From f2c3a9495d616659097bc980324d5ef6582cb21a Mon Sep 17 00:00:00 2001 From: Jeffrey Bencteux Date: Wed, 17 May 2017 11:10:49 +0200 Subject: [PATCH 01/11] add SMB_Parameters.Words to smb1_transaction2_request event expose the fields contained in SMB_Parameters.Words of the SMB_COM_TRANSACTION2 (0x32) message to the script language. See MS-CIFS section 2.2.46.1. --- scripts/base/init-bare.bro | 27 +++++++++++++++++++ scripts/policy/protocols/smb/smb1-main.bro | 2 +- .../protocol/smb/smb1-com-transaction2.pac | 15 ++++++++++- .../protocol/smb/smb1_com_transaction2.bif | 8 +++--- 4 files changed, 46 insertions(+), 6 deletions(-) diff --git a/scripts/base/init-bare.bro b/scripts/base/init-bare.bro index f2ea2ed29a..e63f9f7853 100644 --- a/scripts/base/init-bare.bro +++ b/scripts/base/init-bare.bro @@ -2834,6 +2834,33 @@ export { security_blob : string &optional; }; + type SMB1::Trans2_Args: record { + ## Total parameter count + total_param_count: count; + ## Total data count + total_data_count: count; + ## Max parameter count + max_param_count: count; + ## Max data count + max_data_count: count; + ## Max setup count + max_setup_count: count; + ## Flags + flags: count; + ## Timeout + trans_timeout: count; + ## Parameter count + param_count: count; + ## Parameter offset + param_offset: count; + ## Data count + data_count: count; + ## Data offset + data_offset: count; + ## Setup count + setup_count: count; + }; + type SMB1::Find_First2_Request_Args: record { ## File attributes to apply as a constraint to the search search_attrs : count; diff --git a/scripts/policy/protocols/smb/smb1-main.bro b/scripts/policy/protocols/smb/smb1-main.bro index 853d83b01f..db817ca4a3 100644 --- a/scripts/policy/protocols/smb/smb1-main.bro +++ b/scripts/policy/protocols/smb/smb1-main.bro 
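Review bot: The new `SMB1::Trans2_Args` record documents `flags` and `trans_timeout` only by repeating their names, which gives a script author nothing to act on. Per the section the commit cites (written as 2.2.46.1, presumably a typo for MS-CIFS 2.2.4.46.1), Flags carries the DISCONNECT_TID (bit 0) and NO_RESPONSE (bit 1) bits and Timeout is a millisecond value; worth confirming against the spec and then writing `## Flags: bit 0 DISCONNECT_TID, bit 1 NO_RESPONSE (MS-CIFS 2.2.4.46.1)` and `## Time the server should wait for the transaction, in milliseconds`. The remaining fields mirror the wire names and are fine as they are.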
@@ -82,7 +82,7 @@ event smb1_message(c: connection, hdr: SMB1::Header, is_orig: bool) &priority=-5
 	}
-event smb1_transaction2_request(c: connection, hdr: SMB1::Header, sub_cmd: count)
+event smb1_transaction2_request(c: connection, hdr: SMB1::Header, args: SMB1::Trans2_Args, sub_cmd: count)
 	{
 	c$smb_state$current_cmd$sub_command = SMB1::trans2_sub_commands[sub_cmd];
 	}
diff --git a/src/analyzer/protocol/smb/smb1-com-transaction2.pac b/src/analyzer/protocol/smb/smb1-com-transaction2.pac
index 1025e89dc2..a089c0324f 100644
--- a/src/analyzer/protocol/smb/smb1-com-transaction2.pac
+++ b/src/analyzer/protocol/smb/smb1-com-transaction2.pac
@@ -22,8 +22,21 @@ refine connection SMB_Conn += {
 	function proc_smb1_transaction2_request(header: SMB_Header, val: SMB1_transaction2_request): bool
 		%{
+		RecordVal* args = new RecordVal(BifType::Record::SMB1::Trans2_Args);
+		args->Assign(0, new Val(${val.total_param_count}, TYPE_COUNT));
+		args->Assign(1, new Val(${val.total_data_count}, TYPE_COUNT));
+		args->Assign(2, new Val(${val.max_param_count}, TYPE_COUNT));
+		args->Assign(3, new Val(${val.max_data_count}, TYPE_COUNT));
+		args->Assign(4, new Val(${val.max_setup_count}, TYPE_COUNT));
+		args->Assign(5, new Val(${val.flags}, TYPE_COUNT));
+		args->Assign(6, new Val(${val.timeout}, TYPE_COUNT));
+		args->Assign(7, new Val(${val.param_count}, TYPE_COUNT));
+		args->Assign(8, new Val(${val.param_offset}, TYPE_COUNT));
+		args->Assign(9, new Val(${val.data_count}, TYPE_COUNT));
+		args->Assign(10, new Val(${val.data_offset}, TYPE_COUNT));
+		args->Assign(11, new Val(${val.setup_count}, TYPE_COUNT));
 		if ( smb1_transaction2_request )
-			BifEvent::generate_smb1_transaction2_request(bro_analyzer(), bro_analyzer()->Conn(), BuildHeaderVal(header), ${val.sub_cmd});
+			BifEvent::generate_smb1_transaction2_request(bro_analyzer(), bro_analyzer()->Conn(), BuildHeaderVal(header), args, ${val.sub_cmd});
 		return true;
 		%}
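Review bot: In proc_smb1_transaction2_request the `args` RecordVal and its twelve `Val`s are allocated before the `if ( smb1_transaction2_request )` check, so on a sensor with no handler for that event every SMB_COM_TRANSACTION2 request leaks a record — an attacker-paced leak on a packet-driven path. PATCH 05 of this series moves the allocation under the `if`; folding that into this commit would keep every revision leak-free and the history bisectable. The function body is complete within the hunk.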
diff --git a/src/analyzer/protocol/smb/smb1_com_transaction2.bif b/src/analyzer/protocol/smb/smb1_com_transaction2.bif index 0daf5fcdd9..3e8c934db2 100644 --- a/src/analyzer/protocol/smb/smb1_com_transaction2.bif +++ b/src/analyzer/protocol/smb/smb1_com_transaction2.bif @@ -17,7 +17,7 @@ ## ## .. bro:see:: smb1_message smb1_trans2_find_first2_request smb1_trans2_query_path_info_request ## smb1_trans2_get_dfs_referral_request smb1_transaction_request -event smb1_transaction2_request%(c: connection, hdr: SMB1::Header, sub_cmd: count%); +event smb1_transaction2_request%(c: connection, hdr: SMB1::Header, args: SMB1::Trans2_Args, sub_cmd: count%); ## Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)` ## version 1 *transaction2* requests of subtype *find first2*. This transaction is used to begin @@ -91,7 +91,7 @@ event smb1_trans2_get_dfs_referral_request%(c: connection, hdr: SMB1::Header, fi # event smb1_trans2_get_dfs_referral_response%(c: connection, hdr: SMB1::Header, ??? %); -### Types - +## Types type SMB1::Find_First2_Request_Args: record; -type SMB1::Find_First2_Response_Args: record; \ No newline at end of file +type SMB1::Find_First2_Response_Args: record; +type SMB1::Trans2_Args: record; From bd72710e3b7de4aa24b9eea82e050961373cc57f Mon Sep 17 00:00:00 2001 From: Jeffrey Bencteux Date: Fri, 26 May 2017 15:18:59 +0200 Subject: [PATCH 02/11] add parameters and data to smb1_transaction_request/response messages expose SMB_Data.Trans_Parameters and SMB_Data.Trans_Data fields of SMB_COM_TRANSACTION (0x25) message type. See MS-CIFS section 2.2.4.33.1. These fields are exposed to the script level as Bro strings. Note that this commit also expose a new event smb1_transaction_response. --- scripts/policy/protocols/smb/smb1-main.bro | 2 +- .../protocol/smb/smb1-com-transaction.pac | 84 ++++++++++++++++++- .../protocol/smb/smb1_com_transaction.bif | 24 +++++- 3 files changed, 104 insertions(+), 6 deletions(-) 
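Review bot: The event signature gains `args: SMB1::Trans2_Args` but the parameter list of the docstring, which sits above this hunk and is not visible here, gets no matching entry; add `## args: The SMB_Parameters.Words of the message (counts, offsets, flags, timeout).` between the `hdr` and `sub_cmd` entries so the generated documentation matches the signature. The `### Types` to `## Types` change turns that line into a doc comment, which looks intentional but should be confirmed against how the other .bif files mark that section.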
diff --git a/scripts/policy/protocols/smb/smb1-main.bro b/scripts/policy/protocols/smb/smb1-main.bro index db817ca4a3..6b23fe91db 100644 --- a/scripts/policy/protocols/smb/smb1-main.bro +++ b/scripts/policy/protocols/smb/smb1-main.bro @@ -263,7 +263,7 @@ event smb1_session_setup_andx_response(c: connection, hdr: SMB1::Header, respons # No behavior yet. } -event smb1_transaction_request(c: connection, hdr: SMB1::Header, name: string, sub_cmd: count) +event smb1_transaction_request(c: connection, hdr: SMB1::Header, name: string, sub_cmd: count, parameters: string, data: string) { c$smb_state$current_cmd$sub_command = SMB1::trans_sub_commands[sub_cmd]; } diff --git a/src/analyzer/protocol/smb/smb1-com-transaction.pac b/src/analyzer/protocol/smb/smb1-com-transaction.pac index d199b9062c..725399b1bb 100644 --- a/src/analyzer/protocol/smb/smb1-com-transaction.pac +++ b/src/analyzer/protocol/smb/smb1-com-transaction.pac 
@@ -31,18 +31,96 @@ refine connection SMB_Conn += { function proc_smb1_transaction_request(header: SMB_Header, val: SMB1_transaction_request): bool %{ + StringVal *parameters = new StringVal(${val.param_count}, (const char*)${val.parameters}.data()); + StringVal *payload_str = nullptr; + SMB1_transaction_data *payload = nullptr; + + if ( !parameters ) + { + parameters = new StringVal(""); + } + + if ( ${val.data_count > 0} ) + { + payload = ${val.data}; + } + + if ( payload ) + { + switch ( payload->trans_type() ) + { + case SMB_PIPE: + payload_str = new StringVal(${val.data_count}, (const char*)${val.data.pipe_data}.data()); + break; + case SMB_UNKNOWN: + payload_str = new StringVal(${val.data_count}, (const char*)${val.data.unknown}.data()); + break; + default: + payload_str = new StringVal(${val.data_count}, (const char*)${val.data.data}.data()); + break; + } + } + + if ( !payload_str ) + { + payload_str = new StringVal(""); + } + if ( smb1_transaction_request ) BifEvent::generate_smb1_transaction_request(bro_analyzer(), bro_analyzer()->Conn(), BuildHeaderVal(header), smb_string2stringval(${val.name}), - ${val.sub_cmd}); + ${val.sub_cmd}, + parameters, + payload_str); return true; %} function proc_smb1_transaction_response(header: SMB_Header, val: SMB1_transaction_response): bool %{ + StringVal *parameters = new StringVal(${val.param_count}, (const char*)${val.parameters}.data()); + StringVal *payload_str = nullptr; + SMB1_transaction_data *payload = nullptr; + + if ( !parameters ) + { + parameters = new StringVal(""); + } + + if ( ${val.data_count > 0} ) + { + payload = ${val.data[0]}; + } + + if ( payload ) + { + switch ( payload->trans_type() ) + { + case SMB_PIPE: + payload_str = new StringVal(${val.data_count}, (const char*)${val.data[0].pipe_data}.data()); + break; + case SMB_UNKNOWN: + payload_str = new StringVal(${val.data_count}, (const char*)${val.data[0].unknown}.data()); + break; + default: + payload_str = new StringVal(${val.data_count}, (const 
char*)${val.data[0].data}.data()); + break; + } + } + + if ( !payload_str ) + { + payload_str = new StringVal(""); + } + + if ( smb1_transaction_response ) + BifEvent::generate_smb1_transaction_response(bro_analyzer(), + bro_analyzer()->Conn(), + BuildHeaderVal(header), + parameters, + payload_str); return true; %} }; @@ -54,8 +132,8 @@ type SMB1_transaction_data(header: SMB_Header, is_orig: bool, count: uint16, sub # SMB_MAILSLOT_LANMAN -> lanman : SMB_MailSlot_message(header.unicode, count); # SMB_RAP -> rap : SMB_Pipe_message(header.unicode, count); SMB_PIPE -> pipe_data : bytestring &restofdata; - SMB_UNKNOWN -> unknown : bytestring &restofdata &transient; - default -> data : bytestring &restofdata &transient; + SMB_UNKNOWN -> unknown : bytestring &restofdata; + default -> data : bytestring &restofdata; } &let { pipe_proc : bool = $context.connection.forward_dce_rpc(pipe_data, 0, is_orig) &if(trans_type == SMB_PIPE); }; diff --git a/src/analyzer/protocol/smb/smb1_com_transaction.bif b/src/analyzer/protocol/smb/smb1_com_transaction.bif index 8811cc3e92..0c411b55c3 100644 --- a/src/analyzer/protocol/smb/smb1_com_transaction.bif +++ b/src/analyzer/protocol/smb/smb1_com_transaction.bif @@ -3,7 +3,7 @@ ## Transaction Subprotocol Commands. These commands operate on mailslots and named pipes, ## which are interprocess communication endpoints within the CIFS file system. ## -## For more information, see MS-CIFS:2.2.4.33 +## For more information, see MS-CIFS:2.2.4.33.1 ## ## c: The connection. ## 
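Review bot: Every `payload_str = new StringVal(${val.data_count}, ...)` branch sizes the copy with the header field but reads from a bytestring declared `&restofdata` (`pipe_data`, `unknown`, `data` in the SMB1_transaction_data hunk below), whose length is whatever remained in the message, not data_count. A truncated or crafted message whose data_count exceeds the bytes actually present therefore makes `new StringVal(...)` read past the parsed buffer, a remotely triggerable over-read in the request and response paths. Size each copy by the bytestring itself, e.g. `payload_str = new StringVal(${val.data.pipe_data}.length(), (const char*)${val.data.pipe_data}.data());`, and the `[0]` variants likewise in the response. The `if ( !parameters )` guards are dead since `new` throws rather than returning null, and `${val.data_count > 0}` places a C++ comparison inside the binpac field reference; PATCH 05 corrects those two but not the length.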
@@ -14,5 +14,25 @@ ## ## sub_cmd: The sub command, some may be parsed and have their own events. ## +## parameters: content of the SMB_Data.Trans_Parameters field +## +## data: content of the SMB_Data.Trans_Data field +## ## .. bro:see:: smb1_message smb1_transaction2_request -event smb1_transaction_request%(c: connection, hdr: SMB1::Header, name: string, sub_cmd: count%); +event smb1_transaction_request%(c: connection, hdr: SMB1::Header, name: string, sub_cmd: count, parameters: string, data: string%); + +## Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)` +## version 1 requests of type *transaction*. This command serves as the transport for the +## Transaction Subprotocol Commands. These commands operate on mailslots and named pipes, +## which are interprocess communication endpoints within the CIFS file system. +## +## For more information, see MS-CIFS:2.2.4.33.2 +## +## c: The connection. +## +## hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 1 message. +## +## parameters: content of the SMB_Data.Trans_Parameters field +## +## data: content of the SMB_Data.Trans_Data field +event smb1_transaction_response%(c: connection, hdr: SMB1::Header, parameters: string, data: string%); From 046c7bc48189b60f54d17ebd2df2dd6b303a6c85 Mon Sep 17 00:00:00 2001 
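Review bot: The docstring of the new smb1_transaction_response event says `## version 1 requests of type *transaction*`, copied from the request event; it should read `## version 1 responses of type *transaction*.` It is also the only transaction event without a see-also, so add `## .. bro:see:: smb1_message smb1_transaction_request` and append `smb1_transaction_response` to the request event's existing `.. bro:see::` line so the two cross-reference each other.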
From: Jeffrey Bencteux Date: Thu, 1 Jun 2017 09:18:55 +0200 Subject: [PATCH 03/11] add smb1_transaction_secondary_request event expose SMB_COM_TRANSACTION_SECONDARY (0x26) message to script language. See MS-CIFS section 2.2.4.34.1. --- scripts/base/init-bare.bro | 19 ++++++ src/analyzer/protocol/smb/CMakeLists.txt | 1 + src/analyzer/protocol/smb/smb.pac | 1 + .../smb/smb1-com-transaction-secondary.pac | 65 +++++++++++++++++++ src/analyzer/protocol/smb/smb1-protocol.pac | 2 +- .../smb/smb1_com_transaction_secondary.bif | 19 ++++++ 6 files changed, 106 insertions(+), 1 deletion(-) create mode 100644 src/analyzer/protocol/smb/smb1_com_transaction_secondary.bif diff --git a/scripts/base/init-bare.bro b/scripts/base/init-bare.bro index e63f9f7853..b92ac9a5e4 100644 --- a/scripts/base/init-bare.bro +++ b/scripts/base/init-bare.bro @@ -2861,6 +2861,25 @@ export { setup_count: count; }; + type SMB1::Trans_Sec_Args: record { + ## Total parameter count + total_param_count: count; + ## Total data count + total_data_count: count; + ## Parameter count + param_count: count; + ## Parameter offset + param_offset: count; + ## Parameter displacement + param_displacement: count; + ## Data count + data_count: count; + ## Data offset + data_offset: count; + ## Data displacement + data_displacement: count; + }; + type SMB1::Find_First2_Request_Args: record { ## File attributes to apply as a constraint to the search search_attrs : count; diff --git a/src/analyzer/protocol/smb/CMakeLists.txt b/src/analyzer/protocol/smb/CMakeLists.txt index bf44501b96..6b594d5367 100644 --- a/src/analyzer/protocol/smb/CMakeLists.txt +++ b/src/analyzer/protocol/smb/CMakeLists.txt @@ -18,6 +18,7 @@ bro_plugin_bif( smb1_com_read_andx.bif smb1_com_session_setup_andx.bif smb1_com_transaction.bif + smb1_com_transaction_secondary.bif smb1_com_transaction2.bif smb1_com_tree_connect_andx.bif smb1_com_tree_disconnect.bif 
diff --git a/src/analyzer/protocol/smb/smb.pac b/src/analyzer/protocol/smb/smb.pac index 156037f614..c747d87e92 100644 --- a/src/analyzer/protocol/smb/smb.pac +++ b/src/analyzer/protocol/smb/smb.pac @@ -24,6 +24,7 @@ #include "smb1_com_read_andx.bif.h" #include "smb1_com_session_setup_andx.bif.h" #include "smb1_com_transaction.bif.h" +#include "smb1_com_transaction_secondary.bif.h" #include "smb1_com_transaction2.bif.h" #include "smb1_com_tree_connect_andx.bif.h" #include "smb1_com_tree_disconnect.bif.h" diff --git a/src/analyzer/protocol/smb/smb1-com-transaction-secondary.pac b/src/analyzer/protocol/smb/smb1-com-transaction-secondary.pac index bcd9ba91bb..a9ccddea73 100644 --- a/src/analyzer/protocol/smb/smb1-com-transaction-secondary.pac +++ b/src/analyzer/protocol/smb/smb1-com-transaction-secondary.pac 
@@ -1,3 +1,66 @@
+refine connection SMB_Conn += {
+
+	function proc_smb1_transaction_secondary_request(header: SMB_Header, val: SMB1_transaction_secondary_request): bool
+		%{
+		RecordVal* args = new RecordVal(BifType::Record::SMB1::Trans_Sec_Args);
+		args->Assign(0, new Val(${val.total_param_count}, TYPE_COUNT));
+		args->Assign(1, new Val(${val.total_data_count}, TYPE_COUNT));
+		args->Assign(2, new Val(${val.param_count}, TYPE_COUNT));
+		args->Assign(3, new Val(${val.param_offset}, TYPE_COUNT));
+		args->Assign(4, new Val(${val.param_displacement}, TYPE_COUNT));
+		args->Assign(5, new Val(${val.data_count}, TYPE_COUNT));
+		args->Assign(6, new Val(${val.data_offset}, TYPE_COUNT));
+		args->Assign(7, new Val(${val.data_displacement}, TYPE_COUNT));
+
+		StringVal *parameters = new StringVal(${val.param_count}, (const char*)${val.parameters}.data());
+		StringVal *payload_str = nullptr;
+		SMB1_transaction_data *payload = nullptr;
+
+		if ( !parameters )
+			{
+			parameters = new StringVal("");
+			}
+
+		if ( ${val.data_count > 0} )
+			{
+			payload = ${val.data};
+			}
+
+		if ( payload )
+			{
+			switch ( payload->trans_type() )
+				{
+				case SMB_PIPE:
+					payload_str = new StringVal(${val.data_count}, (const char*)${val.data.pipe_data}.data());
+					break;
+				case SMB_UNKNOWN:
+					payload_str = new StringVal(${val.data_count}, (const char*)${val.data.unknown}.data());
+					break;
+				default:
+					payload_str = new StringVal(${val.data_count}, (const char*)${val.data.data}.data());
+					break;
+				}
+			}
+
+		if ( !payload_str )
+			{
+			payload_str = new StringVal("");
+			}
+
+		if ( smb1_transaction_secondary_request )
+			{
+			BifEvent::generate_smb1_transaction_secondary_request(bro_analyzer(),
+			                                                       bro_analyzer()->Conn(),
+			                                                       BuildHeaderVal(header),
+			                                                       args,
+			                                                       parameters,
+			                                                       payload_str);
+			}
+
+		return true;
+		%}
+};
+
 type SMB1_transaction_secondary_request(header: SMB_Header) = record {
 	word_count        : uint8;
 	total_param_count : uint16;
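Review bot: The three `payload_str = new StringVal(${val.data_count}, ...)` lines copy data_count bytes out of bytestrings that SMB1_transaction_data declares `&restofdata`, so a secondary request that advertises more data than the message carries makes the copy read past the end of the parsed buffer; since data_count is attacker-chosen this is a remotely reachable over-read. Size each copy by the bytestring itself, e.g. `payload_str = new StringVal(${val.data.pipe_data}.length(), (const char*)${val.data.pipe_data}.data());`, in all three branches. The `args` record is also built before `if ( smb1_transaction_secondary_request )` and so leaks whenever no script handles the event; PATCH 05 fixes that leak and the `parameters` length but leaves the data branches as they are, and the `if ( !parameters )` guard is dead because `new` never returns null.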
@@ -14,4 +77,6 @@ type SMB1_transaction_secondary_request(header: SMB_Header) = record { parameters : bytestring &length = param_count; pad2 : padding to data_offset - SMB_Header_length; data : SMB1_transaction_data(header, true, data_count, 0, SMB_UNKNOWN, false); +} &let { + proc : bool = $context.connection.proc_smb1_transaction_secondary_request(header, this); }; diff --git a/src/analyzer/protocol/smb/smb1-protocol.pac b/src/analyzer/protocol/smb/smb1-protocol.pac index 4b38feefcb..92a448ea8e 100644 --- a/src/analyzer/protocol/smb/smb1-protocol.pac +++ b/src/analyzer/protocol/smb/smb1-protocol.pac @@ -170,7 +170,7 @@ type SMB_Message_Request(header: SMB_Header, offset: uint16, command: uint8, is_ # #SMB_COM_QUERY_INFORMATION2 -> query_information2 : SMB_query_information2_request(header); SMB_COM_LOCKING_ANDX -> locking_andx : SMB1_locking_andx_request(header, offset); SMB_COM_TRANSACTION -> transaction : SMB1_transaction_request(header); -# SMB_COM_TRANSACTION_SECONDARY -> transaction_secondary : SMB1_transaction_secondary_request(header); + SMB_COM_TRANSACTION_SECONDARY -> transaction_secondary : SMB1_transaction_secondary_request(header); # #SMB_COM_IOCTL -> ioctl : SMB_ioctl_request(header); # #SMB_COM_IOCTL_SECONDARY -> ioctl_secondary : SMB_ioctl_secondary_request(header); # #SMB_COM_COPY -> copy : SMB_copy_request(header); diff --git a/src/analyzer/protocol/smb/smb1_com_transaction_secondary.bif b/src/analyzer/protocol/smb/smb1_com_transaction_secondary.bif new file mode 100644 index 0000000000..ee658d4b76 --- /dev/null +++ b/src/analyzer/protocol/smb/smb1_com_transaction_secondary.bif 
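Review bot: `data` is parsed as `SMB1_transaction_data(header, true, data_count, 0, SMB_UNKNOWN, false)`, so its `trans_type` is always SMB_UNKNOWN and the `pipe_proc` forwarding in SMB1_transaction_data (`&if(trans_type == SMB_PIPE)`, visible in PATCH 02) never runs for a secondary request. Unless something not visible here carries the primary transaction's type over to its continuation, a client can split a named-pipe write — and hence a DCE-RPC PDU — across SMB_COM_TRANSACTION and SMB_COM_TRANSACTION_SECONDARY and only the first fragment reaches the DCE-RPC analyzer, a cheap evasion now that the command is enabled in smb1-protocol.pac. Either track the pending transaction's type per PID/MID in the connection state and pass it here, or at least mark the gap with `# TODO: continuation data is always SMB_UNKNOWN, so pipe/DCE-RPC fragments in secondary requests are not forwarded`.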
@@ -0,0 +1,19 @@ +## Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)` +## version 1 requests of type *transaction_secondary*. This command +## serves as an additional request data container for the +## Transaction Subprotocol Commands (carried by *transaction* requests). +## +## For more information, see MS-CIFS:2.2.4.34 +## +## c: The connection. +## +## hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 1 message. +## +## parameters: the SMB_Data.Trans_Parameters field content +## +## data: the SMB_Data.Trans_Data field content +## +event smb1_transaction_secondary_request%(c: connection, hdr: SMB1::Header, args: SMB1::Trans_Sec_Args, parameters: string, data: string%); + +## Types +type SMB1::Trans_Sec_Args: record; From bbe89a79a47e6508a00c11d77d5ea5441723ee37 Mon Sep 17 00:00:00 2001 From: Jeffrey Bencteux Date: Fri, 2 Jun 2017 17:27:11 +0200 Subject: [PATCH 04/11] add smb1_transaction2_secondary_request event parse and expose SMB_COM_TRANSACTION2_SECONDARY (0x33) message to script level. See MS-CIFS section 2.2.4.47.1. --- scripts/base/init-bare.bro | 21 +++++++ src/analyzer/protocol/smb/CMakeLists.txt | 2 + src/analyzer/protocol/smb/smb.pac | 2 + .../smb/smb1-com-transaction2-secondary.pac | 62 +++++++++++++++++++ src/analyzer/protocol/smb/smb1-protocol.pac | 2 +- .../smb/smb1_com_transaction2_secondary.bif | 19 ++++++ 6 files changed, 107 insertions(+), 1 deletion(-) create mode 100644 src/analyzer/protocol/smb/smb1-com-transaction2-secondary.pac create mode 100644 src/analyzer/protocol/smb/smb1_com_transaction2_secondary.bif diff --git a/scripts/base/init-bare.bro b/scripts/base/init-bare.bro index b92ac9a5e4..592c89116e 100644 --- a/scripts/base/init-bare.bro +++ b/scripts/base/init-bare.bro 
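Review bot: The event takes `args: SMB1::Trans_Sec_Args` but the docstring lists only `c`, `hdr`, `parameters` and `data`; add `## args: The SMB_Parameters.Words of the message (counts, offsets and displacements).` after the `hdr` entry. `MS-CIFS:2.2.4.34` names the command as a whole while the request is 2.2.4.34.1, which is what the commit message cites, so the two should agree. A `## .. bro:see:: smb1_message smb1_transaction_request` line would also match the other transaction events.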
@@ -2880,6 +2880,27 @@ export { data_displacement: count; }; + type SMB1::Trans2_Sec_Args: record { + ## Total parameter count + total_param_count: count; + ## Total data count + total_data_count: count; + ## Parameter count + param_count: count; + ## Parameter offset + param_offset: count; + ## Parameter displacement + param_displacement: count; + ## Data count + data_count: count; + ## Data offset + data_offset: count; + ## Data displacement + data_displacement: count; + ## File ID + FID: count; + }; + type SMB1::Find_First2_Request_Args: record { ## File attributes to apply as a constraint to the search search_attrs : count; diff --git a/src/analyzer/protocol/smb/CMakeLists.txt b/src/analyzer/protocol/smb/CMakeLists.txt index 6b594d5367..cc5d690dfd 100644 --- a/src/analyzer/protocol/smb/CMakeLists.txt +++ b/src/analyzer/protocol/smb/CMakeLists.txt @@ -20,6 +20,7 @@ bro_plugin_bif( smb1_com_transaction.bif smb1_com_transaction_secondary.bif smb1_com_transaction2.bif + smb1_com_transaction2_secondary.bif smb1_com_tree_connect_andx.bif smb1_com_tree_disconnect.bif smb1_com_write_andx.bif @@ -66,6 +67,7 @@ bro_plugin_pac( smb1-com-transaction-secondary.pac smb1-com-transaction.pac smb1-com-transaction2.pac + smb1-com-transaction2-secondary.pac smb1-com-tree-connect-andx.pac smb1-com-tree-disconnect.pac smb1-com-write-andx.pac diff --git a/src/analyzer/protocol/smb/smb.pac b/src/analyzer/protocol/smb/smb.pac index c747d87e92..a21101faaa 100644 --- a/src/analyzer/protocol/smb/smb.pac +++ b/src/analyzer/protocol/smb/smb.pac @@ -26,6 +26,7 @@ #include "smb1_com_transaction.bif.h" #include "smb1_com_transaction_secondary.bif.h" #include "smb1_com_transaction2.bif.h" +#include "smb1_com_transaction2_secondary.bif.h" #include "smb1_com_tree_connect_andx.bif.h" #include "smb1_com_tree_disconnect.bif.h" #include "smb1_com_write_andx.bif.h" 
@@ -75,6 +76,7 @@ connection SMB_Conn(bro_analyzer: BroAnalyzer) { %include smb1-com-transaction-secondary.pac %include smb1-com-transaction.pac %include smb1-com-transaction2.pac +%include smb1-com-transaction2-secondary.pac %include smb1-com-tree-connect-andx.pac %include smb1-com-tree-disconnect.pac %include smb1-com-write-andx.pac diff --git a/src/analyzer/protocol/smb/smb1-com-transaction2-secondary.pac b/src/analyzer/protocol/smb/smb1-com-transaction2-secondary.pac new file mode 100644 index 0000000000..f2ae2e8e99 --- /dev/null +++ b/src/analyzer/protocol/smb/smb1-com-transaction2-secondary.pac 
@@ -0,0 +1,62 @@ +refine connection SMB_Conn += { + + function proc_smb1_transaction2_secondary_request(header: SMB_Header, val: SMB1_transaction2_secondary_request): bool + %{ + RecordVal *args = new RecordVal(BifType::Record::SMB1::Trans2_Sec_Args); + args->Assign(0, new Val(${val.total_param_count}, TYPE_COUNT)); + args->Assign(1, new Val(${val.total_data_count}, TYPE_COUNT)); + args->Assign(2, new Val(${val.param_count}, TYPE_COUNT)); + args->Assign(3, new Val(${val.param_offset}, TYPE_COUNT)); + args->Assign(4, new Val(${val.param_displacement}, TYPE_COUNT)); + args->Assign(5, new Val(${val.data_count}, TYPE_COUNT)); + args->Assign(6, new Val(${val.data_offset}, TYPE_COUNT)); + args->Assign(7, new Val(${val.data_displacement}, TYPE_COUNT)); + args->Assign(8, new Val(${val.FID}, TYPE_COUNT)); + + StringVal *parameters = new StringVal(${val.param_count}, (const char*)${val.parameters}.data()); + StringVal *payload = new StringVal(${val.data_count}, (const char*)${val.data}.data()); + + if ( !parameters ) + { + parameters = new StringVal(""); + } + + if ( !payload ) + { + payload = new StringVal(""); + } + + if ( smb1_transaction2_secondary_request ) + { + BifEvent::generate_smb1_transaction2_secondary_request(bro_analyzer(), + bro_analyzer()->Conn(), + BuildHeaderVal(header), + args, + parameters, + payload); + } + + return true; + %} +}; + +type SMB1_transaction2_secondary_request(header: SMB_Header) = record { + word_count : uint8; + total_param_count : uint16; + total_data_count : uint16; + param_count : uint16; + param_offset : uint16; + param_displacement : uint16; + data_count : uint16; + data_offset : uint16; + data_displacement : uint16; + FID : uint16; + + byte_count : uint16; + pad1 : padding to (param_offset - SMB_Header_length); + parameters : bytestring &length = param_count; + pad2 : padding to (data_offset - SMB_Header_length); + data : bytestring &length=data_count; +} &let { + proc : bool = 
$context.connection.proc_smb1_transaction2_secondary_request(header, this); +}; diff --git a/src/analyzer/protocol/smb/smb1-protocol.pac b/src/analyzer/protocol/smb/smb1-protocol.pac index 92a448ea8e..75db898f73 100644 --- a/src/analyzer/protocol/smb/smb1-protocol.pac +++ b/src/analyzer/protocol/smb/smb1-protocol.pac @@ -179,7 +179,7 @@ type SMB_Message_Request(header: SMB_Header, offset: uint16, command: uint8, is_ # #SMB_COM_WRITE_AND_CLOSE -> write_and_close : SMB_write_and_close_request(header); # #SMB_COM_NEW_FILE_SIZE -> new_file_size : SMB_new_file_size_request(header); # #SMB_COM_CLOSE_AND_TREE_DISC -> close_and_tree_disc : SMB_close_and_tree_disc_request(header); -# #SMB_COM_TRANSACTION2_SECONDARY -> transaction2_secondary : SMB1_transaction2_secondary_request(header); + SMB_COM_TRANSACTION2_SECONDARY -> transaction2_secondary : SMB1_transaction2_secondary_request(header); # #SMB_COM_FIND_CLOSE2 -> find_close2 : SMB_find_close2_request(header); # #SMB_COM_FIND_NOTIFY_CLOSE -> find_notify_close : SMB_find_notify_close_request(header); # #SMB_COM_TREE_CONNECT -> tree_connect : SMB_tree_connect_request(header); diff --git a/src/analyzer/protocol/smb/smb1_com_transaction2_secondary.bif b/src/analyzer/protocol/smb/smb1_com_transaction2_secondary.bif new file mode 100644 index 0000000000..81aef809aa --- /dev/null +++ b/src/analyzer/protocol/smb/smb1_com_transaction2_secondary.bif 
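Review bot: `if ( !payload )` and `if ( !parameters )` after `new StringVal(...)` are dead: `new` throws on failure rather than returning null, so the guards only suggest a path that cannot happen and should be dropped. `pad1 : padding to (param_offset - SMB_Header_length)` and `pad2` take their targets from attacker-controlled uint16 offsets; with an offset below SMB_Header_length the target is negative and with one pointing behind the current position it is before the cursor, so it is worth confirming that binpac raises a parse exception in both cases rather than asserting or silently advancing. As in the sibling commands, `args` is allocated before the handler check and leaks when the event is unhandled, which PATCH 05 corrects.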
@@ -0,0 +1,19 @@ +## Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)` +## version 1 requests of type *transaction2 secondary*. +## +## For more information, see MS-CIFS:2.2.4.47.1 +## +## c: The connection. +## +## hdr: The parsed header of the :abbr:`SMB (Server Message Block)` +## version 1 message. +## +## args: arguments of the message (SMB_Parameters.Words) +## +## parameters: content of the SMB_Data.Trans_Parameters field +## +## data: content of the SMB_Data.Trans_Data field +event smb1_transaction2_secondary_request%(c: connection, hdr: SMB1::Header, args: SMB1::Trans2_Sec_Args, parameters: string, data: string%); + +## Types +type SMB1::Trans2_Sec_Args: record; From f7a8726ffc357b4a8b34ae37e059ac2088d89482 Mon Sep 17 00:00:00 2001 From: Jeffrey Bencteux Date: Fri, 12 Jan 2018 15:29:17 +0100 Subject: [PATCH 05/11] fix smb1_com_transaction* messages --- .../smb/smb1-com-transaction-secondary.pac | 27 ++++------ .../protocol/smb/smb1-com-transaction.pac | 50 ++++++++----------- .../smb/smb1-com-transaction2-secondary.pac | 27 ++++------ .../protocol/smb/smb1-com-transaction2.pac | 29 ++++++----- 4 files changed, 60 insertions(+), 73 deletions(-) diff --git a/src/analyzer/protocol/smb/smb1-com-transaction-secondary.pac b/src/analyzer/protocol/smb/smb1-com-transaction-secondary.pac index a9ccddea73..d6010d3972 100644 --- a/src/analyzer/protocol/smb/smb1-com-transaction-secondary.pac +++ b/src/analyzer/protocol/smb/smb1-com-transaction-secondary.pac @@ -2,6 +2,9 @@ refine connection SMB_Conn += { function proc_smb1_transaction_secondary_request(header: SMB_Header, val: SMB1_transaction_secondary_request): bool %{ + if ( ! smb1_transaction_secondary_request ) + return false; + RecordVal* args = new RecordVal(BifType::Record::SMB1::Trans_Sec_Args); args->Assign(0, new Val(${val.total_param_count}, TYPE_COUNT)); args->Assign(1, new Val(${val.total_data_count}, TYPE_COUNT)); 
@@ -12,16 +15,11 @@ refine connection SMB_Conn += { args->Assign(6, new Val(${val.data_offset}, TYPE_COUNT)); args->Assign(7, new Val(${val.data_displacement}, TYPE_COUNT)); - StringVal *parameters = new StringVal(${val.param_count}, (const char*)${val.parameters}.data()); + StringVal *parameters = new StringVal(${val.parameters}.length(), (const char*)${val.parameters}.data()); StringVal *payload_str = nullptr; SMB1_transaction_data *payload = nullptr; - if ( !parameters ) - { - parameters = new StringVal(""); - } - - if ( ${val.data_count > 0} ) + if ( ${val.data_count} > 0 ) { payload = ${val.data}; } @@ -47,15 +45,12 @@ refine connection SMB_Conn += { payload_str = new StringVal(""); } - if ( smb1_transaction_secondary_request ) - { - BifEvent::generate_smb1_transaction_secondary_request(bro_analyzer(), - bro_analyzer()->Conn(), - BuildHeaderVal(header), - args, - parameters, - payload_str); - } + BifEvent::generate_smb1_transaction_secondary_request(bro_analyzer(), + bro_analyzer()->Conn(), + BuildHeaderVal(header), + args, + parameters, + payload_str); return true; %} diff --git a/src/analyzer/protocol/smb/smb1-com-transaction.pac b/src/analyzer/protocol/smb/smb1-com-transaction.pac index 725399b1bb..7f3c409a95 100644 --- a/src/analyzer/protocol/smb/smb1-com-transaction.pac +++ b/src/analyzer/protocol/smb/smb1-com-transaction.pac 
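Review bot: The length fix is applied to `parameters` only: the `case SMB_PIPE`, `case SMB_UNKNOWN` and `default` branches just above the visible `payload_str = new StringVal("")` (unchanged here, shown in full in PATCH 03) still pass `${val.data_count}` as the length of a `&restofdata` bytestring, so a secondary request whose data_count exceeds the bytes actually present still over-reads. Change each to the bytestring's own length, e.g. `payload_str = new StringVal(${val.data.pipe_data}.length(), (const char*)${val.data.pipe_data}.data());`. Returning `false` from the early exit differs from the `return true` used when the event fires; if the `&let proc` result is never consumed that is harmless, but a one-line comment saying so would stop the next reader from looking for a caller that cares.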
@@ -31,16 +31,14 @@ refine connection SMB_Conn += { function proc_smb1_transaction_request(header: SMB_Header, val: SMB1_transaction_request): bool %{ - StringVal *parameters = new StringVal(${val.param_count}, (const char*)${val.parameters}.data()); + if ( ! smb1_transaction_request ) + return false; + + StringVal *parameters = new StringVal(${val.parameters}.length(), (const char*)${val.parameters}.data()); StringVal *payload_str = nullptr; SMB1_transaction_data *payload = nullptr; - if ( !parameters ) - { - parameters = new StringVal(""); - } - - if ( ${val.data_count > 0} ) + if ( ${val.data_count} > 0 ) { payload = ${val.data}; } @@ -66,30 +64,27 @@ refine connection SMB_Conn += { payload_str = new StringVal(""); } - if ( smb1_transaction_request ) - BifEvent::generate_smb1_transaction_request(bro_analyzer(), - bro_analyzer()->Conn(), - BuildHeaderVal(header), - smb_string2stringval(${val.name}), - ${val.sub_cmd}, - parameters, - payload_str); + BifEvent::generate_smb1_transaction_request(bro_analyzer(), + bro_analyzer()->Conn(), + BuildHeaderVal(header), + smb_string2stringval(${val.name}), + ${val.sub_cmd}, + parameters, + payload_str); return true; %} function proc_smb1_transaction_response(header: SMB_Header, val: SMB1_transaction_response): bool %{ - StringVal *parameters = new StringVal(${val.param_count}, (const char*)${val.parameters}.data()); + if ( !smb1_transaction_response ) + return false; + + StringVal *parameters = new StringVal(${val.parameters}.length(), (const char*)${val.parameters}.data()); StringVal *payload_str = nullptr; SMB1_transaction_data *payload = nullptr; - if ( !parameters ) - { - parameters = new StringVal(""); - } - - if ( ${val.data_count > 0} ) + if ( ${val.data_count} > 0 ) { payload = ${val.data[0]}; } 
@@ -115,12 +110,11 @@ refine connection SMB_Conn += { payload_str = new StringVal(""); } - if ( smb1_transaction_response ) - BifEvent::generate_smb1_transaction_response(bro_analyzer(), - bro_analyzer()->Conn(), - BuildHeaderVal(header), - parameters, - payload_str); + BifEvent::generate_smb1_transaction_response(bro_analyzer(), + bro_analyzer()->Conn(), + BuildHeaderVal(header), + parameters, + payload_str); return true; %} }; diff --git a/src/analyzer/protocol/smb/smb1-com-transaction2-secondary.pac b/src/analyzer/protocol/smb/smb1-com-transaction2-secondary.pac index f2ae2e8e99..e608da4e4f 100644 --- a/src/analyzer/protocol/smb/smb1-com-transaction2-secondary.pac +++ b/src/analyzer/protocol/smb/smb1-com-transaction2-secondary.pac @@ -2,6 +2,9 @@ refine connection SMB_Conn += { function proc_smb1_transaction2_secondary_request(header: SMB_Header, val: SMB1_transaction2_secondary_request): bool %{ + if ( !smb1_transaction2_secondary_request ) + return false; + RecordVal *args = new RecordVal(BifType::Record::SMB1::Trans2_Sec_Args); args->Assign(0, new Val(${val.total_param_count}, TYPE_COUNT)); args->Assign(1, new Val(${val.total_data_count}, TYPE_COUNT)); 
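Review bot: Same incomplete fix as in transaction-secondary: `parameters` now uses `.length()`, but the data branches of both proc_smb1_transaction_request and proc_smb1_transaction_response (between the `payload` assignment and the visible `payload_str = new StringVal("")`, unchanged in this hunk) still copy `${val.data_count}` bytes from `&restofdata` bytestrings, so the over-read on a crafted data_count remains on both paths. Replace each with the bytestring's own length, e.g. `new StringVal(${val.data[0].pipe_data}.length(), (const char*)${val.data[0].pipe_data}.data())` for the response. The response also dereferences `${val.data[0]}` guarded only by `data_count > 0`; if the `data` array's element count is derived from something other than data_count (its declaration is outside this hunk), that index wants its own bounds check.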
@@ -13,28 +16,20 @@ refine connection SMB_Conn += { args->Assign(7, new Val(${val.data_displacement}, TYPE_COUNT)); args->Assign(8, new Val(${val.FID}, TYPE_COUNT)); - StringVal *parameters = new StringVal(${val.param_count}, (const char*)${val.parameters}.data()); - StringVal *payload = new StringVal(${val.data_count}, (const char*)${val.data}.data()); - - if ( !parameters ) - { - parameters = new StringVal(""); - } + StringVal *parameters = new StringVal(${val.parameters}.length(), (const char*)${val.parameters}.data()); + StringVal *payload = new StringVal(${val.data}.length(), (const char*)${val.data}.data()); if ( !payload ) { payload = new StringVal(""); } - if ( smb1_transaction2_secondary_request ) - { - BifEvent::generate_smb1_transaction2_secondary_request(bro_analyzer(), - bro_analyzer()->Conn(), - BuildHeaderVal(header), - args, - parameters, - payload); - } + BifEvent::generate_smb1_transaction2_secondary_request(bro_analyzer(), + bro_analyzer()->Conn(), + BuildHeaderVal(header), + args, + parameters, + payload); return true; %} diff --git a/src/analyzer/protocol/smb/smb1-com-transaction2.pac b/src/analyzer/protocol/smb/smb1-com-transaction2.pac index a089c0324f..5e77489d10 100644 --- a/src/analyzer/protocol/smb/smb1-com-transaction2.pac +++ b/src/analyzer/protocol/smb/smb1-com-transaction2.pac 
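Review bot: With `payload` now sized by `${val.data}.length()` the retained `if ( !payload )` block is dead code, because `new` does not return nullptr, and it implies a failure mode that does not exist; delete those three lines. The switch to the bytestring's own length is otherwise the right fix: since `data` is declared `&length=data_count`, the two agree and the copy can no longer outrun the buffer.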
@@ -22,21 +22,24 @@ refine connection SMB_Conn += { function proc_smb1_transaction2_request(header: SMB_Header, val: SMB1_transaction2_request): bool %{ - RecordVal* args = new RecordVal(BifType::Record::SMB1::Trans2_Args); - args->Assign(0, new Val(${val.total_param_count}, TYPE_COUNT)); - args->Assign(1, new Val(${val.total_data_count}, TYPE_COUNT)); - args->Assign(2, new Val(${val.max_param_count}, TYPE_COUNT)); - args->Assign(3, new Val(${val.max_data_count}, TYPE_COUNT)); - args->Assign(4, new Val(${val.max_setup_count}, TYPE_COUNT)); - args->Assign(5, new Val(${val.flags}, TYPE_COUNT)); - args->Assign(6, new Val(${val.timeout}, TYPE_COUNT)); - args->Assign(7, new Val(${val.param_count}, TYPE_COUNT)); - args->Assign(8, new Val(${val.param_offset}, TYPE_COUNT)); - args->Assign(9, new Val(${val.data_count}, TYPE_COUNT)); - args->Assign(10, new Val(${val.data_offset}, TYPE_COUNT)); - args->Assign(11, new Val(${val.setup_count}, TYPE_COUNT)); if ( smb1_transaction2_request ) + { + RecordVal* args = new RecordVal(BifType::Record::SMB1::Trans2_Args); + args->Assign(0, new Val(${val.total_param_count}, TYPE_COUNT)); + args->Assign(1, new Val(${val.total_data_count}, TYPE_COUNT)); + args->Assign(2, new Val(${val.max_param_count}, TYPE_COUNT)); + args->Assign(3, new Val(${val.max_data_count}, TYPE_COUNT)); + args->Assign(4, new Val(${val.max_setup_count}, TYPE_COUNT)); + args->Assign(5, new Val(${val.flags}, TYPE_COUNT)); + args->Assign(6, new Val(${val.timeout}, TYPE_COUNT)); + args->Assign(7, new Val(${val.param_count}, TYPE_COUNT)); + args->Assign(8, new Val(${val.param_offset}, TYPE_COUNT)); + args->Assign(9, new Val(${val.data_count}, TYPE_COUNT)); + args->Assign(10, new Val(${val.data_offset}, TYPE_COUNT)); + args->Assign(11, new Val(${val.setup_count}, TYPE_COUNT)); + BifEvent::generate_smb1_transaction2_request(bro_analyzer(), bro_analyzer()->Conn(), BuildHeaderVal(header), args, ${val.sub_cmd}); + } return true; %} 
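Review bot: Building the `Trans2_Args` record only when `smb1_transaction2_request` has a handler is the right direction, but the guard form differs from the secondary-request file in the same series, which uses an early `if ( !... ) return false;` at function entry; pick one shape so the proc_ functions read uniformly. The twelve positional `args->Assign(i, ...)` calls silently break if `SMB1::Trans2_Args` in init-bare.bro is ever reordered, so a comment pinning the dependency, `// index order must match SMB1::Trans2_Args in scripts/base/init-bare.bro (MS-CIFS 2.2.4.46.1)`, is worth adding above the first `Assign`.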
From 00be145b1b05ba14d132736642d0ec362a3ba489 Mon Sep 17 00:00:00 2001 From: Jeffrey Bencteux Date: Fri, 12 Jan 2018 15:30:03 +0100 Subject: [PATCH 06/11] fix setup field handling in smb1_com_transaction_request messages This field is an array of 16 bit words and was parsed as an array of 32 bit words. Moreover, one can not assume the format is going to be a 16 bits opcode followed by a 16 bit file ID, the content of the setup field is different according to its first 16 bits word that defines the subcommand code. See MS-CIFS section 2.2.4.33.1 : Setup (variable): An array of two-byte words that provides transaction context to the server. The size and content of the array are specific to individual subcommands. --- src/analyzer/protocol/smb/smb1-com-transaction.pac | 9 ++------- 1 file changed, 2 insertions(+), 7 deletions(-) diff --git a/src/analyzer/protocol/smb/smb1-com-transaction.pac b/src/analyzer/protocol/smb/smb1-com-transaction.pac index 7f3c409a95..eed584dfff 100644 --- a/src/analyzer/protocol/smb/smb1-com-transaction.pac +++ b/src/analyzer/protocol/smb/smb1-com-transaction.pac @@ -132,11 +132,6 @@ type SMB1_transaction_data(header: SMB_Header, is_orig: bool, count: uint16, sub pipe_proc : bool = $context.connection.forward_dce_rpc(pipe_data, 0, is_orig) &if(trans_type == SMB_PIPE); }; -type SMB1_transaction_setup = record { - op_code : uint16; - file_id : uint16; -} - type SMB1_transaction_request(header: SMB_Header) = record { word_count : uint8; total_param_count : uint16; @@ -155,7 +150,7 @@ type SMB1_transaction_request(header: SMB_Header) = record { setup_count : uint8; reserved3 : uint8; # word_count 16 is a different dialect that behaves a bit differently. - setup : SMB1_transaction_setup[word_count == 16 ? 1 : setup_count]; + setup : uint16[setup_count]; byte_count : uint16; name : SMB_string(header.unicode, offsetof(name)); 
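Review bot: With `setup : uint16[setup_count];` the number of bytes consumed before `byte_count` is now decided solely by the peer-supplied `setup_count`, and nothing checks it against `word_count`, which MS-CIFS 2.2.4.33.1 defines as 14 + SetupCount. A mismatch desynchronizes the parse of `byte_count`, `name` and the padding-to-offset fields that follow (the rest of the record is outside this hunk), so a violation should be reported when `word_count != 14 + setup_count` — via `bro_analyzer()->ProtocolViolation(...)` in the proc_ function, or as an `&check` on the field if this binpac version actually enforces it. The `word_count == 16 ? 1 : setup_count` special case is gone while the context comment above the field still says word_count 16 "behaves a bit differently"; either delete that comment or state what still differs.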
@@ -164,7 +159,7 @@ type SMB1_transaction_request(header: SMB_Header) = record { pad2 : padding to data_offset - SMB_Header_length; data : SMB1_transaction_data(header, true, data_count, sub_cmd, transtype, is_pipe); } &let { - sub_cmd : uint16 = (sizeof(setup) && word_count != 16) > 0 ? setup[0].op_code : 0; + sub_cmd : uint16 = (sizeof(setup) && word_count != 16) > 0 ? setup[0] : 0; transtype : int = determine_transaction_type(header, name); is_pipe : bool = (transtype == SMB_PIPE || (transtype == SMB_UNKNOWN && $context.connection.get_tree_is_pipe(header.tid))); From 6d497ea8b05d712f5c35f403f9854ea0e4310c82 Mon Sep 17 00:00:00 2001 From: Jeffrey Bencteux Date: Fri, 12 Jan 2018 15:35:44 +0100 Subject: [PATCH 07/11] add test for smb1_com_transaction_request event changes --- .../.stdout | 1 + .../Traces/smb/smb1_transaction_request.pcap | Bin 0 -> 1731 bytes .../protocols/smb/smb1-transaction-request.test | 12 ++++++++++++ 3 files changed, 13 insertions(+) create mode 100644 testing/btest/Baseline/scripts.base.protocols.smb.smb1-transaction-request/.stdout create mode 100644 testing/btest/Traces/smb/smb1_transaction_request.pcap create mode 100644 testing/btest/scripts/base/protocols/smb/smb1-transaction-request.test diff --git a/testing/btest/Baseline/scripts.base.protocols.smb.smb1-transaction-request/.stdout b/testing/btest/Baseline/scripts.base.protocols.smb.smb1-transaction-request/.stdout new file mode 100644 index 0000000000..b9d6e354ee --- /dev/null +++ b/testing/btest/Baseline/scripts.base.protocols.smb.smb1-transaction-request/.stdout @@ -0,0 +1 @@ +smb1_transaction_request hdr: [command=37, status=0, flags=0, flags2=0, tid=31335, pid=1, uid=11132, mid=2], name: \\PIPE\lsarpc, sub_cmd: 2600, params: some_params, data: some_data 
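Review bot: `(sizeof(setup) && word_count != 16) > 0 ? setup[0] : 0` compares a boolean with 0, a leftover from the struct-array form; `(setup_count > 0 && word_count != 16) ? setup[0] : 0` states the same thing directly. The `word_count != 16` exclusion survives even though the commit message argues the first setup word always identifies the subcommand, so a word_count-16 message gets `sub_cmd` forced to 0 and the `SMB1_transaction_data(..., sub_cmd, ...)` dispatch sees no subcommand — if that is intentional, say why in a comment; if not, drop the clause. Removing `SMB1_transaction_setup` also drops the `file_id` that was the second word, which for TRANS_TRANSACT_NMPIPE is the FID, so check that nothing else in the analyzer read `setup[0].file_id` (not visible here).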
diff --git a/testing/btest/Traces/smb/smb1_transaction_request.pcap b/testing/btest/Traces/smb/smb1_transaction_request.pcap new file mode 100644 index 0000000000000000000000000000000000000000..e234ec4e76f2ce3c8b2e3b7db28c5d4429e42c05 GIT binary patch literal 1731 zcmb7DT}V?=9RJ_D8P=TnK{0}8V47e}9m7BhEYn&wyR?;I%XXcXqn5TAMrEvsP^^b2 zk)EQDL0zziK%)mkum|bIhk}UMz_g+Vi5gf2b^HI%ans!^!4CWn=bn$>{e7JCcKq3W z5sZ**stO?B$FaU6O*6BrpbE!Sum8UM79WZaQJ)QU0Hw68X2tx)vBw}_iIWLoG>IaK zR@fHjC@P{<;{p{w&#@TFX2d|07v~9qkc836M0DiQ7ThfO3KZpVGk|DR-w~fsnJIHV z0;1WZJS+V8%K7~4F+l*~sdTE2E~wh0QN>X#Rw#Uc#{kMzw`*sJMi%OpHgZn{$N{mz zW8LqvR@f@-%uez0B7L0^rLm7>#D}{YBW#G~kn$9zJ%`i35;4I&oTSpB+=@*zl=5X! zEQ(^8z+(VyDf+#J8a9*aIQ@J8gB`sv?w|z$DslQxA_9IzIeWAJjqpm%wnA-i)0%6_ zx?&IB2RC?d<6bs$gOhFu6TP;^oOxyr%xsWl=He)Q*Uj)85vg>UJ>i-C`mM=~qhMw( zyhGS}NOYJ+781F%anWWKe9&&PFRUaVMHYS+fh32+yARd5QD$S{OlwDX*y^xVq>YXE zb})JY3IM#`MrVV4pVukXZUpR@8Mph*5WziEy6i%+8J3+(lieV09+oUa6Hjm82%tVC zqu0PD7CQkhm5E>=8Un0OajUXbf?E!@$jErB%>f=#(Toquw}C(Ij2`$fhBHOse7_0| zCGH34#$QtD!U^zj=BqW~a1;zDl3@I|ld5xUsO`8aW-jSk&Ri0+>jXeMo~6>6+Z6l6 z%x%?}JB6F)$lR83_FG$uMkL+blNZv=&0?7{`3H)`%y0NybR=5HOkB-PoINGNL!>~Z zGjU+S#9WPu90g4r>tXBz#J-pf)4L@5TobHJUjY*w#5o_{TPRW061=#QQ>ycx4$GlV zKR~!6*mk^A4#`1!Iqa)d?vlxHrE5{R&hXOMXJ+_7y5Z46jL Date: Thu, 18 Jan 2018 11:54:08 +0100 Subject: [PATCH 08/11] add test for smb1_com_transaction_secondary_request event changes --- .../.stdout | 1 + .../smb/smb1_transaction_secondary_request.pcap | Bin 0 -> 1740 bytes .../smb/smb1-transaction-secondary-request.test | 12 ++++++++++++ 3 files changed, 13 insertions(+) create mode 100644 testing/btest/Baseline/scripts.base.protocols.smb.smb1-transaction-secondary-request/.stdout create mode 100644 testing/btest/Traces/smb/smb1_transaction_secondary_request.pcap create mode 100644 testing/btest/scripts/base/protocols/smb/smb1-transaction-secondary-request.test 
diff --git a/testing/btest/Baseline/scripts.base.protocols.smb.smb1-transaction-secondary-request/.stdout b/testing/btest/Baseline/scripts.base.protocols.smb.smb1-transaction-secondary-request/.stdout new file mode 100644 index 0000000000..10cad0c702 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.protocols.smb.smb1-transaction-secondary-request/.stdout @@ -0,0 +1 @@ +smb1_transaction_secondary_request hdr: [command=38, status=0, flags=0, flags2=0, tid=45374, pid=1, uid=57674, mid=2], args: [total_param_count=11, total_data_count=9, param_count=11, param_offset=52, param_displacement=9, data_count=9, data_offset=66, data_displacement=11], params: some_params, data: some_data diff --git a/testing/btest/Traces/smb/smb1_transaction_secondary_request.pcap b/testing/btest/Traces/smb/smb1_transaction_secondary_request.pcap new file mode 100644 index 0000000000000000000000000000000000000000..4236b140d5d5504d03137fa20b3c01cbb25e8a05 GIT binary patch literal 1740 zcmbVMUr1AN6#nkrjLkVy8#IDwU`;VubB#$tVVaeiGTcJaMO$hpWy)5~h`=5kKGuWu z(1Sz;HP}OiL=TH71BpUGBZBY`^cp<`l7X#re!p$GU3{<$=Wy=t&$sV<-?>|O`|Q37 zJu*)!1t|3LU?|x2Zp;7=)g15ty!x@2SWIv>pb4ntWA)qCZoGaBg+h%bm1G9RtJ)B= zNR+RHQb!vc^1j3pDAj~PC@)7CfsvGCEIFH4zD9?YU|BqV$PcLc)Mw^1_vJtMD1;XE zme}xVN%EQBZ^Qt>b7;EiPIq;ZxiF`6R}#f)!|GkS1{_HF+8V-KSvhTdSUnXeg4*u4 zoocf=9W^c?=Mw#JMox_om6lQ#;?c!CA)q5uE`#Y#3w`lW!*MOx^O@`i%5w7mXv6z%tPa}BrWmFbkh2DP^6 zndLxb`}diLvg zo@Ww;JaaNN;3hX6;mXQQZhU0Z<`jbHH@VU~nUA7?-pk<)MIt9oH~9#wbKr9CP&8t5 zJDfSSp1vKjUO^cU2y`~LyIKRy-p0M4B*ggUF=3R>aA>>>TXqQV_T){#G98}sS`#yG zK2QZ5&$cnH6AS;6f|eB(I;Npucb1#SQ3GFS@O+3E*E-zra~C{IyGqPkH)m=#u~Nn6 zER0BVcAhbV2aH2w&VV#$tuD_Ti9+T~92EQyb5~bInV)1=LR{`^GjVTqo6%2qIW*#S zSu8?aPp-HtRdjfj#hsMmI=N4)ihu7sHKj8VlHEplimN7Iz6b15r5qH&_!;S@w#nX+A! WxhX^0z?4mJQ#PW3D*D6Sgw$VP-|jj9 literal 0 HcmV?d00001 
diff --git a/testing/btest/scripts/base/protocols/smb/smb1-transaction-secondary-request.test b/testing/btest/scripts/base/protocols/smb/smb1-transaction-secondary-request.test new file mode 100644 index 0000000000..03bddf7bf5 --- /dev/null +++ b/testing/btest/scripts/base/protocols/smb/smb1-transaction-secondary-request.test @@ -0,0 +1,12 @@ +#@TEST-EXEC: bro -b -C -r $TRACES/smb/smb1_transaction_secondary_request.pcap %INPUT +#@TEST-EXEC: btest-diff .stdout + +@load base/protocols/smb +@load policy/protocols/smb + +# Check that smb1_transaction_secondary requests are parsed correctly + +event smb1_transaction_secondary_request(c: connection, hdr: SMB1::Header, args: SMB1::Trans_Sec_Args, parameters: string, data: string) +{ + print fmt("smb1_transaction_secondary_request hdr: %s, args: %s, params: %s, data: %s", hdr, args, parameters, data); +} From 4807b7d8479ecaf7a4366af7f6dc112070a908c3 Mon Sep 17 00:00:00 2001 From: Jeffrey Bencteux Date: Thu, 18 Jan 2018 15:20:47 +0100 Subject: [PATCH 09/11] add test for smb1_com_transaction2_request event changes --- .../.stdout | 1 + .../Traces/smb/smb1_transaction2_request.pcap | Bin 0 -> 1568 bytes .../protocols/smb/smb1-transaction2-request.test | 12 ++++++++++++ 3 files changed, 13 insertions(+) create mode 100644 testing/btest/Baseline/scripts.base.protocols.smb.smb1-transaction2-request/.stdout create mode 100644 testing/btest/Traces/smb/smb1_transaction2_request.pcap create mode 100644 testing/btest/scripts/base/protocols/smb/smb1-transaction2-request.test diff --git a/testing/btest/Baseline/scripts.base.protocols.smb.smb1-transaction2-request/.stdout b/testing/btest/Baseline/scripts.base.protocols.smb.smb1-transaction2-request/.stdout new file mode 100644 index 0000000000..a31a286d1f --- /dev/null +++ b/testing/btest/Baseline/scripts.base.protocols.smb.smb1-transaction2-request/.stdout 
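Review bot: The test only covers one well-formed, hand-crafted secondary request (`some_params`/`some_data`), so it cannot catch a regression in the case this series is fixing: a header `param_count`/`data_count` larger than the bytes actually present. A second trace with a truncated parameter block, run through the same handler, would pin down whether the analyzer drops the message, raises a protocol violation or delivers a shortened `parameters` string. The `-C` flag is presumably needed because the crafted packets carry no valid checksums; a one-line comment, `# -C: crafted trace, checksums are not valid`, keeps someone from removing it later.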
@@ -0,0 +1 @@ +smb1_transaction2_request hdr: [command=50, status=0, flags=0, flags2=0, tid=47242, pid=1, uid=2017, mid=2], args: [total_param_count=13, total_data_count=0, max_param_count=0, max_data_count=0, max_setup_count=0, flags=0, trans_timeout=0, param_count=13, param_offset=69, data_count=0, data_offset=0, setup_count=1], sub_cmd: 5 diff --git a/testing/btest/Traces/smb/smb1_transaction2_request.pcap b/testing/btest/Traces/smb/smb1_transaction2_request.pcap new file mode 100644 index 0000000000000000000000000000000000000000..564579597ee6b17ce0967c2b74641841c3a011d5 GIT binary patch literal 1568 zcmbVMUr19?9RAMT%r$2->CbwQE?BUjmX4ty7*?!WrEF~>=pLpd=tBigQ;2Gip+yh% z*h>}$>0pF{ln;hcphZu)2qLBEJs%25A=mGB&hBu#`CtcrhjY(8=eysZb8h)x!$e4Tv|*mrntAk54d?*!gBUtXyxBL#r6{83N(9^D@ssEMVUpS0b?L(8zPRr5ROOAW zbayCvfpQ=kZ4NYf&qM>kaV0|{EgWy-EQv{hzzAV0f-dRjagbfxB&Khp>} zk&`h*q2x7zZ^arcOhcd|$F0Uwjd0t=_BLW%>+vDND)>Sj`nYZL;Y?CEgB;GolnN)H zJJCm<djMQJSbJtT-LRbxfPX8bkZI!lesM+yEM0< zz}!Jvyv*hf@*fBAa$G8}DjQqG)>12$w Date: Thu, 18 Jan 2018 17:46:51 +0100 Subject: [PATCH 10/11] add test for smb1_com_transaction2_secondary_request event changes --- .../.stdout | 1 + .../smb/smb1_transaction2_secondary_request.pcap | Bin 0 -> 1789 bytes .../smb/smb1-transaction2-secondary-request.test | 12 ++++++++++++ 3 files changed, 13 insertions(+) create mode 100644 testing/btest/Baseline/scripts.base.protocols.smb.smb1-transaction2-secondary-request/.stdout create mode 100644 testing/btest/Traces/smb/smb1_transaction2_secondary_request.pcap create mode 100644 testing/btest/scripts/base/protocols/smb/smb1-transaction2-secondary-request.test diff --git a/testing/btest/Baseline/scripts.base.protocols.smb.smb1-transaction2-secondary-request/.stdout b/testing/btest/Baseline/scripts.base.protocols.smb.smb1-transaction2-secondary-request/.stdout new file mode 100644 index 0000000000..7be34af9ea --- /dev/null +++ b/testing/btest/Baseline/scripts.base.protocols.smb.smb1-transaction2-secondary-request/.stdout 
@@ -0,0 +1 @@ +smb1_transaction2_secondary_request hdr: [command=51, status=0, flags=0, flags2=0, tid=29550, pid=1, uid=25541, mid=2], args: [total_param_count=11, total_data_count=9, param_count=11, param_offset=54, param_displacement=9, data_count=9, data_offset=68, data_displacement=11, FID=65535], params: some_params, data: some_data diff --git a/testing/btest/Traces/smb/smb1_transaction2_secondary_request.pcap b/testing/btest/Traces/smb/smb1_transaction2_secondary_request.pcap new file mode 100644 index 0000000000000000000000000000000000000000..923b9e0bbc191ea370128dd25277070fd54d6e43 GIT binary patch literal 1789 zcmbVMT}V@57=F*$R<1St>1H?4ffh)_oO2imhF1QpoSoW2uthtyg$8PPH2cTASO#7s z-gp<*O$~O@kA#5|s3bukC3Kb9O<-LJg)$>Mz3=z!tnHk{?>Xl?&v~Ec`Q9x| zKN%Cj3VLW7fPfdVH__JUodT%Dn)3Cpsg=dlVv5!Rr~@daZ8clguf2Q-0;ZT=5GHjL zS(ISM21mJ$C{_4?lE2Tf7|K4xK$MBggg{8bWO`x9ZT*Owg=k4K`S~<}Xw}|RKZRfa zqaOj$mgFJ{29|k0POlx>5uVb->QshRqk$DiaY^uC3||8%(?Y?6-Bh_~$qiCZ1lSH@ zb69E$N?uR7kIA_UKdj4X5~4IAkPsClXRZ)Sh~}4zlF77#w?FT*!#%u7X+jxJhzzCp zuPCl$avGh(h-cd$wA8RW*@d@X3}Er07S>vNAi$~xVB>o~G)_%CzIykaFryVnP%+>h zJuox+G>qpV1Yz8GgjFF3&>mC2dlBvoqu$a@zvTvmi%Vu64k3M5HvKJmQ|E ze;7RDDCpS-JVO{ah_p(Ti%8}MC+*ZA3T+Nw=7~NOHoV>qvZAUDC+k8;v!%T=*43v< zevdb=w&Lud^#YUtL?SJLX5Z0BKtALKT$mWo>KxFIdnirbbtf#$yRv-mYysRnF1u25 zt0Ala>a#Qk(UiOpVD_8{7HUI)o!Q?KmI?gKC@qUjV!o-3G>aFDbcXP(koDnkT z)&MuBCFX=a{3NBxoOW)`dX>Q(j)LaAdci1E6RTcU8W+xriA%gT6Sw!g6WZ`yN|U&) z2`dw~-XQJ>ZeAmC?+>%jda`Zw=Zo8^=80=#oI>2v2EZcqPMdZ$3kziRpw4 w8~8K^iD3nGX$YO6-2rxRpdohr9mY!2@E=<3>WH7YsB|kGH2>@>rt~Pk0Ytv_Z~y=R literal 0 HcmV?d00001 diff --git a/testing/btest/scripts/base/protocols/smb/smb1-transaction2-secondary-request.test b/testing/btest/scripts/base/protocols/smb/smb1-transaction2-secondary-request.test new file mode 100644 index 0000000000..48c7f8c197 --- /dev/null +++ b/testing/btest/scripts/base/protocols/smb/smb1-transaction2-secondary-request.test 
@@ -0,0 +1,12 @@ +#@TEST-EXEC: bro -b -C -r $TRACES/smb/smb1_transaction2_secondary_request.pcap %INPUT +#@TEST-EXEC: btest-diff .stdout + +@load base/protocols/smb +@load policy/protocols/smb + +# Check that smb1_transaction2_secondary requests are parsed correctly + +event smb1_transaction2_secondary_request(c: connection, hdr: SMB1::Header, args: SMB1::Trans2_Sec_Args, parameters: string, data: string) +{ + print fmt("smb1_transaction2_secondary_request hdr: %s, args: %s, params: %s, data: %s", hdr, args, parameters, data); +} From 015eec8c71a0dc422a2e981d0d90a2d94b1600d1 Mon Sep 17 00:00:00 2001 From: Jeffrey Bencteux Date: Fri, 19 Jan 2018 17:06:37 +0100 Subject: [PATCH 11/11] add test for smb1_com_transaction_response event changes --- .../.stdout | 1 + .../Traces/smb/smb1_transaction_response.pcap | Bin 0 -> 1748 bytes .../protocols/smb/smb1-transaction-response.test | 12 ++++++++++++ 3 files changed, 13 insertions(+) create mode 100644 testing/btest/Baseline/scripts.base.protocols.smb.smb1-transaction-response/.stdout create mode 100644 testing/btest/Traces/smb/smb1_transaction_response.pcap create mode 100644 testing/btest/scripts/base/protocols/smb/smb1-transaction-response.test diff --git a/testing/btest/Baseline/scripts.base.protocols.smb.smb1-transaction-response/.stdout b/testing/btest/Baseline/scripts.base.protocols.smb.smb1-transaction-response/.stdout new file mode 100644 index 0000000000..f4d00733bf --- /dev/null +++ b/testing/btest/Baseline/scripts.base.protocols.smb.smb1-transaction-response/.stdout @@ -0,0 +1 @@ +smb1_transaction_response hdr: [command=37, status=0, flags=128, flags2=0, tid=41669, pid=1, uid=17768, mid=2], params: some_params, data: some_data 
diff --git a/testing/btest/Traces/smb/smb1_transaction_response.pcap b/testing/btest/Traces/smb/smb1_transaction_response.pcap new file mode 100644 index 0000000000000000000000000000000000000000..c28689b76cc478bb2051fdf4d40efdbc31d4ea94 GIT binary patch literal 1748 zcmbVNT}TvB6h1RM{tT;TKJ81}L?#lp>auJgMQgQfTe%JGhF}Xh{(zg=%8sQJ(V_$v z^kC$pLd;VEocoy%r*+>#YXaVZe^jN1TejcC*16t!GbZ7igo2v7oIB&M8d zQtCYQUMA-}emEzmO^9lLAqg>b#UeyEqWRSFOlCB|>Azi*;64sg*ic6NMGU3npD3nD8T-1P&Hi-oef4Y&E~|Vj%2^C_&jxa zZ3*uVS}#BaKs??Yj(AVT!|IVrz>0}cTVDieTti{=F6A#~-tDz`w}6XhRM+&o|g_bD*?KKA~=YK06R=>eos9_wVpN&8SnS_AVyixg^I}X*3Fq&Ty$-EUBj0azmcktzq_7EoBTKo`BDjhcwyQ|_1O6VcL`}+R);B8) VWhWfKDH&fF_PQcfe0Vn@_XoA~=Dh#_ literal 0 HcmV?d00001 diff --git a/testing/btest/scripts/base/protocols/smb/smb1-transaction-response.test b/testing/btest/scripts/base/protocols/smb/smb1-transaction-response.test new file mode 100644 index 0000000000..ef00ed3772 --- /dev/null +++ b/testing/btest/scripts/base/protocols/smb/smb1-transaction-response.test @@ -0,0 +1,12 @@ +#@TEST-EXEC: bro -b -C -r $TRACES/smb/smb1_transaction_response.pcap %INPUT +#@TEST-EXEC: btest-diff .stdout + +@load base/protocols/smb +@load policy/protocols/smb + +# Check that smb1_transaction_response requests are parsed correctly + +event smb1_transaction_response(c: connection, hdr: SMB1::Header, parameters: string, data: string) +{ + print fmt("smb1_transaction_response hdr: %s, params: %s, data: %s", hdr, parameters, data); +}
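Review bot: The comment `# Check that smb1_transaction_response requests are parsed correctly` is a copy-paste from the request tests; this trace carries a response (the baseline header shows `flags=128`, which looks like the reply bit), so `# Check that smb1_transaction_response messages are parsed correctly`. Responses come from the server side, the direction a malicious share would use, so this is also the test worth extending with an oversized `data_count` to make sure a server cannot push the analyzer past the bytes it actually received. As with the sibling tests, a short comment on why `-C` is required would help.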