diff --git a/scripts/base/init-bare.bro b/scripts/base/init-bare.bro
index e63f9f7853..b92ac9a5e4 100644
--- a/scripts/base/init-bare.bro
+++ b/scripts/base/init-bare.bro
@@ -2861,6 +2861,25 @@ export {
 setup_count: count;
 };
 
+ type SMB1::Trans_Sec_Args: record {
+ ## Total parameter count
+ total_param_count: count;
+ ## Total data count
+ total_data_count: count;
+ ## Parameter count
+ param_count: count;
+ ## Parameter offset
+ param_offset: count;
+ ## Parameter displacement
+ param_displacement: count;
+ ## Data count
+ data_count: count;
+ ## Data offset
+ data_offset: count;
+ ## Data displacement
+ data_displacement: count;
+ };
+
 type SMB1::Find_First2_Request_Args: record {
 ## File attributes to apply as a constraint to the search
 search_attrs : count;
diff --git a/src/analyzer/protocol/smb/CMakeLists.txt b/src/analyzer/protocol/smb/CMakeLists.txt
index bf44501b96..6b594d5367 100644
--- a/src/analyzer/protocol/smb/CMakeLists.txt
+++ b/src/analyzer/protocol/smb/CMakeLists.txt
@@ -18,6 +18,7 @@ bro_plugin_bif(
 smb1_com_read_andx.bif
 smb1_com_session_setup_andx.bif
 smb1_com_transaction.bif
+ smb1_com_transaction_secondary.bif
 smb1_com_transaction2.bif
 smb1_com_tree_connect_andx.bif
 smb1_com_tree_disconnect.bif
diff --git a/src/analyzer/protocol/smb/smb.pac b/src/analyzer/protocol/smb/smb.pac
index 156037f614..c747d87e92 100644
--- a/src/analyzer/protocol/smb/smb.pac
+++ b/src/analyzer/protocol/smb/smb.pac
@@ -24,6 +24,7 @@
 #include "smb1_com_read_andx.bif.h"
 #include "smb1_com_session_setup_andx.bif.h"
 #include "smb1_com_transaction.bif.h"
+#include "smb1_com_transaction_secondary.bif.h"
 #include "smb1_com_transaction2.bif.h"
 #include "smb1_com_tree_connect_andx.bif.h"
 #include "smb1_com_tree_disconnect.bif.h"
diff --git a/src/analyzer/protocol/smb/smb1-com-transaction-secondary.pac b/src/analyzer/protocol/smb/smb1-com-transaction-secondary.pac
index bcd9ba91bb..a9ccddea73 100644
--- a/src/analyzer/protocol/smb/smb1-com-transaction-secondary.pac
+++ b/src/analyzer/protocol/smb/smb1-com-transaction-secondary.pac
@@ -1,3 +1,66 @@
+refine connection SMB_Conn += {
+
+ function proc_smb1_transaction_secondary_request(header: SMB_Header, val: SMB1_transaction_secondary_request): bool
+ %{
+ RecordVal* args = new RecordVal(BifType::Record::SMB1::Trans_Sec_Args);
+ args->Assign(0, new Val(${val.total_param_count}, TYPE_COUNT));
+ args->Assign(1, new Val(${val.total_data_count}, TYPE_COUNT));
+ args->Assign(2, new Val(${val.param_count}, TYPE_COUNT));
+ args->Assign(3, new Val(${val.param_offset}, TYPE_COUNT));
+ args->Assign(4, new Val(${val.param_displacement}, TYPE_COUNT));
+ args->Assign(5, new Val(${val.data_count}, TYPE_COUNT));
+ args->Assign(6, new Val(${val.data_offset}, TYPE_COUNT));
+ args->Assign(7, new Val(${val.data_displacement}, TYPE_COUNT));
+
+ StringVal *parameters = new StringVal(${val.param_count}, (const char*)${val.parameters}.data());
+ StringVal *payload_str = nullptr;
+ SMB1_transaction_data *payload = nullptr;
+
+ if ( !parameters )
+ {
+ parameters = new StringVal("");
+ }
+
+ if ( ${val.data_count > 0} )
+ {
+ payload = ${val.data};
+ }
+
+ if ( payload )
+ {
+ switch ( payload->trans_type() )
+ {
+ case SMB_PIPE:
+ payload_str = new StringVal(${val.data_count}, (const char*)${val.data.pipe_data}.data());
+ break;
+ case SMB_UNKNOWN:
+ payload_str = new StringVal(${val.data_count}, (const char*)${val.data.unknown}.data());
+ break;
+ default:
+ payload_str = new StringVal(${val.data_count}, (const char*)${val.data.data}.data());
+ break;
+ }
+ }
+
+ if ( !payload_str )
+ {
+ payload_str = new StringVal("");
+ }
+
+ if ( smb1_transaction_secondary_request )
+ {
+ BifEvent::generate_smb1_transaction_secondary_request(bro_analyzer(),
+ bro_analyzer()->Conn(),
+ BuildHeaderVal(header),
+ args,
+ parameters,
+ payload_str);
+ }
+
+ return true;
+ %}
+};
+
 type SMB1_transaction_secondary_request(header: SMB_Header) = record {
 word_count : uint8;
 total_param_count : uint16;
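Review bot: `args`, `parameters` and `payload_str` are allocated at the top of proc_smb1_transaction_secondary_request but are only handed off inside the `if ( smb1_transaction_secondary_request )` block, and nothing in the hunk releases them on the other path, so every secondary transaction message processed while no handler for that event is loaded leaves those heap objects behind. Test for the handler before doing any work, with `if ( ! smb1_transaction_secondary_request ) return true;` as the first statement of the body, which is also the pattern that makes the later guard redundant. The `if ( !parameters )` check right after `new StringVal(...)` is dead, because `new` does not return nullptr, and can be dropped. The lengths passed to StringVal (`${val.param_count}`, `${val.data_count}`) are counts taken from the message itself; they should coincide with what binpac parsed (`parameters` is declared `&length = param_count`), but using the parsed bytestrings' own `.length()` would tie each copy to the bytes actually consumed rather than to a peer-supplied count.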
@@ -14,4 +77,6 @@ type SMB1_transaction_secondary_request(header: SMB_Header) = record {
 parameters : bytestring &length = param_count;
 pad2 : padding to data_offset - SMB_Header_length;
 data : SMB1_transaction_data(header, true, data_count, 0, SMB_UNKNOWN, false);
+} &let {
+ proc : bool = $context.connection.proc_smb1_transaction_secondary_request(header, this);
 };
diff --git a/src/analyzer/protocol/smb/smb1-protocol.pac b/src/analyzer/protocol/smb/smb1-protocol.pac
index 4b38feefcb..92a448ea8e 100644
--- a/src/analyzer/protocol/smb/smb1-protocol.pac
+++ b/src/analyzer/protocol/smb/smb1-protocol.pac
@@ -170,7 +170,7 @@ type SMB_Message_Request(header: SMB_Header, offset: uint16, command: uint8, is_
 # #SMB_COM_QUERY_INFORMATION2 -> query_information2 : SMB_query_information2_request(header);
 SMB_COM_LOCKING_ANDX -> locking_andx : SMB1_locking_andx_request(header, offset);
 SMB_COM_TRANSACTION -> transaction : SMB1_transaction_request(header);
-# SMB_COM_TRANSACTION_SECONDARY -> transaction_secondary : SMB1_transaction_secondary_request(header);
+ SMB_COM_TRANSACTION_SECONDARY -> transaction_secondary : SMB1_transaction_secondary_request(header);
 # #SMB_COM_IOCTL -> ioctl : SMB_ioctl_request(header);
 # #SMB_COM_IOCTL_SECONDARY -> ioctl_secondary : SMB_ioctl_secondary_request(header);
 # #SMB_COM_COPY -> copy : SMB_copy_request(header);
diff --git a/src/analyzer/protocol/smb/smb1_com_transaction_secondary.bif b/src/analyzer/protocol/smb/smb1_com_transaction_secondary.bif
new file mode 100644
index 0000000000..ee658d4b76
--- /dev/null
+++ b/src/analyzer/protocol/smb/smb1_com_transaction_secondary.bif
@@ -0,0 +1,19 @@
+## Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
+## version 1 requests of type *transaction_secondary*. This command
+## serves as an additional request data container for the
+## Transaction Subprotocol Commands (carried by *transaction* requests).
+##
+## For more information, see MS-CIFS:2.2.4.34
+##
+## c: The connection.
+##
+## hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 1 message.
+##
+## parameters: the SMB_Data.Trans_Parameters field content
+##
+## data: the SMB_Data.Trans_Data field content
+##
+event smb1_transaction_secondary_request%(c: connection, hdr: SMB1::Header, args: SMB1::Trans_Sec_Args, parameters: string, data: string%);
+
+## Types
+type SMB1::Trans_Sec_Args: record;
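Review bot: The doc comment on smb1_transaction_secondary_request describes c, hdr, parameters and data but not `args`, which the event signature also carries, so the generated reference will show an undocumented parameter. Add an entry in the same position as in the signature, e.g. `## args: The parsed counts, offsets and displacements of the request (see SMB1::Trans_Sec_Args).` between the hdr and parameters entries. The two existing field descriptions would also read consistently with the others if they were capitalised and ended with a period, e.g. `## parameters: The SMB_Data.Trans_Parameters field content.`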