Fix a segfault, and add script-level support for some more commands.

This commit is contained in:
Vlad Grigorescu 2014-10-08 12:06:33 -04:00
parent e9c398a41c
commit 261f6e8c45
4 changed files with 97 additions and 4 deletions


@ -0,0 +1,79 @@
# Copyright (c) Broala LLC. All Rights Reserved. No use or distribution without permission.
refine connection SMB_Conn += {
function proc_smb1_open_andx_request(h: SMB_Header, val: SMB1_open_andx_request): bool
%{
if ( smb1_open_andx_request )
BifEvent::generate_smb1_open_andx_request(bro_analyzer(),
bro_analyzer()->Conn(),
BuildHeaderVal(h),
${val.flags},
${val.access_mode},
${val.search_attrs},
${val.file_attrs},
${val.creation_time},
${val.open_mode},
${val.allocation_size},
${val.timeout},
smb_string2stringval(${val.filename}));
return true;
%}
function proc_smb1_open_andx_response(h: SMB_Header, val: SMB1_open_andx_response): bool
%{
if ( smb1_open_andx_response )
BifEvent::generate_smb1_open_andx_response(bro_analyzer(),
bro_analyzer()->Conn(),
BuildHeaderVal(h),
${val.fid},
${val.file_attrs},
${val.last_write_time},
${val.file_data_size},
${val.access_rights},
${val.resource_type},
${val.nm_pipe_status},
${val.open_results});
return true;
%}
};
type SMB1_open_andx_request(header: SMB_Header) = record {
word_count : uint8;
andx : SMB_andx;
flags : uint16;
access_mode : uint16;
search_attrs : uint16;
file_attrs : uint16;
creation_time : uint32;
open_mode : uint16;
allocation_size : uint32;
timeout : uint32;
reserved : padding[2];
byte_count : uint16;
filename : SMB_string(header.unicode, offsetof(filename);
} &let {
proc : bool = $context.connection.proc_smb1_open_andx_request(header, this);
} &byteorder=littleendian;
type SMB1_open_andx_response(header: SMB_Header) = record {
word_count : uint8;
andx : SMB_andx;
fid : uint16;
file_attrs : uint16;
last_write_time : uint32;
file_data_size : uint32;
access_rights : uint16;
resource_type : uint16;
nm_pipe_status : uint16;
open_results : uint16;
reserved : padding[3];
byte_count : uint16;
} &let {
proc : bool = $context.connection.proc_smb1_open_andx_response(header, this);
} &byteorder=littleendian;
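Review bot: The `filename` field of `SMB1_open_andx_request` is missing a closing parenthesis — `SMB_string(header.unicode, offsetof(filename);` opens two parentheses and closes only one, so binpac should reject the new file as written; the line should read `filename : SMB_string(header.unicode, offsetof(filename));`. The reserved padding in both records also looks short: MS-CIFS gives SMB_COM_OPEN_ANDX a WordCount of 15 on both request and response, which leaves 4 reserved bytes in the request and 6 in the response after the fields declared here, so if `padding[N]` counts bytes these should be `reserved : padding[4];` and `reserved : padding[6];` — worth confirming against a capture, since a short skip shifts `byte_count` and `filename` and the generated events would carry misaligned values. Since `word_count` is parsed but never compared, a `&check(word_count == 15)` on both records would turn a layout mismatch into a parse error instead of silently misread fields.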


@ -27,7 +27,7 @@ type SMB1_transaction_data(header: SMB_Header, count: uint16, sub_cmd: uint16,
# SMB_MAILSLOT_LANMAN -> lanman : SMB_MailSlot_message(header.unicode, count);
# SMB_RAP -> rap : SMB_Pipe_message(header.unicode, count, sub_cmd);
SMB_PIPE -> pipe : SMB_Pipe_message(header.unicode, count, sub_cmd);
# SMB_UNKNOWN -> unknown : bytestring &restofdata;
SMB_UNKNOWN -> unknown : bytestring &restofdata;
# default -> data : bytestring &restofdata;
};
@ -83,7 +83,7 @@ type SMB1_transaction_response(header: SMB_Header) = record {
pad1 : padding to data_offset - SMB_Header_length;
handle_response : case $context.connection.isATSVC() of {
true -> pipe_data : SMB1_transaction_data(header, data_count, 0, SMB_PIPE);
# false -> unk_data : SMB1_transaction_data(header, data_count, 0, SMB_UNKNOWN);
false -> unk_data : SMB1_transaction_data(header, data_count, 0, SMB_UNKNOWN);
};
} &let {
proc : bool = $context.connection.proc_smb1_transaction_response(header, this);
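Review bot: Nothing in the hunk records why the `SMB_UNKNOWN` arm of `SMB1_transaction_data` had to be enabled even though the commit message calls this a segfault fix; presumably the `false -> unk_data` arm in `SMB1_transaction_response` passes `SMB_UNKNOWN` for non-ATSVC connections and previously selected a case value with no matching arm. A one-line comment on the arm, `# Needed by SMB1_transaction_response: non-ATSVC data is parsed as SMB_UNKNOWN.`, would stop the next reader from commenting it out again. The commented `# SMB_UNKNOWN` and `# false ->` lines appear to be the removed old versions, but the `# default -> data` arm and the other commented-out arms remain dead text next to the live ones and could be dropped or explained. Both `SMB1_transaction_data` and `SMB1_transaction_response` begin outside the hunk.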


@ -182,8 +182,14 @@ refine connection SMB_Conn += {
function proc_trans2_query_path_info_request(header: SMB_Header, val: trans2_query_path_info_request): bool
%{
// TODO: implement this.
//printf("trans2_query_path_info request!\n");
if ( smb1_trans2_query_path_info_request )
{
BifEvent::generate_smb1_trans2_query_path_info_request(bro_analyzer(), bro_analyzer()->Conn(), \
BuildHeaderVal(header), \
smb_string2stringval(${val.file_name}),\
${val.level_of_interest});
}
return true;
%}
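Review bot: The `// TODO: implement this.` and `//printf("trans2_query_path_info request!\n");` lines above the new `if ( smb1_trans2_query_path_info_request )` block are now stale — the function does generate the event — and should go out with the implementation rather than mislead the next reader. The trailing backslashes on the `BifEvent::generate_smb1_trans2_query_path_info_request(...)` argument lines are not needed inside a `%{ %}` body, which is emitted as ordinary C++ rather than a macro, and the `proc_smb1_open_andx_request` handlers added elsewhere in this commit do without them; dropping them keeps the two styles consistent. `refine connection SMB_Conn += {` begins outside the hunk, and the section may continue past this function.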