From 462316acdf47e16c338ecafae0e1ce27e60c16be Mon Sep 17 00:00:00 2001
From: Seth Hall
Date: Thu, 3 Mar 2016 16:33:29 -0500
Subject: [PATCH] Prevent some extra smb logging of cmd messages.

---
 scripts/base/protocols/smb/smb1-main.bro | 16 +++++++++++-----
 scripts/base/protocols/smb/smb2-main.bro | 3 ++-
 2 files changed, 13 insertions(+), 6 deletions(-)

diff --git a/scripts/base/protocols/smb/smb1-main.bro b/scripts/base/protocols/smb/smb1-main.bro
index a21f9c24f1..b0d7ef58b5 100644
--- a/scripts/base/protocols/smb/smb1-main.bro
+++ b/scripts/base/protocols/smb/smb1-main.bro
@@ -107,7 +107,8 @@ event smb1_negotiate_response(c: connection, hdr: SMB1::Header, response: SMB1::
 
 event smb1_negotiate_response(c: connection, hdr: SMB1::Header, response: SMB1::NegotiateResponse) &priority=-5
  {
- if ( c$smb_state$current_cmd$status !in SMB::ignored_command_statuses )
+ if ( SMB::write_cmd_log &&
+ c$smb_state$current_cmd$status !in SMB::ignored_command_statuses )
  {
  Log::write(SMB::CMD_LOG, c$smb_state$current_cmd);
  }
@@ -136,7 +137,8 @@ event smb1_tree_connect_andx_response(c: connection, hdr: SMB1::Header, service:
  {
  Log::write(SMB::MAPPING_LOG, c$smb_state$current_tree);
 
- if ( c$smb_state$current_cmd$status !in SMB::ignored_command_statuses )
+ if ( SMB::write_cmd_log &&
+ c$smb_state$current_cmd$status !in SMB::ignored_command_statuses )
  {
  Log::write(SMB::CMD_LOG, c$smb_state$current_cmd);
  }
@@ -146,6 +148,7 @@ event smb1_nt_create_andx_request(c: connection, hdr: SMB1::Header, name: string
  {
  local tmp_file: SMB::FileInfo = [$ts=network_time(), $uid=c$uid, $id=c$id];
  c$smb_state$current_cmd$referenced_file = tmp_file;
+ c$smb_state$current_cmd$referenced_file$name = name;
  c$smb_state$current_cmd$referenced_file$action = SMB::FILE_OPEN;
  c$smb_state$current_file = c$smb_state$current_cmd$referenced_file;
 
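Review bot: The added guard still dereferences `c$smb_state$current_cmd$status` without an existence check; if `status` is declared `&optional` on the command record (its definition is not part of this patch), the `!in` test raises a runtime error on any command that never received a status, and `SMB::write_cmd_log` being true does nothing to prevent that. A guard of the form `if ( SMB::write_cmd_log && c$smb_state$current_cmd?$status && c$smb_state$current_cmd$status !in SMB::ignored_command_statuses )` would be safer, if the field is indeed optional. The same three-line condition is now repeated in the hunks at -136, -190, -267 and -284 of smb1-main.bro and at -87 of smb2-main.bro; folding it into one helper, e.g. `function SMB::should_log_cmd(c: connection): bool` (constructed name), would keep the logging policy in one place when the next knob is added. `SMB::write_cmd_log` is not defined in this patch, so it is presumably declared elsewhere in the SMB scripts; the helper would be the natural home for a comment explaining what it gates.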
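Review bot: In the -146 hunk the new `$name = name` assignment is a third separate field write on a record that was built by a constructor two lines earlier; the open request's fields would be clearer in one expression, `local tmp_file: SMB::FileInfo = [$ts=network_time(), $uid=c$uid, $id=c$id, $name=name, $action=SMB::FILE_OPEN];`, followed by the existing `referenced_file = tmp_file` assignment. Since `name` is the path supplied by the client in the request, a short comment such as `# name is the client-requested path, recorded on the open.` would make its provenance explicit for readers of the log. The body of smb1_nt_create_andx_request continues past the hunk.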
@@ -190,7 +193,8 @@ event smb1_read_andx_request(c: connection, hdr: SMB1::Header, file_id: count, o
 
 event smb1_read_andx_response(c: connection, hdr: SMB1::Header, data_len: count) &priority=5
  {
- if ( c$smb_state$current_cmd$status !in SMB::ignored_command_statuses )
+ if ( SMB::write_cmd_log &&
+ c$smb_state$current_cmd$status !in SMB::ignored_command_statuses )
  {
  Log::write(SMB::CMD_LOG, c$smb_state$current_cmd);
  }
@@ -267,7 +271,8 @@ event smb1_trans2_find_first2_request(c: connection, hdr: SMB1::Header, args: SM
 
 event smb1_session_setup_andx_response(c: connection, hdr: SMB1::Header, response: SMB1::SessionSetupAndXResponse) &priority=-5
  {
- if ( c$smb_state$current_cmd$status !in SMB::ignored_command_statuses )
+ if ( SMB::write_cmd_log &&
+ c$smb_state$current_cmd$status !in SMB::ignored_command_statuses )
  {
  Log::write(SMB::CMD_LOG, c$smb_state$current_cmd);
  }
@@ -284,7 +289,8 @@ event smb1_error(c: connection, hdr: SMB1::Header, is_orig: bool)
  {
  # This is for deferred commands only.
  # The more specific messages won't fire for errors
- if ( ( c$smb_state$current_cmd$status !in SMB::ignored_command_statuses ) &&
+ if ( SMB::write_cmd_log &&
+ ( c$smb_state$current_cmd$status !in SMB::ignored_command_statuses ) &&
  ( c$smb_state$current_cmd$command in SMB::deferred_logging_cmds ) )
  {
  Log::write(SMB::CMD_LOG, c$smb_state$current_cmd);
diff --git a/scripts/base/protocols/smb/smb2-main.bro b/scripts/base/protocols/smb/smb2-main.bro
index 60c3edf425..615c7c44b0 100644
--- a/scripts/base/protocols/smb/smb2-main.bro
+++ b/scripts/base/protocols/smb/smb2-main.bro
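Review bot: In the -284 hunk the `!in` clause keeps its own parentheses, `( c$smb_state$current_cmd$status !in SMB::ignored_command_statuses ) &&`, while the five other guards this patch rewrites drop them; since `&&` binds looser than `!in` they are redundant, and writing the clause the same way everywhere makes the six sites greppable as one pattern. The two existing comment lines above it explain the deferred-command case but not the new gate; extending the first one to `# This is for deferred commands only, and only when SMB::write_cmd_log is set.` would keep that documented next to the condition. smb1_error's body continues past the hunk.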
@@ -87,7 +87,8 @@ event smb2_negotiate_response(c: connection, hdr: SMB2::Header, response: SMB2::
 
 event smb2_negotiate_response(c: connection, hdr: SMB2::Header, response: SMB2::NegotiateResponse) &priority=5
  {
- if ( c$smb_state$current_cmd$status !in SMB::ignored_command_statuses )
+ if ( SMB::write_cmd_log &&
+ c$smb_state$current_cmd$status !in SMB::ignored_command_statuses )
  {
  Log::write(SMB::CMD_LOG, c$smb_state$current_cmd);
  }