search

DinoTools / dionaea

Home of the dionaea honeypot
https://dionaea.readthedocs.io/
GNU General Public License v2.0
710 stars 182 forks source link

Improve logging of smb module #106

Open phibos opened 7 years ago

phibos commented 7 years ago
ISSUE TYPE
DIONAEA VERSION
master
CONFIGURATION
OS / ENVIRONMENT
SUMMARY

At the moment the smb module generate a lot of log messages with a critical severity. But some of these log messages are only informational or relevant for debugging purposes.

STEPS TO REPRODUCE
EXPECTED RESULTS

Log messages with info or debug severity.

ACTUAL RESULTS

A lot of log messages with a critical severity.

fe7ch commented 7 years ago

I think it could be improved further.

I run dionaea with the following command:

bin/dionaea -l all,-debug -L '*' -u dionaea -g dionaea -c etc/dionaea/dionaea.cfg -p var/run/dionaea.pid

After merging of the #121 PR uploading via DoublePulsar looks like this:

[27062017 12:03:49] SMB dionaea/smb/smb.py:630: DoublePulsar request opcode: c8 command: exec
[27062017 12:03:49] SMB dionaea/smb/smb.py:112: === SMB did not get enough data
[27062017 12:03:49] SMB dionaea/smb/smb.py:112: === SMB did not get enough data
[27062017 12:03:49] SMB dionaea/smb/smb.py:618: Possible DoublePulsar connection attempts..
[27062017 12:03:49] SMB dionaea/smb/smb.py:630: DoublePulsar request opcode: c8 command: exec
[27062017 12:03:49] SMB dionaea/smb/smb.py:112: === SMB did not get enough data
[27062017 12:03:49] SMB dionaea/smb/smb.py:112: === SMB did not get enough data
[27062017 12:03:49] SMB dionaea/smb/smb.py:112: === SMB did not get enough data
[27062017 12:03:49] SMB dionaea/smb/smb.py:618: Possible DoublePulsar connection attempts..
[27062017 12:03:49] SMB dionaea/smb/smb.py:630: DoublePulsar request opcode: c8 command: exec
[27062017 12:03:50] SMB dionaea/smb/smb.py:112: === SMB did not get enough data
[27062017 12:03:50] SMB dionaea/smb/smb.py:112: === SMB did not get enough data
[27062017 12:03:50] SMB dionaea/smb/smb.py:618: Possible DoublePulsar connection attempts..
[27062017 12:03:50] SMB dionaea/smb/smb.py:630: DoublePulsar request opcode: c8 command: exec
[27062017 12:03:50] SMB dionaea/smb/smb.py:112: === SMB did not get enough data
[27062017 12:03:50] SMB dionaea/smb/smb.py:112: === SMB did not get enough data
[27062017 12:03:50] SMB dionaea/smb/smb.py:618: Possible DoublePulsar connection attempts..
[27062017 12:03:50] SMB dionaea/smb/smb.py:630: DoublePulsar request opcode: c8 command: exec
[27062017 12:03:50] SMB dionaea/smb/smb.py:112: === SMB did not get enough data
[27062017 12:03:50] SMB dionaea/smb/smb.py:112: === SMB did not get enough data
[27062017 12:03:50] SMB dionaea/smb/smb.py:618: Possible DoublePulsar connection attempts..
[27062017 12:03:50] SMB dionaea/smb/smb.py:630: DoublePulsar request opcode: c8 command: exec
[27062017 12:03:50] SMB dionaea/smb/smb.py:112: === SMB did not get enough data
[27062017 12:03:50] SMB dionaea/smb/smb.py:618: Possible DoublePulsar connection attempts..
[27062017 12:03:50] SMB dionaea/smb/smb.py:630: DoublePulsar request opcode: c8 command: exec
[27062017 12:03:50] SMB dionaea/smb/smb.py:112: === SMB did not get enough data

So for every pair of "Possible DoublePulsar connection attempts" and "DoublePulsar request opcode: c8 command: exec" now we get at least one line of "=== SMB did not get enough data". It's little bit annoying.

I think the log level of "=== SMB did not get enough data" could be reduced to "debug", since it's a normal situation when we have not full packet yet - we just continue receiving data till we get a full packet.