Bug #5332

open

SMB2 cannot store files!

Added by yida zhang 5 months ago. Updated 4 months ago.

Status:
Feedback
Priority:
Normal
Assignee:
Target version:
Affected Versions:
Effort:
high
Difficulty:
Label:
Protocol, Rust

Description

There is a pcap that cannot trigger filestore.

Note: turn on midstream when retesting.

I think the ASYNC response header is what is causing the problem.
https://docs.microsoft.com/zh-cn/openspecs/windows_protocols/ms-smb2/ea4560b7-90da-4803-82b5-344754b92a79

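The ASYNC header variant the reporter points at, shown as an added example (this is not code from the ticket or from Suricata): a small Python dissector that selects the SYNC or ASYNC header layout from the Flags field, so the TreeId is read only from sync headers and the AsyncId only from async ones, and that pairs the final response with its request by MessageId while skipping the interim STATUS_PENDING reply. The packet bytes and the session/tree ids are constructed inline, not taken from the attached pcaps.

```python
import struct

SMB2_FLAGS_SERVER_TO_REDIR = 0x00000001   # message is a server response
SMB2_FLAGS_ASYNC_COMMAND = 0x00000002     # header uses the ASYNC layout
STATUS_PENDING = 0x00000103               # interim "still in progress" reply
SMB2_READ = 0x0008
HEADER_LEN = 64

def parse_smb2_header(buf: bytes) -> dict:
    """Parse one 64-byte SMB2 header, choosing the SYNC or ASYNC layout from Flags."""
    if len(buf) < HEADER_LEN or buf[:4] != b"\xfeSMB":
        raise ValueError("not an SMB2 header")
    (_size, _credit_charge, status, command, _credit,
     flags, _next_cmd, message_id) = struct.unpack_from("<HHIHHIIQ", buf, 4)
    hdr = {"status": status, "command": command, "flags": flags,
           "message_id": message_id}
    if flags & SMB2_FLAGS_ASYNC_COMMAND:
        hdr["async_id"] = struct.unpack_from("<Q", buf, 32)[0]   # bytes 32..39 are AsyncId
    else:
        hdr["tree_id"] = struct.unpack_from("<I", buf, 36)[0]    # 4 reserved bytes, then TreeId
    hdr["session_id"] = struct.unpack_from("<Q", buf, 40)[0]
    hdr["is_interim_pending"] = bool(flags & SMB2_FLAGS_ASYNC_COMMAND) and status == STATUS_PENDING
    return hdr

def build_smb2_header(command, message_id, flags, status=0, tree_id=0, async_id=0):
    """Construct a header (sample data only) in the layout the flags select."""
    middle = (struct.pack("<Q", async_id) if flags & SMB2_FLAGS_ASYNC_COMMAND
              else struct.pack("<II", 0, tree_id))
    return (b"\xfeSMB" + struct.pack("<HHIHHIIQ", 64, 1, status, command, 1, flags, 0, message_id)
            + middle + struct.pack("<Q", 0x99) + b"\x00" * 16)   # constructed SessionId, empty signature

def track_exchange(packets):
    """Pair each final response with its request by MessageId; skip interim replies."""
    pending, completed = {}, {}
    for hdr in map(parse_smb2_header, packets):
        if not hdr["flags"] & SMB2_FLAGS_SERVER_TO_REDIR:
            pending[hdr["message_id"]] = hdr
        elif hdr["is_interim_pending"]:
            continue        # the real response arrives later under the same MessageId
        elif hdr["message_id"] in pending:
            req = pending.pop(hdr["message_id"])
            completed[hdr["message_id"]] = (req["command"], hdr["status"])
    return completed

# Constructed sample: READ request, async STATUS_PENDING interim, then the final sync response.
SAMPLE_PACKETS = [
    build_smb2_header(SMB2_READ, 5, 0, tree_id=0x11),
    build_smb2_header(SMB2_READ, 5, SMB2_FLAGS_SERVER_TO_REDIR | SMB2_FLAGS_ASYNC_COMMAND,
                      status=STATUS_PENDING, async_id=0x1234),
    build_smb2_header(SMB2_READ, 5, SMB2_FLAGS_SERVER_TO_REDIR, tree_id=0x11),
]

if __name__ == "__main__":
    print(track_exchange(SAMPLE_PACKETS))   # {5: (8, 0)}
```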

Files

smb_store_error.pcap (42.6 KB) smb_store_error.pcap file can not be stored yida zhang, 05/07/2022 09:15 AM
smb_store_ok.pcap (16.1 MB) smb_store_ok.pcap file can be stored yida zhang, 05/07/2022 09:16 AM
clipboard-202205071721-sbyqa.png (65 KB) clipboard-202205071721-sbyqa.png yida zhang, 05/07/2022 09:21 AM
Actions #1

Updated by yida zhang 5 months ago

  • Description updated (diff)
Actions #2

Updated by yida zhang 5 months ago

  • Description updated (diff)
Actions #3

Updated by Victor Julien 4 months ago

  • Status changed from New to Assigned
  • Assignee changed from Victor Julien to Philippe Antoine
  • Priority changed from High to Normal
  • Target version changed from TBD to 7.0rc1

Philippe could you have a look at what is going on here?

Actions #4

Updated by Philippe Antoine 4 months ago

I cannot reproduce the problem on latest master:

./src/suricata -l log -k none -r /Users/catena/Downloads/smb_store_error.pcap -c suricata.yaml --set stream.midstream=true --set vlan.use-for-tracking=false --set outputs.0.file-store.enabled=yes -S smb.rules

with smb.rules being alert smb any any -> any any (msg:"test filestore required"; filestore; sid:10; rev:1;)

Then find log/filestore/ -type f gives me log/filestore//d5/d50ea1b6b3e8ed084afc47537dd3dc0a5397d7f57595a9268c56c80e88095eee

Did you --set vlan.use-for-tracking=false and enable filestore output?

Actions #5

Updated by Philippe Antoine 4 months ago

  • Status changed from Assigned to Feedback
Actions #6

Updated by Philippe Antoine 4 months ago

  • Assignee changed from Philippe Antoine to yida zhang