Bug #5332 (Closed): Smb2 cannot store files!
Description
There is a pcap that cannot trigger filestore.
Note: turn on midstream when retesting.
I think the ASYNC response header is what is causing the problem.
https://docs.microsoft.com/zh-cn/openspecs/windows_protocols/ms-smb2/ea4560b7-90da-4803-82b5-344754b92a79
Updated by Victor Julien over 2 years ago
- Status changed from New to Assigned
- Assignee changed from Victor Julien to Philippe Antoine
- Priority changed from High to Normal
- Target version changed from TBD to 7.0.0-beta1
Philippe could you have a look at what is going on here?
Updated by Philippe Antoine over 2 years ago
I do not reproduce the problem on latest master:
./src/suricata -l log -k none -r /Users/catena/Downloads/smb_store_error.pcap -c suricata.yaml --set stream.midstream=true --set vlan.use-for-tracking=false --set outputs.0.file-store.enabled=yes -S smb.rules
with smb.rules being alert smb any any -> any any (msg:"test filestore required"; filestore; sid:10; rev:1;)
Then find log/filestore/ -type f
gives me log/filestore//d5/d50ea1b6b3e8ed084afc47537dd3dc0a5397d7f57595a9268c56c80e88095eee
Did you --set vlan.use-for-tracking=false and enable filestore output?
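For readers retesting this without the command-line overrides, the same three settings expressed in suricata.yaml (an added example for this page, not a configuration attached to the ticket; key names follow the upstream suricata.yaml layout, and the dir value is assumed):

```yaml
# Added example: suricata.yaml equivalents of the --set overrides used in
# the reproduction command above. Not from the ticket; adjust paths as needed.
stream:
  midstream: true          # the ticket notes midstream must be on when retesting

vlan:
  use-for-tracking: false  # the override the reporter was asked to confirm

outputs:
  - file-store:
      version: 2
      enabled: yes         # without this, no file is ever written to disk
      dir: filestore       # assumed; relative to the -l log directory
      force-filestore: no  # files are stored only when a matching rule uses 'filestore'
```

The rule file stays as in the comment above: alert smb any any -> any any (msg:"test filestore required"; filestore; sid:10; rev:1;), and a successful run leaves at least one file under log/filestore/.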
Updated by Philippe Antoine over 2 years ago
- Status changed from Assigned to Feedback
Updated by Philippe Antoine over 2 years ago
- Assignee changed from Philippe Antoine to yida zhang
Updated by Victor Julien about 2 years ago
- Target version changed from 7.0.0-beta1 to TBD
Updated by Philippe Antoine about 1 year ago
- Status changed from Feedback to Closed
Working as expected with --set vlan.use-for-tracking=false