Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-05 16:18:19 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

scripts/smb2-main: Reset script-level state upon smb2_discarded_messages_state()

Browse source 
This is similar to what the external corelight/zeek-smb-clear-state script
does, but leverages the smb2_discarded_messages_state() event instead of
regularly checking on the state of SMB connections.

The pcap was created using the dperson/samba container image and mounting
a share with Linux's CIFS filesystem, then copying the content of a
directory with 100 files. The test uses a BPF filter to imitate mostly
"half-duplex" traffic.
This commit is contained in:
Arne Welzel 2023-04-25 17:19:14 +02:00
parent 5caab1a667
commit 3ac877e20d
8 changed files with 89 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

1
scripts/base/frameworks/notice/weird.zeek
View file

@ -210,6 +210,7 @@ export {
["spontaneous_FIN"] = ACTION_IGNORE,
["spontaneous_RST"] = ACTION_IGNORE,
["SMB_parsing_error"] = ACTION_LOG,
["SMB_discarded_messages_state"] = ACTION_LOG,
["no_smb_session_using_parsesambamsg"] = ACTION_LOG,
["smb_andx_command_failed_to_parse"] = ACTION_LOG,
["smb_tree_connect_andx_response_without_tree"] = ACTION_LOG_PER_CONN,