SMB detection not working


0x5a...@gmail.com

Feb 28, 2021, 1:28:15 PM
to security-onion

Hi all,

I'm getting zero hits for anything SMB related, e.g. in Kibana, a search for event.dataset:smb* shows zero hits.

My 'current' log folder shows:
-rw-r--r--. 1 zeek zeek   3782 Feb 28 18:20 broker.log
-rw-r--r--. 1 zeek zeek    577 Feb 28 18:24 capture_loss.log
-rw-r--r--. 1 zeek zeek   2867 Feb 28 18:14 cluster.log
-rw-r--r--. 1 zeek zeek 925116 Feb 28 18:27 conn.log
-rw-r--r--. 1 zeek zeek   1563 Feb 28 18:24 dhcp.log
-rw-r--r--. 1 zeek zeek 731802 Feb 28 18:27 dns.log
-rw-r--r--. 1 zeek zeek 115055 Feb 28 18:26 files.log
-rw-r--r--. 1 zeek zeek  29187 Feb 28 18:27 http.log
-rw-r--r--. 1 zeek zeek    887 Feb 28 18:21 known_hosts.log
-rw-r--r--. 1 zeek zeek   1736 Feb 28 18:25 known_services.log
-rw-r--r--. 1 zeek zeek  32913 Feb 28 18:14 loaded_scripts.log
-rw-r--r--. 1 zeek zeek   5849 Feb 28 18:26 notice.log
-rw-r--r--. 1 zeek zeek 104468 Feb 28 18:26 ntp.log
-rw-r--r--. 1 zeek zeek      0 Feb 28 18:14 packet_filter.log
-rw-r--r--. 1 zeek zeek   2879 Feb 28 18:27 software.log
-rw-r--r--. 1 zeek zeek 105103 Feb 28 18:26 ssl.log
-rw-r--r--. 1 zeek zeek   5656 Feb 28 18:24 stats.log
-rw-r--r--. 1 zeek zeek      0 Feb 28 18:13 stderr.log
-rw-r--r--. 1 zeek zeek    188 Feb 28 18:13 stdout.log
-rw-r--r--. 1 zeek zeek    213 Feb 28 18:14 tunnel.log
-rw-r--r--. 1 zeek zeek   9323 Feb 28 18:27 weird.log
-rw-r--r--. 1 zeek zeek  46744 Feb 28 18:26 x509.log

I think I'm missing something really BASIC here ...

Thanks for any pointers....

Liam Randall

Feb 28, 2021, 2:19:04 PM
to securit...@googlegroups.com
Where is your sensor installed?  Are you sure you have smb traffic crossing the link?

You can tcpreplay [1] a pcap with smb traffic to a local interface to see if it's working.

[1] https://tcpreplay.appneta.com/


0x5a...@gmail.com

Feb 28, 2021, 4:48:11 PM
to security-onion
Thanks for the swift reply Liam. That's a good suggestion. A quick answer is that my SO2 box is hanging off a mirrored port from a switch. It's seeing other traffic .... ah (possible light bulb moment!).... you may have hit on something. Checking the traffic for my main file server (a hypervisor running multiple VMs) I see very little activity. VERY LITTLE - 600+ events. And very little from every VM IP comes down this one single Trunk Port (multiple VLANs). The port that is mirrored (the 'WAN' port going to the main GW) is UNTAGGED for VLAN1 and TAGGED for other VLANs. I think the problem lies here ....

You've given me something to try ... thanks Liam.  If you think I'm on the wrong track and you think of anything else, I'd appreciate it. In the meantime, I'm going to try a few things ...

Shaun

Mar 1, 2021, 3:05:43 PM
to securit...@googlegroups.com
This was me being dumb! Too late a night ....
Liam, you did put me on the right track ... thank you

It was nothing to do with VLANs or the TAGGING of ports etc .... it was simply that the main File Server port was NOT mirrored to the port SO2 is capturing. Simply selecting multiple ports to be mirrored to the SO2 port solved everything!

Apologies for any inconvenience
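Both checks from this thread come down to one question: does the sensor's conn.log show SMB at all, and do the hosts you expect (the file server) appear in it? Liam's suggestion of replaying an SMB pcap to the monitor interface and Shaun's finding that the file server's port was never mirrored are two sides of that same check. The script below is an added example, not code from the thread, from Zeek or from Security Onion. It parses a Zeek conn.log using its `#fields` header, counts connections by Zeek-identified service and by SMB destination port (445/139), and reports whether a list of expected hosts shows up at all. The two embedded conn.log samples, their IPs and UIDs are constructed for the example.

```python
"""Check whether a Zeek sensor actually sees SMB (added example, constructed data).

Reads a Zeek conn.log (tab-separated; the '#fields' header names the columns),
then summarises:
  * connections whose Zeek service field contains "smb"
  * connections to the SMB ports 445/139 regardless of service label
  * which hosts appear at all, so an un-mirrored file server stands out
"""
from collections import Counter

SMB_PORTS = {445, 139}  # SMB over TCP and NetBIOS session service


def build_conn_log(rows):
    """Build a Zeek-style conn.log text from tuples (constructed sample, not a capture)."""
    fields = ["ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p",
              "proto", "service", "conn_state"]
    lines = ["#separator \\x09", "#path\tconn",
             "#fields\t" + "\t".join(fields),
             "#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring\tstring"]
    lines += ["\t".join(str(v) for v in r) for r in rows]
    lines.append("#close\t2021-02-28-18-27-00")
    return "\n".join(lines) + "\n"


# Constructed sample: traffic like the thread's log folder (dns, ssl, http, ntp) but no SMB.
BASE_ROWS = [
    (1614536400.1, "CAbc1", "10.0.1.20", 51234, "10.0.1.1", 53, "udp", "dns", "SF"),
    (1614536401.2, "CAbc2", "10.0.1.20", 51240, "93.184.216.34", 443, "tcp", "ssl", "SF"),
    (1614536402.3, "CAbc3", "10.0.1.21", 51300, "93.184.216.34", 80, "tcp", "http", "SF"),
    (1614536403.4, "CAbc4", "10.0.1.21", 123, "10.0.1.1", 123, "udp", "ntp", "SF"),
]
NO_SMB_LOG = build_conn_log(BASE_ROWS)

# Constructed sample: same traffic plus two SMB connections to a file server (10.0.1.50).
# The second one is conn_state S0 (SYN only, no reply seen), so Zeek cannot label its service.
WITH_SMB_LOG = build_conn_log(BASE_ROWS + [
    (1614536404.5, "CAbc5", "10.0.1.20", 51400, "10.0.1.50", 445, "tcp", "gssapi,smb", "SF"),
    (1614536405.6, "CAbc6", "10.0.1.21", 51401, "10.0.1.50", 445, "tcp", "-", "S0"),
])


def parse_zeek_tsv(text):
    """Return a list of dicts, one per record, using the '#fields' header as keys."""
    fields, rows = None, []
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
            continue
        if line.startswith("#"):  # #separator, #path, #types, #close ...
            continue
        values = line.split("\t")
        if fields is None or len(values) != len(fields):
            continue  # malformed or truncated record; skip rather than guess
        rows.append(dict(zip(fields, values)))
    return rows


def _port(value):
    """Zeek writes '-' for unset ports; treat those as -1 so they never match."""
    try:
        return int(value)
    except ValueError:
        return -1


def smb_visibility(conn_log_text, expected_hosts=()):
    """Summarise SMB visibility and decide which layer to suspect first."""
    rows = parse_zeek_tsv(conn_log_text)
    by_service = Counter(r["service"] for r in rows)
    smb_conns = sum(1 for r in rows if "smb" in r["service"].split(","))
    smb_port_conns = sum(1 for r in rows if _port(r["id.resp_p"]) in SMB_PORTS)
    hosts = Counter()
    for r in rows:
        hosts[r["id.orig_h"]] += 1
        hosts[r["id.resp_h"]] += 1
    missing = [h for h in expected_hosts if h not in hosts]

    if smb_conns:
        verdict = "ok"                           # SMB parsed; dataset should be populated
    elif smb_port_conns:
        verdict = "smb-ports-seen-but-not-parsed"  # feed is fine; look at analyzer/logging
    elif missing:
        verdict = "expected-hosts-absent"        # feed problem: mirror/SPAN port, VLAN tagging
    else:
        verdict = "no-smb-observed"              # hosts seen, simply no SMB on this link

    return {"records": len(rows), "by_service": dict(by_service),
            "smb_conns": smb_conns, "smb_port_conns": smb_port_conns,
            "missing_hosts": missing, "verdict": verdict}


if __name__ == "__main__":
    for name, log in (("no-smb sample", NO_SMB_LOG), ("with-smb sample", WITH_SMB_LOG)):
        print(name, smb_visibility(log, expected_hosts=["10.0.1.50"]))
```

To use it on a real sensor, read the conn.log from the current log folder into `smb_visibility()` with the file server's IP in `expected_hosts`; run it once before and once after replaying an SMB pcap with tcpreplay. An `expected-hosts-absent` verdict points at the capture feed (which ports are mirrored, and how VLANs are tagged on the mirrored port), which is exactly where this thread ended up, whereas `smb-ports-seen-but-not-parsed` means the packets arrive and the problem is further up the pipeline.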

Liam Randall

Mar 1, 2021, 3:11:10 PM
to securit...@googlegroups.com
>> This was me being dumb! Too late a night ....

We all overlook things; glad you were able to fix it so quickly.  Be nice to yourself; especially now, everyone deserves a little more grace and kindness (even ourselves).

Have a great week and best of luck.

Liam

