Forum Discussion
Azure ATP connection closed errors
I am seeing the following error in the Azure ATP Sensor logs in my environment when running net group "Domain Admins" /domain from member workstations. I do not see the correlated event of a user querying Domain Admins in AATP portal either. I am using VMWare to virtualize all components and have made the settings adjustments mentioned in the Azure ATP documentation for network adapters on VMWare hosted systems with the AATP sensor.
Has anyone else seen this? Can anyone from Microsoft provide some guidance? All other detections appear to be working as I only see the parsing errors when running net group or net user queries (I have not done exhaustive testing).
2019-06-21 18:20:37.0249 Error TransportStreamExtension+Disposable Error parsing segment [transportSessionKey=DCIP:445 => WorkstationIP:57133]
Microsoft.Tri.Infrastructure.ExtendedException: Parser read out of bounds [_messageLength=0 readDataLength=3]
at void Microsoft.Tri.Sensor.TransportStreamExtension+Disposable.Dispose()
at void Microsoft.Tri.Sensor.SmbParser.ParseDceRpcPayload(TransportPacket transportPacket, Session session, Command command, ITransportDataStream transportDataStream)
at void Microsoft.Tri.Sensor.SmbParser.ParseReadPayload(TransportPacket transportPacket, Session session, Command command, ITransportDataStream transportDataStream)
at bool Microsoft.Tri.Sensor.SmbParser.ParseSmb1Command(TransportPacket transportPacket, SessionId transportSessionId, Session session, Header header, PayloadInfo payloadInfo, bool isLastInChain, ITransportDataStream transportDataStream)
at void Microsoft.Tri.Sensor.SmbParser.ParseSmb1(TransportPacket transportPacket, SessionId transportSessionId, uint messageLength, ITransportDataStream transportDataStream)
at void Microsoft.Tri.Sensor.SmbParser.Parse(TransportPacket transportPacket, SessionId transportSessionId, uint messageLength, ITransportDataStream transportDataStream)
at void Microsoft.Tri.Sensor.TcpParser.ParseApplicationProtocol(IpDatagram ipDatagram, TransportSessionKey transportSessionKey, TcpSession tcpSession)
at void Microsoft.Tri.Sensor.TcpParser.ParseInternal(IpDatagram ipDatagram, TransportSessionKey transportSessionKey, BufferSlice bufferSlice)
at void Microsoft.Tri.Sensor.TcpParser.Parse(IpDatagram ipDatagram, BufferSlice bufferSlice)
- Engineering has researched the sampled capture ans managed to reproduce the issue.Sadly, this is not an easy fix, it's a specific traffic/rare traffic on top of SMB1 we were not aware of before and currently cannot parse.We have opened a bug for it.It is planned but in low priority for now as telemetry shows it happens rarely.We will update once we get it resolved so the fix can be verified.
12 Replies
- EliOfek
Microsoft
archedmeerkat Can you verify TSO offload is disabled?
from elevated powershell, run:
Get-NetAdapterAdvancedProperty | Where-Object DisplayName -Match "^Large*"
Check it the feature is enabled, if it is, run:
Disable-NetAdapterLso -Name {name of adapter} \\ this will disable LSO for both IPv4 and IPv6.Then verify the previous command again to make sure it was disabled.
Eli
EliOfek- Is there a way to enable Debug logging or extra logging on the ATP sensor? It appears to only be happening on one of the four sensors we have.
- EliOfek
archedmeerkat Hi, I am on-boarding internally the engineer who wrote most of the code for parsing this protocol...
For now I don't think raising the trace log will produce meaningful results.
But something that might help is if you are able to use netmon 3.4 to capture a cap file trace of this specific traffic (recording while we have at least one incident like this in the log)
in which case we can use it to repro the problem in our lab which will speed up the research considerably...
EliOfek- Commands returned that TSO offload is disabled on both on ipv4 and ipv6
