Bro's file extraction from SMB appears to be reassembling incorrectly and producing incorrect metadata. I unfortunately cannot attach a pcap to reproduce (contains company data).
Here are the fields we see:
There are two issues with this:
1. Bro outputs a 4096-byte chunk from an EXE (mime_type: application/x-dosexec) for an Excel document (filename: \Blah\Desktop\blah.xls). The 4096 bytes are correctly dumped by Wireshark and show the first 4096 bytes of an Excel spreadsheet. However, Bro's SMB extraction seems to be reassembling using a chunk from another file – a PE file.
2. file_missing_bytes is set to zero even though file_seen_bytes does not equal file_total_bytes – from the extracted file's metadata we see the following: file_seen_bytes: 4,096, file_total_bytes: 82,469, file_missing_bytes: 0
RHEL 7, Bro release 2.5 (latest as of 2017-04-24)
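A triage script for the two symptoms above, added here as an example; it is not Bro's code and the sample log rows are constructed, not the reporter's data. It parses a Bro ASCII files.log using its own `#fields` header (so column order does not matter), flags rows where `seen_bytes + missing_bytes` falls short of `total_bytes`, and cross-checks the sniffed `mime_type` against the filename extension. Note the caveat the script encodes: Bro's `missing_bytes` only counts gaps the file analysis framework actually detected (for example from dropped packets), so a file whose remaining bytes simply never arrived shows `seen_bytes < total_bytes` with `missing_bytes` still 0; the check reports the shortfall so such rows can be separated from complete files. The `EXPECTED_MIME` table is an assumption made for the example.

```python
"""Consistency checks over a Bro/Zeek files.log (added example, not Bro code).

Assumptions: the log is Bro's ASCII TSV format with a '#fields' header and
'-' for unset values, and the column names seen_bytes / total_bytes /
missing_bytes / mime_type / filename are the ones Bro 2.5 writes.  The
EXPECTED_MIME table and all sample rows below are constructed for this
example.
"""
import os
from typing import Dict, List, Optional

# Constructed sample log, trimmed to the columns this check reads.  Row
# Faaaaa1 mirrors the shape of the report: EXE mime type, .xls filename,
# 4096 of 82469 bytes seen, missing_bytes 0.
SAMPLE_FILES_LOG = "\n".join([
    "#separator \\x09",
    "#set_separator\t,",
    "#empty_field\t(empty)",
    "#unset_field\t-",
    "#path\tfiles",
    "#fields\tts\tfuid\tsource\tmime_type\tfilename\tseen_bytes\ttotal_bytes\tmissing_bytes",
    "#types\ttime\tstring\tstring\tstring\tstring\tcount\tcount\tcount",
    "1493000000.000000\tFaaaaa1\tSMB\tapplication/x-dosexec\t\\Blah\\Desktop\\blah.xls\t4096\t82469\t0",
    "1493000001.000000\tFbbbbb2\tSMB\tapplication/vnd.ms-excel\t\\Blah\\Desktop\\ok.xls\t82469\t82469\t0",
    "1493000002.000000\tFccccc3\tSMB\tapplication/x-dosexec\t\\Blah\\Desktop\\tool.exe\t70000\t82469\t12469",
    "1493000003.000000\tFddddd4\tHTTP\ttext/plain\t-\t100\t-\t0",
])

# Assumed extension -> mime_type pairs for the cross-check (not a Bro table).
EXPECTED_MIME = {
    ".xls": "application/vnd.ms-excel",
    ".exe": "application/x-dosexec",
    ".dll": "application/x-dosexec",
}


def parse_bro_log(text: str) -> List[Dict[str, str]]:
    """Turn a Bro ASCII log into one dict per data row, keyed by the #fields names."""
    fields: Optional[List[str]] = None
    rows: List[Dict[str, str]] = []
    for line in text.splitlines():
        if line.startswith("#fields\t"):
            fields = line.split("\t")[1:]
            continue
        if not line or line.startswith("#"):
            continue  # other header lines (#separator, #types, #close, ...)
        if fields is None:
            raise ValueError("data row before #fields header")
        values = line.split("\t")
        if len(values) != len(fields):
            raise ValueError(f"expected {len(fields)} columns, got {len(values)}: {line!r}")
        rows.append(dict(zip(fields, values)))
    return rows


def _count(value: str) -> Optional[int]:
    """A Bro 'count' column: an integer, or None when unset ('-')."""
    return None if value == "-" else int(value)


def check_files_log(text: str) -> List[Dict[str, object]]:
    """Flag rows that are short of total_bytes or whose sniffed type contradicts the name."""
    findings: List[Dict[str, object]] = []
    for row in parse_bro_log(text):
        seen, total, missing = (_count(row[k]) for k in ("seen_bytes", "total_bytes", "missing_bytes"))
        # missing_bytes only counts gaps Bro detected (e.g. dropped packets), so
        # bytes that simply never arrived leave seen + missing below total.
        if None not in (seen, total, missing) and seen + missing < total:
            findings.append({
                "fuid": row["fuid"],
                "check": "short_file",
                "shortfall": total - seen - missing,
                "detail": f"seen {seen} + missing {missing} < total {total}",
            })
        # Cross-check the sniffed mime_type against the filename extension
        # (SMB paths use backslashes; normalise so splitext sees the basename).
        ext = os.path.splitext(row.get("filename", "-").replace("\\", "/"))[1].lower()
        expected = EXPECTED_MIME.get(ext)
        if expected and row["mime_type"] != expected:
            findings.append({
                "fuid": row["fuid"],
                "check": "type_mismatch",
                "detail": f"{ext} file sniffed as {row['mime_type']}, expected {expected}",
            })
    return findings


if __name__ == "__main__":
    for finding in check_files_log(SAMPLE_FILES_LOG):
        print(finding["fuid"], finding["check"], finding["detail"])
```

On a real capture, call `check_files_log()` on the contents of files.log; the `short_file` hits then include files that were still in flight when the log was written, so compare them against the `timedout` column before treating any of them as a reassembly problem.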