Troubleshooting
Problem
Symptom
Important: IBM released QRadar protocol RPMs that support both SMBv1 and SMBv2 to resolve the connection issues caused by Microsoft disabling SMBv1 connectivity. This release enhanced the existing QRadar SMB protocols so that they can connect by using the SMBv2 file-sharing protocol. To enable SMBv2, all five protocol RPMs must be installed in a single command. Administrators can update their protocols to the latest version by using the procedure outlined in Option 1: Update QRadar protocols to a version that supports SMBv2.
Cause
The following QRadar protocols are affected:
- Microsoft IIS (agentless; WinCollect is unaffected)
- Microsoft Exchange
- SMB Tail Protocol
- Microsoft DHCP (agentless; WinCollect is unaffected)
- Oracle Database Listener
When log sources that use these protocols go into the error state, the cause might be that the SMBv1 protocol has been disabled on the Windows host. Malicious exploits target the SMBv1 protocol, as described in Microsoft Security Bulletin MS17-010, and as a result SMBv1 is being disabled on a number of Windows operating systems. This issue affects Windows hosts from which QRadar collects events by using QRadar protocols rather than WinCollect agents.
Diagnosing The Problem
- Windows Vista or 2008, and Windows 7 or 2008 R2
Verify the following registry value on the Windows host to determine the status of the SMBv1 protocol. A value of 0 means the protocol is disabled and a value of 1 means it is enabled:
HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\SMB1
- Windows 8 and Server 2012
Administrators can use PowerShell to detect whether SMBv1 is enabled or disabled with the following command, which tests the EnableSMB1Protocol property of the server configuration:
if ((Get-SmbServerConfiguration).EnableSMB1Protocol) { Write-Host "SMBv1 is Enabled" } else { Write-Host "SMBv1 is Disabled" }
- Windows 10 and Server 2016
Administrators can verify SMBv1 status by using PowerShell with the following command, which turns on auditing of SMBv1 access so that SMBv1 connections to the host are logged:
Set-SmbServerConfiguration -AuditSmb1Access $true
Resolving The Problem
Option 1: Update QRadar protocols to a version that supports SMBv2
To enable SMBv2, all five of the following protocol RPMs must be installed in a single command:
- PROTOCOL-SmbTailProtocol-<version>.noarch.rpm
- PROTOCOL-OracleDatabaseListener-<version>.noarch.rpm
- PROTOCOL-WindowsDHCPProtocol-<version>.noarch.rpm
- PROTOCOL-WindowsExchangeProtocol-<version>.noarch.rpm
- PROTOCOL-WindowsIISProtocol-<version>.noarch.rpm
WARNING: A Deploy Full Configuration temporarily interrupts event and flow collection while services are restarted on all hosts in the deployment. A web server restart expires the session token, which logs off all users and interrupts reports in progress. Administrators can advise users to manually restart reports that are interrupted by a web server restart.
For 7.2.x Consoles:
- Download the updated protocol files for QRadar 7.2.x: Fix Central download link for all five protocol rpms
- Using SCP or WinSCP, copy the protocol rpm files to the Console.
- Using SSH, log in to the Console as the root user.
- To install the five protocol rpms, type:
yum install -y PROTOCOL-SmbTailProtocol-7.2-20180410083224.noarch.rpm PROTOCOL-OracleDatabaseListener-7.2-20171212142247.noarch.rpm PROTOCOL-WindowsDHCPProtocol-7.2-20171212142247.noarch.rpm PROTOCOL-WindowsExchangeProtocol-7.2-20171212142247.noarch.rpm PROTOCOL-WindowsIISProtocol-7.2-20171212142247.noarch.rpm
- From the Admin tab, select Advanced > Deploy Full Configuration.
- From the Admin tab, select Advanced > Web Server Restart.
Results
After the protocols RPMs are installed, administrators must edit their log source configurations to enable SMBv2. A new user interface field is added to SMB-based log source configurations to allow administrators to define whether the protocol connects to the event source with SMBv1 or SMBv2.
For 7.3.x & 7.4.x Consoles:
- Download the updated protocol files for QRadar 7.3.x or 7.4.x, based on the version of QRadar in the environment, from IBM Support Fix Central. Download the most recent protocols for:
PROTOCOL-SmbTailProtocol
PROTOCOL-OracleDatabaseListener
PROTOCOL-WindowsDHCPProtocol
PROTOCOL-WindowsExchangeProtocol
PROTOCOL-WindowsIISProtocol
- Using SCP or WinSCP, copy the protocol rpm files to the Console.
- Using SSH, log in to the Console as the root user.
- Change to the directory containing the new protocols.
- To install the five protocol rpms, use tab completion to finish the correct names for each of the protocols downloaded:
yum install PROTOCOL-SmbTailProtocol- PROTOCOL-OracleDatabaseListener- PROTOCOL-WindowsDHCPProtocol- PROTOCOL-WindowsExchangeProtocol- PROTOCOL-WindowsIISProtocol-
For example,
yum install -y PROTOCOL-SmbTailProtocol-7.3-20180402125212.noarch.rpm PROTOCOL-OracleDatabaseListener-7.3-20171212192242.noarch.rpm PROTOCOL-WindowsDHCPProtocol-7.3-20171212192242.noarch.rpm PROTOCOL-WindowsExchangeProtocol-7.3-20171212192242.noarch.rpm PROTOCOL-WindowsIISProtocol-7.3-20171212192242.noarch.rpm
- From the Admin tab, select Advanced > Deploy Full Configuration.
- From the Admin tab, select Advanced > Web Server Restart.
Results
After the protocols RPMs are installed, administrators must edit their log source configurations to enable SMBv2. A new user interface field is added to SMB-based log source configurations to allow administrators to define whether the protocol connects to the event source with SMBv1 or SMBv2.
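As an added example (not from the IBM technote), a preflight check for the yum step in either procedure above: it confirms that the download directory holds exactly one RPM for each of the five protocols and prints the single yum command, since SMBv2 support requires all five to be installed together. The directory path passed to the function is an assumption.

```shell
#!/bin/sh
# Added example, not part of the IBM technote. Before running yum, verify that
# exactly one RPM for each of the five SMB-capable protocols is present in the
# download directory, then print the combined install command.
# Usage: build_protocol_install_cmd /root/protocols   (directory is an assumption)

PROTOCOLS="SmbTailProtocol OracleDatabaseListener WindowsDHCPProtocol WindowsExchangeProtocol WindowsIISProtocol"

# Prints "yum install -y <five rpm paths>" on stdout and returns 0.
# Returns 1 (and prints nothing on stdout) if a protocol RPM is missing or
# if more than one version of the same protocol is present, because a
# partial or mixed install must not be attempted.
build_protocol_install_cmd() {
    dir="$1"
    cmd="yum install -y"
    status=0
    for proto in $PROTOCOLS; do
        count=0
        match=""
        # Versioned file names look like PROTOCOL-<name>-7.3-<timestamp>.noarch.rpm
        for f in "$dir"/PROTOCOL-"$proto"-*.noarch.rpm; do
            [ -e "$f" ] || continue   # unmatched glob leaves the pattern itself
            count=$((count + 1))
            match="$f"
        done
        if [ "$count" -ne 1 ]; then
            echo "error: expected exactly one RPM for $proto, found $count" >&2
            status=1
            continue
        fi
        cmd="$cmd $match"
    done
    if [ "$status" -eq 0 ]; then
        echo "$cmd"
    fi
    return $status
}
```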
Option 2: Use an intermediate Linux server
This workaround uses an intermediate Linux server to mount the remote shares by using SMBv2 and make them available to QRadar through an SMBv1 share. The intermediate server is locked down, by firewall rules, to communicate over SMBv1 only and to accept these connections only from QRadar appliances. The purpose of this procedure is to allow SMBv1 between the QRadar appliance and the intermediate server for event collection. Administrators who require SMBv2 per company security policy can use the updated protocols listed in Option 1: Update QRadar protocols to a version that supports SMBv2.
IMPORTANT: The procedures described in this technical note are intended for an intermediate server that is running a Linux distribution. Do not run these procedures to create mount points on the QRadar appliance, as doing so causes event collection issues. This procedure is only intended for a non-QRadar Linux server.
Figure 1: Example configuration using an intermediate server to collect events using QRadar protocols.
- Install a Linux distribution on a third-party or intermediate server or virtual machine.
Note: This cannot be a QRadar appliance or managed host.
- Using SSH, log in to the intermediate Linux server.
- To verify that SMB is enabled on the intermediate Linux server, type: systemctl is-enabled smb
For example:
[root@RHEL7-Server ~]# systemctl is-enabled smb
disabled
- If the previous command returns the value disabled, type the following command to enable SMB: systemctl enable smb
[root@RHEL7-Server ~]# systemctl enable smb
Created symlink from /etc/systemd/system/multi-user.target.wants/smb.service to /usr/lib/systemd/system/smb.service.
- To start the smb service, type: systemctl start smb
- Using the vi editor, open /etc/samba/smb.conf and add the following lines:
[mnt]
comment = QRadar SMBTail Share
path = /mnt/smb
read only = Yes
- Save the file by pressing the Esc key and then typing :wq
- Create a user and password for smbuser: smbpasswd -a smbuser
Note: The user smbuser is intended as an example; the Linux account must already exist before smbpasswd -a can add it to the Samba password database. This is the account name and password that QRadar uses to connect to the SMBv1 share on the Linux intermediate server.
- To create the directory /mnt/smb, type the following command: mkdir /mnt/smb
- To restart the smb service, type: systemctl restart smb
Results
SMB is now enabled on the intermediate Linux server. The administrator can now configure firewall rules to restrict communications from selected hosts or services.
- Type the following command to allow the Samba service in the public zone of the firewall:
firewall-cmd --permanent --zone=public --add-service=samba
- Optionally, you can add the ports individually instead:
firewall-cmd --permanent --add-port=137/tcp
firewall-cmd --permanent --add-port=138/tcp
firewall-cmd --permanent --add-port=139/tcp
firewall-cmd --permanent --add-port=445/tcp
- To load the changes in the firewall, type: firewall-cmd --reload
Results
The firewall for Red Hat Enterprise Linux 7 or CentOS 7 is now configured to allow SMB communications. If the firewall is not reloaded, as in the last step, these firewall rules are not enabled. Only selected incoming connections are accepted when a zone is set to public. It is recommended that most users add the SMB ports through the samba service entry, as the service can be disabled easily.
- To add firewall rules in iptables, open the following file in any text editor: /etc/sysconfig/iptables
- Add the following lines:
-A INPUT -s x.x.x.x/32 -m state --state NEW -p tcp --dport 137 -j ACCEPT
-A INPUT -s x.x.x.x/32 -m state --state NEW -p tcp --dport 138 -j ACCEPT
-A INPUT -s x.x.x.x/32 -m state --state NEW -p tcp --dport 139 -j ACCEPT
-A INPUT -s x.x.x.x/32 -m state --state NEW -p tcp --dport 445 -j ACCEPT
Where x.x.x.x is the host that sends incoming connections to the intermediate Linux server.
- Save the file changes.
- Reload the updated firewall configuration by using this command: service iptables restart
- Copy the /etc/fstab file to back it up: cp -p /etc/fstab /etc/fstab.bak
- Using the vi editor, create a credentials file: vi /root/secret.txt
Note: The credentials file can have a name of your choice.
- Add a username and password in the following format:
username=<domain/username_of_host>
password=<Your_password>
- Save the changes by pressing the Esc key and then typing :wq
- Change the permissions of the file to read/write for root only: chmod 600 /root/secret.txt
- Add the following line to the bottom of the /etc/fstab file (the fields are share, mount point, file system type, mount options, dump and pass):
//IP_Address_Windows_Host/Shared_Folder/ /mnt/smb cifs credentials=/root/secret.txt,_netdev,uid=0,gid=dba,ro,cache=strict,soft,dir_mode=0755 0 0
Note: The file path /mnt/smb is only an example; administrators need to mount each default folder that their Windows hosts use for the logs.
Examples of folders that need an individual mount point:
- For Microsoft Exchange 2016 SMTP logs, the default directory is c$/Program Files/Microsoft/Exchange Server/V15/TransportRoles/Logs/ProtocolLog/ and the mount point could be /mnt/smtp_exchange2016.
- For Microsoft Exchange 2016 OWA logs, the default directory is c$/inetpub/logs/LogFiles/W3SVC1/ and the mount point could be /mnt/owa_exchange2016.
- For Microsoft Exchange 2016 MSGTRK logs, the default directory is c$/Program Files/Microsoft/Exchange Server/V15/TransportRoles/Logs/MessageTracking/ and the mount point could be /mnt/msgtrk_exchange2016.
- For Microsoft DHCP logs, the default directory is Windows/system32/dhcp/ and the mount point could be /mnt/dhcp.
- For Microsoft IIS logs, the default error log path is Windows/system32/LogFiles/W3SVC1/ and the mount point could be /mnt/iis_logfiles.
Results
Administrators might need to repeat this procedure for multiple folders. For example, the Microsoft Exchange protocol supports MSGTRK, OWA, and SMTP logs, and each folder needs its own mount point. Depending on your collection requirements, repeat this procedure for the other SMB mount points. Your log sources must then be updated to reference the intermediate server IP address and the paths of the new mount points that correspond to the Windows logs you want to collect.
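As an added example (not part of the IBM technote), the checks below cover the credentials file and fstab steps above: they verify that the credentials file is mode 600 and well formed, build the read-only cifs entry with the option set the technote uses, and reject an fstab line that embeds a password, is writable, or has a malformed type field. The host, share and path values in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example, not part of the IBM technote. Helpers for the intermediate
# Linux server: validate the cifs credentials file and the /etc/fstab entry.

# Returns 0 if the credentials file is mode 600 and has username= and password= lines.
check_credentials_file() {
    f="$1"
    [ -f "$f" ] || { echo "missing: $f" >&2; return 1; }
    mode=$(stat -c %a "$f" 2>/dev/null || stat -f %Lp "$f")   # GNU, then BSD stat
    if [ "$mode" != "600" ]; then
        echo "$f must be mode 600 (root only), found $mode" >&2
        return 1
    fi
    grep -q '^username=' "$f" || { echo "no username= line in $f" >&2; return 1; }
    grep -q '^password=' "$f" || { echo "no password= line in $f" >&2; return 1; }
    return 0
}

# Prints the fstab line for a read-only cifs mount of //host/share at mountpoint,
# using the same option set as the technote (gid=dba is the technote's choice).
build_fstab_entry() {
    host="$1"; share="$2"; mountpoint="$3"; cred="$4"
    printf '//%s/%s %s cifs credentials=%s,_netdev,uid=0,gid=dba,ro,cache=strict,soft,dir_mode=0755 0 0\n' \
        "$host" "$share" "$mountpoint" "$cred"
}

# Returns 0 only if the fstab line is a cifs mount, read-only, and takes its
# credentials from a file rather than embedding password= in /etc/fstab.
fstab_entry_is_safe() {
    set -- $1                      # split into fields: share mountpoint type options dump pass
    [ "$#" -ge 4 ] || return 1
    [ "$3" = "cifs" ] || return 1  # catches a stray "type" word in the third field
    opts=",$4,"
    case "$opts" in *,ro,*) ;; *) return 1 ;; esac
    case "$opts" in *,credentials=*) ;; *) return 1 ;; esac
    case "$opts" in *,password=*) return 1 ;; esac
    return 0
}

# Example (assumed values):
# build_fstab_entry 192.0.2.10 'c$/Windows/system32/dhcp' /mnt/dhcp /root/secret.txt
```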
Document Information
Modified date: 23 February 2023
UID: swg22004891