All SMB eve events have a double tree_id in the events: "tree_id":0,"tree_id":0,
This is a problem when I use elastic to store all eve events.
can you provide a test case?
This is an example of the eve event:
{"timestamp":"2023-01-24T22:58:37.213379+0000","flow_id":1465644208335260,"in_iface":"tap1","event_type":"smb","src_ip":"10.32.X.X","src_port":57717,"dest_ip":"10.100.X.X","dest_port":445,"proto":"TCP","smb":{"id":1310,"dialect":"3.11","command":"SMB2_COMMAND_TREE_CONNECT","status":"STATUS_ACCESS_DENIED","status_code":"0xc0000022","session_id":760906405380213,"tree_id":0,"tree_id":0,"share":"\\PC-475-Y.mydomain.local\ADMIN$","share_type":"UNKNOWN"},"metadata":{"flowbits":["ET.smb.binary"]},"community_id":"1:ekGnmKy57l4o7WAsYOToidEVXXX="}
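A duplicate key like the double "tree_id" above is valid enough for most JSON parsers to accept silently (the last value wins), which is why it only surfaces once Elasticsearch rejects or mangles the document. The following Python is an added example, not code from the thread or from the Suricata project: it parses an EVE line with a pairs hook that records every repeated key with its dotted path, and offers a last-value-wins rewrite that can sit in front of a log shipper until the fix lands. The sample line is constructed from the event in this post with placeholder values.

```python
import json


class _Obj(dict):
    """dict that remembers which keys were repeated while it was parsed."""
    dupes = ()


def _pairs_hook(pairs):
    # json.loads calls this for every object, innermost first, with the raw
    # (key, value) pairs in source order, so repeats are still visible here.
    obj = _Obj()
    dupes = []
    for key, value in pairs:
        if key in obj and key not in dupes:
            dupes.append(key)
        obj[key] = value  # last value wins, matching json.loads' default
    obj.dupes = tuple(dupes)
    return obj


def find_duplicate_keys(line):
    """Return dotted paths (e.g. 'smb.tree_id') of keys that appear twice."""
    doc = json.loads(line, object_pairs_hook=_pairs_hook)
    found = []

    def walk(node, prefix):
        if isinstance(node, _Obj):
            for key in node.dupes:
                found.append(prefix + key)
            for key, value in node.items():
                walk(value, prefix + key + ".")
        elif isinstance(node, list):
            for value in node:
                walk(value, prefix)

    walk(doc, "")
    return found


def dedupe_line(line):
    """Re-serialise an EVE line so each key appears once (last value kept)."""
    doc = json.loads(line, object_pairs_hook=_pairs_hook)
    return json.dumps(doc, separators=(",", ":"))


# Constructed sample modelled on the event in the thread; IPs and the
# community_id are placeholders, not real data.
SAMPLE_EVE_LINE = (
    '{"timestamp":"2023-01-24T22:58:37.213379+0000","event_type":"smb",'
    '"src_ip":"10.0.0.1","dest_ip":"10.0.0.2","dest_port":445,'
    '"smb":{"id":1310,"dialect":"3.11","command":"SMB2_COMMAND_TREE_CONNECT",'
    '"session_id":760906405380213,"tree_id":0,"tree_id":0,"share_type":"UNKNOWN"},'
    '"community_id":"1:PLACEHOLDER="}'
)


if __name__ == "__main__":
    print("duplicate keys:", find_duplicate_keys(SAMPLE_EVE_LINE))
    print("rewritten line:", dedupe_line(SAMPLE_EVE_LINE))
```

Running find_duplicate_keys over a whole eve.json (one line per call) gives a quick count of how many SMB records are affected before deciding whether to rewrite them in the pipeline or wait for the upstream fix; the hook sees the raw pairs, so it catches repeats at any nesting depth, not just under "smb".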
What version are you using?
Can you post your suricata.yaml and also how you start suricata?
Besides that I can confirm that this happens even on some of the suricata-verify
tests. We created a bug tracking ticket for that at our redmine, see Bug #5811: SMB events sometimes have duplicate `tree_id` output. - Suricata - Open Information Security Foundation
The sample data is from a default config. Only changed the interface.
But I see you have the bug created.