Project

General

Profile

Actions
Copy link

Feature #3297

closed

more verbose dcerpc logging

Added by Andreas Herz almost 5 years ago. Updated almost 4 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Shivani Bhardwaj
Target version:
6.0.0
Effort:
Difficulty:
Label:

Description

Jason Taylor requested more verbose logging for dcerpc. He will provide examples with pcaps.

Files

Download all files
smb-on-windows-10.pcapng (139 KB) smb-on-windows-10.pcapng SMB PCAP Joseph Feather, 01/03/2020 03:04 PM
smb.json (16.8 KB) smb.json Suricata SMB Eve log Joseph Feather, 01/03/2020 03:06 PM

Related issues 2 (1 open1 closed)

Related to Suricata - Task #3288: Suricon 2019 brainstormAssignedVictor JulienActions
Related to Suricata - Optimization #2779: Convert DCE_RPC from C to RustClosedShivani BhardwajActions
Actions
Copy link
 #1

Updated by Victor Julien almost 5 years ago

  • Parent task deleted (#3288)
Actions
Copy link
 #2

Updated by Victor Julien almost 5 years ago

  • Related to Task #3288: Suricon 2019 brainstorm added
Actions
Copy link
 #3

Updated by Victor Julien almost 5 years ago

Actions
Copy link
 #4

Updated by Victor Julien almost 5 years ago

Currently only the DCERPC over SMB generates output as part of the SMB logging.

Actions
Copy link
 #5

Updated by Jason Taylor almost 5 years ago

looking at the pcaps I have there is a bit much to sanitize. I emailed the pcaps and logs to Victor. I will gather/organize some more pcap but wanted to get something over in the interim to give an idea of what we are looking for in a parser.

Actions
Copy link Download all files
 #6

Updated by Joseph Feather almost 5 years ago

Suricata dcerpc output doesn't contain the opnum for the procedure call, in this example 15 (NetShareEnum). Full smb log is attached along with the pcap.

{
  "timestamp": "2016-10-16T08:16:01.434363+0000",
  "flow_id": 1881918157182233,
  "pcap_cnt": 874,
  "event_type": "smb",
  "src_ip": "192.168.199.132",
  "src_port": 49675,
  "dest_ip": "192.168.199.133",
  "dest_port": 445,
  "proto": "TCP",
  "smb": {
    "id": 8,
    "dialect": "3.11",
    "command": "SMB2_COMMAND_WRITE",
    "status": "STATUS_SUCCESS",
    "status_code": "0x0",
    "session_id": 127543348822037,
    "tree_id": 1,
    "dcerpc": {
      "request": "BIND",
      "response": "BINDACK",
      "interfaces": [
        {
          "uuid": "4b324fc8-1670-01d3-1278-5a47bf6ee188",
          "version": "3.0",
          "ack_result": 2,
          "ack_reason": 0
        },
        {
          "uuid": "4b324fc8-1670-01d3-1278-5a47bf6ee188",
          "version": "3.0",
          "ack_result": 0,
          "ack_reason": 0
        },
        {
          "uuid": "4b324fc8-1670-01d3-1278-5a47bf6ee188",
          "version": "3.0",
          "ack_result": 3,
          "ack_reason": 0
        }
      ],
      "call_id": 2
    }
  },
  "host": "roundrob2_eint" 
}
Actions
Copy link
 #7

Updated by Shivani Bhardwaj almost 4 years ago

  • Status changed from Feedback to Closed
  • Assignee changed from Jason Taylor to Shivani Bhardwaj
  • Target version changed from TBD to 6.0.0
Actions
Copy link

Also available in: Atom PDF