diff --git a/scripts/base/init-bare.bro b/scripts/base/init-bare.bro
index 8ad2fbd1e2..38ca34c820 100644
--- a/scripts/base/init-bare.bro
+++ b/scripts/base/init-bare.bro
@@ -2819,76 +2819,190 @@ export { module SMB2; export { + ## An SMB2 header. + ## + ## For more information, see MS-SMB2:2.2.1.1 and MS-SMB2:2.2.1.2 + ## + ## .. bro:see:: smb2_message smb2_close_request smb2_close_response + ## smb2_create_request smb2_create_response smb2_negotiate_request + ## smb2_negotiate_response smb2_read_request + ## smb2_session_setup_request smb2_session_setup_response + ## smb2_set_info_request smb2_file_rename smb2_file_delete + ## smb2_tree_connect_request smb2_tree_connect_response + ## smb2_write_request type SMB2::Header: record { - credit_charge: count; - status: count; - command: count; - credits: count; - flags: count; - message_id: count; - process_id: count; - tree_id: count; - session_id: count; - signature: string; + ## The number of credits that this request consumes + credit_charge : count; + ## In a request, this is an indication to the server about the client's channel + ## change. In a response, this is the status field + status : count; + ## The command code of the packet + command : count; + ## The number of credits the client is requesting, or the number of credits + ## granted to the client in a response. + credits : count; + ## A flags field, which indicates how to process the operation (e.g. asynchronously) + flags : count; + ## A value that uniquely identifies the message request/response pair across all + ## messages that are sent on the same transport protocol connection + message_id : count; + ## A value that uniquely identifies the process that generated the event. + process_id : count; + ## A value that uniquely identifies the tree connect for the command. + tree_id : count; + ## A value that uniquely identifies the established session for the command. + session_id : count; + ## The 16-byte signature of the message, if SMB2_FLAGS_SIGNED is set in the ``flags`` + ## field. + signature : string; }; + ## An SMB2 globally unique identifier which identifies a file. 
+ ## + ## For more information, see MS-SMB2:2.2.14.1 + ## + ## .. bro:see:: smb2_close_request smb2_create_response smb2_read_request + ## smb2_file_rename smb2_file_delete smb2_write_request type SMB2::GUID: record { + ## A file handle that remains persistent when reconnected after a disconnect persistent: count; + ## A file handle that can be changed when reconnected after a disconnect volatile: count; }; + ## A series of boolean flags describing basic and extended file attributes for SMB2. + ## + ## For more information, see MS-CIFS:2.2.1.2.3 and MS-FSCC:2.6 + ## + ## .. bro:see:: smb2_create_response type SMB2::FileAttrs: record { + ## The file is read only. Applications can read the file but cannot + ## write to it or delete it. read_only: bool; + ## The file is hidden. It is not to be included in an ordinary directory listing. hidden: bool; + ## The file is part of or is used exclusively by the operating system. system: bool; + ## The file is a directory. directory: bool; + ## The file has not been archived since it was last modified. Applications use + ## this attribute to mark files for backup or removal. archive: bool; + ## The file has no other attributes set. This attribute is valid only if used alone. normal: bool; + ## The file is temporary. This is a hint to the cache manager that it does not need + ## to flush the file to backing storage. temporary: bool; + ## A file that is a sparse file. sparse_file: bool; + ## A file or directory that has an associated reparse point. reparse_point: bool; + ## The file or directory is compressed. For a file, this means that all of the data + ## in the file is compressed. For a directory, this means that compression is the + ## default for newly created files and subdirectories. compressed: bool; + ## The data in this file is not available immediately. This attribute indicates that + ## the file data is physically moved to offline storage. 
This attribute is used by + ## Remote Storage, which is hierarchical storage management software. offline: bool; + ## A file or directory that is not indexed by the content indexing service. not_content_indexed: bool; + ## A file or directory that is encrypted. For a file, all data streams in the file + ## are encrypted. For a directory, encryption is the default for newly created files + ## and subdirectories. encrypted: bool; + ## A file or directory that is configured with integrity support. For a file, all + ## data streams in the file have integrity support. For a directory, integrity support + ## is the default for newly created files and subdirectories, unless the caller + ## specifies otherwise. integrity_stream: bool; + ## A file or directory that is configured to be excluded from the data integrity scan. no_scrub_data: bool; }; + ## The response to an SMB2 CLOSE Request, which is used by the client to close an instance + ## of a file that was opened previously. + ## + ## For more information, see MS-SMB2:2.2.16 + ## + ## .. bro:see:: smb2_close_response type SMB2::CloseResponse: record { + ## The size, in bytes of the data that is allocated to the file. alloc_size : count; + ## The size, in bytes, of the file. eof : count; + ## The creation, last access, last write, and change times. times : SMB::MACTimes; + ## The attributes of the file. attrs : SMB2::FileAttrs; }; + ## The response to an SMB2 NEGOTIATE Request, which is used by tghe client to notify the server + ## what dialects of the SMB2 protocol the client understands. + ## + ## For more information, see MS-SMB2:2.2.4 + ## + ## .. bro:see:: smb2_negotiate_response type SMB2::NegotiateResponse: record { + ## The preferred common SMB2 Protocol dialect number from the array that was sent in the SMB2 + ## NEGOTIATE Request. dialect_revision : count; + ## The security mode field specifies whether SMB signing is enabled, required at the server, or both. 
security_mode : count; + ## A globally unique identifier that is generate by the server to uniquely identify the server. server_guid : string; + ## The system time of the SMB2 server when the SMB2 NEGOTIATE Request was processed. system_time : time; + ## The SMB2 server start time. server_start_time : time; }; + ## The request sent by the client to request a new authenticated session + ## within a new or existing SMB 2 Protocol transport connection to the server. + ## + ## For more information, see MS-SMB2:2.2.5 + ## + ## .. bro:see:: smb2_session_setup_request type SMB2::SessionSetupRequest: record { + ## The security mode field specifies whether SMB signing is enabled or required at the client. security_mode: count; }; + ## A flags field that indicates additional information about the session that's sent in the + ## SESSION SETUP response. + ## + ## For more information, see MS-SMB2:2.2.6 + ## + ## .. bro:see:: smb2_session_setup_response type SMB2::SessionSetupFlags: record { + ## If set, the client has been authenticated as a guest user. guest: bool; + ## If set, the client has been authenticated as an anonymous user. anonymous: bool; + ## If set, the server requires encryption of messages on this session. encrypt: bool; }; + ## The response to an SMB2 SESSION SETUP Request, which is sent by the client to request a + ## new authenticated session within a new or existing SMB 2 Protocol transport connection + ## to the server. + ## + ## For more information, see MS-SMB2:2.2.6 + ## + ## .. bro:see:: smb2_session_setup_response type SMB2::SessionSetupResponse: record { + ## Additional information about the session flags: SMB2::SessionSetupFlags; }; - type SMB2::SetInfoRequest: record { - eof: count; - }; - + ## The response to an SMB2 TREE_CONNECT Request, which is sent by the client to request + ## access to a particular share on the server. + ## + ## For more information, see MS-SMB2:2.2.9 + ## + ## .. 
bro:see:: smb2_tree_connect_response type SMB2::TreeConnectResponse: record { + ## The type of share being accessed. Physical disk, named pipe, or printer. share_type: count; }; } diff --git a/src/analyzer/protocol/smb/smb2_com_close.bif b/src/analyzer/protocol/smb/smb2_com_close.bif index 85b0ec53a1..23aefb0dd0 100644 --- a/src/analyzer/protocol/smb/smb2_com_close.bif +++ b/src/analyzer/protocol/smb/smb2_com_close.bif @@ -1,19 +1,25 @@ -## Generated for SMB2 request messages of type *close*. +## Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)` +## version 2 requests of type *close*. ## ## c: The connection. ## -## hdr: The parsed header of the SMB2 message. +## hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 2 message. ## ## file_name: The SMB2 GUID of the file being closed. +## +## .. bro:see:: smb2_message smb2_close_response event smb2_close_request%(c: connection, hdr: SMB2::Header, file_id: SMB2::GUID%); -## Generated for SMB2 response messages of type *close*. +## Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)` +## version 2 responses of type *close*. ## ## c: The connection. ## -## hdr: The parsed header of the SMB2 message. +## hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 2 message. ## ## response: A record of attributes returned from the server from the close. +## +## .. bro:see:: smb2_message smb2_close_request event smb2_close_response%(c: connection, hdr: SMB2::Header, response: SMB2::CloseResponse%); diff --git a/src/analyzer/protocol/smb/smb2_com_create.bif b/src/analyzer/protocol/smb/smb2_com_create.bif index aae5a23c01..c582cddc32 100644 --- a/src/analyzer/protocol/smb/smb2_com_create.bif +++ b/src/analyzer/protocol/smb/smb2_com_create.bif 
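Review bot: The `.. bro:see::` list on the new `SMB2::Header` doc still names `smb2_set_info_request`, but this same commit comments that event out as "Not implemented" in smb2_com_set_info.bif and deletes its `SMB2::SetInfoRequest` record, so the cross-reference will dangle; the `bro:see` lines on `smb2_file_rename` and `smb2_file_delete` in that file have the same problem. Two typos in the added text: "used by tghe client" on `SMB2::NegotiateResponse` and "that is generate by the server" on `server_guid`. The `signature` field comment would be more useful to script authors if it said whether the value is verified or merely carried from the wire; nothing in this hunk shows verification, so something like `## The 16-byte signature of the message as seen on the wire, if SMB2_FLAGS_SIGNED is set in the ``flags`` field (not validated by the analyzer — confirm).` would set expectations. The `status` comment also lacks a terminating period, unlike its neighbours.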
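Review bot: The parameter doc for `smb2_close_request` still reads `file_name:` while the event signature directly below declares `file_id: SMB2::GUID`, so the generated documentation describes a parameter that does not exist; it should read `## file_id: The SMB2 GUID of the file being closed.`. The commit rewrote the surrounding lines of this block but left this one as unchanged context.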
@@ -1,17 +1,21 @@ -## Generated for SMB2 request messages of type *create*. +## Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)` +## version 2 requests of type *create*. ## ## c: The connection. ## -## hdr: The parsed header of the SMB2 message. +## hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 2 message. ## ## file_name: The name of the file being requested. +## +## .. bro:see:: smb2_message smb2_create_response event smb2_create_request%(c: connection, hdr: SMB2::Header, file_name: string%); -## Generated for SMB2 response messages of type *create*. +## Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)` +## version 2 responses of type *create*. ## ## c: The connection. ## -## hdr: The parsed header of the SMB2 message. +## hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 2 message. ## ## file_id: The SMB2 GUID for the file. ## @@ -20,4 +24,6 @@ event smb2_create_request%(c: connection, hdr: SMB2::Header, file_name: string%) ## times: Timestamps associated with the file in question. ## ## attrs: File attributes. +## +## .. bro:see:: smb2_message smb2_create_request event smb2_create_response%(c: connection, hdr: SMB2::Header, file_id: SMB2::GUID, size: count, times: SMB::MACTimes, attrs: SMB2::FileAttrs%); diff --git a/src/analyzer/protocol/smb/smb2_com_ioctl.bif b/src/analyzer/protocol/smb/smb2_com_ioctl.bif index 222a4a41e0..996cee9ad8 100644 --- a/src/analyzer/protocol/smb/smb2_com_ioctl.bif +++ b/src/analyzer/protocol/smb/smb2_com_ioctl.bif @@ -1 +1 @@ -# Emoty. +# Empty. diff --git a/src/analyzer/protocol/smb/smb2_com_negotiate.bif b/src/analyzer/protocol/smb/smb2_com_negotiate.bif index 370491f5ec..d52939eb0f 100644 --- a/src/analyzer/protocol/smb/smb2_com_negotiate.bif +++ b/src/analyzer/protocol/smb/smb2_com_negotiate.bif 
@@ -1,19 +1,25 @@ -## Generated for SMB2 messages of type *negotiate*. +## Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)` +## version 2 requests of type *negotiate*. ## ## c: The connection. ## -## hdr: The parsed header of the SMB2 message. +## hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 2 message. ## ## dialects: A vector of the client's supported dialects. +## +## .. bro:see:: smb2_message smb2_negotiate_response event smb2_negotiate_request%(c: connection, hdr: SMB2::Header, dialects: index_vec%); -## Generated for SMB2 messages of type *negotiate response*. +## Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)` +## version 2 responses of type *negotiate*. ## ## c: The connection. ## -## hdr: The parsed header of the SMB2 message. +## hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 2 message. ## ## response: The negotiate response data structure. +## +## .. bro:see:: smb2_message smb2_negotiate_request event smb2_negotiate_response%(c: connection, hdr: SMB2::Header, response: SMB2::NegotiateResponse%); #### Types diff --git a/src/analyzer/protocol/smb/smb2_com_read.bif b/src/analyzer/protocol/smb/smb2_com_read.bif index d219063df4..07360c80d1 100644 --- a/src/analyzer/protocol/smb/smb2_com_read.bif +++ b/src/analyzer/protocol/smb/smb2_com_read.bif 
@@ -1,12 +1,15 @@ -## Generated for SMB2 request messages of type *read*. +## Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)` +## version 2 requests of type *read*. ## ## c: The connection. ## -## hdr: The parsed header of the SMB2 message. +## hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 2 message. ## ## file_id: The GUID being used for the file. ## ## offset: How far into the file this read should be taking place. ## ## length: The number of bytes of the file being read. +## +## .. bro:see:: smb2_message event smb2_read_request%(c: connection, hdr: SMB2::Header, file_id: SMB2::GUID, offset: count, length: count%); diff --git a/src/analyzer/protocol/smb/smb2_com_session_setup.bif b/src/analyzer/protocol/smb/smb2_com_session_setup.bif index f49e47ff0b..04e9778982 100644 --- a/src/analyzer/protocol/smb/smb2_com_session_setup.bif +++ b/src/analyzer/protocol/smb/smb2_com_session_setup.bif 
@@ -1,19 +1,25 @@ -## Generated for SMB2 request messages of type *session_setup*. +## Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)` +## version 2 requests of type *session_setup*. ## ## c: The connection. ## -## hdr: The parsed header of the SMB2 message. +## hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 2 message. ## ## request: A record containing more information related to the request. +## +## .. bro:see:: smb2_message smb2_session_setup_response event smb2_session_setup_request%(c: connection, hdr: SMB2::Header, request: SMB2::SessionSetupRequest%); -## Generated for SMB2 response messages of type *session_setup*. +## Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)` +## version 2 responses of type *session_setup*. ## ## c: The connection. ## -## hdr: The parsed header of the SMB2 message. +## hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 2 message. ## ## response: A record containing more information related to the response. +## +## .. bro:see:: smb2_message smb2_session_setup_request event smb2_session_setup_response%(c: connection, hdr: SMB2::Header, response: SMB2::SessionSetupResponse%); #### Types diff --git a/src/analyzer/protocol/smb/smb2_com_set_info.bif b/src/analyzer/protocol/smb/smb2_com_set_info.bif index 4ad99303a1..e128c86641 100644 --- a/src/analyzer/protocol/smb/smb2_com_set_info.bif +++ b/src/analyzer/protocol/smb/smb2_com_set_info.bif 
@@ -1,31 +1,42 @@ -## Generated for SMB2 request messages of type *set_info*. +## Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)` +## version 2 requests of type *set_info* of the *rename* subtype. ## ## c: The connection. ## -## hdr: The parsed header of the SMB2 message. -## -## request: A record containing more information related to the request. -event smb2_set_info_request%(c: connection, hdr: SMB2::Header, request: SMB2::SetInfoRequest%); - -type SMB2::SetInfoRequest: record; - -## Generated for SMB2 SetInfo File request messages of the rename subtype. -## -## c: The connection. -## -## hdr: The parsed header of the SMB2 message. +## hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 2 message. ## ## file_id: A GUID to identify the file. ## ## dst_filename: The filename to rename the file into. +## +## .. bro:see:: smb2_message smb2_set_info_request smb2_file_delete event smb2_file_rename%(c: connection, hdr: SMB2::Header, file_id: SMB2::GUID, dst_filename: string%); -## Generated for SMB2 SetInfo File request messages of the disposition (delete) subtype. +## Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)` +## version 2 requests of type *set_info* of the *delete* subtype. ## ## c: The connection. ## -## hdr: The parsed header of the SMB2 message. +## hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 2 message. ## ## delete_pending: A boolean value to indicate that a file should be deleted ## when it's closed if set to T. -event smb2_file_delete%(c: connection, hdr: SMB2::Header, file_id: SMB2::GUID, delete_pending: bool%); \ No newline at end of file +## +## .. 
bro:see:: smb2_message smb2_set_info_request smb2_file_rename +event smb2_file_delete%(c: connection, hdr: SMB2::Header, file_id: SMB2::GUID, delete_pending: bool%); + +# TODO - Not implemented + +# Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)` +# version 2 requests of type *set_info*. +# +# c: The connection. +# +# hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 2 message. +# +# request: A record containing more information related to the request. +# +# .. bro:see:: smb2_message smb2_file_rename smb2_file_delete +# event smb2_set_info_request%(c: connection, hdr: SMB2::Header, request: SMB2::SetInfoRequest%); +# +# type SMB2::SetInfoRequest: record; diff --git a/src/analyzer/protocol/smb/smb2_com_tree_connect.bif b/src/analyzer/protocol/smb/smb2_com_tree_connect.bif index 90501e341a..f64ae6c7da 100644 --- a/src/analyzer/protocol/smb/smb2_com_tree_connect.bif +++ b/src/analyzer/protocol/smb/smb2_com_tree_connect.bif 
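Review bot: The new doc block for `smb2_file_delete` documents `c`, `hdr` and `delete_pending` but omits `file_id`, which the event signature declares; add `## file_id: A GUID to identify the file.` before the `delete_pending` entry, matching the `smb2_file_rename` block above it. The trailing `# TODO - Not implemented` block is plain comments, so it is harmless to the build, but a one-line pointer to the tracking issue (placeholder: `# see issue <ISSUE-ID>`) would help whoever picks it up.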
@@ -1,19 +1,25 @@ -## Generated for SMB2 request messages of type *tree_connect*. +## Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)` +## version 2 requests of type *tree_connect*. ## ## c: The connection. ## -## hdr: The parsed header of the SMB2 message. +## hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 2 message. ## ## path: Path of the requested tree. +## +## .. bro:see:: smb2_message smb2_tree_connect_response event smb2_tree_connect_request%(c: connection, hdr: SMB2::Header, path: string%); -## Generated for SMB2 response messages of type *tree_connect*. +## Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)` +## version 2 responses of type *tree_connect*. ## ## c: The connection. ## -## hdr: The parsed header of the SMB2 message. +## hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 2 message. ## ## response: A record with more information related to the response. +## +## .. bro:see:: smb2_message smb2_tree_connect_request event smb2_tree_connect_response%(c: connection, hdr: SMB2::Header, response: SMB2::TreeConnectResponse%); type SMB2::TreeConnectResponse: record; diff --git a/src/analyzer/protocol/smb/smb2_com_write.bif b/src/analyzer/protocol/smb/smb2_com_write.bif index 729ad55805..f323c67308 100644 --- a/src/analyzer/protocol/smb/smb2_com_write.bif +++ b/src/analyzer/protocol/smb/smb2_com_write.bif 
@@ -1,12 +1,15 @@ -## Generated for SMB2 request messages of type *write*. +## Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)` +## version 2 requests of type *write*. ## ## c: The connection. ## -## hdr: The parsed header of the SMB2 message. +## hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 2 message. ## ## file_id: The GUID being used for the file. ## ## offset: How far into the file this write should be taking place. ## ## length: The number of bytes of the file being written. +## +## .. bro:see:: smb2_message event smb2_write_request%(c: connection, hdr: SMB2::Header, file_id: SMB2::GUID, offset: count, length: count%); diff --git a/src/analyzer/protocol/smb/smb2_events.bif b/src/analyzer/protocol/smb/smb2_events.bif index edfd226a8d..a8a2c439fc 100644 --- a/src/analyzer/protocol/smb/smb2_events.bif +++ b/src/analyzer/protocol/smb/smb2_events.bif @@ -1,12 +1,17 @@ -## Generated for all SMB2 messages. +## Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)` +## version 2 messages. +## +## See `Wikipedia `__ for more information about the +## :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)` protocol. Bro's +## :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)` analyzer parses +## both :abbr:`SMB (Server Message Block)`-over-:abbr:`NetBIOS (Network Basic Input/Output System)` on +## ports 138/139 and :abbr:`SMB (Server Message Block)`-over-TCP on port 445. ## ## c: The connection. ## -## hdr: The parsed header of the SMB2 message. +## hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 2 message. ## ## is_orig: True if the message came from the originator side. +## +## .. bro:see:: smb1_message event smb2_message%(c: connection, hdr: SMB2::Header, is_orig: bool%); - - - -
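Review bot: The port statement in the new `smb2_message` doc is imprecise: SMB over the NetBIOS session service runs on TCP/139, while 138 is the NetBIOS datagram service (UDP) and does not carry SMB file-sharing traffic, so unless the analyzer is actually registered on 138 the line should end `... on port 139 and :abbr:`SMB (Server Message Block)`-over-TCP on port 445.`. The `Wikipedia` reference on the second added line has no URL target in the RST as shown (`` `Wikipedia `__ ``); if the `<...>` part was not simply stripped in rendering, the reference will not build.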