SMB file extraction bugs on partial files

Description

Bro's file extraction from SMB appears to be reassembling incorrectly and producing incorrect metadata. I unfortunately cannot attach a pcap to reproduce (contains company data).

Here are the fields we see:

There are two issues with this:

  • Bro outputs a 4096 byte chunk from an EXE (mime_type:application/x-dosexec) for an excel document (filename:\Blah\Desktop\blah.xls). The 4096 bytes are correctly dumped by wireshark and show the first 4096 bytes of an excel spreadsheet. However, Bro's SMB extraction seems to be reassembling using a chunk from another file – a PE file.

  • file_missing_bytes is set to zero even though file_seen_bytes does not equal file_total_bytes – from the extracted files metadata we see the following: file_seen_bytes:4,096 file_total_bytes:82,469 file_missing_bytes:0
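The two inconsistencies above can be caught mechanically from the log export alone. The script below is an added illustration of such a consistency check, not code from the Bro project or from the reporter. It assumes a tab-separated export whose column names match the field names quoted in the ticket (file_seen_bytes, file_total_bytes, file_missing_bytes, mime_type, filename), the sample lines are constructed to mirror the reported record, and the extension-to-MIME table is an assumed mapping for a few common types.

```python
"""Consistency check for extracted-file metadata (added example, not Bro code).

Flags two conditions: (1) byte accounting where seen + missing != total, and
(2) a file extension whose reported MIME type is not one we expect for it.
"""
import os
from typing import Dict, List, Set

# Constructed sample export (not real data). Columns follow the field names
# quoted in the ticket; this is an assumed layout, not Bro's native files.log.
# Record FAAAA1 reproduces the reported state: 4,096 of 82,469 bytes seen,
# missing_bytes still 0, and a .xls path labelled as a PE executable.
# Record FCCCC3 shows what a consistent partial extraction looks like.
SAMPLE_LOG = """\
fuid\tfilename\tmime_type\tfile_seen_bytes\tfile_total_bytes\tfile_missing_bytes
FAAAA1\t\\Blah\\Desktop\\blah.xls\tapplication/x-dosexec\t4096\t82469\t0
FBBBB2\t\\Blah\\Desktop\\report.xls\tapplication/vnd.ms-excel\t82469\t82469\t0
FCCCC3\t\\Blah\\Desktop\\tool.exe\tapplication/x-dosexec\t4096\t82469\t78373
"""

# Assumed extension -> acceptable MIME types. Only used to flag mismatches;
# extend it for the types that matter in your environment.
EXPECTED_MIME: Dict[str, Set[str]] = {
    ".xls": {"application/vnd.ms-excel", "application/x-ole-storage"},
    ".exe": {"application/x-dosexec"},
    ".dll": {"application/x-dosexec"},
}


def parse_export(text: str) -> List[Dict[str, str]]:
    """Parse a header line plus tab-separated records into dicts."""
    lines = [line for line in text.splitlines() if line.strip()]
    header = lines[0].split("\t")
    return [dict(zip(header, line.split("\t"))) for line in lines[1:]]


def check_record(rec: Dict[str, str]) -> List[str]:
    """Return a list of problems found in one record (empty if consistent)."""
    problems: List[str] = []

    # Byte accounting: only possible when the total size is known ("-" means unset).
    if rec["file_total_bytes"] != "-":
        seen = int(rec["file_seen_bytes"])
        total = int(rec["file_total_bytes"])
        missing = int(rec["file_missing_bytes"])
        if seen + missing != total:
            problems.append(
                f"byte accounting: seen {seen} + missing {missing} != total {total}"
            )

    # MIME vs. extension: normalise SMB backslash paths before splitting.
    ext = os.path.splitext(rec["filename"].replace("\\", "/"))[1].lower()
    expected = EXPECTED_MIME.get(ext)
    if expected and rec["mime_type"] not in expected:
        problems.append(f"mime mismatch: {ext} file reported as {rec['mime_type']}")

    return problems


def audit(text: str) -> Dict[str, List[str]]:
    """Map each record's fuid to the problems found in it."""
    return {rec["fuid"]: check_record(rec) for rec in parse_export(text)}


if __name__ == "__main__":
    for fuid, problems in audit(SAMPLE_LOG).items():
        status = "; ".join(problems) if problems else "ok"
        print(f"{fuid}: {status}")
```

Run against a real export, a non-empty problem list for a record is the signal to pull the matching pcap and compare the extracted bytes with what Wireshark reassembles, as the reporter did here.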

Environment

RHEL7, Bro release 2.5 (latest as of 20170424)

Assignee

Unassigned

Reporter

Jojo

Labels

External issue ID

None

Components

Affects versions

Priority

Normal