[Oisf-users] About SMB file capture function in 4.1beta support SMBv1 and v2 file capture

Tidy Huang tidy at holonetsecurity.com
Tue May 22 09:02:13 UTC 2018


Hello,

Wondering if someone might be able to clarify this a bit for me:

Suricata 4.1 beta 1 ready for testing

Main features additions
SMBv1/2/3 parsing, logging, file extraction

I enabled RUST support for suricata 4.1 beta and turned on the smb feature in the configuration, but I didn’t see any output information about SMB file info.

In Debug mode, I only saw some limited information about the filename in suricata.log, with no other information.

[8864] 22/5/2018 -- 00:58:26 - (debug.rs:64) <Notice> (<rust>) -- idx 18 tx id 141 ver:2 cmd:5 progress true/true type_data Some(CREATE(SMBTransactionCreate { disposition: 1, delete_on_close: false, directory: false, filename: [116, 0, 111, 0, 110, 0, 121, 0], guid: [169, 0, 0, 0, 0, 0, 0, 0, 169, 0, 0, 0, 255, 255, 255, 255], create_ts: 1497034296, last_access_ts: 1503015689, last_write_ts: 1503015689, last_change_ts: 1503015689, size: 8192 })) tx SMBTransaction { id: 141, vercmd: SMBVerCmdStat { smb_ver: 2, smb1_cmd: 0, smb2_cmd: 5, status_set: true, status_is_dos_error: false, status_error_class: 0, status: 0 }, hdr: SMBCommonHdr { ssn_id: 4398046511177, tree_id: 5, rec_type: 5, msg_id: 151 }, request_done: true, response_done: true, type_data: Some(CREATE(SMBTransactionCreate { disposition: 1, delete_on_close: false, directory: false, filename: [116, 0, 111, 0, 110, 0, 121, 0], guid: [169, 0, 0, 0, 0, 0, 0, 0, 169, 0, 0, 0, 255, 255, 255, 255], create_ts: 1497034296, last_access_ts: 1503015689, last_write_ts: 1503015689, last_change_ts: 1503015689, size: 8192 })), detect_flags_ts: 0, detect_flags_tc: 0, logged: LoggerFlags { flags: 0 }, de_state: None, events: 0x0 }
[8864] 22/5/2018 -- 00:58:26 - (debug.rs:64) <Notice> (<rust>) -- idx 19 tx id 142 ver:2 cmd:11 progress true/true type_data Some(IOCTL(SMBTransactionIoctl { func: 590016 })) tx SMBTransaction { id: 142, vercmd: SMBVerCmdStat { smb_ver: 2, smb1_cmd: 0, smb2_cmd: 11, status_set: true, status_is_dos_error: false, status_error_class: 0, status: 0 }, hdr: SMBCommonHdr { ssn_id: 4398046511177, tree_id: 0, rec_type: 6, msg_id: 152 }, request_done: true, response_done: true, type_data: Some(IOCTL(SMBTransactionIoctl { func: 590016 })), detect_flags_ts: 0, detect_flags_tc: 0, logged: LoggerFlags { flags: 0 }, de_state: None, events: 0x0 }


Thanks,
Tidy
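The debug lines above print the SMB2 CREATE filename as a Rust `Vec<u8>` of UTF-16LE bytes (`[116, 0, 111, 0, 110, 0, 121, 0]`), which is awkward to read while chasing missing file-info output. The following script is an added example, not part of this post and not Suricata's own code: it parses those debug lines, names the SMB2 command from the `cmd:` code (using the MS-SMB2 command and CreateDisposition tables), decodes the filename, and lists the non-directory CREATE transactions that a file-extraction log would be expected to cover. The line layout it matches is assumed from the two quoted lines, not from a documented Suricata format; the sample input is constructed from them.

```python
"""Summarise Suricata 4.1 SMB debug lines (added example, not Suricata code).

Assumption: each line carries 'tx id N ver:V cmd:C' followed by a Rust debug
print of the transaction, as in the two lines quoted in the mailing-list post.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: the two quoted debug lines, trimmed after the type_data.
SAMPLE_LOG = r"""
[8864] 22/5/2018 -- 00:58:26 - (debug.rs:64) <Notice> (<rust>) -- idx 18 tx id 141 ver:2 cmd:5 progress true/true type_data Some(CREATE(SMBTransactionCreate { disposition: 1, delete_on_close: false, directory: false, filename: [116, 0, 111, 0, 110, 0, 121, 0], guid: [169, 0, 0, 0, 0, 0, 0, 0, 169, 0, 0, 0, 255, 255, 255, 255], create_ts: 1497034296, last_access_ts: 1503015689, last_write_ts: 1503015689, last_change_ts: 1503015689, size: 8192 })) tx SMBTransaction { id: 141, vercmd: SMBVerCmdStat { smb_ver: 2, smb1_cmd: 0, smb2_cmd: 5, status_set: true } }
[8864] 22/5/2018 -- 00:58:26 - (debug.rs:64) <Notice> (<rust>) -- idx 19 tx id 142 ver:2 cmd:11 progress true/true type_data Some(IOCTL(SMBTransactionIoctl { func: 590016 })) tx SMBTransaction { id: 142, vercmd: SMBVerCmdStat { smb_ver: 2, smb1_cmd: 0, smb2_cmd: 11, status_set: true } }
"""

# SMB2 command codes (MS-SMB2, SMB2 packet header Command field).
SMB2_COMMANDS = {
    0: "NEGOTIATE", 1: "SESSION_SETUP", 2: "LOGOFF", 3: "TREE_CONNECT",
    4: "TREE_DISCONNECT", 5: "CREATE", 6: "CLOSE", 7: "FLUSH", 8: "READ",
    9: "WRITE", 10: "LOCK", 11: "IOCTL", 12: "CANCEL", 13: "ECHO",
    14: "QUERY_DIRECTORY", 15: "CHANGE_NOTIFY", 16: "QUERY_INFO",
    17: "SET_INFO", 18: "OPLOCK_BREAK",
}
# SMB2 CREATE request CreateDisposition values (MS-SMB2).
CREATE_DISPOSITION = {0: "SUPERSEDE", 1: "OPEN", 2: "CREATE", 3: "OPEN_IF",
                      4: "OVERWRITE", 5: "OVERWRITE_IF"}

TX_RE = re.compile(r"tx id (\d+) ver:(\d+) cmd:(\d+)")
TYPE_RE = re.compile(r"type_data Some\((\w+)\(")
FILENAME_RE = re.compile(r"filename: \[([\d, ]*)\]")
SIZE_RE = re.compile(r"\bsize: (\d+)")
DISP_RE = re.compile(r"disposition: (\d+)")
DIR_RE = re.compile(r"directory: (true|false)")


@dataclass
class SmbTx:
    tx_id: int
    smb_ver: int
    cmd: int
    cmd_name: str
    type_name: Optional[str]
    filename: Optional[str]
    size: Optional[int]
    disposition: Optional[str]
    directory: bool


def decode_utf16le(byte_list: str) -> str:
    """Turn '116, 0, 111, 0' (a Rust Vec<u8> debug print) into its UTF-16LE text."""
    raw = bytes(int(b) for b in byte_list.split(",") if b.strip())
    return raw.decode("utf-16-le", errors="replace")


def parse_line(line: str) -> Optional[SmbTx]:
    """Parse one debug line; returns None for lines without a transaction header."""
    m = TX_RE.search(line)
    if not m:
        return None
    tx_id, ver, cmd = (int(x) for x in m.groups())
    # Only SMB2 codes are mapped; SMB1 commands use a different code space.
    cmd_name = SMB2_COMMANDS.get(cmd, f"cmd{cmd}") if ver == 2 else f"smb{ver}_cmd{cmd}"
    t, f, s = TYPE_RE.search(line), FILENAME_RE.search(line), SIZE_RE.search(line)
    d, dr = DISP_RE.search(line), DIR_RE.search(line)
    return SmbTx(
        tx_id=tx_id, smb_ver=ver, cmd=cmd, cmd_name=cmd_name,
        type_name=t.group(1) if t else None,
        filename=decode_utf16le(f.group(1)) if f else None,
        size=int(s.group(1)) if s else None,
        disposition=CREATE_DISPOSITION.get(int(d.group(1))) if d else None,
        directory=(dr.group(1) == "true") if dr else False,
    )


def parse_smb_debug(text: str) -> List[SmbTx]:
    """Parse every transaction line in a suricata.log excerpt."""
    return [tx for tx in (parse_line(l) for l in text.splitlines()) if tx]


def created_files(txs: List[SmbTx]) -> List[Tuple[str, int]]:
    """Non-directory CREATE transactions: the opens file extraction would act on."""
    return [(tx.filename, tx.size or 0) for tx in txs
            if tx.type_name == "CREATE" and tx.filename and not tx.directory]


if __name__ == "__main__":
    txs = parse_smb_debug(SAMPLE_LOG)
    for tx in txs:
        print(f"tx {tx.tx_id}: SMB{tx.smb_ver} {tx.cmd_name} "
              f"file={tx.filename!r} size={tx.size} disposition={tx.disposition}")
    print("files opened:", created_files(txs))
```

Run against the excerpt, the CREATE transaction (tx 141) decodes to the file `tony`, 8192 bytes, opened with disposition OPEN, and tx 142 is an IOCTL with no file; a quick way to confirm the parser is tracking the file while the missing file-info output is investigated.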