From 328ab790252293c168cfcbc41ee37cc6bc60345e Mon Sep 17 00:00:00 2001
From: mauro
Date: Wed, 13 Feb 2019 18:03:17 +0100
Subject: [PATCH 1/2] fixing some missing log lines in smb_files.log
---
 aux/broker | 2 +-
 doc | 2 +-
 scripts/base/protocols/smb/files.bro | 2 ++
 src/3rdparty | 2 +-
 4 files changed, 5 insertions(+), 3 deletions(-)
diff --git a/aux/broker b/aux/broker
index bf734622dc..c7b1dfd38e 160000
--- a/aux/broker
+++ b/aux/broker
@@ -1 +1 @@
-Subproject commit bf734622dceaafaf7a481185efd22bd7cc805f9b
+Subproject commit c7b1dfd38ec6c42729f8c462eef6457a8dd948b6
diff --git a/doc b/doc
index 5acafa0d34..c0092fab7b 160000
--- a/doc
+++ b/doc
@@ -1 +1 @@
-Subproject commit 5acafa0d340a6f4096dccbe69b8fb62d7c9ce87f
+Subproject commit c0092fab7b28c029eddb6b9b654f6096d8e4456a
diff --git a/scripts/base/protocols/smb/files.bro b/scripts/base/protocols/smb/files.bro
index d01aa815a5..be30f0ea76 100644
--- a/scripts/base/protocols/smb/files.bro
+++ b/scripts/base/protocols/smb/files.bro
@@ -65,5 +65,7 @@ event file_over_new_connection(f: fa_file, c: connection, is_orig: bool) &priori
 
 if ( c$smb_state$current_file?$name )
 f$info$filename = c$smb_state$current_file$name;
+ write_file_log(c$smb_state);
+
 }
 }
diff --git a/src/3rdparty b/src/3rdparty
index 6e93c5546a..b822eeed58 160000
--- a/src/3rdparty
+++ b/src/3rdparty
@@ -1 +1 @@
-Subproject commit 6e93c5546a4770d513fb57213d7b29e39e12bf4d
+Subproject commit b822eeed58c4a1ee3781f1f8c8a19fd590dc4a04
From 84afafc5127df6832434a50d8894ae5b141f9ed3 Mon Sep 17 00:00:00 2001
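Review bot: The added `write_file_log(c$smb_state);` in file_over_new_connection appears to emit a second smb_files.log row for the same read or write rather than completing the existing one: the baseline added in the follow-up patch shows each FILE_READ for pythonfile and each FILE_WRITE for pythonfile2 logged twice with an identical timestamp, once with fuid `-` and once with the fuid set, and the rows with `-` presumably come from the pre-existing logging path. If the goal is to get the fuid onto the entry, the earlier write should be suppressed or the fuid filled in before it is written, otherwise consumers that count operations per file or join smb_files.log to files.log on fuid see doubled rows with one half unjoinable. The enclosing function starts outside the hunk, so the guard that makes `c$smb_state` safe to dereference here is not visible; the preceding context lines already dereference `c$smb_state$current_file`, so the new call presumably sits under the same check. The three submodule pointer moves (aux/broker, doc, src/3rdparty) in this same commit look unrelated to the fix and are probably stale checkouts; they would be better left out of it.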
From: mauro
Date: Thu, 14 Feb 2019 16:51:50 +0100
Subject: [PATCH 2/2] added test and pcap files for smb_files.log fix
---
 .../files.log | 11 +++++++++++
 .../smb_files.log | 16 ++++++++++++++++
 testing/btest/Traces/smb/smb2readwrite.pcap | Bin 0 -> 20770 bytes
 .../scripts/base/protocols/smb/smb2-fix.test | 9 +++++++++
 4 files changed, 36 insertions(+)
 create mode 100644 testing/btest/Baseline/scripts.base.protocols.smb.smb2-fix/files.log
 create mode 100644 testing/btest/Baseline/scripts.base.protocols.smb.smb2-fix/smb_files.log
 create mode 100644 testing/btest/Traces/smb/smb2readwrite.pcap
 create mode 100644 testing/btest/scripts/base/protocols/smb/smb2-fix.test
diff --git a/testing/btest/Baseline/scripts.base.protocols.smb.smb2-fix/files.log b/testing/btest/Baseline/scripts.base.protocols.smb.smb2-fix/files.log
new file mode 100644
index 0000000000..7704087a53
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.protocols.smb.smb2-fix/files.log
@@ -0,0 +1,11 @@
+#separator \x09
+#set_separator ,
+#empty_field (empty)
+#unset_field -
+#path files
+#open 2019-02-14-15-17-09
+#fields ts fuid tx_hosts rx_hosts conn_uids source depth analyzers mime_type filename duration local_orig is_orig seen_bytes total_bytes missing_bytes overflow_bytes timedout parent_fuid md5 sha1 sha256 extracted extracted_cutoff extracted_size
+#types time string set[addr] set[addr] set[string] string count set[string] string string interval bool bool count count count count bool string string string string string bool count
+1549644186.691869 FG403EpKSkh5CwCre 169.254.128.15 169.254.128.18 CHhAvVGS1DHFjwGM9 SMB 0 (empty) text/plain pythonfile 0.000000 - F 16 16 0 0 F - - - - - - -
+1549644186.699376 FLCGB5TxPTWKKeQf4 169.254.128.18 169.254.128.15 CHhAvVGS1DHFjwGM9 SMB 0 (empty) text/plain pythonfile2 0.000000 - T 7000 - 0 0 F - - - - - - -
+#close 2019-02-14-15-17-09
diff --git a/testing/btest/Baseline/scripts.base.protocols.smb.smb2-fix/smb_files.log b/testing/btest/Baseline/scripts.base.protocols.smb.smb2-fix/smb_files.log
new file mode 100644
index 0000000000..197ad14bca
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.protocols.smb.smb2-fix/smb_files.log
@@ -0,0 +1,16 @@
+#separator \x09
+#set_separator ,
+#empty_field (empty)
+#unset_field -
+#path smb_files
+#open 2019-02-14-15-17-09
+#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p fuid action path name size prev_name times.modified times.accessed times.created times.changed
+#types time string addr port addr port string enum string string count string time time time time
+1549644186.686127 CHhAvVGS1DHFjwGM9 169.254.128.18 49155 169.254.128.15 445 - SMB::FILE_OPEN - pythonfile 16 - 1549643138.282481 1549643183.156000 1549643138.280000 1549643138.282481
+1549644186.686127 CHhAvVGS1DHFjwGM9 169.254.128.18 49155 169.254.128.15 445 - SMB::FILE_READ - pythonfile 16 - 1549643138.282481 1549643183.156000 1549643138.280000 1549643138.282481
+1549644186.686127 CHhAvVGS1DHFjwGM9 169.254.128.18 49155 169.254.128.15 445 FG403EpKSkh5CwCre SMB::FILE_READ - pythonfile 16 - 1549643138.282481 1549643183.156000 1549643138.280000 1549643138.282481
+1549644186.692584 CHhAvVGS1DHFjwGM9 169.254.128.18 49155 169.254.128.15 445 - SMB::FILE_OPEN - pythonfile2 0 - 1549644186.688000 1549644186.688000 1549644186.688000 1549644186.688000
+1549644186.692584 CHhAvVGS1DHFjwGM9 169.254.128.18 49155 169.254.128.15 445 - SMB::FILE_WRITE - pythonfile2 0 - 1549644186.688000 1549644186.688000 1549644186.688000 1549644186.688000
+1549644186.692584 CHhAvVGS1DHFjwGM9 169.254.128.18 49155 169.254.128.15 445 FLCGB5TxPTWKKeQf4 SMB::FILE_WRITE - pythonfile2 0 - 1549644186.688000 1549644186.688000 1549644186.688000 1549644186.688000
+1549644187.702245 CHhAvVGS1DHFjwGM9 169.254.128.18 49155 169.254.128.15 445 - SMB::FILE_OPEN - 0 - 1549644186.688000 1549644187.700000 1549644186.688000 1549644186.688000
+#close 2019-02-14-15-17-09
diff --git a/testing/btest/Traces/smb/smb2readwrite.pcap b/testing/btest/Traces/smb/smb2readwrite.pcap new file mode 100644 index 0000000000000000000000000000000000000000..723dd58c258cef9e3d3d9c93c45978c2f99a3710 GIT binary patch literal 20770 zcmeHPd32Q36~7Z;fC)=bmIy%xDG-99Q3q?Ao=zweG>|wzA^`-$;z+;_=@4i@gy{j7 zDD6=cDq*K^+Jefy3SkH!5JeGC7HhSN)Osk}L5|kI^xiw)o0;#;%$Enq@t^PIyzhR? zeD~h>yZ0^Md-vt&?sZF(pgu%WeX!s~<=SD7-Cb^jJMe;XBk1~oBL|P2R*h-|F0iz; z<~qS|UHtUluljGn+&oavvcu)A9PV?hJ>gD;tGPp&=hs&U=Jj$iPk;s*r6&h9p~0&F zQ=YnQU?8ni7QZ1K9t3EdB;BLS3b+OQNb6xHjf*jtLrZuWX%Xg9m<(kw2F8OIJWv8p z!4q&V-cQGz!X-{c3efu@Z+|2)DHZRC-_gUo^6XLKN748D=ah`5`-E8gDK^MJWhe`* zLbxGfX`Wl1;IvL(NoWyjmK}k5gqF)YKi8ewG^y||=6_yBj7mpI6|uq4m=W=JY5U)r zokuOs)h8Ohi*)?+p=&{@e3U{*U^MBv$E>^e63rVFe2eJomNA+cpi<&VoMvm z6M1gObAinJXWP>wu+U3!5+S!}sts<%f>Mt0wFcI{>}wTzUz?xnbF4dvzIG*PB(psc zja-W6Yo++;eMMjE21ynwshng)#B*7mCI&uGm)F28m_^YTc?8kGXKY|Ycqq%x1+|`* z>|6)*&b98K%e$Z}J6BWYe@L%#sOnq`M2+Dg=n|#sgO|oxTJrS-7y-Y9k$9Yd)ouj% zu)+c8=KiOavf_q%E*w);^%j!q*-|1+$Gl=VI(dXao}>qPVHtwFf}0k!g|u&5PH zusSry8};}$z<$lw1Why&Zmj*DhnoHWY}i)2+5NxOyZ@qMpJU@Zcd7+ShcT~&ZS_$_ z_wNSr`#jl5RAHOX(={!+&k2}i?avz5N*ce18lNVOlg_iox~8RhRIB)rqQ-W7$BwMJ z&iL*mactk`_7{l?W00ojP*a26xhz6UFcrLNvt6KHQBzJlls;A2Ji z$i(l)qIRKo=qNjKOax2>Oax2>Oax2>Oax2>Oax2>Oax2>Oax2> zOax2>Oax2>Oax2>Oax2>Oa$sgfK~(_eZvMlahZ*B%&L33Cyf_8=ST~lGhE(nweFNA zpA=wd26375mJMiymvRi3sh;-C#Tl0igxv?xMRi@V1u}_VS0v3ktTtTG zy`447ku*ETLLro6%=tG@2L_D;l1a-@i0$T|xx8-| zae&fRQV^!f8VYl&YM3QTB?YhCHYtgNS_BorwZim%6i%hcT5q^;KA0EIi}X0ZUF36Y zUXBarSG|u?At=p9UW+#v20{&Cn~jUh3&XT4=Q5*&fl$X4ZI&nyio&!hHN;FPkH#Dw z2sIj`L?^&F4AmZwOYc1}P}__7=7nh!Vk|$b{d~D!B7pW&CJ078f~CsVOO=5>pUqa6#<6Vt?HOis9!$*z7*f% zbRDfuymni#6Lg;z>)J!R5tirPn!Sc%aeLbOGZoi@3I-abR!-PMdZfFYolk8XhMwae zr5E@J@cfdAW4EKc!1HNKtB{IoLE)v9+Ar5I_2aRvb|)1#e-vV-zdV=**~q&9_a_zL z^MP9V%6L#w2L15q0O*7J)q3Cnqa1T6`866?F!=W*A4a!*hUkgpA$%?9GVOO_7)S4g zhBM&@aZlcr^tcb@`%t<^`?X)A=g*DrxQXQd+O?eIi)%qSsF8n5hy(aBx1^Ig(tDEp zOx*bvjR3W=lma<(y6r%@f)2AJ_n>P*ZK0pxF(N;77Jd--q(+mUi`#U1MWHX`LVoSE 
zAF5F9w5rYrsQlWspb=lbHo5zya*HwxzjGEihioBv&6bTNy5LmkTF~ThX(DoO*Y1(u zWx|8-0Qyva^t&NZes@@sYlpkQ4!_|c?c^xrMfn4x_B!^Xd_gn6s^M!vBN#{Yh}a^m zWX#DyO^;Iaw(&3tH(`a6U(h;s1jdsq{4E9dWVm54evP|e5SHJe@gyR4_{H0ENzeUs zz~tZl)grFl=ZlkB6)`ET+DYr^}I}k2+3AUl7SaxA~;uRWG5OtpI^|b|Y_gmlE znS@ka3#y65Uq%P9HO6yw8+xh(jHpiQ@AxT5fCYUBdn6&=+#CwaY}@ z@k1+|#NLH?xZjJv5`8sxE&gWMzl!!mwGRz{qG%FnL}@!}I68gYNip98^rMKXN}nT8 z=uWY~Na2#)`}R6!INeZ8ycSEF7&KnEC7`g7)k-+s@TuZRAyq4#JZ7iTwmNP&-O!oF z2mU7d@j;*v#|M{r)VP&dC!B6j)i6ub@OlW9V(ke-oJTOumn55AMw@*^TQ4fku-t?= z|MMDgmPdZ1;mDJQICo*3lO>!#a(QXl@pji@6T=P&g*?;PNB>?)+` zvv zV2N2;%2A0mRj) z@eC|3W%(llCVJ8t#4HKKWiD?ZLj^=tjddV)n41iTP#wxK-+I;7(G22xJ&1t}1o0e! zm`yva0p^PSgD#T8Rt5N%B8b#ir9umk94|=YATh2IVWCA6oT zXQxB|E+eqV=cvx2Io;s{2mne8unuHAXSi3+!{+;UTwXXGxbH8_DB)hYFQUw6^shJU z2#6h7CE6=Tn$Ca0a4t224e<-TA*!=n-d*YO3=!HI88L*areQ;nO5bd3YGjBf*$}yU z@OGu6Au7la!&=qpN(NdNOL9{FEm8j=gceNyzG~XhQNCClg^(J66LrW zcM*$2Ii`_2<>^j_o?asvx&jS-h7DcEysRn`gHbxy((9NZAzN&IGUiMNjQIYO3@d@{Fz)5)%mlpegrvw zEJ_B~k9pOG^JjOGS4^I#_ln&vm$!Nwc|~3GXR4T(^Jk&?G;{teG@oY9pK)7*hsZoe z=uF&?PtEzW_6&?Ue`d~~8O@)m_MzcnsaD-+6wzRh;r!WH9-Y!Zmx%gIsNUvt)MV29 zS-}&c<`S<1xS}^3Z%~f;%A08&$0L$&;_||IoparpSHgLn(~2VnnromWk4Q+vPd+r9 f*XhBZ2le#hgPKg2cXw+ZHP$hIrmEqM%