Project

General

Profile

Actions
Copy link

Bug #5811

closed

smb: tx logs sometimes have duplicate `tree_id` output

Added by Andreas Herz about 1 year ago. Updated about 1 year ago.

Status:
Closed
Priority:
Normal
Assignee:
Jason Ish
Target version:
7.0.0-rc1
Affected Versions:
7.0.0-beta1, 6.0.9
Effort:
Difficulty:
Label:

Description

We have those events even for some suricata-verify tests, so should be easy to reproduce and debug, see for example:

smb-named-pipe-unicode/output/eve.json:{"timestamp":"2020-04-14T16:45:34.732215+0000","flow_id":1855357390218608,"pcap_cnt":14,"event_type":"alert","src_ip":"192.168.1.100","src_port":41688,"dest_ip":"192.168.1.3","dest_port":445,"proto":"TCP","pkt_src":"wire/pcap","tx_id":3,"alert":{"action":"allowed","gid":1,"signature_id":1,"rev":1,"signature":"Ascii named_pipe","category":"","severity":3},"smb":{"id":4,"dialect":"NT LM 0.12","command":"SMB1_COMMAND_TREE_CONNECT_ANDX","status":"STATUS_SUCCESS","status_code":"0x0","session_id":4096,"tree_id":2052,"tree_id":2052,"named_pipe":"\\192.168.1.3\\IPC$","service":{"request":"?????","response":"IPC"}},"app_proto":"smb","direction":"to_server","flow":{"pkts_toserver":8,"pkts_toclient":6,"bytes_toserver":1132,"bytes_toclient":1245,"start":"2020-04-14T16:45:34.694128+0000","src_ip":"192.168.1.100","dest_ip":"192.168.1.3","src_port":41688,"dest_port":445}}

Related issues 1 (0 open1 closed)

Related to Suricata - Bug #5933: smb: tx logs sometimes have duplicate `tree_id` output (6.0.x backport)ClosedJason IshActions
Actions
Copy link
 #2

Updated by Andreas Herz about 1 year ago

The reason for that is, that in `rust/src/smb.log.rs` we have an additional entry that is print in addition:

        Some(SMBTransactionTypeData::TREECONNECT(ref x)) => {
            jsb.set_uint("tree_id", x.tree_id as u64)?;

While the generic one that is printed everytime is `tx.hdr.tree_id` this one is `x.tree_id` but based on the testruns it's always the same as the `hdr` one. So it might just be not needed at all or the stored value is wrong.

Actions
Copy link
 #3

Updated by Jason Ish about 1 year ago

Andreas Herz wrote in #note-2:

The reason for that is, that in `rust/src/smb.log.rs` we have an additional entry that is print in addition:
[...]

While the generic one that is printed everytime is `tx.hdr.tree_id` this one is `x.tree_id` but based on the testruns it's always the same as the `hdr` one. So it might just be not needed at all or the stored value is wrong.

Thats my assumption as well. The `tree_id` is being "hoisted" up into the common header, cause if you look at the PCAP for a TREECONNECT, the Tree ID does exist only once, however our data structures suggest otherwise. My guess is that removing this line is the fix. Thoughts @Victor Julien ?

Actions
Copy link
 #4

Updated by Andreas Herz about 1 year ago

In addition to that I would also check if we read the correct tree_id.

In `smb-named-pipe-ascii-frames` we have the following event:

{"timestamp":"2020-03-10T18:22:46.113634+0000","flow_id":1704892135654207,"pcap_cnt":14,"event_type":"alert","src_ip":"192.168.1.100","src_port":55768,"dest_ip":"192.168.1.3","dest_port":445,"proto":"TCP","pkt_src":"wire/pcap","tx_id":3,"alert":{"action":"allowed","gid":1,"signature_id":1,"rev":1,"signature":"Ascii named_pipe","category":"","severity":3},"smb":{"id":4,"dialect":"NT LM 0.12","command":"SMB1_COMMAND_TREE_CONNECT_ANDX","status":"STATUS_SUCCESS","status_code":"0x0","session_id":4096,"tree_id":2049,"tree_id":2049,"named_pipe":"\\127.0.0.1\\IPC$","service":{"request":"?????","response":"IPC"}},"app_proto":"smb","direction":"to_server","flow":{"pkts_toserver":8,"pkts_toclient":6,"bytes_toserver":1517,"bytes_toclient":1261,"start":"2020-03-10T18:22:46.069271+0000","src_ip":"192.168.1.100","dest_ip":"192.168.1.3","src_port":55768,"dest_port":445}}

When I look into the pcap, the 2049 id is not from this packet, this packet has 65535 as value in wireshark. ANd based on the command and the src/dst I would say this is the packet 11 from the pcap which is the request (check the Tree ID in wireshark).
But the packet 12 is the response which has tree id 2049. Is this expected or another bug?

Actions
Copy link
 #5

Updated by Jason Ish about 1 year ago

Andreas Herz wrote in #note-4:

In addition to that I would also check if we read the correct tree_id.

In `smb-named-pipe-ascii-frames` we have the following event:
[...]

When I look into the pcap, the 2049 id is not from this packet, this packet has 65535 as value in wireshark. ANd based on the command and the src/dst I would say this is the packet 11 from the pcap which is the request (check the Tree ID in wireshark).
But the packet 12 is the response which has tree id 2049. Is this expected or another bug?

SMB, I believe, correlates responses to requests before logging so you are seeing an amalgamation of the request and response being logged, and it appears to be choosing the tree_id from the response. Unfortunately, I'm not familiar enough with SMB to know what makes the most sense.

Actions
Copy link
 #6

Updated by Jason Ish about 1 year ago

Here are all the tests resulting in a duplicate tree_id field. In all cases that value is the same:

FAIL: ./tests/dcerpc/zerologon/output/eve.json: key=tree_id, current value=1, new value=1
FAIL: ./tests/output-eve-smb-01/output/eve.json: key=tree_id, current value=2052, new value=2052
FAIL: ./tests/smb-dce_iface/output/eve.json: key=tree_id, current value=1, new value=1
FAIL: ./tests/smb-dce_opnum/output/eve.json: key=tree_id, current value=1, new value=1
FAIL: ./tests/smb-eicar-andx/output/eve.json: key=tree_id, current value=2051, new value=2051
FAIL: ./tests/smb-eicar-file-frames/output/eve.json: key=tree_id, current value=2048, new value=2048
FAIL: ./tests/smb-eicar-file-nbss-more-ffsmb/output/eve.json: key=tree_id, current value=2052, new value=2052
FAIL: ./tests/smb-eicar-file-segmentation-postheader/output/eve.json: key=tree_id, current value=2050, new value=2050
FAIL: ./tests/smb-eicar-file-segmentation-random/output/eve.json: key=tree_id, current value=2052, new value=2052
FAIL: ./tests/smb-eicar-file/output/eve.json: key=tree_id, current value=2048, new value=2048
FAIL: ./tests/smb-eicar-overlap/output/eve.json: key=tree_id, current value=2053, new value=2053
FAIL: ./tests/smb-eicar-padding/output/eve.json: key=tree_id, current value=4102, new value=4102
FAIL: ./tests/smb-named-pipe-ascii-frames/output/eve.json: key=tree_id, current value=2049, new value=2049
FAIL: ./tests/smb-named-pipe-ascii/output/eve.json: key=tree_id, current value=2049, new value=2049
FAIL: ./tests/smb-named-pipe-unicode/output/eve.json: key=tree_id, current value=2052, new value=2052
FAIL: ./tests/smb2-01/output/eve.json: key=tree_id, current value=201977730, new value=201977730
FAIL: ./tests/smb2-02/output/eve.json: key=tree_id, current value=1, new value=1
FAIL: ./tests/smb2-03-rule/output/eve.json: key=tree_id, current value=1, new value=1
FAIL: ./tests/smb2-05/output/eve.json: key=tree_id, current value=1, new value=1
FAIL: ./tests/smb2-06/output/eve.json: key=tree_id, current value=1, new value=1
FAIL: ./tests/smb2-07-frames/output/eve.json: key=tree_id, current value=1, new value=1
FAIL: ./tests/smb2-07/output/eve.json: key=tree_id, current value=1, new value=1
FAIL: ./tests/smb2-delete/output/eve.json: key=tree_id, current value=1, new value=1
FAIL: ./tests/smb3-01/output/eve.json: key=tree_id, current value=1, new value=1
FAIL: ./tests/smb3-02-midstream/output/eve.json: key=tree_id, current value=5, new value=5
FAIL: ./tests/smb3-03-midstream/output/eve.json: key=tree_id, current value=5, new value=5
FAIL: ./tests/smb2-named-pipe-unicode/output/eve.json: key=tree_id, current value=1, new value=1
FAIL: ./tests/bug-5162/output/eve.json: key=tree_id, current value=1, new value=1
FAIL: ./tests/dcerpc-smb-fail/output/eve.json: key=tree_id, current value=1, new value=1
FAIL: ./tests/dcerpc-smb-test-01/output/eve.json: key=tree_id, current value=1, new value=1
FAIL: ./tests/filesize-keyword/output/eve.json: key=tree_id, current value=2048, new value=2048
FAIL: ./tests/streamsize-keyword/output/eve.json: key=tree_id, current value=2048, new value=2048
FAIL: ./tests/smb2-08-rule/output/eve.json: key=tree_id, current value=1, new value=1
FAIL: ./tests/smb2-async-read/output/eve.json: key=tree_id, current value=4162756537, new value=4162756537

Actions
Copy link
 #7

Updated by Victor Julien about 1 year ago

  • Subject changed from SMB events sometimes have duplicate `tree_id` output. to smb: tx logs sometimes have duplicate `tree_id` output
  • Label Needs backport to 6.0 added
Actions
Copy link
 #8

Updated by Victor Julien about 1 year ago

  • Status changed from New to In Review
  • Assignee changed from OISF Dev to Jason Ish
  • Target version changed from TBD to 7.0.0-rc1
Actions
Copy link
 #9

Updated by Victor Julien about 1 year ago

  • Status changed from In Review to Closed
Actions
Copy link
 #10

Updated by Victor Julien about 1 year ago

  • Status changed from Closed to Resolved
Actions
Copy link
 #11

Updated by OISF Ticketbot about 1 year ago

  • Subtask #5933 added
Actions
Copy link
 #12

Updated by OISF Ticketbot about 1 year ago

  • Label deleted (Needs backport to 6.0)
Actions
Copy link
 #13

Updated by Victor Julien about 1 year ago

  • Subtask deleted (#5933)
Actions
Copy link
 #14

Updated by Victor Julien about 1 year ago

  • Related to Bug #5933: smb: tx logs sometimes have duplicate `tree_id` output (6.0.x backport) added
Actions
Copy link
 #15

Updated by Victor Julien about 1 year ago

  • Status changed from Resolved to Closed
Actions
Copy link

Also available in: Atom PDF