_ip":"192.168.199.132","src_port":49674,"dest_ip":"192.168.199.133","dest_port":445,"proto":"TCP","smb":{"id":4,"dialect":"3.11","command":"SMB2_COMMAND_SESSION_SETUP","session_id":127543348822033,"tree_id":0,"ntlmssp":{"domain":"DESKTOP-2AEFM7G","user":"Tim Tester","host":"DESKTOP-2AEFM7G"}},"host":"roundrob2_eint"}
{"timestamp":"2016-10-16T08:19:05.957581+0000","flow_id":747400387239139,"event_type":"smb","src_ip":"192.168.199.132","src_port":49671,"dest_ip":"192.168.199.133","dest_port":445,"proto":"TCP","smb":{"id":3,"dialect":"3.11","command":"SMB2_COMMAND_SESSION_SETUP","session_id":127543348822021,"tree_id":0,"ntlmssp":{"domain":"DESKTOP-2AEFM7G","user":"user","host":"DESKTOP-2AEFM7G"}},"host":"roundrob2_eint"}
{"timestamp":"2016-10-16T08:19:05.957581+0000","flow_id":1205031300122625,"event_type":"smb","src_ip":"192.168.199.132","src_port":49672,"dest_ip":"192.168.199.133","dest_port":445,"proto":"TCP","smb":{"id":3,"dialect":"3.11","command":"SMB2_COMMAND_SESSION_SETUP","session_id":127543348822025,"tree_id":0,"ntlmssp":{"domain":"DESKTOP-2AEFM7G","user":"user","host":"DESKTOP-2AEFM7G"}},"host":"roundrob2_eint"}