Open Information Security Foundation - Suricata - Bug #181: SMB protocol detection issues (was: stream reassembly not working)
https://redmine.openinfosecfoundation.org/issues/181

[journal 669] 2010-06-21T09:10:22Z, Victor Julien (victor@inliniac.net), https://redmine.openinfosecfoundation.org/issues/181?journal_id=669
<p>We should have a match on the smb part of the stream, right? Is that not happening?</p>
<p>Can you attach (part of) the pcap?</p>

[journal 670] 2010-06-21T09:30:17Z, Anoop Saldanha (anoopsaldanha@gmail.com), https://redmine.openinfosecfoundation.org/issues/181?journal_id=670
<p>Victor Julien wrote:</p>
<blockquote>
<p>We should have a match on the smb part of the stream, right? Is that not happening?</p>
<p>Can you attach (part of) the pcap?</p>
</blockquote>
<p>Frame 4, we receive a netbios header without the smb data. The subsequent frames which have smb, have the netbios section (4 bytes) as well. But it is this first frame with the netbios header and without the smb part, that is setting the no_reassembly flag.</p>

[journal 700] 2010-06-27T00:55:40Z, Gurvinder Singh (gurvindersinghdahiya@gmail.com), https://redmine.openinfosecfoundation.org/issues/181?journal_id=700
<p>Hey Anoop,</p>
<p>Can you send me the pcap, so that I can look into the issue.</p>

[journal 717] 2010-06-28T01:17:43Z, Anoop Saldanha (anoopsaldanha@gmail.com), https://redmine.openinfosecfoundation.org/issues/181?journal_id=717
<p>pcap mailed privately to Gurvinder</p>

[journal 895] 2010-09-02T04:41:14Z, Victor Julien (victor@inliniac.net), https://redmine.openinfosecfoundation.org/issues/181?journal_id=895
<ul><li><strong>Target version</strong> set to <i>1.1beta1</i></li></ul><p>What is the status of this bug?</p>

[journal 898] 2010-09-05T09:02:06Z, Gurvinder Singh (gurvindersinghdahiya@gmail.com), https://redmine.openinfosecfoundation.org/issues/181?journal_id=898
<p>The 72-byte NetBIOS packet is sent by the client at the start of the session. This makes the sig for SMB proto detection fail, and also, as the max_len for the proto detection is 64, it passes that limit too and results in ALPROTO_UNKNOWN; also the no-reassembly flag has been set.</p>
<p>I changed the sig for SMB detection as follows:</p>
<p><code>@ -412,8 +407,8 </code>@ void AppLayerDetectProtoThreadInit(void) {<br /> //AlpProtoAdd(&alp_proto_ctx, IPPROTO_TCP, ALPROTO_JABBER, "xmlns='jabber|3A|client'", 74, 53, STREAM_TOSERVER);</p>
<pre><code>/** SMB */<br />- AlpProtoAdd(&alp_proto_ctx, IPPROTO_TCP, ALPROTO_SMB, "|ff|SMB", 8, 4, STREAM_TOCLIENT);<br />- AlpProtoAdd(&alp_proto_ctx, IPPROTO_TCP, ALPROTO_SMB, "|ff|SMB", 8, 4, STREAM_TOSERVER);<br />+ AlpProtoAdd(&alp_proto_ctx, IPPROTO_TCP, ALPROTO_SMB, "|ff|SMB", 100, 4, STREAM_TOCLIENT);<br />+ AlpProtoAdd(&alp_proto_ctx, IPPROTO_TCP, ALPROTO_SMB, "|ff|SMB", 100, 4, STREAM_TOSERVER);</code></pre>
<pre><code>/** SMB2 */<br /> AlpProtoAdd(&alp_proto_ctx, IPPROTO_TCP, ALPROTO_SMB2, "|fe|SMB", 8, 4, STREAM_TOCLIENT);</code></pre>
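Review bot: the depth of 100 on the two changed AlpProtoAdd lines is sized to the single 72-byte NetBIOS message seen in this pcap, and with offset 4 and depth 100 the "|ff|SMB" pattern is accepted anywhere in bytes 4..99 of the stream, so a longer leading NetBIOS message is still missed while any unrelated stream that happens to carry the four bytes ff 53 4d 42 in that window is classified as SMB. The exact check is "|ff|SMB" at offset 4 of the NetBIOS Session Service message, i.e. read the 4-byte NetBIOS header and step over the session-request message, rather than a wider scan window. Two follow-ups: the comment above says the detection max_len is 64 and nothing in this hunk changes it, so state whether max_len is derived from the registered depths (otherwise the extra depth cannot take effect); and the ALPROTO_SMB2 line in the trailing context keeps depth 8, so it fails on the same session-request prefix and needs the same treatment if this approach is kept.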
<p>and the engine detects the SMB protocol fine and starts to work normally, as shown below in the snippet from the log:</p>
<pre>[9579] 5/9/2010 -- 17:12:28 - (stream.c:109) <Debug> (StreamMsgDequeue) -- Returning pointer 0xb33a84b8 of type StreamMsg ... <<
[9579] 5/9/2010 -- 17:12:28 - (stream-tcp-reassemble.c:2133) <Debug> (StreamTcpReassembleProcessAppLayer) -- smsg 0xb33a84b8, next (nil), prev (nil), flow 0x8e2f2a8, q->len 0
[9579] 5/9/2010 -- 17:12:28 - (app-layer.c:118) <Debug> (AppLayerHandleMsg) -- Entering ... >>
[9579] 5/9/2010 -- 17:12:28 - (app-layer.c:123) <Debug> (AppLayerHandleMsg) -- smsg 0xb33a84b8
[9579] 5/9/2010 -- 17:12:28 - (app-layer.c:148) <Debug> (AppLayerHandleMsg) -- Stream initializer (len 172 (2048))
[9579] 5/9/2010 -- 17:12:28 - (app-layer-detect-proto.c:440) <Debug> (AppLayerDetectGetProto) -- Entering ... >>
[9579] 5/9/2010 -- 17:12:28 - (app-layer-detect-proto.c:492) <Debug> (AppLayerDetectGetProto) -- search cnt 1
[9579] 5/9/2010 -- 17:12:28 - (app-layer-detect-proto.c:501) <Debug> (AppLayerDetectGetProto) -- array count is 1 patid 37
[9579] 5/9/2010 -- 17:12:28 - (app-layer-detect-proto.c:163) <Debug> (AlpProtoMatchSignature) -- Entering ... >>
[9579] 5/9/2010 -- 17:12:28 - (app-layer-detect-proto.c:185) <Debug> (AlpProtoMatchSignature) -- s->co->offset (4) s->co->depth (100)
[9579] 5/9/2010 -- 17:12:28 - (app-layer-detect-proto.c:193) <Debug> (AlpProtoMatchSignature) -- Returning: 10 ... <<
[9579] 5/9/2010 -- 17:12:28 - (app-layer-detect-proto.c:581) <Debug> (AppLayerDetectGetProto) -- Returning: 10 ... <<
[9579] 5/9/2010 -- 17:12:28 - (app-layer.c:187) <Debug> (AppLayerHandleMsg) -- app layer proto has been detected
[9579] 5/9/2010 -- 17:12:28 - (stream.c:123) <Debug> (StreamMsgReturnToPool) -- s 0xb33a84b8
[9579] 5/9/2010 -- 17:12:28 - (app-layer.c:198) <Debug> (AppLayerHandleMsg) -- Returning: 0 ... <<
[9579] 5/9/2010 -- 17:12:28 - (stream-tcp-reassemble.c:2147) <Debug> (StreamTcpReassembleProcessAppLayer) -- Returning: 0 ... <<</pre>
<p>So I guess Kirby can suggest the exact modification needed for the SMB session detection in such a scenario. As far as stream reassembly is concerned, it works fine.</p>

[journal 974] 2010-12-20T23:49:36Z, Victor Julien (victor@inliniac.net), https://redmine.openinfosecfoundation.org/issues/181?journal_id=974
<ul><li><strong>Target version</strong> changed from <i>1.1beta1</i> to <i>1.1beta2</i></li></ul><p>Anoop/Gurvinder, can you resend me the pcap?</p>

[journal 1080] 2011-04-06T11:38:06Z, Victor Julien (victor@inliniac.net), https://redmine.openinfosecfoundation.org/issues/181?journal_id=1080
<ul><li><strong>Subject</strong> changed from <i>stream reassembly not working</i> to <i>SMB protocol detection issues (was: stream reassembly not working)</i></li><li><strong>Due date</strong> set to <i>04/15/2011</i></li><li><strong>Status</strong> changed from <i>New</i> to <i>Assigned</i></li><li><strong>Assignee</strong> changed from <i>OISF Dev</i> to <i>Anoop Saldanha</i></li><li><strong>Estimated time</strong> set to <i>0.00 h</i></li></ul><p>The problem seems to be in a weakness of our protocol detection engine design. Tasks written for this.</p>

[journal 1099] 2011-04-13T08:09:53Z, Victor Julien (victor@inliniac.net), https://redmine.openinfosecfoundation.org/issues/181?journal_id=1099
<ul><li><strong>Target version</strong> changed from <i>1.1beta2</i> to <i>1.1beta3</i></li></ul>

[journal 1126] 2011-05-13T07:09:58Z, Victor Julien (victor@inliniac.net), https://redmine.openinfosecfoundation.org/issues/181?journal_id=1126
<ul><li><strong>Status</strong> changed from <i>Assigned</i> to <i>Closed</i></li><li><strong>% Done</strong> changed from <i>0</i> to <i>100</i></li></ul><p>Fixed in the current master.</p>
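The framing problem this ticket describes (a 72-byte NetBIOS message ahead of the first SMB message, and a NetBIOS header that arrives in its own segment without the SMB payload), as an added example that is not part of the ticket and not Suricata code. It puts the fixed-window pattern scan from the discussion next to a detector that walks the NetBIOS Session Service framing and checks the SMB marker at offset 4 of each session message. The offset/depth window semantics, the message builders, the helper names and the sample bytes are the example's own assumptions; a NetBIOS session request happens to be 72 bytes, which matches the size reported above, but the ticket does not say what that message was.

```python
"""
Added example (not from the ticket and not Suricata code): a fixed-window
pattern scan versus a NetBIOS-framing-aware SMB detector. All builders,
names and sample bytes are the example's own assumptions.
"""
import struct

NBSS_HEADER_LEN = 4
NBSS_SESSION_MESSAGE = 0x00                        # the message type that carries SMB
NBSS_SETUP_TYPES = {0x81, 0x82, 0x83, 0x84, 0x85}  # request, responses, retarget, keepalive: no SMB
SMB1_MAGIC = b"\xffSMB"
SMB2_MAGIC = b"\xfeSMB"


def pattern_scan_detect(stream: bytes, depth: int = 8, offset: int = 4) -> str:
    """Fixed-window scan, simplified from the offset/depth idea in the ticket
    (assumption: the pattern may sit anywhere in stream[offset:depth])."""
    window = stream[offset:depth]
    if SMB1_MAGIC in window:
        return "smb"
    if SMB2_MAGIC in window:
        return "smb2"
    return "unknown"


def nbss_messages(stream: bytes):
    """Yield (type, payload, complete) per NetBIOS Session Service message.
    Header: type (1 byte), flags (1 byte, bit 0 extends the length), length (2 bytes)."""
    pos = 0
    while pos + NBSS_HEADER_LEN <= len(stream):
        msg_type, flags, low = struct.unpack("!BBH", stream[pos:pos + NBSS_HEADER_LEN])
        length = ((flags & 0x01) << 16) | low
        payload = stream[pos + NBSS_HEADER_LEN:pos + NBSS_HEADER_LEN + length]
        complete = len(payload) == length
        yield msg_type, payload, complete
        if not complete:
            return
        pos += NBSS_HEADER_LEN + length


def nbss_detect(stream: bytes, max_messages: int = 4) -> str:
    """Walk the framing; return 'smb', 'smb2', 'unknown' or 'need_more'."""
    for index, (msg_type, payload, complete) in enumerate(nbss_messages(stream)):
        if index >= max_messages:
            return "unknown"
        if msg_type == NBSS_SESSION_MESSAGE:
            if len(payload) < len(SMB1_MAGIC):
                # Header arrived ahead of its payload (the "frame 4" case in the
                # ticket): ask for more data rather than giving up on the stream.
                return "need_more" if not complete else "unknown"
            if payload.startswith(SMB1_MAGIC):
                return "smb"
            if payload.startswith(SMB2_MAGIC):
                return "smb2"
            return "unknown"
        if msg_type in NBSS_SETUP_TYPES:
            if not complete:
                return "need_more"
            continue  # session setup carries no SMB; look at the next message
        return "unknown"  # not NetBIOS Session Service framing at all
    return "need_more"  # only setup messages, or a partial header, so far


def nbss_message(msg_type: int, payload: bytes) -> bytes:
    """Wrap a payload in a NetBIOS Session Service header (builder for the samples)."""
    length = len(payload)
    return struct.pack("!BBH", msg_type, (length >> 16) & 0x01, length & 0xFFFF) + payload


def encode_nb_name(name: str, suffix: int) -> bytes:
    """RFC 1001 first-level encoding: 15 space-padded chars plus a suffix byte become
    a 32-char label of 'A'..'P', with length byte and terminator: 34 bytes in all."""
    raw = name.upper().ljust(15)[:15].encode("ascii") + bytes([suffix])
    label = bytes(ord("A") + nibble for b in raw for nibble in (b >> 4, b & 0x0F))
    return bytes([len(label)]) + label + b"\x00"


# Constructed sample traffic (not taken from the ticket's pcap).
SESSION_REQUEST = nbss_message(0x81, encode_nb_name("FILESERVER", 0x20) + encode_nb_name("CLIENT", 0x00))
SMB1_NEGOTIATE = SMB1_MAGIC + b"\x72" + b"\x00" * 27 + b"\x00" + b"\x0c\x00" + b"\x02NT LM 0.12\x00"
SMB2_NEGOTIATE = SMB2_MAGIC + struct.pack("<H", 64) + b"\x00" * 58

CLIENT_STREAM = SESSION_REQUEST + nbss_message(NBSS_SESSION_MESSAGE, SMB1_NEGOTIATE)
SPLIT_STREAM = SESSION_REQUEST + nbss_message(NBSS_SESSION_MESSAGE, SMB1_NEGOTIATE)[:NBSS_HEADER_LEN]
DIRECT_SMB2_STREAM = nbss_message(NBSS_SESSION_MESSAGE, SMB2_NEGOTIATE)
LOOKALIKE_STREAM = b"X" * 50 + SMB1_MAGIC + b"Y" * 30  # not NetBIOS, just contains the marker

if __name__ == "__main__":
    samples = [("client stream", CLIENT_STREAM), ("split at NBSS header", SPLIT_STREAM),
               ("look-alike bytes", LOOKALIKE_STREAM), ("direct SMB2", DIRECT_SMB2_STREAM)]
    for label, stream in samples:
        print(f"{label:22} depth 8: {pattern_scan_detect(stream):8} "
              f"depth 100: {pattern_scan_detect(stream, depth=100):8} framing: {nbss_detect(stream)}")
```

Running it shows the three outcomes the thread touches: the depth-8 scan returns unknown for the client stream because the marker sits at byte 76, the depth-100 scan finds it but also accepts the look-alike stream, and the framing-aware detector finds SMB in the client stream, answers need_more when only the NetBIOS header of the SMB message has arrived, and rejects the look-alike bytes because they carry no valid NetBIOS message type.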