mirror of
https://github.com/zeek/zeek.git
synced 2025-10-02 14:48:21 +00:00
Add username tracking
This commit is contained in:
Vlad Grigorescu
parent
f38a580c8c
commit
10db1b552d
2 changed files with 46 additions and 6 deletions
|
|
@ -95,9 +95,14 @@ export {
|
|||
## Version of SMB for the command
|
||||
version : string &log;
|
||||
|
||||
## Authenticated username, if available
|
||||
username : string &log &optional;
|
||||
|
||||
## If this is related to a tree, this is the tree
|
||||
## that was used for the current command.
|
||||
tree : string &log &optional;
|
||||
## The type of tree (disk share, printer share, named pipe, etc.)
|
||||
tree_service : string &log &optional;
|
||||
|
||||
## If the command referenced a file, store it here.
|
||||
referenced_file : FileInfo &optional;
|
||||
|
|
@ -116,11 +121,13 @@ export {
|
|||
current_tree : TreeInfo &optional;
|
||||
|
||||
## Indexed on MID to map responses to requests.
|
||||
pending_cmds : table[count] of CmdInfo &optional;
|
||||
pending_cmds: table[count] of CmdInfo &optional;
|
||||
## File map to retrieve file information based on the file ID.
|
||||
fid_map : table[count] of FileInfo &optional;
|
||||
## Tree map to retrieve tree information based on the tree ID.
|
||||
tid_map : table[count] of TreeInfo &optional;
|
||||
## User map to retrieve user name based on the user ID.
|
||||
uid_map : table[count] of string &optional;
|
||||
};
|
||||
|
||||
redef record connection += {
|
||||
|
|
@ -133,6 +140,7 @@ export {
|
|||
const deferred_logging_cmds: set[string] = {
|
||||
"NEGOTIATE",
|
||||
"SESSION_SETUP_ANDX",
|
||||
"TREE_CONNECT_ANDX",
|
||||
};
|
||||
|
||||
## This is an internally used function.
|
||||
|
|
|
|||
|
|
@ -12,22 +12,37 @@ event smb1_message(c: connection, hdr: SMB1::Header, is_orig: bool) &priority=5
|
|||
local state: SMB::State;
|
||||
state$fid_map = table();
|
||||
state$tid_map = table();
|
||||
state$uid_map = table();
|
||||
state$pending_cmds = table();
|
||||
c$smb_state = state;
|
||||
}
|
||||
|
||||
local smb_state = c$smb_state;
|
||||
local tid = hdr$tid;
|
||||
local pid = hdr$pid;
|
||||
local uid = hdr$uid;
|
||||
local pid = hdr$pid;
|
||||
local mid = hdr$mid;
|
||||
|
||||
if ( uid in smb_state$uid_map )
|
||||
{
|
||||
smb_state$current_cmd$username = smb_state$uid_map[uid];
|
||||
}
|
||||
|
||||
if ( tid !in smb_state$tid_map )
|
||||
{
|
||||
local tmp_tree: SMB::TreeInfo = [$uid=c$uid, $id=c$id];
|
||||
smb_state$tid_map[tid] = tmp_tree;
|
||||
}
|
||||
smb_state$current_tree = smb_state$tid_map[tid];
|
||||
if ( smb_state$current_tree?$path )
|
||||
{
|
||||
smb_state$current_cmd$tree = smb_state$current_tree$path;
|
||||
}
|
||||
|
||||
if ( smb_state$current_tree?$service )
|
||||
{
|
||||
smb_state$current_cmd$tree_service = smb_state$current_tree$service;
|
||||
}
|
||||
|
||||
if ( mid !in smb_state$pending_cmds )
|
||||
{
|
||||
|
|
@ -106,7 +121,11 @@ event smb1_tree_connect_andx_request(c: connection, hdr: SMB1::Header, path: str
|
|||
|
||||
event smb1_tree_connect_andx_response(c: connection, hdr: SMB1::Header, service: string, native_file_system: string) &priority=5
|
||||
{
|
||||
c$smb_state$current_cmd$referenced_tree$service = service;
|
||||
c$smb_state$current_cmd$tree_service = service;
|
||||
|
||||
c$smb_state$current_cmd$referenced_tree$native_file_system = native_file_system;
|
||||
|
||||
c$smb_state$current_tree = c$smb_state$current_cmd$referenced_tree;
|
||||
c$smb_state$tid_map[hdr$tid] = c$smb_state$current_tree;
|
||||
}
|
||||
|
|
@ -114,6 +133,11 @@ event smb1_tree_connect_andx_response(c: connection, hdr: SMB1::Header, service:
|
|||
event smb1_tree_connect_andx_response(c: connection, hdr: SMB1::Header, service: string, native_file_system: string) &priority=-5
|
||||
{
|
||||
Log::write(SMB::MAPPING_LOG, c$smb_state$current_tree);
|
||||
|
||||
if ( c$smb_state$current_cmd$status !in SMB::ignored_command_statuses )
|
||||
{
|
||||
Log::write(SMB::CMD_LOG, c$smb_state$current_cmd);
|
||||
}
|
||||
}
|
||||
|
||||
event smb1_nt_create_andx_request(c: connection, hdr: SMB1::Header, name: string) &priority=5
|
||||
|
|
@ -201,6 +225,9 @@ event smb1_close_request(c: connection, hdr: SMB1::Header, file_id: count) &prio
|
|||
# Need to check for existence of path in case tree connect message wasn't seen.
|
||||
if ( c$smb_state$current_tree?$path )
|
||||
fl$path = c$smb_state$current_tree$path;
|
||||
|
||||
c$smb_state$current_cmd$argument = fl$name;
|
||||
|
||||
delete c$smb_state$fid_map[file_id];
|
||||
|
||||
SMB::write_file_log(fl);
|
||||
|
|
@ -269,10 +296,15 @@ event smb_ntlm_authenticate(c: connection, hdr: SMB1::Header, request: SMB::NTLM
|
|||
else if ( request?$domain_name && request$domain_name != "" )
|
||||
user = fmt("%s\\", request$domain_name);
|
||||
else if ( request?$workstation && request$workstation != "" )
|
||||
user = fmt("%s\\", request$workstation);
|
||||
user = fmt("%s", request$workstation);
|
||||
|
||||
if ( user != "" )
|
||||
{
|
||||
c$smb_state$current_cmd$argument = user;
|
||||
}
|
||||
|
||||
if ( hdr$uid !in c$smb_state$uid_map )
|
||||
{
|
||||
c$smb_state$uid_map[hdr$uid] = user;
|
||||
}
|
||||
}
|
||||
Loading…
Add table
Add a link
Reference in a new issue