Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-11 02:58:20 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 3

Merge remote-tracking branch 'origin/master' into topic/dnthayer/ticket1963

Browse source
This commit is contained in:
Daniel Thayer 2018-08-17 14:11:47 -05:00
commit 1a4629b0dc
90 changed files with 851 additions and 777 deletions
Download patch file Download diff file Expand all files Collapse all files

82
scripts/policy/protocols/smb/log-cmds.bro Normal file
View file

@ -0,0 +1,82 @@
##! Load this script to generate an SMB command log, smb_cmd.log.
##! This is primarily useful for debugging.
@load base/protocols/smb
module SMB;
export {
redef enum Log::ID += {
CMD_LOG,
};
## The server response statuses which are *not* logged.
option ignored_command_statuses: set[string] = {
"MORE_PROCESSING_REQUIRED",
};
}
## Internal use only.
## Some commands shouldn't be logged by the smb1_message event.
const deferred_logging_cmds: set[string] = {
"NEGOTIATE",
"READ_ANDX",
"SESSION_SETUP_ANDX",
"TREE_CONNECT_ANDX",
};
event bro_init() &priority=5
{
Log::create_stream(SMB::CMD_LOG, [$columns=SMB::CmdInfo, $path="smb_cmd"]);
}
event smb1_message(c: connection, hdr: SMB1::Header, is_orig: bool) &priority=-5
{
if ( is_orig )
return;
if ( c$smb_state$current_cmd$status in SMB::ignored_command_statuses )
return;
if ( c$smb_state$current_cmd$command in SMB::deferred_logging_cmds )
return;
Log::write(SMB::CMD_LOG, c$smb_state$current_cmd);
}
event smb1_error(c: connection, hdr: SMB1::Header, is_orig: bool)
{
if ( is_orig )
return;
# This is for deferred commands only.
# The more specific messages won't fire for errors
if ( c$smb_state$current_cmd$status in SMB::ignored_command_statuses )
return;
if ( c$smb_state$current_cmd$command !in SMB::deferred_logging_cmds )
return;
Log::write(SMB::CMD_LOG, c$smb_state$current_cmd);
}
event smb2_message(c: connection, hdr: SMB2::Header, is_orig: bool) &priority=-5
{
if ( is_orig )
return;
# If the command that is being looked at right now was
# marked as PENDING, then we'll skip all of this and wait
# for a reply that isn't marked pending.
if ( c$smb_state$current_cmd$status == "PENDING" )
return;
if ( c$smb_state$current_cmd$status in SMB::ignored_command_statuses )
return;
if ( c$smb_state$current_cmd$command in SMB::deferred_logging_cmds )
return;
Log::write(SMB::CMD_LOG, c$smb_state$current_cmd);
}