Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-02 14:48:21 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 2

Merge remote-tracking branch 'origin/topic/seth/fix-smb-ts-fields'

Browse source 
* origin/topic/seth/fix-smb-ts-fields:
  Updating external test commit pointers
  ts fields in SMB logs now default to network_time()
This commit is contained in:
Jon Siwek 2021-03-11 12:43:21 -08:00
commit 07bad2d40e
6 changed files with 22 additions and 13 deletions
Download patch file Download diff file Expand all files Collapse all files

9
CHANGES
View file

@ -1,4 +1,13 @@
4.1.0-dev.323 | 2021-03-11 12:43:21 -0800
* ts fields in SMB logs now default to network_time() (Seth Hall, Corelight)
This avoids a problem identified by amanbansal2709 in pull
request #1288. I fixed it in a different way than that pull request
by making sure the ts field is always set so that this isssue doesn't
return in the future.
4.1.0-dev.320 | 2021-03-10 12:29:13 -0800 4.1.0-dev.320 | 2021-03-10 12:29:13 -0800
* GH-1432: Use buffered IO for file extraction (Jon Siwek, Corelight) * GH-1432: Use buffered IO for file extraction (Jon Siwek, Corelight)

2
VERSION
View file

@ -1 +1 @@
4.1.0-dev.320 4.1.0-dev.323

6
scripts/base/protocols/smb/main.zeek
View file

@ -48,7 +48,7 @@ export {
## This record is for the smb_files.log ## This record is for the smb_files.log
type FileInfo: record { type FileInfo: record {
## Time when the file was first discovered. ## Time when the file was first discovered.
ts : time &log; ts : time &log &default=network_time();
## Unique ID of the connection the file was sent over. ## Unique ID of the connection the file was sent over.
uid : string &log; uid : string &log;
## ID of the connection the file was sent over. ## ID of the connection the file was sent over.
@ -74,7 +74,7 @@ export {
## This record is for the smb_mapping.log ## This record is for the smb_mapping.log
type TreeInfo: record { type TreeInfo: record {
## Time when the tree was mapped. ## Time when the tree was mapped.
ts : time &log &optional; ts : time &log &default=network_time();
## Unique ID of the connection the tree was mapped over. ## Unique ID of the connection the tree was mapped over.
uid : string &log; uid : string &log;
## ID of the connection the tree was mapped over. ## ID of the connection the tree was mapped over.
@ -94,7 +94,7 @@ export {
## This record is for the smb_cmd.log ## This record is for the smb_cmd.log
type CmdInfo: record { type CmdInfo: record {
## Timestamp of the command request. ## Timestamp of the command request.
ts : time &log; ts : time &log &default=network_time();
## Unique ID of the connection the request was sent over. ## Unique ID of the connection the request was sent over.
uid : string &log; uid : string &log;
## ID of the connection the request was sent over. ## ID of the connection the request was sent over.

8
scripts/base/protocols/smb/smb1-main.zeek
View file

@ -47,9 +47,9 @@ event smb1_message(c: connection, hdr: SMB1::Header, is_orig: bool) &priority=5
if ( mid !in smb_state$pending_cmds ) if ( mid !in smb_state$pending_cmds )
{ {
local tmp_cmd = SMB::CmdInfo($ts=network_time(), $uid=c$uid, $id=c$id, $version="SMB1", $command = SMB1::commands[hdr$command]); local tmp_cmd = SMB::CmdInfo($uid=c$uid, $id=c$id, $version="SMB1", $command = SMB1::commands[hdr$command]);
local tmp_file = SMB::FileInfo($ts=network_time(), $uid=c$uid, $id=c$id); local tmp_file = SMB::FileInfo($uid=c$uid, $id=c$id);
tmp_cmd$referenced_file = tmp_file; tmp_cmd$referenced_file = tmp_file;
tmp_cmd$referenced_tree = smb_state$current_tree; tmp_cmd$referenced_tree = smb_state$current_tree;
@ -104,7 +104,7 @@ event smb1_negotiate_response(c: connection, hdr: SMB1::Header, response: SMB1::
event smb1_tree_connect_andx_request(c: connection, hdr: SMB1::Header, path: string, service: string) &priority=5 event smb1_tree_connect_andx_request(c: connection, hdr: SMB1::Header, path: string, service: string) &priority=5
{ {
local tmp_tree = SMB::TreeInfo($ts=network_time(), $uid=c$uid, $id=c$id, $path=path, $service=service); local tmp_tree = SMB::TreeInfo($uid=c$uid, $id=c$id, $path=path, $service=service);
c$smb_state$current_cmd$referenced_tree = tmp_tree; c$smb_state$current_cmd$referenced_tree = tmp_tree;
c$smb_state$current_cmd$argument = path; c$smb_state$current_cmd$argument = path;
@ -132,7 +132,7 @@ event smb1_tree_connect_andx_response(c: connection, hdr: SMB1::Header, service:
event smb1_nt_create_andx_request(c: connection, hdr: SMB1::Header, name: string) &priority=5 event smb1_nt_create_andx_request(c: connection, hdr: SMB1::Header, name: string) &priority=5
{ {
local tmp_file = SMB::FileInfo($ts=network_time(), $uid=c$uid, $id=c$id); local tmp_file = SMB::FileInfo($uid=c$uid, $id=c$id);
c$smb_state$current_cmd$referenced_file = tmp_file; c$smb_state$current_cmd$referenced_file = tmp_file;
c$smb_state$current_cmd$referenced_file$name = name; c$smb_state$current_cmd$referenced_file$name = name;

8
scripts/base/protocols/smb/smb2-main.zeek
View file

@ -26,8 +26,8 @@ event smb2_message(c: connection, hdr: SMB2::Header, is_orig: bool) &priority=5
if ( mid !in smb_state$pending_cmds ) if ( mid !in smb_state$pending_cmds )
{ {
local tmp_file = SMB::FileInfo($ts=network_time(), $uid=c$uid, $id=c$id); local tmp_file = SMB::FileInfo($uid=c$uid, $id=c$id);
local tmp_cmd = SMB::CmdInfo($ts=network_time(), $uid=c$uid, $id=c$id, $version="SMB2", $command = SMB2::commands[hdr$command]); local tmp_cmd = SMB::CmdInfo($uid=c$uid, $id=c$id, $version="SMB2", $command = SMB2::commands[hdr$command]);
tmp_cmd$referenced_file = tmp_file; tmp_cmd$referenced_file = tmp_file;
smb_state$pending_cmds[mid] = tmp_cmd; smb_state$pending_cmds[mid] = tmp_cmd;
} }
@ -41,14 +41,14 @@ event smb2_message(c: connection, hdr: SMB2::Header, is_orig: bool) &priority=5
} }
else if ( tid !in smb_state$tid_map ) else if ( tid !in smb_state$tid_map )
{ {
local tmp_tree = SMB::TreeInfo($ts=network_time(), $uid=c$uid, $id=c$id); local tmp_tree = SMB::TreeInfo($uid=c$uid, $id=c$id);
smb_state$tid_map[tid] = tmp_tree; smb_state$tid_map[tid] = tmp_tree;
} }
smb_state$current_cmd$referenced_tree = smb_state$tid_map[tid]; smb_state$current_cmd$referenced_tree = smb_state$tid_map[tid];
} }
else else
{ {
smb_state$current_cmd$referenced_tree = SMB::TreeInfo($ts=network_time(), $uid=c$uid, $id=c$id); smb_state$current_cmd$referenced_tree = SMB::TreeInfo($uid=c$uid, $id=c$id);
} }
smb_state$current_file = smb_state$current_cmd$referenced_file; smb_state$current_file = smb_state$current_cmd$referenced_file;

2
testing/external/commit-hash.zeek-testing-private vendored
View file

@ -1 +1 @@
10fcc15327154796ec9cfd4e1448f92d00fde2c5 d15d95ad14e8974d828f9ee64fcd6cb313f004a2