Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-02 14:48:21 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 2

Add username tracking

Browse source
This commit is contained in:
Vlad Grigorescu 2014-10-08 17:23:20 -04:00
parent f38a580c8c
commit 10db1b552d
2 changed files with 46 additions and 6 deletions
Download patch file Download diff file Expand all files Collapse all files

14
scripts/base/protocols/smb/main.bro
View file

@ -95,9 +95,14 @@ export {
## Version of SMB for the command ## Version of SMB for the command
version : string &log; version : string &log;
## Authenticated username, if available
username : string &log &optional;
## If this is related to a tree, this is the tree ## If this is related to a tree, this is the tree
## that was used for the current command. ## that was used for the current command.
tree : string &log &optional; tree : string &log &optional;
## The type of tree (disk share, printer share, named pipe, etc.)
tree_service : string &log &optional;
## If the command referenced a file, store it here. ## If the command referenced a file, store it here.
referenced_file : FileInfo &optional; referenced_file : FileInfo &optional;
@ -116,11 +121,13 @@ export {
current_tree : TreeInfo &optional; current_tree : TreeInfo &optional;
## Indexed on MID to map responses to requests. ## Indexed on MID to map responses to requests.
pending_cmds : table[count] of CmdInfo &optional; pending_cmds: table[count] of CmdInfo &optional;
## File map to retrieve file information based on the file ID. ## File map to retrieve file information based on the file ID.
fid_map : table[count] of FileInfo &optional; fid_map : table[count] of FileInfo &optional;
## Tree map to retrieve tree information based on the tree ID. ## Tree map to retrieve tree information based on the tree ID.
tid_map : table[count] of TreeInfo &optional; tid_map : table[count] of TreeInfo &optional;
## User map to retrieve user name based on the user ID.
uid_map : table[count] of string &optional;
}; };
redef record connection += { redef record connection += {
@ -133,6 +140,7 @@ export {
const deferred_logging_cmds: set[string] = { const deferred_logging_cmds: set[string] = {
"NEGOTIATE", "NEGOTIATE",
"SESSION_SETUP_ANDX", "SESSION_SETUP_ANDX",
"TREE_CONNECT_ANDX",
}; };
## This is an internally used function. ## This is an internally used function.

38
scripts/base/protocols/smb/smb1-main.bro
View file

@ -12,22 +12,37 @@ event smb1_message(c: connection, hdr: SMB1::Header, is_orig: bool) &priority=5
local state: SMB::State; local state: SMB::State;
state$fid_map = table(); state$fid_map = table();
state$tid_map = table(); state$tid_map = table();
state$uid_map = table();
state$pending_cmds = table(); state$pending_cmds = table();
c$smb_state = state; c$smb_state = state;
} }
local smb_state = c$smb_state; local smb_state = c$smb_state;
local tid = hdr$tid; local tid = hdr$tid;
local pid = hdr$pid;
local uid = hdr$uid; local uid = hdr$uid;
local pid = hdr$pid;
local mid = hdr$mid; local mid = hdr$mid;
if ( uid in smb_state$uid_map )
{
smb_state$current_cmd$username = smb_state$uid_map[uid];
}
if ( tid !in smb_state$tid_map ) if ( tid !in smb_state$tid_map )
{ {
local tmp_tree: SMB::TreeInfo = [$uid=c$uid, $id=c$id]; local tmp_tree: SMB::TreeInfo = [$uid=c$uid, $id=c$id];
smb_state$tid_map[tid] = tmp_tree; smb_state$tid_map[tid] = tmp_tree;
} }
smb_state$current_tree = smb_state$tid_map[tid]; smb_state$current_tree = smb_state$tid_map[tid];
if ( smb_state$current_tree?$path )
{
smb_state$current_cmd$tree = smb_state$current_tree$path;
}
if ( smb_state$current_tree?$service )
{
smb_state$current_cmd$tree_service = smb_state$current_tree$service;
}
if ( mid !in smb_state$pending_cmds ) if ( mid !in smb_state$pending_cmds )
{ {
@ -106,7 +121,11 @@ event smb1_tree_connect_andx_request(c: connection, hdr: SMB1::Header, path: str
event smb1_tree_connect_andx_response(c: connection, hdr: SMB1::Header, service: string, native_file_system: string) &priority=5 event smb1_tree_connect_andx_response(c: connection, hdr: SMB1::Header, service: string, native_file_system: string) &priority=5
{ {
c$smb_state$current_cmd$referenced_tree$service = service;
c$smb_state$current_cmd$tree_service = service;
c$smb_state$current_cmd$referenced_tree$native_file_system = native_file_system; c$smb_state$current_cmd$referenced_tree$native_file_system = native_file_system;
c$smb_state$current_tree = c$smb_state$current_cmd$referenced_tree; c$smb_state$current_tree = c$smb_state$current_cmd$referenced_tree;
c$smb_state$tid_map[hdr$tid] = c$smb_state$current_tree; c$smb_state$tid_map[hdr$tid] = c$smb_state$current_tree;
} }
@ -114,6 +133,11 @@ event smb1_tree_connect_andx_response(c: connection, hdr: SMB1::Header, service:
event smb1_tree_connect_andx_response(c: connection, hdr: SMB1::Header, service: string, native_file_system: string) &priority=-5 event smb1_tree_connect_andx_response(c: connection, hdr: SMB1::Header, service: string, native_file_system: string) &priority=-5
{ {
Log::write(SMB::MAPPING_LOG, c$smb_state$current_tree); Log::write(SMB::MAPPING_LOG, c$smb_state$current_tree);
if ( c$smb_state$current_cmd$status !in SMB::ignored_command_statuses )
{
Log::write(SMB::CMD_LOG, c$smb_state$current_cmd);
}
} }
event smb1_nt_create_andx_request(c: connection, hdr: SMB1::Header, name: string) &priority=5 event smb1_nt_create_andx_request(c: connection, hdr: SMB1::Header, name: string) &priority=5
@ -201,6 +225,9 @@ event smb1_close_request(c: connection, hdr: SMB1::Header, file_id: count) &prio
# Need to check for existence of path in case tree connect message wasn't seen. # Need to check for existence of path in case tree connect message wasn't seen.
if ( c$smb_state$current_tree?$path ) if ( c$smb_state$current_tree?$path )
fl$path = c$smb_state$current_tree$path; fl$path = c$smb_state$current_tree$path;
c$smb_state$current_cmd$argument = fl$name;
delete c$smb_state$fid_map[file_id]; delete c$smb_state$fid_map[file_id];
SMB::write_file_log(fl); SMB::write_file_log(fl);
@ -269,10 +296,15 @@ event smb_ntlm_authenticate(c: connection, hdr: SMB1::Header, request: SMB::NTLM
else if ( request?$domain_name && request$domain_name != "" ) else if ( request?$domain_name && request$domain_name != "" )
user = fmt("%s\\", request$domain_name); user = fmt("%s\\", request$domain_name);
else if ( request?$workstation && request$workstation != "" ) else if ( request?$workstation && request$workstation != "" )
user = fmt("%s\\", request$workstation); user = fmt("%s", request$workstation);
if ( user != "" ) if ( user != "" )
{ {
c$smb_state$current_cmd$argument = user; c$smb_state$current_cmd$argument = user;
} }
if ( hdr$uid !in c$smb_state$uid_map )
{
c$smb_state$uid_map[hdr$uid] = user;
}
} }