[Oisf-users] About SMB file capture function in 4.1beta support SMBv1 and v2 file capture

Peter Manev petermanev at gmail.com
Tue May 22 09:22:24 UTC 2018


On Tue, May 22, 2018 at 11:02 AM, Tidy Huang <tidy at holonetsecurity.com> wrote:
> Hello,
>
> Wondering if someone might be able to clarify this a bit for me:
>
> Suricata 4.1 beta 1 ready for testing
>
> Main features additions
>
> SMBv1/2/3 parsing, logging, file extraction
>
>
> I enabled RUST support for suricata 4.1 beta and turned on the smb feature in
> the configuration, but I didn't see any output information about SMB file info.
>
> In debug mode, I only saw some limited information about the filename in
> suricata.log, no other extra information.
>

I think you may find that info in JSON in /var/log/suricata/eve.json
(one possible default location) - it is where all logs go by default
if you have enabled those.

> [8864] 22/5/2018 -- 00:58:26 - (debug.rs:64) <Notice> (<rust>) -- idx 18 tx
> id 141 ver:2 cmd:5 progress true/true type_data
> Some(CREATE(SMBTransactionCreate { disposition: 1, delete_on_close: false,
> directory: false, filename: [116, 0, 111, 0, 110, 0, 121, 0], guid: [169, 0,
> 0, 0, 0, 0, 0, 0, 169, 0, 0, 0, 255, 255, 255, 255], create_ts: 1497034296,
> last_access_ts: 1503015689, last_write_ts: 1503015689, last_change_ts:
> 1503015689, size: 8192 })) tx SMBTransaction { id: 141, vercmd:
> SMBVerCmdStat { smb_ver: 2, smb1_cmd: 0, smb2_cmd: 5, status_set: true,
> status_is_dos_error: false, status_error_class: 0, status: 0 }, hdr:
> SMBCommonHdr { ssn_id: 4398046511177, tree_id: 5, rec_type: 5, msg_id: 151
> }, request_done: true, response_done: true, type_data:
> Some(CREATE(SMBTransactionCreate { disposition: 1, delete_on_close: false,
> directory: false, filename: [116, 0, 111, 0, 110, 0, 121, 0], guid: [169, 0,
> 0, 0, 0, 0, 0, 0, 169, 0, 0, 0, 255, 255, 255, 255], create_ts: 1497034296,
> last_access_ts: 1503015689, last_write_ts: 1503015689, last_change_ts:
> 1503015689, size: 8192 })), detect_flags_ts: 0, detect_flags_tc: 0, logged:
> LoggerFlags { flags: 0 }, de_state: None, events: 0x0 }
> [8864] 22/5/2018 -- 00:58:26 - (debug.rs:64) <Notice> (<rust>) -- idx 19 tx
> id 142 ver:2 cmd:11 progress true/true type_data
> Some(IOCTL(SMBTransactionIoctl { func: 590016 })) tx SMBTransaction { id:
> 142, vercmd: SMBVerCmdStat { smb_ver: 2, smb1_cmd: 0, smb2_cmd: 11,
> status_set: true, status_is_dos_error: false, status_error_class: 0, status:
> 0 }, hdr: SMBCommonHdr { ssn_id: 4398046511177, tree_id: 0, rec_type: 6,
> msg_id: 152 }, request_done: true, response_done: true, type_data:
> Some(IOCTL(SMBTransactionIoctl { func: 590016 })), detect_flags_ts: 0,
> detect_flags_tc: 0, logged: LoggerFlags { flags: 0 }, de_state: None,
> events: 0x0 }
>
>
> Thanks,
> Tidy
>
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>
> Conference: https://suricon.net
> Trainings: https://suricata-ids.org/training/



-- 
Regards,
Peter Manev
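The debug lines quoted in the thread print the SMB2 filename as a raw byte vector, which is UTF-16LE (so [116, 0, 111, 0, 110, 0, 121, 0] is "tony"). As an added example, not code from the thread or from Suricata, this script parses such transaction dump lines and decodes the name and size; the sample log text is constructed from the quoted lines, with each transaction kept on a single line as suricata.log writes it.

```python
import re

# Constructed sample: two debug-level transaction lines in the shape Suricata
# 4.1 beta's Rust SMB parser prints them (the mailer wrapped the originals;
# here each transaction is kept on one line, as in suricata.log itself).
SAMPLE_LOG = (
    "[8864] 22/5/2018 -- 00:58:26 - (debug.rs:64) <Notice> (<rust>) -- idx 18 "
    "tx id 141 ver:2 cmd:5 progress true/true type_data Some(CREATE("
    "SMBTransactionCreate { disposition: 1, delete_on_close: false, directory: "
    "false, filename: [116, 0, 111, 0, 110, 0, 121, 0], guid: [169, 0, 0, 0, 0, "
    "0, 0, 0, 169, 0, 0, 0, 255, 255, 255, 255], create_ts: 1497034296, "
    "size: 8192 })) tx SMBTransaction { id: 141, hdr: SMBCommonHdr { "
    "ssn_id: 4398046511177, tree_id: 5, rec_type: 5, msg_id: 151 } }\n"
    "[8864] 22/5/2018 -- 00:58:26 - (debug.rs:64) <Notice> (<rust>) -- idx 19 "
    "tx id 142 ver:2 cmd:11 progress true/true type_data Some(IOCTL("
    "SMBTransactionIoctl { func: 590016 })) tx SMBTransaction { id: 142, hdr: "
    "SMBCommonHdr { ssn_id: 4398046511177, tree_id: 0, rec_type: 6, msg_id: 152 } }\n"
)

# SMB2 command codes (MS-SMB2 2.2.1.2) for the commands seen in the thread.
SMB2_CMD = {0: "NEGOTIATE", 1: "SESSION_SETUP", 3: "TREE_CONNECT", 5: "CREATE",
            6: "CLOSE", 8: "READ", 9: "WRITE", 11: "IOCTL"}

TX_RE = re.compile(r"tx id (\d+) ver:(\d) cmd:(\d+) .*?type_data Some\(([A-Z]+)\(")
FILENAME_RE = re.compile(r"filename: \[([0-9, ]*)\]")
SIZE_RE = re.compile(r"size: (\d+)")

def decode_smb_name(byte_list: str) -> str:
    """Rust's Debug output prints the name as a Vec<u8>; SMB2 names are UTF-16LE."""
    raw = bytes(int(b) for b in byte_list.split(",") if b.strip())
    return raw.decode("utf-16-le", errors="replace")

def parse_smb_debug(log_text: str) -> list:
    """Return one dict per SMB transaction dump found in debug-level suricata.log text."""
    txs = []
    for line in log_text.splitlines():
        m = TX_RE.search(line)
        if not m:
            continue  # not a transaction dump line
        tx_id, ver, cmd, kind = m.groups()
        tx = {"tx_id": int(tx_id), "smb_ver": int(ver), "cmd": int(cmd),
              "cmd_name": SMB2_CMD.get(int(cmd), "UNKNOWN") if ver == "2" else None,
              "kind": kind, "filename": None, "size": None}
        if (fn := FILENAME_RE.search(line)):   # only CREATE carries a name
            tx["filename"] = decode_smb_name(fn.group(1))
        if (sz := SIZE_RE.search(line)):
            tx["size"] = int(sz.group(1))
        txs.append(tx)
    return txs
```

For normal operation the file information belongs in eve.json rather than in this debug output; the decoder is only for reading the debug dump when something is not showing up there.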

