The following change, or something like it, will go into Wireshark in a short while

Samba - samba-technical mailing list
Hi folks,

We will be putting something like the following (see the screen shot)
change into Wireshark soon.

If you want me to tweak the wording, let me know.

--
Regards,
Richard Sharpe
(何以解憂?唯有杜康。--曹操)

Attachment: SMB_Considered_Harmful-1.JPG (686K)

Re: The following change, or something like it, will go into Wireshark in a short while

LGTM

On Thu, Nov 9, 2017 at 2:17 AM, Richard Sharpe via samba-technical
<[hidden email]> wrote:

> Hi folks,
>
> We will be putting something like the following (see the screen shot)
> change into Wireshark soon.
>
> If you want me to tweak the wording, let me know.
>
> --
> Regards,
> Richard Sharpe
> (何以解憂?唯有杜康。--曹操)

Re: The following change, or something like it, will go into Wireshark in a short while

On Wed, Nov 08, 2017 at 08:17:44AM -0800, Richard Sharpe via samba-technical wrote:
> We will be putting something like the following (see the screen shot)
> change into Wireshark soon.
>
> If you want me to tweak the wording, let me know.

Please do that at a higher level. The initial SMB1 negotiate request
is perfectly legitimate. In your screenshot, you can see that the
server directly replies with a SMB2 packet. Please only print this
message in case it's not the very first full SMB packet in the TCP
connection.

Volker

--
SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
phone: +49-551-370000-0, fax: +49-551-370000-9
AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen
http://www.sernet.de, mailto:[hidden email]
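
Added example, not part of the original thread and not Wireshark code: it labels a connection by what the server answered, so an SMB1 negotiate request that is answered in SMB2 is not flagged. The names `frame`, `messages` and `classify`, the label strings and the sample messages are assumptions constructed for this illustration.

```python
SMB1_MAGIC = b"\xffSMB"  # protocol id that starts every SMB1/CIFS message
SMB2_MAGIC = b"\xfeSMB"  # protocol id that starts every SMB2/SMB3 message


def frame(msg):
    """Add the 4-byte direct-TCP header: a zero byte plus a 24-bit length."""
    return b"\x00" + len(msg).to_bytes(3, "big") + msg


def messages(stream):
    """Split one direction of a reassembled TCP stream into SMB messages."""
    out, pos = [], 0
    while pos + 4 <= len(stream):
        length = int.from_bytes(stream[pos + 1:pos + 4], "big")
        body = stream[pos + 4:pos + 4 + length]
        if len(body) < length:  # truncated capture: stop rather than guess
            break
        out.append(body)
        pos += 4 + length
    return out


def classify(client_stream, server_stream):
    """Label a connection by what the server accepted, not what the client offered."""
    client, server = messages(client_stream), messages(server_stream)
    if any(m.startswith(SMB1_MAGIC) for m in server):
        return "smb1-negotiated"    # server spoke SMB1: the case worth flagging
    if any(m.startswith(SMB1_MAGIC) for m in client):
        return "smb1-offered-only"  # e.g. multi-protocol negotiate answered in SMB2
    if any(m.startswith(SMB2_MAGIC) for m in client + server):
        return "smb2-only"
    return "no-smb"


# Constructed sample messages: header fields other than the protocol id and
# command byte are zero-filled, which is enough for this classification.
DIALECTS = b"\x02NT LM 0.12\x00\x02SMB 2.002\x00"
SMB1_NEG_REQ = (SMB1_MAGIC + b"\x72" + bytes(27) + b"\x00"
                + len(DIALECTS).to_bytes(2, "little") + DIALECTS)
SMB1_NEG_RSP = SMB1_MAGIC + b"\x72" + bytes(27) + b"\x00\x00\x00"
SMB2_NEG_RSP = SMB2_MAGIC + bytes(60)

if __name__ == "__main__":
    print(classify(frame(SMB1_NEG_REQ), frame(SMB2_NEG_RSP)))
    print(classify(frame(SMB1_NEG_REQ), frame(SMB1_NEG_RSP)))
```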

Re: The following change, or something like it, will go into Wireshark in a short while

On Fri, Nov 10, 2017 at 07:02:30PM +1000, ronnie sahlberg via samba-technical wrote:
> LGTM

The message as such of course. Please see my comment about this being
perfectly legitimate. This is NOT a dangerous condition, it only is if
SMB1 is actually negotiated.

Or is this first packet also considered to be dangerous?

Volker

--
SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
phone: +49-551-370000-0, fax: +49-551-370000-9
AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen
http://www.sernet.de, mailto:[hidden email]

Re: The following change, or something like it, will go into Wireshark in a short while

Hi Richard,

On 2017-11-08 at 08:17 -0800 Richard Sharpe via samba-technical sent off:
> We will be putting something like the following (see the screen shot)
> change into Wireshark soon.
>
> If you want me to tweak the wording, let me know.

I would prefer not to see any text like "SMB1/CIFS has many known security
vulnerabilities and you should remove it from your network" in the wireshark
dissector at all. It's really up to the people which protocol they want to use.
Wireshark is for network experts who know what they do and this text in the
expert info is wasting space, there is already a lot of information overkill in
the dissector. It would get really annoying if all the protocols which are
"insecure" would show up "expert info" like this in the dissector.

Just my 2¢
Björn

Re: The following change, or something like it, will go into Wireshark in a short while

Yeah. I have had further discussion with people and a different concept
will likely be submitted.

It will likely be under the control of a preference and only if the server
accepts SMB.

On Nov 10, 2017 9:10 AM, "Volker Lendecke" <[hidden email]> wrote:

> On Wed, Nov 08, 2017 at 08:17:44AM -0800, Richard Sharpe via
> samba-technical wrote:
> > We will be putting something like the following (see the screen shot)
> > change into Wireshark soon.
> >
> > If you want me to tweak the wording, let me know.
>
> Please do that at a higher level. The initial SMB1 negotiate request
> is perfectly legitimate. In your screenshot, you can see that the
> server directly replies with a SMB2 packet. Please only print this
> message in case it's not the very first full SMB packet in the TCP
> connection.
>
> Volker
>
> --
> SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
> phone: +49-551-370000-0, fax: +49-551-370000-9
> AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen
> http://www.sernet.de, mailto:[hidden email]
>

Re: The following change, or something like it, will go into Wireshark in a short while

I agree with Björn, unless other protocols in wireshark have something
similar I don't think it's the place to do so.

--
Aurélien Aptel / SUSE Labs Samba Team
GPG: 1839 CB5F 9F5B FB9B AA97  8C99 03C8 A49B 521B D5D3
SUSE Linux GmbH, Maxfeldstraße 5, 90409 Nürnberg, Germany
GF: Felix Imendörffer, Jane Smithard, Graham Norton, HRB 21284 (AG Nürnberg)

Re: The following change, or something like it, will go into Wireshark in a short while

On Fri, Nov 10, 2017 at 3:09 AM, Aurélien Aptel <[hidden email]> wrote:
> I agree with Björn, unless other protocols in wireshark have something
> similar I don't think it's the place to do so.

However, users at the recent SharkFest Europe asked for such things ...

> --
> Aurélien Aptel / SUSE Labs Samba Team
> GPG: 1839 CB5F 9F5B FB9B AA97  8C99 03C8 A49B 521B D5D3
> SUSE Linux GmbH, Maxfeldstraße 5, 90409 Nürnberg, Germany
> GF: Felix Imendörffer, Jane Smithard, Graham Norton, HRB 21284 (AG Nürnberg)



--
Regards,
Richard Sharpe
(何以解憂?唯有杜康。--曹操)