Add more SMB subcommands and arguments. Log SMB1 error messages too.

2025-10-12 03:28:19 +00:00 · 2014-10-07 17:32:01 -04:00 · 2014-10-07 17:32:01 -04:00 · 0d615b0319
commit 0d615b0319
parent a6de23aaa3
6 changed files with 61 additions and 7 deletions
--- a/scripts/base/protocols/smb/main.bro
+++ b/scripts/base/protocols/smb/main.bro
@ -127,10 +127,12 @@ export {
 		smb_state : State &optional;
 	};
 	
+
 	## Internal use only
 	## Some commands shouldn't be logged by the smb1_message event
 	const deferred_logging_cmds: set[string] = {
 		"NEGOTIATE",
+		"SESSION_SETUP_ANDX",
 	};
 	
 	## This is an internally used function.
--- a/scripts/base/protocols/smb/smb1-main.bro
+++ b/scripts/base/protocols/smb/smb1-main.bro
@ -214,3 +214,52 @@ event smb1_trans2_get_dfs_referral_request(c: connection, hdr: SMB1::Header, fil
 	{
 	c$smb_state$current_cmd$argument = file_name;
 	}
+
+event smb1_session_setup_andx_response(c: connection, hdr: SMB1::Header, response: SMB1::SessionSetupAndXResponse) &priority=-5
+	{
+	if ( c$smb_state$current_cmd$status !in SMB::ignored_command_statuses )
+		{
+		Log::write(SMB::CMD_LOG, c$smb_state$current_cmd);
+		}
+	}
+	
+event smb_ntlm_negotiate(c: connection, hdr: SMB1::Header, request: SMB::NTLMNegotiate)
+	{
+	c$smb_state$current_cmd$sub_command = "NTLMSSP_NEGOTIATE";
+	}
+
+event smb1_error(c: connection, hdr: SMB1::Header, is_orig: bool)
+	{
+	if ( ! is_orig )
+		{
+		# This is for deferred commands only.
+		# The more specific messages won't fire for errors
+		if ( ( c$smb_state$current_cmd$status !in SMB::ignored_command_statuses ) &&
+		     ( c$smb_state$current_cmd$command in SMB::deferred_logging_cmds ) )
+			{
+			Log::write(SMB::CMD_LOG, c$smb_state$current_cmd);
+			}
+		}
+	}
+	
+event smb_ntlm_authenticate(c: connection, hdr: SMB1::Header, request: SMB::NTLMAuthenticate)
+	{
+	c$smb_state$current_cmd$sub_command = "NTLMSSP_AUTHENTICATE";
+
+	local user: string = "";
+	if ( ( request?$domain_name && request$domain_name != "" ) && ( request?$user_name && request$user_name != "" ) )
+		user = fmt("%s\\%s", request$domain_name, request$user_name);	
+	else if ( ( request?$workstation && request$workstation != "" ) && ( request?$user_name && request$user_name != "" ) )
+		user = fmt("%s\\%s", request$workstation, request$user_name);
+	else if ( request?$user_name && request$user_name != "" )
+		user = request$user_name;
+	else if ( request?$domain_name && request$domain_name != "" )
+		user = fmt("%s\\", request$domain_name);
+	else if ( request?$workstation && request$workstation != "" )
+		user = fmt("%s\\", request$workstation);
+
+	if ( user != "" )
+		{
+		c$smb_state$current_cmd$argument = user;
+		}
+	}
--- a/src/analyzer/protocol/smb/smb-ntlmssp.pac
+++ b/src/analyzer/protocol/smb/smb-ntlmssp.pac
@ -156,13 +156,13 @@ refine connection SMB_Conn += {
 		RecordVal* result = new RecordVal(BifType::Record::SMB::NTLMAuthenticate);
 		result->Assign(0, build_negotiate_flag_record(${val.flags}));

-		if ( ${val.flags.negotiate_oem_domain_supplied} )
+		if ( ${val.domain_name_fields.length} > 0 )
 			result->Assign(1, bytestring_to_val(${val.domain_name.string.data}));

 		if ( ${val.user_name_fields.length} > 0 )
 			result->Assign(2, bytestring_to_val(${val.user_name.string.data}));

-		if ( ${val.flags.negotiate_oem_workstation_supplied} )
+		if ( ${val.workstation_fields.length} > 0 )
 			result->Assign(3, bytestring_to_val(${val.workstation.string.data}));

 		if ( ${val.flags.negotiate_version} )
@ -298,9 +298,9 @@ type SMB_NTLM_Authenticate(header: SMB_Header, offset: uint16) = record {
 	payload			     		: bytestring &restofdata;
 } &let {
 	absolute_offset			: uint16 = offsetof(payload) + offset;
-	domain_name				: SMB_NTLM_String(domain_name_fields, absolute_offset, flags.negotiate_unicode) withinput payload &if(flags.negotiate_oem_domain_supplied);
+	domain_name				: SMB_NTLM_String(domain_name_fields, absolute_offset, flags.negotiate_unicode) withinput payload &if(domain_name_fields.length > 0);
 	user_name				: SMB_NTLM_String(user_name_fields, absolute_offset, flags.negotiate_unicode) withinput payload &if(user_name_fields.length > 0);
-	workstation				: SMB_NTLM_String(workstation_fields, absolute_offset , flags.negotiate_unicode) withinput payload &if(flags.negotiate_oem_workstation_supplied);
+	workstation				: SMB_NTLM_String(workstation_fields, absolute_offset , flags.negotiate_unicode) withinput payload &if(workstation_fields.length > 0);
 	encrypted_session_key	: SMB_NTLM_String(encrypted_session_key_fields, absolute_offset, flags.negotiate_unicode) withinput payload &if(flags.negotiate_key_exch);
 	proc					: bool = $context.connection.proc_smb_ntlm_authenticate(header, this);
 };
--- a/src/analyzer/protocol/smb/smb1-com-session-setup-andx.pac
+++ b/src/analyzer/protocol/smb/smb1-com-session-setup-andx.pac
@ -103,7 +103,7 @@ refine connection SMB_Conn += {
 					response->Assign(4, smb_string2stringval(${val.ntlm.primary_domain}));
 					//response->Assign(5, bytestring_to_val(${val.ntlm.security_blob}));
 					break;
-				case 0:		// Error!
+				default:		// Error!
 					break;
 				}
 			
--- a/src/analyzer/protocol/smb/smb1-protocol.pac
+++ b/src/analyzer/protocol/smb/smb1-protocol.pac
@ -68,7 +68,7 @@ refine connection SMB_Conn += {
 			{
 			BifEvent::generate_smb1_error(bro_analyzer(),
 			                              bro_analyzer()->Conn(),
-			                              BuildHeaderVal(h));
+			                              BuildHeaderVal(h), is_orig);
 			}
 		return true;
 		%}
--- a/src/analyzer/protocol/smb/smb1_events.bif
+++ b/src/analyzer/protocol/smb/smb1_events.bif
@ -25,5 +25,8 @@ event smb1_empty_response%(c: connection, hdr: SMB1::Header%);
 ## c: The connection.
 ##
 ## hdr: The parsed header of the SMB message.
-event smb1_error%(c: connection, hdr: SMB1::Header%);
+##
+## is_orig: True if the message was sent by the originator of the underlying
+##       transport-level connection.
+event smb1_error%(c: connection, hdr: SMB1::Header, is_orig: bool%);