From 3e1133f3cf03c90783b55be6eae3b29c0c3b0442 Mon Sep 17 00:00:00 2001
From: Vlad Grigorescu
Date: Mon, 3 Oct 2016 17:22:05 -0500
Subject: [PATCH] Add descriptions for what the SMB1 events do, and references to the specification.

---
 scripts/base/init-bare.bro | 8 +++++
 .../protocol/smb/smb1_com_check_directory.bif | 10 ++++--
 src/analyzer/protocol/smb/smb1_com_close.bif | 5 ++-
 .../smb/smb1_com_create_directory.bif | 14 +++++---
 src/analyzer/protocol/smb/smb1_com_echo.bif | 9 +++--
 .../protocol/smb/smb1_com_logoff_andx.bif | 7 +++-
 .../protocol/smb/smb1_com_negotiate.bif | 11 ++++--
 .../protocol/smb/smb1_com_nt_cancel.bif | 5 ++-
 .../protocol/smb/smb1_com_nt_create_andx.bif | 11 ++++--
 .../protocol/smb/smb1_com_open_andx.bif | 9 +++--
 .../smb/smb1_com_query_information.bif | 8 +++--
 .../protocol/smb/smb1_com_read_andx.bif | 10 ++++--
 .../smb/smb1_com_session_setup_andx.bif | 8 +++--
 .../protocol/smb/smb1_com_transaction.bif | 8 +++--
 .../protocol/smb/smb1_com_transaction2.bif | 36 ++++++++++++++-----
 .../smb/smb1_com_tree_connect_andx.bif | 10 ++++--
 .../protocol/smb/smb1_com_tree_disconnect.bif | 5 ++-
 .../protocol/smb/smb1_com_write_andx.bif | 11 ++++--
 18 files changed, 147 insertions(+), 38 deletions(-)

diff --git a/scripts/base/init-bare.bro b/scripts/base/init-bare.bro
index ac560aa11d..1f15a3fe81 100644
--- a/scripts/base/init-bare.bro
+++ b/scripts/base/init-bare.bro
@@ -2519,10 +2519,18 @@ module SMB;
 export {
 ## MAC times for a file.
+ ##
+ ## For more information, see MS-SMB2:2.2.16
+ ##
+ ## .. bro:see:: smb1_nt_create_andx_response smb2_create_response
 type SMB::MACTimes: record {
+ ## The time when data was last written to the file.
 modified : time &log;
+ ## The time when the file was last accessed.
 accessed : time &log;
+ ## The time the file was created.
 created : time &log;
+ ## The time when the file was last modified.
 changed : time &log;
 } &log;
 }
 
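Review bot: The description added for `changed` ("The time when the file was last modified") reads as a synonym of the one added for `modified` ("The time when data was last written to the file"), so the distinction the record draws between the two fields is lost on the reader. If `changed` carries the protocol's ChangeTime (the CREATE response in MS-SMB2 2.2.16 distinguishes LastWriteTime from ChangeTime, the latter covering changes to the file's metadata such as attributes or size), the line should say so: `## The time when the file's metadata (attributes, size, etc.) was last changed.` It would also help log consumers to state once on the record that all four values are reported by the remote server and logged as received rather than observed on the wire, e.g. `## All four times are supplied by the server and logged as received.`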
diff --git a/src/analyzer/protocol/smb/smb1_com_check_directory.bif b/src/analyzer/protocol/smb/smb1_com_check_directory.bif
index 6ef32b3a4a..15feb3ad59 100644
--- a/src/analyzer/protocol/smb/smb1_com_check_directory.bif
+++ b/src/analyzer/protocol/smb/smb1_com_check_directory.bif
@@ -1,5 +1,8 @@
 ## Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
-## version 1 requests of type *check directory*.
+## version 1 requests of type *check directory*. This is used by the client to verify that
+## a specified path resolves to a valid directory on the server.
+##
+## For more information, see MS-CIFS:2.2.4.17
 ##
 ## c: The connection.
 ##
@@ -11,7 +14,10 @@ event smb1_check_directory_request%(c: connection, hdr: SMB1::Header, directory_name: string%);
 ## Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
-## version 1 responses of type *check directory*.
+## version 1 responses of type *check directory*. This is the server response to the
+## *check directory* request.
+##
+## For more information, see MS-CIFS:2.2.4.17
 ##
 ## c: The connection.
 ##
diff --git a/src/analyzer/protocol/smb/smb1_com_close.bif b/src/analyzer/protocol/smb/smb1_com_close.bif
index 795864268b..37958e1d19 100644
--- a/src/analyzer/protocol/smb/smb1_com_close.bif
+++ b/src/analyzer/protocol/smb/smb1_com_close.bif
@@ -1,5 +1,8 @@
 ## Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
-## version 1 requests of type *close*.
+## version 1 requests of type *close*. This is used by the client to close an instance of an object
+## associated with a valid file ID.
+##
+## For more information, see MS-CIFS:2.2.4.5
 ##
 ## c: The connection.
 ##
diff --git a/src/analyzer/protocol/smb/smb1_com_create_directory.bif b/src/analyzer/protocol/smb/smb1_com_create_directory.bif
index 1a06f45ab8..f5e29b467b 100644
--- a/src/analyzer/protocol/smb/smb1_com_create_directory.bif
+++ b/src/analyzer/protocol/smb/smb1_com_create_directory.bif
@@ -1,6 +1,9 @@
 ## Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
-## version 1 requests of type *create directory*. This is also a deprecated command which
-## has been replaced by the trans2_create_directory subcommand.
+## version 1 requests of type *create directory*. This is a deprecated command which
+## has been replaced by the *trans2_create_directory* subcommand. This is used by the client to
+## create a new directory on the server, relative to a connected share.
+##
+## For more information, see MS-CIFS:2.2.4.1
 ##
 ## c: The connection.
 ##
@@ -12,8 +15,11 @@ event smb1_create_directory_request%(c: connection, hdr: SMB1::Header, directory_name: string%);
 ## Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
-## version 1 responses of type *create directory*. This is also a deprecated command which
-## has been replaced by the trans2_create_directory subcommand.
+## version 1 responses of type *create directory*. This is a deprecated command which
+## has been replaced by the *trans2_create_directory* subcommand. This is the server response
+## to the *create directory* request.
+##
+## For more information, see MS-CIFS:2.2.4.1
 ##
 ## c: The connection.
 ##
diff --git a/src/analyzer/protocol/smb/smb1_com_echo.bif b/src/analyzer/protocol/smb/smb1_com_echo.bif
index a811b4a01b..5b255af371 100644
--- a/src/analyzer/protocol/smb/smb1_com_echo.bif
+++ b/src/analyzer/protocol/smb/smb1_com_echo.bif
@@ -1,5 +1,8 @@
 ## Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
-## version 1 requests of type *echo*.
+## version 1 requests of type *echo*. This is sent by the client to test the transport layer
+## connection with the server.
+##
+## For more information, see MS-CIFS:2.2.4.39
 ##
 ## c: The connection.
 ##
@@ -13,7 +16,9 @@ event smb1_echo_request%(c: connection, echo_count: count, data: string%);
 ## Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
-## version 1 responses of type *echo*.
+## version 1 responses of type *echo*. This is the server response to the *echo* request.
+##
+## For more information, see MS-CIFS:2.2.4.39
 ##
 ## c: The connection.
 ##
diff --git a/src/analyzer/protocol/smb/smb1_com_logoff_andx.bif b/src/analyzer/protocol/smb/smb1_com_logoff_andx.bif
index 5992fecd12..88b5016328 100644
--- a/src/analyzer/protocol/smb/smb1_com_logoff_andx.bif
+++ b/src/analyzer/protocol/smb/smb1_com_logoff_andx.bif
@@ -1,5 +1,10 @@
 ## Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
-## version 1 requests of type *logoff andx*.
+## version 1 requests of type *logoff andx*. This is used by the client to logoff the user
+## connection represented by UID in the SMB Header. The server releases all locks and closes
+## all files currently open by this user, disconnects all tree connects, cancels any outstanding
+## requests for this UID, and invalidates the UID.
+##
+## For more information, see MS-CIFS:2.2.4.54
 ##
 ## c: The connection.
 ##
diff --git a/src/analyzer/protocol/smb/smb1_com_negotiate.bif b/src/analyzer/protocol/smb/smb1_com_negotiate.bif
index 89f94167fe..fdb2201c1f 100644
--- a/src/analyzer/protocol/smb/smb1_com_negotiate.bif
+++ b/src/analyzer/protocol/smb/smb1_com_negotiate.bif
@@ -1,5 +1,9 @@
 ## Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
-## version 1 requests of type *negotiate*.
+## version 1 requests of type *negotiate*. This is sent by the client to initiate an SMB
+## connection between the client and the server. A *negotiate* exchange MUST be completed
+## before any other SMB messages are sent to the server.
+##
+## For more information, see MS-CIFS:2.2.4.52
 ##
 ## c: The connection.
 ##
@@ -11,7 +15,10 @@ event smb1_negotiate_request%(c: connection, hdr: SMB1::Header, dialects: string_vec%);
 ## Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
-## version 1 responses of type *negotiate*.
+## version 1 responses of type *negotiate*. This is the server response to the *negotiate*
+## request.
+##
+## For more information, see MS-CIFS:2.2.4.52
 ##
 ## c: The connection.
 ##
diff --git a/src/analyzer/protocol/smb/smb1_com_nt_cancel.bif b/src/analyzer/protocol/smb/smb1_com_nt_cancel.bif
index 212bb473a4..f04fc839ec 100644
--- a/src/analyzer/protocol/smb/smb1_com_nt_cancel.bif
+++ b/src/analyzer/protocol/smb/smb1_com_nt_cancel.bif
@@ -1,5 +1,8 @@
 ## Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
-## version 1 requests of type *nt cancel*.
+## version 1 requests of type *nt cancel*. This is sent by the client to request that a currently
+## pending request be cancelled.
+##
+## For more information, see MS-CIFS:2.2.4.65
 ##
 ## c: The connection.
 ##
diff --git a/src/analyzer/protocol/smb/smb1_com_nt_create_andx.bif b/src/analyzer/protocol/smb/smb1_com_nt_create_andx.bif
index c0b65c1191..f8008e878b 100644
--- a/src/analyzer/protocol/smb/smb1_com_nt_create_andx.bif
+++ b/src/analyzer/protocol/smb/smb1_com_nt_create_andx.bif
@@ -1,5 +1,9 @@
 ## Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
-## version 1 requests of type *nt create andx*.
+## version 1 requests of type *nt create andx*. This is sent by the client to create and open
+## a new file, or to open an existing file, or to open and truncate an existing file to zero
+## length, or to create a directory, or to create a connection to a named pipe.
+##
+## For more information, see MS-CIFS:2.2.4.64
 ##
 ## c: The connection.
 ##
@@ -11,7 +15,10 @@ event smb1_nt_create_andx_request%(c: connection, hdr: SMB1::Header, file_name: string%);
 ## Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
-## version 1 responses of type *nt create andx*.
+## version 1 responses of type *nt create andx*. This is the server response to the
+## *nt create andx* request.
+##
+## For more information, see MS-CIFS:2.2.4.64
 ##
 ## c: The connection.
 ##
diff --git a/src/analyzer/protocol/smb/smb1_com_open_andx.bif b/src/analyzer/protocol/smb/smb1_com_open_andx.bif
index 0ac164fbeb..1ce418e33a 100644
--- a/src/analyzer/protocol/smb/smb1_com_open_andx.bif
+++ b/src/analyzer/protocol/smb/smb1_com_open_andx.bif
@@ -1,5 +1,8 @@
 ## Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
-## version 1 requests of type *open andx*.
+## version 1 requests of type *open andx*. This is sent by the client to create and open a new
+## file or open an existing regular file and chain additional messages along with the request.
+##
+## For more information, see MS-CIFS:2.2.4.41
 ##
 ## c: The connection.
 ##
@@ -23,7 +26,9 @@ event smb1_open_andx_request%(c: connection, hdr: SMB1::Header, file_id: count, offset: count, length: count%);
 ## Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
-## version 1 responses of type *open andx*.
+## version 1 responses of type *open andx*. This is the server response to the *open andx* request.
+##
+## For more information, see MS-CIFS:2.2.4.41
 ##
 ## c: The connection.
 ##
diff --git a/src/analyzer/protocol/smb/smb1_com_query_information.bif b/src/analyzer/protocol/smb/smb1_com_query_information.bif
index 5877f4ea5b..64a5150dc9 100644
--- a/src/analyzer/protocol/smb/smb1_com_query_information.bif
+++ b/src/analyzer/protocol/smb/smb1_com_query_information.bif
@@ -1,5 +1,9 @@
 ## Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
-## version 1 requests of type *query information*.
+## version 1 requests of type *query information*. This is a deprecated command which
+## has been replaced by the *trans2_query_path_information* subcommand. This is used by the
+## client to obtain attribute information about a file.
+##
+## For more information, see MS-CIFS:2.2.4.9
 ##
 ## c: The connection.
 ##
@@ -7,6 +11,6 @@
 ##
 ## filename: The filename that the client is querying.
 ##
-## .. bro:see:: smb1_message
+## .. bro:see:: smb1_message smb1_transaction2_request
 event smb1_query_information_request%(c: connection, hdr: SMB1::Header, filename: string%);
diff --git a/src/analyzer/protocol/smb/smb1_com_read_andx.bif b/src/analyzer/protocol/smb/smb1_com_read_andx.bif
index 2b1a561c0f..73cacf0a65 100644
--- a/src/analyzer/protocol/smb/smb1_com_read_andx.bif
+++ b/src/analyzer/protocol/smb/smb1_com_read_andx.bif
@@ -1,5 +1,9 @@
 ## Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
-## version 1 requests of type *read andx*.
+## version 1 requests of type *read andx*. This is sent by the client to read bytes from a regular
+## file, a named pipe, or a directly accessible device such as a serial port (COM) or printer
+## port (LPT).
+##
+## For more information, see MS-CIFS:2.2.4.42
 ##
 ## c: The connection.
 ##
@@ -15,7 +19,9 @@ event smb1_read_andx_request%(c: connection, hdr: SMB1::Header, file_id: count, offset: count, length: count%);
 ## Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
-## version 1 responses of type *read andx*.
+## version 1 responses of type *read andx*. This is the server response to the *read andx* request.
+##
+## For more information, see MS-CIFS:2.2.4.42
 ##
 ## c: The connection.
 ##
diff --git a/src/analyzer/protocol/smb/smb1_com_session_setup_andx.bif b/src/analyzer/protocol/smb/smb1_com_session_setup_andx.bif
index 70cd1c98ed..7971a4977c 100644
--- a/src/analyzer/protocol/smb/smb1_com_session_setup_andx.bif
+++ b/src/analyzer/protocol/smb/smb1_com_session_setup_andx.bif
@@ -1,5 +1,7 @@
 ## Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
-## version 1 requests of type *setup andx*.
+## version 1 requests of type *setup andx*. This is sent by the client to configure an SMB session.
+##
+## For more information, see MS-CIFS:2.2.4.53
 ##
 ## c: The connection.
 ##
@@ -11,7 +13,9 @@ event smb1_session_setup_andx_request%(c: connection, hdr: SMB1::Header, request: SMB1::SessionSetupAndXRequest%);
 ## Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
-## version 1 responses of type *setup andx*.
+## version 1 responses of type *setup andx*. This is the server response to the *setup andx* request.
+##
+## For more information, see MS-CIFS:2.2.4.53
 ##
 ## c: The connection.
 ##
diff --git a/src/analyzer/protocol/smb/smb1_com_transaction.bif b/src/analyzer/protocol/smb/smb1_com_transaction.bif
index 68d7c2b0f8..8811cc3e92 100644
--- a/src/analyzer/protocol/smb/smb1_com_transaction.bif
+++ b/src/analyzer/protocol/smb/smb1_com_transaction.bif
@@ -1,5 +1,9 @@
 ## Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
-## version 1 requests of type *transaction*.
+## version 1 requests of type *transaction*. This command serves as the transport for the
+## Transaction Subprotocol Commands. These commands operate on mailslots and named pipes,
+## which are interprocess communication endpoints within the CIFS file system.
+##
+## For more information, see MS-CIFS:2.2.4.33
 ##
 ## c: The connection.
 ##
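Review bot: Both hunks in smb1_com_session_setup_andx.bif keep *setup andx* as the command name, while the events they document are smb1_session_setup_andx_request and its response and the section the hunks cite covers the session-setup command; a reader searching the docs for "session setup" will not find these entries. The request line should read `## version 1 requests of type *session setup andx*. This is sent by the client to configure an SMB session.` and the response line `## version 1 responses of type *session setup andx*. This is the server response to the *session setup andx* request.` Since this commit already rewrites both lines, fixing the name here avoids a second touch on the same text.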
@@ -10,5 +14,5 @@
 ##
 ## sub_cmd: The sub command, some may be parsed and have their own events.
 ##
-## .. bro:see:: smb1_message
+## .. bro:see:: smb1_message smb1_transaction2_request
 event smb1_transaction_request%(c: connection, hdr: SMB1::Header, name: string, sub_cmd: count%);
diff --git a/src/analyzer/protocol/smb/smb1_com_transaction2.bif b/src/analyzer/protocol/smb/smb1_com_transaction2.bif
index a7ebcd7c0a..0daf5fcdd9 100644
--- a/src/analyzer/protocol/smb/smb1_com_transaction2.bif
+++ b/src/analyzer/protocol/smb/smb1_com_transaction2.bif
@@ -1,6 +1,13 @@
 ### Requests
 ## Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
-## version 1 requests of type *transaction2*.
+## version 1 requests of type *transaction2*. This command serves as the transport for the
+## Transaction2 Subprotocol Commands. These commands operate on mailslots and named pipes,
+## which are interprocess communication endpoints within the CIFS file system. Compared to the
+## Transaction Subprotocol Commands, these commands allow clients to set and retrieve Extended
+## Attribute key/value pairs, make use of long file names (longer than the original 8.3 format
+## names), and perform directory searches, among other tasks.
+##
+## For more information, see MS-CIFS:2.2.4.46
 ##
 ## c: The connection.
 ##
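Review bot: The second sentence of the new *transaction2* description, "These commands operate on mailslots and named pipes, which are interprocess communication endpoints within the CIFS file system.", is the same sentence the *transaction* hunk in smb1_com_transaction.bif adds for the Transaction Subprotocol, and it sits oddly next to the following sentence, which describes Transaction2 as file-system work (extended attributes, long names, directory searches). As far as I recall, the cited MS-CIFS section characterizes Transaction2 subcommands as providing richer server-side file-system semantics rather than as a mailslot/named-pipe transport; please double-check against the spec. If that reading holds, replacing the sentence with `## Transaction2 Subprotocol Commands, which provide a richer set of server-side file system semantics.` and continuing with the existing "Compared to the Transaction Subprotocol Commands..." text keeps the paragraph consistent.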
@@ -8,11 +15,15 @@
 ##
 ## sub_cmd: The sub command, some are parsed and have their own events.
 ##
-## .. bro:see:: smb1_message smb1_trans2_find_first2_request smb1_trans2_query_path_info_request smb1_trans2_get_dfs_referral_request
+## .. bro:see:: smb1_message smb1_trans2_find_first2_request smb1_trans2_query_path_info_request
+## smb1_trans2_get_dfs_referral_request smb1_transaction_request
 event smb1_transaction2_request%(c: connection, hdr: SMB1::Header, sub_cmd: count%);
 ## Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
-## version 1 requests of type *find first2*.
+## version 1 *transaction2* requests of subtype *find first2*. This transaction is used to begin
+## a search for file(s) within a directory or for a directory
+##
+## For more information, see MS-CIFS:2.2.6.2
 ##
 ## c: The connection.
 ##
@@ -20,11 +31,15 @@ event smb1_transaction2_request%(c: connection, hdr: SMB1::Header, sub_cmd: coun
 ##
 ## args: A record data structure with arguments given to the command.
 ##
-## .. bro:see:: smb1_message smb1_transaction2_request smb1_trans2_query_path_info_request smb1_trans2_get_dfs_referral_request
+## .. bro:see:: smb1_message smb1_transaction2_request smb1_trans2_query_path_info_request
+## smb1_trans2_get_dfs_referral_request
 event smb1_trans2_find_first2_request%(c: connection, hdr: SMB1::Header, args: SMB1::Find_First2_Request_Args%);
 ## Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
-## version 1 requests of type *query path info*.
+## version 1 *transaction2* requests of subtype *query path info*. This transaction is used to
+## get information about a specific file or directory.
+##
+## For more information, see MS-CIFS:2.2.6.6
 ##
 ## c: The connection.
 ##
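Review bot: The new *find first2* description in the first hunk on this line stops without a period: `## a search for file(s) within a directory or for a directory` should end as `## a search for file(s) within a directory or for a directory.` Every other subtype description added in this file closes its sentence before the "For more information" line, so this one reads as unfinished in the rendered docs.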
@@ -32,11 +47,15 @@ event smb1_trans2_find_first2_request%(c: connection, hdr: SMB1::Header, args: S
 ##
 ## file_name: File name the request is in reference to.
 ##
-## .. bro:see:: smb1_message smb1_transaction2_request smb1_trans2_find_first2_request smb1_trans2_get_dfs_referral_request
+## .. bro:see:: smb1_message smb1_transaction2_request smb1_trans2_find_first2_request
+## smb1_trans2_get_dfs_referral_request
 event smb1_trans2_query_path_info_request%(c: connection, hdr: SMB1::Header, file_name: string%);
 ## Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
-## version 1 requests of type *get DFS referral*.
+## version 1 *transaction2* requests of subtype *get DFS referral*. This transaction is used
+## to request a referral for a disk object in DFS.
+##
+## For more information, see MS-CIFS:2.2.6.16
 ##
 ## c: The connection.
 ##
@@ -44,7 +63,8 @@ event smb1_trans2_query_path_info_request%(c: connection, hdr: SMB1::Header, fil
 ##
 ## file_name: File name the request is in reference to.
 ##
-## .. bro:see:: smb1_message smb1_transaction2_request smb1_trans2_find_first2_request smb1_trans2_query_path_info_request
+## .. bro:see:: smb1_message smb1_transaction2_request smb1_trans2_find_first2_request
+## smb1_trans2_query_path_info_request
 event smb1_trans2_get_dfs_referral_request%(c: connection, hdr: SMB1::Header, file_name: string%);
 # TODO - This is implemented, but not being generated right now
diff --git a/src/analyzer/protocol/smb/smb1_com_tree_connect_andx.bif b/src/analyzer/protocol/smb/smb1_com_tree_connect_andx.bif
index 32691d101d..16aeb2bbb6 100644
--- a/src/analyzer/protocol/smb/smb1_com_tree_connect_andx.bif
+++ b/src/analyzer/protocol/smb/smb1_com_tree_connect_andx.bif
@@ -1,5 +1,8 @@
 ## Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
-## version 1 requests of type *tree connect andx*.
+## version 1 requests of type *tree connect andx*. This is sent by the client to establish a
+## connection to a server share.
+##
+## For more information, see MS-CIFS:2.2.4.55
 ##
 ## c: The connection.
 ##
@@ -13,7 +16,10 @@ event smb1_tree_connect_andx_request%(c: connection, hdr: SMB1::Header, path: string, service: string%);
 ## Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
-## version 1 responses of type *tree connect andx*.
+## version 1 responses of type *tree connect andx*. This is the server reply to the *tree connect andx*
+## request.
+##
+## For more information, see MS-CIFS:2.2.4.55
 ##
 ## c: The connection.
 ##
diff --git a/src/analyzer/protocol/smb/smb1_com_tree_disconnect.bif b/src/analyzer/protocol/smb/smb1_com_tree_disconnect.bif
index 9ff62bc77d..493ee66238 100644
--- a/src/analyzer/protocol/smb/smb1_com_tree_disconnect.bif
+++ b/src/analyzer/protocol/smb/smb1_com_tree_disconnect.bif
@@ -1,5 +1,8 @@
 ## Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
-## version 1 requests of type *tree disconnect*.
+## version 1 requests of type *tree disconnect*. This is sent by the client to logically disconnect
+## client access to a server resource.
+##
+## For more information, see MS-CIFS:2.2.4.51
 ##
 ## c: The connection.
 ##
diff --git a/src/analyzer/protocol/smb/smb1_com_write_andx.bif b/src/analyzer/protocol/smb/smb1_com_write_andx.bif
index 05bbcd5988..d30c8af2ba 100644
--- a/src/analyzer/protocol/smb/smb1_com_write_andx.bif
+++ b/src/analyzer/protocol/smb/smb1_com_write_andx.bif
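Review bot: The *tree connect andx* response hunk says "This is the server reply to the *tree connect andx* request" while every other response description in this series (echo, negotiate, nt create andx, open andx, read andx, session setup, write andx) uses "server response"; a single divergent phrasing is a small inconsistency in generated docs that are otherwise uniform. Changing the line to `## version 1 responses of type *tree connect andx*. This is the server response to the *tree connect andx*` keeps the wording aligned. The response event's docstring and declaration continue outside the hunk.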
@@ -1,5 +1,9 @@
 ## Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
-## version 1 requests of type *write andx*.
+## version 1 requests of type *write andx*. This is sent by the client to write bytes to a
+## regular file, a named pipe, or a directly accessible I/O device such as a serial port (COM)
+## or printer port (LPT).
+##
+## For more information, see MS-CIFS:2.2.4.43
 ##
 ## c: The connection.
 ##
@@ -13,7 +17,10 @@ event smb1_write_andx_request%(c: connection, hdr: SMB1::Header, file_id: count, offset: count, data_len: count%);
 ## Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
-## version 1 responses of type *write andx*.
+## version 1 responses of type *write andx*. This is the server response to the *write andx*
+## request.
+##
+## For more information, see MS-CIFS:2.2.4.43
 ##
 ## c: The connection.
 ##