diff --git a/scripts/base/init-bare.bro b/scripts/base/init-bare.bro index a898ceb88c..b8ebb9677e 100644 --- a/scripts/base/init-bare.bro +++ b/scripts/base/init-bare.bro @@ -2535,6 +2535,13 @@ export { ## The time when the file was last modified. changed : time &log; } &log; + + ## A set of file names used as named pipes over SMB. This + ## only comes into play as a heuristic to identify named + ## pipes when the drive mapping wasn't seen by Bro. + ## + ## .. bro:see::smb_pipe_connect_heuristic + const SMB::pipe_filenames: set[string] &redef; } module SMB1; diff --git a/scripts/base/protocols/dce-rpc/main.bro b/scripts/base/protocols/dce-rpc/main.bro index 5ec5ded2d8..c0e36624d2 100644 --- a/scripts/base/protocols/dce-rpc/main.bro +++ b/scripts/base/protocols/dce-rpc/main.bro @@ -160,7 +160,8 @@ event dce_rpc_response(c: connection, fid: count, opnum: count, stub_len: count) { # If there is not an endpoint, there isn't much reason to log. # This can happen if the request isn't seen. - if ( (c$dce_rpc?$endpoint && c$dce_rpc$endpoint !in ignored_operations) + if ( (c$dce_rpc?$endpoint && c$dce_rpc?$operation && + c$dce_rpc$endpoint !in ignored_operations) || (c$dce_rpc?$endpoint && c$dce_rpc?$operation && c$dce_rpc$operation !in ignored_operations[c$dce_rpc$endpoint] && @@ -195,7 +196,8 @@ event connection_state_remove(c: connection) } } - if ( (c$dce_rpc?$endpoint && c$dce_rpc$endpoint !in ignored_operations) + if ( (c$dce_rpc?$endpoint && c$dce_rpc?$operation && + c$dce_rpc$endpoint !in ignored_operations) || (c$dce_rpc?$endpoint && c$dce_rpc?$operation && c$dce_rpc$operation !in ignored_operations[c$dce_rpc$endpoint] && diff --git a/scripts/base/protocols/smb/consts.bro b/scripts/base/protocols/smb/consts.bro index 86c470024c..b74b75fb37 100644 --- a/scripts/base/protocols/smb/consts.bro +++ b/scripts/base/protocols/smb/consts.bro @@ -10,20 +10,18 @@ export { [0x00000000] = [$id="SUCCESS", $desc="The operation completed successfully."], } &redef &default=function(i: count):StatusCode { local unknown=fmt("unknown-%d", i); return [$id=unknown, $desc=unknown]; }; - ## These are files names that are used for special - ## cases by the file system and would not be - ## considered "normal" files. - const pipe_names: set[string] = { - "\\netdfs", - "\\spoolss", - "\\NETLOGON", - "\\winreg", - "\\lsarpc", - "\\samr", - "\\srvsvc", + ## Heuristic detection of named pipes when the pipe + ## mapping isn't seen. This variable is defined in + ## init-bare.bro. + redef SMB::pipe_filenames = { + "spoolss", + "winreg", + "samr", "srvsvc", + "netdfs", + "lsarpc", + "wkssvc", "MsFteWds", - "\\wkssvc", }; ## The UUIDs used by the various RPC endpoints diff --git a/scripts/policy/protocols/smb/main.bro b/scripts/policy/protocols/smb/main.bro index 0399e92a9a..61a2548f6c 100644 --- a/scripts/policy/protocols/smb/main.bro +++ b/scripts/policy/protocols/smb/main.bro @@ -28,11 +28,6 @@ export { PRINT_WRITE, PRINT_OPEN, PRINT_CLOSE, - - UNKNOWN_READ, - UNKNOWN_WRITE, - UNKNOWN_OPEN, - UNKNOWN_CLOSE, }; ## The file actions which are logged. @@ -43,8 +38,6 @@ export { PRINT_OPEN, PRINT_CLOSE, - - UNKNOWN_OPEN, } &redef; ## The server response statuses which are *not* logged. @@ -225,7 +218,6 @@ function write_file_log(state: State) { local f = state$current_file; if ( f?$name && - f$name !in pipe_names && f$action in logged_file_actions ) { # Everything in this if statement is to avoid overlogging @@ -252,6 +244,12 @@ function write_file_log(state: State) } } +event smb_pipe_connect_heuristic(c: connection) &priority=5 + { + c$smb_state$current_tree$path = ""; + c$smb_state$current_tree$share_type = "PIPE"; + } + event file_state_remove(f: fa_file) &priority=-5 { if ( f$source != "SMB" ) diff --git a/scripts/policy/protocols/smb/smb1-main.bro b/scripts/policy/protocols/smb/smb1-main.bro index c1b8ead509..3e7f43cf45 100644 --- a/scripts/policy/protocols/smb/smb1-main.bro +++ b/scripts/policy/protocols/smb/smb1-main.bro @@ -108,11 +108,6 @@ event smb1_negotiate_response(c: connection, hdr: SMB1::Header, response: SMB1:: event smb1_negotiate_response(c: connection, hdr: SMB1::Header, response: SMB1::NegotiateResponse) &priority=-5 { - if ( SMB::write_cmd_log && - c$smb_state$current_cmd$status !in SMB::ignored_command_statuses ) - { - Log::write(SMB::CMD_LOG, c$smb_state$current_cmd); - } } event smb1_tree_connect_andx_request(c: connection, hdr: SMB1::Header, path: string, service: string) &priority=5 @@ -141,12 +136,6 @@ event smb1_tree_connect_andx_response(c: connection, hdr: SMB1::Header, service: event smb1_tree_connect_andx_response(c: connection, hdr: SMB1::Header, service: string, native_file_system: string) &priority=-5 { Log::write(SMB::MAPPING_LOG, c$smb_state$current_tree); - - if ( SMB::write_cmd_log && - c$smb_state$current_cmd$status !in SMB::ignored_command_statuses ) - { - Log::write(SMB::CMD_LOG, c$smb_state$current_cmd); - } } event smb1_nt_create_andx_request(c: connection, hdr: SMB1::Header, name: string) &priority=5 @@ -192,17 +181,7 @@ event smb1_read_andx_request(c: connection, hdr: SMB1::Header, file_id: count, o if ( c$smb_state$current_tree?$path && !c$smb_state$current_file?$path ) c$smb_state$current_file$path = c$smb_state$current_tree$path; - # We don't even try to log reads and writes to the files log. - #write_file_log(c$smb_state); - } - -event smb1_read_andx_response(c: connection, hdr: SMB1::Header, data_len: count) &priority=5 - { - if ( SMB::write_cmd_log && - c$smb_state$current_cmd$status !in SMB::ignored_command_statuses ) - { - Log::write(SMB::CMD_LOG, c$smb_state$current_cmd); - } + SMB::write_file_log(c$smb_state); } event smb1_write_andx_request(c: connection, hdr: SMB1::Header, file_id: count, offset: count, data_len: count) &priority=5 @@ -281,11 +260,7 @@ event smb1_session_setup_andx_request(c: connection, hdr: SMB1::Header, request: event smb1_session_setup_andx_response(c: connection, hdr: SMB1::Header, response: SMB1::SessionSetupAndXResponse) &priority=-5 { - if ( SMB::write_cmd_log && - c$smb_state$current_cmd$status !in SMB::ignored_command_statuses ) - { - Log::write(SMB::CMD_LOG, c$smb_state$current_cmd); - } + # No behavior yet. } event smb1_transaction_request(c: connection, hdr: SMB1::Header, name: string, sub_cmd: count) diff --git a/scripts/policy/protocols/smb/smb2-main.bro b/scripts/policy/protocols/smb/smb2-main.bro index 31b3abf0db..041813b99e 100644 --- a/scripts/policy/protocols/smb/smb2-main.bro +++ b/scripts/policy/protocols/smb/smb2-main.bro @@ -101,13 +101,9 @@ event smb2_negotiate_response(c: connection, hdr: SMB2::Header, response: SMB2:: event smb2_negotiate_response(c: connection, hdr: SMB2::Header, response: SMB2::NegotiateResponse) &priority=5 { - if ( SMB::write_cmd_log && - c$smb_state$current_cmd$status !in SMB::ignored_command_statuses ) - { - Log::write(SMB::CMD_LOG, c$smb_state$current_cmd); - } + # No behavior yet. } - + event smb2_tree_connect_request(c: connection, hdr: SMB2::Header, path: string) &priority=5 { c$smb_state$current_tree$path = path; @@ -142,7 +138,6 @@ event smb2_create_request(c: connection, hdr: SMB2::Header, name: string) &prior c$smb_state$current_file$action = SMB::PRINT_OPEN; break; default: - #c$smb_state$current_file$action = SMB::UNKNOWN_OPEN; c$smb_state$current_file$action = SMB::FILE_OPEN; break; } @@ -150,6 +145,8 @@ event smb2_create_request(c: connection, hdr: SMB2::Header, name: string) &prior event smb2_create_response(c: connection, hdr: SMB2::Header, file_id: SMB2::GUID, file_size: count, times: SMB::MACTimes, attrs: SMB2::FileAttrs) &priority=5 { + SMB::set_current_file(c$smb_state, file_id$persistent+file_id$volatile); + c$smb_state$current_file$fid = file_id$persistent+file_id$volatile; c$smb_state$current_file$size = file_size; @@ -188,13 +185,14 @@ event smb2_read_request(c: connection, hdr: SMB2::Header, file_id: SMB2::GUID, o c$smb_state$current_file$action = SMB::PRINT_READ; break; default: - c$smb_state$current_file$action = SMB::FILE_OPEN; + c$smb_state$current_file$action = SMB::FILE_READ; break; } } event smb2_read_request(c: connection, hdr: SMB2::Header, file_id: SMB2::GUID, offset: count, length: count) &priority=-5 { + SMB::write_file_log(c$smb_state); } event smb2_write_request(c: connection, hdr: SMB2::Header, file_id: SMB2::GUID, offset: count, length: count) &priority=5 @@ -213,7 +211,6 @@ event smb2_write_request(c: connection, hdr: SMB2::Header, file_id: SMB2::GUID, c$smb_state$current_file$action = SMB::PRINT_WRITE; break; default: - #c$smb_state$current_file$action = SMB::UNKNOWN_WRITE; c$smb_state$current_file$action = SMB::FILE_WRITE; break; } @@ -221,6 +218,7 @@ event smb2_write_request(c: connection, hdr: SMB2::Header, file_id: SMB2::GUID, event smb2_write_request(c: connection, hdr: SMB2::Header, file_id: SMB2::GUID, offset: count, length: count) &priority=-5 { + SMB::write_file_log(c$smb_state); } event smb2_file_rename(c: connection, hdr: SMB2::Header, file_id: SMB2::GUID, dst_filename: string) &priority=5 @@ -254,7 +252,9 @@ event smb2_file_delete(c: connection, hdr: SMB2::Header, file_id: SMB2::GUID, de if ( ! delete_pending ) { - print "huh..."; + # This is weird beause it would mean that someone didn't + # set the delete bit in a delete request. + return; } switch ( c$smb_state$current_tree$share_type ) @@ -289,7 +289,6 @@ event smb2_close_request(c: connection, hdr: SMB2::Header, file_id: SMB2::GUID) c$smb_state$current_file$action = SMB::PRINT_CLOSE; break; default: - #c$smb_state$current_file$action = SMB::UNKNOWN_CLOSE; c$smb_state$current_file$action = SMB::FILE_CLOSE; break; } diff --git a/src/analyzer/protocol/smb/CMakeLists.txt b/src/analyzer/protocol/smb/CMakeLists.txt index 2ea745d51d..844eca4cd4 100644 --- a/src/analyzer/protocol/smb/CMakeLists.txt +++ b/src/analyzer/protocol/smb/CMakeLists.txt @@ -37,6 +37,9 @@ bro_plugin_bif( smb2_com_write.bif smb2_events.bif + events.bif + consts.bif + types.bif) bro_plugin_pac( smb.pac diff --git a/src/analyzer/protocol/smb/SMB.cc b/src/analyzer/protocol/smb/SMB.cc index da202f5269..d886421906 100644 --- a/src/analyzer/protocol/smb/SMB.cc +++ b/src/analyzer/protocol/smb/SMB.cc @@ -10,7 +10,8 @@ SMB_Analyzer::SMB_Analyzer(Connection *conn) : tcp::TCP_ApplicationAnalyzer("SMB", conn) { chunks=0; - interp=0; + interp = new binpac::SMB::SMB_Conn(this); + need_sync=true; } SMB_Analyzer::~SMB_Analyzer() @@ -54,24 +55,28 @@ bool SMB_Analyzer::HasSMBHeader(int len, const u_char* data) strncmp((const char*) data+4, "\xfeSMB", 4) == 0); } +void SMB_Analyzer::NeedResync() + { + interp->upflow()->flow_buffer()->DiscardData(); + interp->downflow()->flow_buffer()->DiscardData(); + need_sync=true; + } + void SMB_Analyzer::DeliverStream(int len, const u_char* data, bool orig) { TCP_ApplicationAnalyzer::DeliverStream(len, data, orig); assert(TCP()); - // Either instantiate an interpreter or bail. - if ( ! interp ) - { - if ( HasSMBHeader(len, data) ) - interp = new binpac::SMB::SMB_Conn(this); - else - return; - } + // It we need to resync and we don't have an SMB header, bail! + if ( need_sync && ! HasSMBHeader(len, data) ) + return; + else + need_sync=false; try { - // If we get here, it means we have an interpreter. + // If we get here, it means we have an SMB header in the message. interp->NewData(orig, data, data + len); // Let's assume that if there are no binpac exceptions after diff --git a/src/analyzer/protocol/smb/SMB.h b/src/analyzer/protocol/smb/SMB.h index 2edeecf506..ea9ec2e6a5 100644 --- a/src/analyzer/protocol/smb/SMB.h +++ b/src/analyzer/protocol/smb/SMB.h @@ -17,10 +17,7 @@ public: void EndpointEOF(bool is_orig) override; bool HasSMBHeader(int len, const u_char* data); - void NeedResync() { - delete interp; - interp = 0; - } + void NeedResync(); static analyzer::Analyzer* Instantiate(Connection* conn) { return new SMB_Analyzer(conn); } @@ -31,6 +28,8 @@ protected: // Count the number of chunks received by the analyzer // but only used to count the first few. uint8 chunks; + + bool need_sync; }; } } // namespace analyzer::* diff --git a/src/analyzer/protocol/smb/consts.bif b/src/analyzer/protocol/smb/consts.bif new file mode 100644 index 0000000000..321875b43d --- /dev/null +++ b/src/analyzer/protocol/smb/consts.bif @@ -0,0 +1 @@ +const SMB::pipe_filenames: string_set; \ No newline at end of file diff --git a/src/analyzer/protocol/smb/events.bif b/src/analyzer/protocol/smb/events.bif new file mode 100644 index 0000000000..0ecf6e91c7 --- /dev/null +++ b/src/analyzer/protocol/smb/events.bif @@ -0,0 +1,10 @@ +## Generated for :abbr:`SMB (Server Message Block)` connections when a +## named pipe has been detected heuristically. The case when this comes +## up is when the drive mapping isn't seen so the analyzer is not able +## to determine whether to send the data to the files framework or to +## the DCE_RPC analyzer. This heuristic can be tuned by adding or +## removing "named pipe" names from the :bro:see:`SMB::pipe_filenames` +## const. +## +## c: The connection. +event smb_pipe_connect_heuristic%(c: connection%); diff --git a/src/analyzer/protocol/smb/smb-pipe.pac b/src/analyzer/protocol/smb/smb-pipe.pac index 5c32f1f17c..bcc910e19a 100644 --- a/src/analyzer/protocol/smb/smb-pipe.pac +++ b/src/analyzer/protocol/smb/smb-pipe.pac @@ -5,7 +5,7 @@ refine connection SMB_Conn += { %member{ map tree_is_pipe_map; - map fid_to_analyzer_map;; + map fid_to_analyzer_map; %} %cleanup{ @@ -20,13 +20,9 @@ refine connection SMB_Conn += { } %} - function get_tree_is_pipe(tree_id: uint16): bool %{ - if ( tree_is_pipe_map.count(tree_id) > 0 ) - return tree_is_pipe_map.at(tree_id); - else - return false; + return ( tree_is_pipe_map.count(tree_id) > 0 ); %} function set_tree_is_pipe(tree_id: uint16, is_pipe: bool): bool diff --git a/src/analyzer/protocol/smb/smb.pac b/src/analyzer/protocol/smb/smb.pac index e0dffd2484..cdb0f04236 100644 --- a/src/analyzer/protocol/smb/smb.pac +++ b/src/analyzer/protocol/smb/smb.pac @@ -9,6 +9,8 @@ #include "smb2_events.bif.h" #include "types.bif.h" +#include "events.bif.h" +#include "consts.bif.h" #include "smb1_com_check_directory.bif.h" #include "smb1_com_close.bif.h" diff --git a/src/analyzer/protocol/smb/smb1-com-close.pac b/src/analyzer/protocol/smb/smb1-com-close.pac index 4aa6c5c3a0..092f8f4020 100644 --- a/src/analyzer/protocol/smb/smb1-com-close.pac +++ b/src/analyzer/protocol/smb/smb1-com-close.pac @@ -8,14 +8,8 @@ refine connection SMB_Conn += { BuildHeaderVal(h), ${val.file_id}); - // This is commented out for the moment because it caused problems - // with extraction because the file kept having the same name due - // to repeatedly having the same file uid. This results in files - // effectively falling of SMB solely by expiration instead of - // manually being closed. - - //file_mgr->EndOfFile(bro_analyzer()->GetAnalyzerTag(), - // bro_analyzer()->Conn(), h->is_orig()); + file_mgr->EndOfFile(bro_analyzer()->GetAnalyzerTag(), + bro_analyzer()->Conn(), h->is_orig()); return true; %} diff --git a/src/analyzer/protocol/smb/smb1-com-nt-create-andx.pac b/src/analyzer/protocol/smb/smb1-com-nt-create-andx.pac index 36a583696e..d71086a44b 100644 --- a/src/analyzer/protocol/smb/smb1-com-nt-create-andx.pac +++ b/src/analyzer/protocol/smb/smb1-com-nt-create-andx.pac @@ -1,13 +1,27 @@ refine connection SMB_Conn += { function proc_smb1_nt_create_andx_request(header: SMB_Header, val: SMB1_nt_create_andx_request): bool %{ + StringVal *filename = smb_string2stringval(${val.filename}); + if ( ! ${header.is_pipe} && + BifConst::SMB::pipe_filenames->AsTable()->Lookup(filename->CheckString()) ) + { + set_tree_is_pipe(${header.tid}, true); + BifEvent::generate_smb_pipe_connect_heuristic(bro_analyzer(), + bro_analyzer()->Conn()); + } + if ( smb1_nt_create_andx_request ) { BifEvent::generate_smb1_nt_create_andx_request(bro_analyzer(), bro_analyzer()->Conn(), BuildHeaderVal(header), - smb_string2stringval(${val.filename})); + filename); } + else + { + delete filename; + } + return true; %} @@ -26,14 +40,6 @@ refine connection SMB_Conn += { ${val.last_change_time})); } - if ( ${val.end_of_file} > 0 ) - { - //file_mgr->SetSize(${val.end_of_file}, - // bro_analyzer()->GetAnalyzerTag(), - // bro_analyzer()->Conn(), - // header->is_orig()); - } - return true; %} diff --git a/src/analyzer/protocol/smb/smb1-com-read-andx.pac b/src/analyzer/protocol/smb/smb1-com-read-andx.pac index 89e367206d..712ad8948b 100644 --- a/src/analyzer/protocol/smb/smb1-com-read-andx.pac +++ b/src/analyzer/protocol/smb/smb1-com-read-andx.pac @@ -28,7 +28,7 @@ refine connection SMB_Conn += { BuildHeaderVal(h), ${val.data_len}); - if ( ! ${val.is_pipe} && ${val.data_len} > 0 ) + if ( ! ${h.is_pipe} && ${val.data_len} > 0 ) { uint64 offset = read_offsets[${h.mid}]; read_offsets.erase(${h.mid}); @@ -93,8 +93,7 @@ type SMB1_read_andx_response(header: SMB_Header, offset: uint16) = record { andx_command : SMB_andx_command(header, 0, offset+offsetof(andx_command), andx.command); } &let { - is_pipe : bool = $context.connection.get_tree_is_pipe(header.tid); - pipe_proc : bool = $context.connection.forward_dce_rpc(data, 0, false) &if(is_pipe); + pipe_proc : bool = $context.connection.forward_dce_rpc(data, 0, false) &if(header.is_pipe); padding_len : uint8 = (header.unicode == 1) ? 1 : 0; data_len : uint32 = (data_len_high << 16) + data_len_low; diff --git a/src/analyzer/protocol/smb/smb1-com-write-andx.pac b/src/analyzer/protocol/smb/smb1-com-write-andx.pac index 79d36c52b5..8b4eed7056 100644 --- a/src/analyzer/protocol/smb/smb1-com-write-andx.pac +++ b/src/analyzer/protocol/smb/smb1-com-write-andx.pac @@ -10,7 +10,7 @@ refine connection SMB_Conn += { ${val.write_offset}, ${val.data_len}); - if ( ! ${val.is_pipe} && ${val.data}.length() > 0 ) + if ( ! ${h.is_pipe} && ${val.data}.length() > 0 ) { file_mgr->DataIn(${val.data}.begin(), ${val.data}.length(), ${val.write_offset}, @@ -58,8 +58,7 @@ type SMB1_write_andx_request(header: SMB_Header, offset: uint16) = record { andx_command : SMB_andx_command(header, 1, offset+offsetof(andx_command), andx.command); } &let { - is_pipe : bool = $context.connection.get_tree_is_pipe(header.tid); - pipe_proc : bool = $context.connection.forward_dce_rpc(data, 0, true) &if(is_pipe); + pipe_proc : bool = $context.connection.forward_dce_rpc(data, 0, true) &if(header.is_pipe); data_len : uint32 = (data_len_high << 16) + data_len_low; offset_high : uint32 = (word_count == 0x0E) ? offset_high_tmp : 0; diff --git a/src/analyzer/protocol/smb/smb1-protocol.pac b/src/analyzer/protocol/smb/smb1-protocol.pac index b7ad6af140..985e67c068 100644 --- a/src/analyzer/protocol/smb/smb1-protocol.pac +++ b/src/analyzer/protocol/smb/smb1-protocol.pac @@ -298,7 +298,8 @@ type SMB_Header(is_orig: bool) = record { err_status_type = (flags2 >> 14) & 1; unicode = (flags2 >> 15) & 1; pid = (pid_high * 0x10000) + pid_low; - proc : bool = $context.connection.proc_smb_message(this, is_orig); + is_pipe: bool = $context.connection.get_tree_is_pipe(tid); + proc : bool = $context.connection.proc_smb_message(this, is_orig); } &byteorder=littleendian; # TODO: compute this as diff --git a/src/analyzer/protocol/smb/smb2-com-close.pac b/src/analyzer/protocol/smb/smb2-com-close.pac index bb3b1bab49..0c90897d84 100644 --- a/src/analyzer/protocol/smb/smb2-com-close.pac +++ b/src/analyzer/protocol/smb/smb2-com-close.pac @@ -10,6 +10,9 @@ refine connection SMB_Conn += { BuildSMB2GUID(${val.file_id})); } + file_mgr->EndOfFile(bro_analyzer()->GetAnalyzerTag(), + bro_analyzer()->Conn(), h->is_orig()); + return true; %} diff --git a/src/analyzer/protocol/smb/smb2-com-create.pac b/src/analyzer/protocol/smb/smb2-com-create.pac index 0072e75adf..5e35d8e975 100644 --- a/src/analyzer/protocol/smb/smb2-com-create.pac +++ b/src/analyzer/protocol/smb/smb2-com-create.pac @@ -2,12 +2,25 @@ refine connection SMB_Conn += { function proc_smb2_create_request(h: SMB2_Header, val: SMB2_create_request): bool %{ + StringVal *filename = smb2_string2stringval(${val.filename}); + if ( ! ${h.is_pipe} && + BifConst::SMB::pipe_filenames->AsTable()->Lookup(filename->CheckString()) ) + { + set_tree_is_pipe(${h.tree_id}, true); + BifEvent::generate_smb_pipe_connect_heuristic(bro_analyzer(), + bro_analyzer()->Conn()); + } + if ( smb2_create_request ) { BifEvent::generate_smb2_create_request(bro_analyzer(), bro_analyzer()->Conn(), BuildSMB2HeaderVal(h), - smb2_string2stringval(${val.filename})); + filename); + } + else + { + delete filename; } return true; @@ -29,14 +42,6 @@ refine connection SMB_Conn += { smb2_file_attrs_to_bro(${val.file_attrs})); } - if ( ${val.eof} > 0 ) - { - //file_mgr->SetSize(${val.eof}, - // bro_analyzer()->GetAnalyzerTag(), - // bro_analyzer()->Conn(), - // h->is_orig()); - } - return true; %} }; diff --git a/src/analyzer/protocol/smb/smb2-com-read.pac b/src/analyzer/protocol/smb/smb2-com-read.pac index 1fa409a5f0..cf5d2ae065 100644 --- a/src/analyzer/protocol/smb/smb2-com-read.pac +++ b/src/analyzer/protocol/smb/smb2-com-read.pac @@ -42,7 +42,7 @@ refine connection SMB_Conn += { uint64 offset = smb2_read_offsets[${h.message_id}]; smb2_read_offsets.erase(${h.message_id}); - if ( ! ${val.is_pipe} && ${val.data_len} > 0 ) + if ( ! ${h.is_pipe} && ${val.data_len} > 0 ) { file_mgr->DataIn(${val.data}.begin(), ${val.data_len}, offset, bro_analyzer()->GetAnalyzerTag(), @@ -83,9 +83,8 @@ type SMB2_read_response(header: SMB2_Header) = record { pad : padding to data_offset - header.head_length; data : bytestring &length=data_len; } &let { - is_pipe : bool = $context.connection.get_tree_is_pipe(header.tree_id); fid : uint64 = $context.connection.get_file_id(header.message_id); - pipe_proc : bool = $context.connection.forward_dce_rpc(data, fid, false) &if(is_pipe); + pipe_proc : bool = $context.connection.forward_dce_rpc(data, fid, false) &if(header.is_pipe); proc: bool = $context.connection.proc_smb2_read_response(header, this); }; diff --git a/src/analyzer/protocol/smb/smb2-com-write.pac b/src/analyzer/protocol/smb/smb2-com-write.pac index f463afc767..177a3a84bd 100644 --- a/src/analyzer/protocol/smb/smb2-com-write.pac +++ b/src/analyzer/protocol/smb/smb2-com-write.pac @@ -12,7 +12,7 @@ refine connection SMB_Conn += { ${val.data_len}); } - if ( ! ${val.is_pipe} && ${val.data}.length() > 0 ) + if ( ! ${h.is_pipe} && ${val.data}.length() > 0 ) { file_mgr->DataIn(${val.data}.begin(), ${val.data_len}, ${val.offset}, bro_analyzer()->GetAnalyzerTag(), @@ -44,8 +44,7 @@ type SMB2_write_request(header: SMB2_Header) = record { pad : padding to data_offset - header.head_length; data : bytestring &length=data_len; } &let { - is_pipe: bool = $context.connection.get_tree_is_pipe(header.tree_id); - pipe_proc : bool = $context.connection.forward_dce_rpc(data, file_id.persistent+file_id._volatile, true) &if(is_pipe); + pipe_proc : bool = $context.connection.forward_dce_rpc(data, file_id.persistent+file_id._volatile, true) &if(header.is_pipe); proc : bool = $context.connection.proc_smb2_write_request(header, this); }; diff --git a/src/analyzer/protocol/smb/smb2-protocol.pac b/src/analyzer/protocol/smb/smb2-protocol.pac index 523ab3b890..dd31559126 100644 --- a/src/analyzer/protocol/smb/smb2-protocol.pac +++ b/src/analyzer/protocol/smb/smb2-protocol.pac @@ -35,10 +35,10 @@ type SMB2_PDU(is_orig: bool) = record { # Status 0 indicates success. In the case of a # request this should just happen to work out due to # how the fields are set. - 0 -> msg : SMB2_Message(header, is_orig); - STATUS_BUFFER_OVERFLOW -> buffer_overflow : SMB2_Message(header, is_orig); + 0 -> msg : SMB2_Message(header, is_orig); + STATUS_BUFFER_OVERFLOW -> buffer_overflow : SMB2_Message(header, is_orig); STATUS_MORE_PROCESSING_REQUIRED -> more_processing_required : SMB2_Message(header, is_orig); - default -> err : SMB2_error_response(header); + default -> err : SMB2_error_response(header); }; }; @@ -199,6 +199,7 @@ type SMB2_Header(is_orig: bool) = record { related = (flags >> 26) & 1; msigned = (flags >> 27) & 1; dfs = (flags) & 1; + is_pipe: bool = $context.connection.get_tree_is_pipe(tree_id); proc : bool = $context.connection.proc_smb2_message(this, is_orig); } &byteorder=littleendian; diff --git a/testing/btest/Baseline/scripts.base.protocols.smb.smb2/files.log b/testing/btest/Baseline/scripts.base.protocols.smb.smb2/files.log index 66e632e0cb..9dc925e4dc 100644 --- a/testing/btest/Baseline/scripts.base.protocols.smb.smb2/files.log +++ b/testing/btest/Baseline/scripts.base.protocols.smb.smb2/files.log @@ -3,8 +3,8 @@ #empty_field (empty) #unset_field - #path files -#open 2016-08-16-23-02-30 +#open 2016-10-27-17-16-27 #fields ts fuid tx_hosts rx_hosts conn_uids source depth analyzers mime_type filename duration local_orig is_orig seen_bytes total_bytes missing_bytes overflow_bytes timedout parent_fuid md5 sha1 sha256 extracted #types time string set[addr] set[addr] set[string] string count set[string] string string interval bool bool count count count count bool string string string string string -1323202695.515890 Fg6wjp3BAYahIGAEf7 10.0.0.11 10.0.0.12 CHhAvVGS1DHFjwGM9 SMB 0 (empty) application/pdf WP_SMBPlugin.pdf 0.073970 - T 1508939 - 0 0 T - - - - - -#close 2016-08-16-23-02-30 +1323202695.515890 Fg6wjp3BAYahIGAEf7 10.0.0.11 10.0.0.12 CHhAvVGS1DHFjwGM9 SMB 0 (empty) application/pdf WP_SMBPlugin.pdf 0.073970 - T 1508939 - 0 0 F - - - - - +#close 2016-10-27-17-16-27