Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-02 06:38:20 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

Merge remote-tracking branch 'origin/topic/vern/smb-filtering'

Browse source 
* origin/topic/vern/smb-filtering:
  Fix for suppressing SMB logging of previously-logged files
This commit is contained in:
Tim Wojtulewicz 2024-05-20 15:54:09 -07:00
commit 04c8a6bde7
4 changed files with 12 additions and 9 deletions
Download patch file Download diff file Expand all files Collapse all files

4
CHANGES
View file

@ -1,3 +1,7 @@
7.0.0-dev.270 | 2024-05-20 15:54:09 -0700
* Fix for suppressing SMB logging of previously-logged files (Vern Paxson, Corelight)
7.0.0-dev.268 | 2024-05-17 08:56:31 -0700
* Bump Spicy to latest dev snapshot (Benjamin Bannier, Corelight)

2
VERSION
View file

@ -1 +1 @@
7.0.0-dev.268
7.0.0-dev.270

8
scripts/base/protocols/smb/main.zeek
View file

@ -215,12 +215,18 @@ function write_file_log(state: State)
# seen files in the SMB::State $recent_files field.
if ( f?$times )
{
# For repeated reads of the same file, the access
# time can change, so make a copy of the various times
# and zero that one out.
local times = copy(f$times);
times$accessed_raw = 0;
times$accessed = double_to_time(0.0);
local file_ident = cat(f$action,
f?$fuid ? f$fuid : "",
f?$name ? f$name : "",
f?$path ? f$path : "",
f$size,
f$times);
times);
if ( file_ident in state$recent_files )
{
# We've already seen this file and don't want to log it again.

7
testing/btest/Baseline/scripts.base.protocols.smb.smb3-multichannel/smb_files.log
View file

@ -10,12 +10,10 @@
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 172.17.0.184 57092 172.17.0.189 445 - SMB::FILE_OPEN \\\\172.17.0.189\\share2 <share_root> 4096 - XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 172.17.0.184 57092 172.17.0.189 445 - SMB::FILE_OPEN \\\\172.17.0.189\\share2 00bfsvc.exe 77824 - XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 172.17.0.184 57092 172.17.0.189 445 - SMB::FILE_OPEN \\\\172.17.0.189\\share2 00bfsvc.enc 0 - XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 172.17.0.184 57092 172.17.0.189 445 - SMB::FILE_OPEN \\\\172.17.0.189\\share2 00bfsvc.exe 77824 - XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 172.17.0.184 57092 172.17.0.189 445 - SMB::FILE_DELETE \\\\172.17.0.189\\share2 00bfsvc.exe 77824 - XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 172.17.0.184 57092 172.17.0.189 445 - SMB::FILE_OPEN \\\\172.17.0.189\\share2 01bootstat.docx 67584 - XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 172.17.0.184 57092 172.17.0.189 445 - SMB::FILE_OPEN \\\\172.17.0.189\\share2 <share_root> 4096 - XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 172.17.0.184 57092 172.17.0.189 445 - SMB::FILE_OPEN \\\\172.17.0.189\\share2 01bootstat.enc 0 - XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 172.17.0.184 57092 172.17.0.189 445 - SMB::FILE_OPEN \\\\172.17.0.189\\share2 01bootstat.docx 67584 - XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 172.17.0.184 57092 172.17.0.189 445 - SMB::FILE_DELETE \\\\172.17.0.189\\share2 01bootstat.docx 67584 - XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 172.17.0.184 57092 172.17.0.189 445 - SMB::FILE_OPEN \\\\172.17.0.189\\share2 02DtcInstall.doc 1947 - XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 172.17.0.184 57092 172.17.0.189 445 - SMB::FILE_OPEN \\\\172.17.0.189\\share2 02DtcInstall.enc 0 - XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX
@ -28,11 +26,9 @@ XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 172.17.0.184 57092 172.17.0.189 445 - SMB::F
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 172.17.0.184 57092 172.17.0.189 445 - SMB::FILE_DELETE \\\\172.17.0.189\\share2 06lsasetup.pdf 1376 - XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 172.17.0.184 57092 172.17.0.189 445 - SMB::FILE_OPEN \\\\172.17.0.189\\share2 07mib.pdf 43131 - XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 172.17.0.184 57092 172.17.0.189 445 - SMB::FILE_OPEN \\\\172.17.0.189\\share2 07mib.enc 0 - XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 172.17.0.184 57092 172.17.0.189 445 - SMB::FILE_OPEN \\\\172.17.0.189\\share2 07mib.pdf 43131 - XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 172.17.0.184 57092 172.17.0.189 445 - SMB::FILE_DELETE \\\\172.17.0.189\\share2 07mib.pdf 43131 - XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 172.17.0.184 57092 172.17.0.189 445 - SMB::FILE_OPEN \\\\172.17.0.189\\share2 08notepad.exe 202240 - XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 172.17.0.184 57092 172.17.0.189 445 - SMB::FILE_OPEN \\\\172.17.0.189\\share2 08notepad.enc 0 - XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 172.17.0.184 57092 172.17.0.189 445 - SMB::FILE_OPEN \\\\172.17.0.189\\share2 08notepad.exe 202240 - XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 172.17.0.184 57092 172.17.0.189 445 - SMB::FILE_DELETE \\\\172.17.0.189\\share2 08notepad.exe 202240 - XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 172.17.0.184 57092 172.17.0.189 445 - SMB::FILE_OPEN \\\\172.17.0.189\\share2 09PFRO.doc 4772 - XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 172.17.0.184 57092 172.17.0.189 445 - SMB::FILE_OPEN \\\\172.17.0.189\\share2 09PFRO.enc 0 - XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX
@ -41,17 +37,14 @@ XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 172.17.0.184 57092 172.17.0.189 445 - SMB::F
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 172.17.0.184 57092 172.17.0.189 445 - SMB::FILE_OPEN \\\\172.17.0.189\\share2 10Professional.enc 0 - XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 172.17.0.184 57092 172.17.0.189 445 - SMB::FILE_DELETE \\\\172.17.0.189\\share2 10Professional.docx 30831 - XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 172.17.0.184 57092 172.17.0.189 445 - SMB::FILE_OPEN \\\\172.17.0.189\\share2 11regedit.exe 369664 - XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 172.17.0.184 57092 172.17.0.189 445 - SMB::FILE_OPEN \\\\172.17.0.189\\share2 11regedit.exe 369664 - XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 172.17.0.184 57092 172.17.0.189 445 - SMB::FILE_DELETE \\\\172.17.0.189\\share2 11regedit.exe 369664 - XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 172.17.0.184 57092 172.17.0.189 445 - SMB::FILE_OPEN \\\\172.17.0.189\\share2 12splwow64.exe 135168 - XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 172.17.0.184 57092 172.17.0.189 445 - SMB::FILE_OPEN \\\\172.17.0.189\\share2 12splwow64.enc 0 - XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 172.17.0.184 57092 172.17.0.189 445 - SMB::FILE_OPEN \\\\172.17.0.189\\share2 12splwow64.exe 135168 - XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX
XXXXXXXXXX.XXXXXX ClEkJM2Vm5giqnMf4h 172.17.0.184 57093 172.17.0.189 445 - SMB::FILE_OPEN - 13system.pdf 219 - XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 172.17.0.184 57092 172.17.0.189 445 - SMB::FILE_OPEN \\\\172.17.0.189\\share2 13system.enc 0 - XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX
XXXXXXXXXX.XXXXXX CtPZjS20MLrsMUOJi2 172.17.0.184 57095 172.17.0.189 445 - SMB::FILE_OPEN - 13system.pdf 219 - XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 172.17.0.184 57092 172.17.0.189 445 - SMB::FILE_OPEN \\\\172.17.0.189\\share2 14twain_32.pdf 65024 - XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX
XXXXXXXXXX.XXXXXX ClEkJM2Vm5giqnMf4h 172.17.0.184 57093 172.17.0.189 445 - SMB::FILE_OPEN - 14twain_32.enc 0 - XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 172.17.0.184 57092 172.17.0.189 445 - SMB::FILE_OPEN \\\\172.17.0.189\\share2 14twain_32.pdf 65024 - XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 172.17.0.184 57092 172.17.0.189 445 - SMB::FILE_OPEN \\\\172.17.0.189\\share2 <share_root> 4096 - XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX
XXXXXXXXXX.XXXXXX C4J4Th3PJpwUYZZ6gc 172.17.0.184 57094 172.17.0.189 445 - SMB::FILE_OPEN - 00bfsvc.enc 103968 - XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 172.17.0.184 57092 172.17.0.189 445 - SMB::FILE_OPEN \\\\172.17.0.189\\share2 00bfsvc.enc 103968 - XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX