Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-02 06:38:20 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

SMB fixes and cleanup.

Browse source 
SMB error handling improved. The analyzer isn't destroyed when a problem
is encoutered anymore.  The flowbuffer in the parser is now flushed and
the analyzer is set to resync against an SMB command.  This was needed
because there is some state about open files that is kept within the
parser itself which was being destroyed and that was causing analysis
after content gaps or parse errors to be faulty.  The new mechanism
doesn't detroy the parser so parsing after gaps is improved.

DCE_RPC handling in SMB is improved in the edge case where a drive
mapping isn't seen. There is a new const named SMB::pipe_filenames
which is used as a heuristic for identifying "files" opened on named
pipe shares.  If the share mapping type isn't known and a filename
in this set is found, the share type will change to "PIPE" by
generating an event named "smb_pipe_connect_heuristic".  Reads and
writes to that file will be sent to the DCE_RPC analyzer instead of
to the files framework.

The concept of "unknown" share types has been removed due to the new
heuristic detection of share types.

Some general clean up of how the SMB cmd log is written and when.
This commit is contained in:
Seth Hall 2016-10-31 13:35:47 -04:00
parent a836ece4e6
commit 4f3fe047f4
24 changed files with 126 additions and 125 deletions
Download patch file Download diff file Expand all files Collapse all files

7
scripts/base/init-bare.bro
View file

@ -2535,6 +2535,13 @@ export {
## The time when the file was last modified.
changed : time &log;
} &log;
## A set of file names used as named pipes over SMB. This
## only comes into play as a heuristic to identify named
## pipes when the drive mapping wasn't seen by Bro.
##
## .. bro:see::smb_pipe_connect_heuristic
const SMB::pipe_filenames: set[string] &redef;
}
module SMB1;

6
scripts/base/protocols/dce-rpc/main.bro
View file

@ -160,7 +160,8 @@ event dce_rpc_response(c: connection, fid: count, opnum: count, stub_len: count)
{
# If there is not an endpoint, there isn't much reason to log.
# This can happen if the request isn't seen.
if ( (c$dce_rpc?$endpoint && c$dce_rpc$endpoint !in ignored_operations)
if ( (c$dce_rpc?$endpoint && c$dce_rpc?$operation &&
c$dce_rpc$endpoint !in ignored_operations)
||
(c$dce_rpc?$endpoint && c$dce_rpc?$operation &&
c$dce_rpc$operation !in ignored_operations[c$dce_rpc$endpoint] &&
@ -195,7 +196,8 @@ event connection_state_remove(c: connection)
}
}
if ( (c$dce_rpc?$endpoint && c$dce_rpc$endpoint !in ignored_operations)
if ( (c$dce_rpc?$endpoint && c$dce_rpc?$operation &&
c$dce_rpc$endpoint !in ignored_operations)
||
(c$dce_rpc?$endpoint && c$dce_rpc?$operation &&
c$dce_rpc$operation !in ignored_operations[c$dce_rpc$endpoint] &&

22
scripts/base/protocols/smb/consts.bro
View file

@ -10,20 +10,18 @@ export {
[0x00000000] = [$id="SUCCESS", $desc="The operation completed successfully."],
} &redef &default=function(i: count):StatusCode { local unknown=fmt("unknown-%d", i); return [$id=unknown, $desc=unknown]; };
## These are files names that are used for special
## cases by the file system and would not be
## considered "normal" files.
const pipe_names: set[string] = {
"\\netdfs",
"\\spoolss",
"\\NETLOGON",
"\\winreg",
"\\lsarpc",
"\\samr",
"\\srvsvc",
## Heuristic detection of named pipes when the pipe
## mapping isn't seen. This variable is defined in
## init-bare.bro.
redef SMB::pipe_filenames = {
"spoolss",
"winreg",
"samr",
"srvsvc",
"netdfs",
"lsarpc",
"wkssvc",
"MsFteWds",
"\\wkssvc",
};
## The UUIDs used by the various RPC endpoints

14
scripts/policy/protocols/smb/main.bro
View file

@ -28,11 +28,6 @@ export {
PRINT_WRITE,
PRINT_OPEN,
PRINT_CLOSE,
UNKNOWN_READ,
UNKNOWN_WRITE,
UNKNOWN_OPEN,
UNKNOWN_CLOSE,
};
## The file actions which are logged.
@ -43,8 +38,6 @@ export {
PRINT_OPEN,
PRINT_CLOSE,
UNKNOWN_OPEN,
} &redef;
## The server response statuses which are *not* logged.
@ -225,7 +218,6 @@ function write_file_log(state: State)
{
local f = state$current_file;
if ( f?$name &&
f$name !in pipe_names &&
f$action in logged_file_actions )
{
# Everything in this if statement is to avoid overlogging
@ -252,6 +244,12 @@ function write_file_log(state: State)
}
}
event smb_pipe_connect_heuristic(c: connection) &priority=5
{
c$smb_state$current_tree$path = "<unknown>";
c$smb_state$current_tree$share_type = "PIPE";
}
event file_state_remove(f: fa_file) &priority=-5
{
if ( f$source != "SMB" )

29
scripts/policy/protocols/smb/smb1-main.bro
View file

@ -108,11 +108,6 @@ event smb1_negotiate_response(c: connection, hdr: SMB1::Header, response: SMB1::
event smb1_negotiate_response(c: connection, hdr: SMB1::Header, response: SMB1::NegotiateResponse) &priority=-5
{
if ( SMB::write_cmd_log &&
c$smb_state$current_cmd$status !in SMB::ignored_command_statuses )
{
Log::write(SMB::CMD_LOG, c$smb_state$current_cmd);
}
}
event smb1_tree_connect_andx_request(c: connection, hdr: SMB1::Header, path: string, service: string) &priority=5
@ -141,12 +136,6 @@ event smb1_tree_connect_andx_response(c: connection, hdr: SMB1::Header, service:
event smb1_tree_connect_andx_response(c: connection, hdr: SMB1::Header, service: string, native_file_system: string) &priority=-5
{
Log::write(SMB::MAPPING_LOG, c$smb_state$current_tree);
if ( SMB::write_cmd_log &&
c$smb_state$current_cmd$status !in SMB::ignored_command_statuses )
{
Log::write(SMB::CMD_LOG, c$smb_state$current_cmd);
}
}
event smb1_nt_create_andx_request(c: connection, hdr: SMB1::Header, name: string) &priority=5
@ -192,17 +181,7 @@ event smb1_read_andx_request(c: connection, hdr: SMB1::Header, file_id: count, o
if ( c$smb_state$current_tree?$path && !c$smb_state$current_file?$path )
c$smb_state$current_file$path = c$smb_state$current_tree$path;
# We don't even try to log reads and writes to the files log.
#write_file_log(c$smb_state);
}
event smb1_read_andx_response(c: connection, hdr: SMB1::Header, data_len: count) &priority=5
{
if ( SMB::write_cmd_log &&
c$smb_state$current_cmd$status !in SMB::ignored_command_statuses )
{
Log::write(SMB::CMD_LOG, c$smb_state$current_cmd);
}
SMB::write_file_log(c$smb_state);
}
event smb1_write_andx_request(c: connection, hdr: SMB1::Header, file_id: count, offset: count, data_len: count) &priority=5
@ -281,11 +260,7 @@ event smb1_session_setup_andx_request(c: connection, hdr: SMB1::Header, request:
event smb1_session_setup_andx_response(c: connection, hdr: SMB1::Header, response: SMB1::SessionSetupAndXResponse) &priority=-5
{
if ( SMB::write_cmd_log &&
c$smb_state$current_cmd$status !in SMB::ignored_command_statuses )
{
Log::write(SMB::CMD_LOG, c$smb_state$current_cmd);
}
# No behavior yet.
}
event smb1_transaction_request(c: connection, hdr: SMB1::Header, name: string, sub_cmd: count)

21
scripts/policy/protocols/smb/smb2-main.bro
View file

@ -101,13 +101,9 @@ event smb2_negotiate_response(c: connection, hdr: SMB2::Header, response: SMB2::
event smb2_negotiate_response(c: connection, hdr: SMB2::Header, response: SMB2::NegotiateResponse) &priority=5
{
if ( SMB::write_cmd_log &&
c$smb_state$current_cmd$status !in SMB::ignored_command_statuses )
{
Log::write(SMB::CMD_LOG, c$smb_state$current_cmd);
}
# No behavior yet.
}
event smb2_tree_connect_request(c: connection, hdr: SMB2::Header, path: string) &priority=5
{
c$smb_state$current_tree$path = path;
@ -142,7 +138,6 @@ event smb2_create_request(c: connection, hdr: SMB2::Header, name: string) &prior
c$smb_state$current_file$action = SMB::PRINT_OPEN;
break;
default:
#c$smb_state$current_file$action = SMB::UNKNOWN_OPEN;
c$smb_state$current_file$action = SMB::FILE_OPEN;
break;
}
@ -150,6 +145,8 @@ event smb2_create_request(c: connection, hdr: SMB2::Header, name: string) &prior
event smb2_create_response(c: connection, hdr: SMB2::Header, file_id: SMB2::GUID, file_size: count, times: SMB::MACTimes, attrs: SMB2::FileAttrs) &priority=5
{
SMB::set_current_file(c$smb_state, file_id$persistent+file_id$volatile);
c$smb_state$current_file$fid = file_id$persistent+file_id$volatile;
c$smb_state$current_file$size = file_size;
@ -188,13 +185,14 @@ event smb2_read_request(c: connection, hdr: SMB2::Header, file_id: SMB2::GUID, o
c$smb_state$current_file$action = SMB::PRINT_READ;
break;
default:
c$smb_state$current_file$action = SMB::FILE_OPEN;
c$smb_state$current_file$action = SMB::FILE_READ;
break;
}
}
event smb2_read_request(c: connection, hdr: SMB2::Header, file_id: SMB2::GUID, offset: count, length: count) &priority=-5
{
SMB::write_file_log(c$smb_state);
}
event smb2_write_request(c: connection, hdr: SMB2::Header, file_id: SMB2::GUID, offset: count, length: count) &priority=5
@ -213,7 +211,6 @@ event smb2_write_request(c: connection, hdr: SMB2::Header, file_id: SMB2::GUID,
c$smb_state$current_file$action = SMB::PRINT_WRITE;
break;
default:
#c$smb_state$current_file$action = SMB::UNKNOWN_WRITE;
c$smb_state$current_file$action = SMB::FILE_WRITE;
break;
}
@ -221,6 +218,7 @@ event smb2_write_request(c: connection, hdr: SMB2::Header, file_id: SMB2::GUID,
event smb2_write_request(c: connection, hdr: SMB2::Header, file_id: SMB2::GUID, offset: count, length: count) &priority=-5
{
SMB::write_file_log(c$smb_state);
}
event smb2_file_rename(c: connection, hdr: SMB2::Header, file_id: SMB2::GUID, dst_filename: string) &priority=5
@ -254,7 +252,9 @@ event smb2_file_delete(c: connection, hdr: SMB2::Header, file_id: SMB2::GUID, de
if ( ! delete_pending )
{
print "huh...";
# This is weird beause it would mean that someone didn't
# set the delete bit in a delete request.
return;
}
switch ( c$smb_state$current_tree$share_type )
@ -289,7 +289,6 @@ event smb2_close_request(c: connection, hdr: SMB2::Header, file_id: SMB2::GUID)
c$smb_state$current_file$action = SMB::PRINT_CLOSE;
break;
default:
#c$smb_state$current_file$action = SMB::UNKNOWN_CLOSE;
c$smb_state$current_file$action = SMB::FILE_CLOSE;
break;
}

3
src/analyzer/protocol/smb/CMakeLists.txt
View file

@ -37,6 +37,9 @@ bro_plugin_bif(
smb2_com_write.bif
smb2_events.bif
events.bif
consts.bif
types.bif)
bro_plugin_pac(
smb.pac

25
src/analyzer/protocol/smb/SMB.cc
View file

@ -10,7 +10,8 @@ SMB_Analyzer::SMB_Analyzer(Connection *conn)
: tcp::TCP_ApplicationAnalyzer("SMB", conn)
{
chunks=0;
interp=0;
interp = new binpac::SMB::SMB_Conn(this);
need_sync=true;
}
SMB_Analyzer::~SMB_Analyzer()
@ -54,24 +55,28 @@ bool SMB_Analyzer::HasSMBHeader(int len, const u_char* data)
strncmp((const char*) data+4, "\xfeSMB", 4) == 0);
}
void SMB_Analyzer::NeedResync()
{
interp->upflow()->flow_buffer()->DiscardData();
interp->downflow()->flow_buffer()->DiscardData();
need_sync=true;
}
void SMB_Analyzer::DeliverStream(int len, const u_char* data, bool orig)
{
TCP_ApplicationAnalyzer::DeliverStream(len, data, orig);
assert(TCP());
// Either instantiate an interpreter or bail.
if ( ! interp )
{
if ( HasSMBHeader(len, data) )
interp = new binpac::SMB::SMB_Conn(this);
else
return;
}
// It we need to resync and we don't have an SMB header, bail!
if ( need_sync && ! HasSMBHeader(len, data) )
return;
else
need_sync=false;
try
{
// If we get here, it means we have an interpreter.
// If we get here, it means we have an SMB header in the message.
interp->NewData(orig, data, data + len);
// Let's assume that if there are no binpac exceptions after

7
src/analyzer/protocol/smb/SMB.h
View file

@ -17,10 +17,7 @@ public:
void EndpointEOF(bool is_orig) override;
bool HasSMBHeader(int len, const u_char* data);
void NeedResync() {
delete interp;
interp = 0;
}
void NeedResync();
static analyzer::Analyzer* Instantiate(Connection* conn)
{ return new SMB_Analyzer(conn); }
@ -31,6 +28,8 @@ protected:
// Count the number of chunks received by the analyzer
// but only used to count the first few.
uint8 chunks;
bool need_sync;
};
} } // namespace analyzer::*

1
src/analyzer/protocol/smb/consts.bif Normal file
View file

@ -0,0 +1 @@
const SMB::pipe_filenames: string_set;

10
src/analyzer/protocol/smb/events.bif Normal file
View file

@ -0,0 +1,10 @@
## Generated for :abbr:`SMB (Server Message Block)` connections when a
## named pipe has been detected heuristically. The case when this comes
## up is when the drive mapping isn't seen so the analyzer is not able
## to determine whether to send the data to the files framework or to
## the DCE_RPC analyzer. This heuristic can be tuned by adding or
## removing "named pipe" names from the :bro:see:`SMB::pipe_filenames`
## const.
##
## c: The connection.
event smb_pipe_connect_heuristic%(c: connection%);

8
src/analyzer/protocol/smb/smb-pipe.pac
View file

@ -5,7 +5,7 @@
refine connection SMB_Conn += {
%member{
map<uint16,bool> tree_is_pipe_map;
map<uint64,analyzer::dce_rpc::DCE_RPC_Analyzer*> fid_to_analyzer_map;;
map<uint64,analyzer::dce_rpc::DCE_RPC_Analyzer*> fid_to_analyzer_map;
%}
%cleanup{
@ -20,13 +20,9 @@ refine connection SMB_Conn += {
}
%}
function get_tree_is_pipe(tree_id: uint16): bool
%{
if ( tree_is_pipe_map.count(tree_id) > 0 )
return tree_is_pipe_map.at(tree_id);
else
return false;
return ( tree_is_pipe_map.count(tree_id) > 0 );
%}
function set_tree_is_pipe(tree_id: uint16, is_pipe: bool): bool

2
src/analyzer/protocol/smb/smb.pac
View file

@ -9,6 +9,8 @@
#include "smb2_events.bif.h"
#include "types.bif.h"
#include "events.bif.h"
#include "consts.bif.h"
#include "smb1_com_check_directory.bif.h"
#include "smb1_com_close.bif.h"

10
src/analyzer/protocol/smb/smb1-com-close.pac
View file

@ -8,14 +8,8 @@ refine connection SMB_Conn += {
BuildHeaderVal(h),
${val.file_id});
// This is commented out for the moment because it caused problems
// with extraction because the file kept having the same name due
// to repeatedly having the same file uid. This results in files
// effectively falling of SMB solely by expiration instead of
// manually being closed.
//file_mgr->EndOfFile(bro_analyzer()->GetAnalyzerTag(),
// bro_analyzer()->Conn(), h->is_orig());
file_mgr->EndOfFile(bro_analyzer()->GetAnalyzerTag(),
bro_analyzer()->Conn(), h->is_orig());
return true;
%}

24
src/analyzer/protocol/smb/smb1-com-nt-create-andx.pac
View file

@ -1,13 +1,27 @@
refine connection SMB_Conn += {
function proc_smb1_nt_create_andx_request(header: SMB_Header, val: SMB1_nt_create_andx_request): bool
%{
StringVal *filename = smb_string2stringval(${val.filename});
if ( ! ${header.is_pipe} &&
BifConst::SMB::pipe_filenames->AsTable()->Lookup(filename->CheckString()) )
{
set_tree_is_pipe(${header.tid}, true);
BifEvent::generate_smb_pipe_connect_heuristic(bro_analyzer(),
bro_analyzer()->Conn());
}
if ( smb1_nt_create_andx_request )
{
BifEvent::generate_smb1_nt_create_andx_request(bro_analyzer(),
bro_analyzer()->Conn(),
BuildHeaderVal(header),
smb_string2stringval(${val.filename}));
filename);
}
else
{
delete filename;
}
return true;
%}
@ -26,14 +40,6 @@ refine connection SMB_Conn += {
${val.last_change_time}));
}
if ( ${val.end_of_file} > 0 )
{
//file_mgr->SetSize(${val.end_of_file},
// bro_analyzer()->GetAnalyzerTag(),
// bro_analyzer()->Conn(),
// header->is_orig());
}
return true;
%}

5
src/analyzer/protocol/smb/smb1-com-read-andx.pac
View file

@ -28,7 +28,7 @@ refine connection SMB_Conn += {
BuildHeaderVal(h),
${val.data_len});
if ( ! ${val.is_pipe} && ${val.data_len} > 0 )
if ( ! ${h.is_pipe} && ${val.data_len} > 0 )
{
uint64 offset = read_offsets[${h.mid}];
read_offsets.erase(${h.mid});
@ -93,8 +93,7 @@ type SMB1_read_andx_response(header: SMB_Header, offset: uint16) = record {
andx_command : SMB_andx_command(header, 0, offset+offsetof(andx_command), andx.command);
} &let {
is_pipe : bool = $context.connection.get_tree_is_pipe(header.tid);
pipe_proc : bool = $context.connection.forward_dce_rpc(data, 0, false) &if(is_pipe);
pipe_proc : bool = $context.connection.forward_dce_rpc(data, 0, false) &if(header.is_pipe);
padding_len : uint8 = (header.unicode == 1) ? 1 : 0;
data_len : uint32 = (data_len_high << 16) + data_len_low;

5
src/analyzer/protocol/smb/smb1-com-write-andx.pac
View file

@ -10,7 +10,7 @@ refine connection SMB_Conn += {
${val.write_offset},
${val.data_len});
if ( ! ${val.is_pipe} && ${val.data}.length() > 0 )
if ( ! ${h.is_pipe} && ${val.data}.length() > 0 )
{
file_mgr->DataIn(${val.data}.begin(), ${val.data}.length(),
${val.write_offset},
@ -58,8 +58,7 @@ type SMB1_write_andx_request(header: SMB_Header, offset: uint16) = record {
andx_command : SMB_andx_command(header, 1, offset+offsetof(andx_command), andx.command);
} &let {
is_pipe : bool = $context.connection.get_tree_is_pipe(header.tid);
pipe_proc : bool = $context.connection.forward_dce_rpc(data, 0, true) &if(is_pipe);
pipe_proc : bool = $context.connection.forward_dce_rpc(data, 0, true) &if(header.is_pipe);
data_len : uint32 = (data_len_high << 16) + data_len_low;
offset_high : uint32 = (word_count == 0x0E) ? offset_high_tmp : 0;

3
src/analyzer/protocol/smb/smb1-protocol.pac
View file

@ -298,7 +298,8 @@ type SMB_Header(is_orig: bool) = record {
err_status_type = (flags2 >> 14) & 1;
unicode = (flags2 >> 15) & 1;
pid = (pid_high * 0x10000) + pid_low;
proc : bool = $context.connection.proc_smb_message(this, is_orig);
is_pipe: bool = $context.connection.get_tree_is_pipe(tid);
proc : bool = $context.connection.proc_smb_message(this, is_orig);
} &byteorder=littleendian;
# TODO: compute this as

3
src/analyzer/protocol/smb/smb2-com-close.pac
View file

@ -10,6 +10,9 @@ refine connection SMB_Conn += {
BuildSMB2GUID(${val.file_id}));
}
file_mgr->EndOfFile(bro_analyzer()->GetAnalyzerTag(),
bro_analyzer()->Conn(), h->is_orig());
return true;
%}

23
src/analyzer/protocol/smb/smb2-com-create.pac
View file

@ -2,12 +2,25 @@ refine connection SMB_Conn += {
function proc_smb2_create_request(h: SMB2_Header, val: SMB2_create_request): bool
%{
StringVal *filename = smb2_string2stringval(${val.filename});
if ( ! ${h.is_pipe} &&
BifConst::SMB::pipe_filenames->AsTable()->Lookup(filename->CheckString()) )
{
set_tree_is_pipe(${h.tree_id}, true);
BifEvent::generate_smb_pipe_connect_heuristic(bro_analyzer(),
bro_analyzer()->Conn());
}
if ( smb2_create_request )
{
BifEvent::generate_smb2_create_request(bro_analyzer(),
bro_analyzer()->Conn(),
BuildSMB2HeaderVal(h),
smb2_string2stringval(${val.filename}));
filename);
}
else
{
delete filename;
}
return true;
@ -29,14 +42,6 @@ refine connection SMB_Conn += {
smb2_file_attrs_to_bro(${val.file_attrs}));
}
if ( ${val.eof} > 0 )
{
//file_mgr->SetSize(${val.eof},
// bro_analyzer()->GetAnalyzerTag(),
// bro_analyzer()->Conn(),
// h->is_orig());
}
return true;
%}
};

5
src/analyzer/protocol/smb/smb2-com-read.pac
View file

@ -42,7 +42,7 @@ refine connection SMB_Conn += {
uint64 offset = smb2_read_offsets[${h.message_id}];
smb2_read_offsets.erase(${h.message_id});
if ( ! ${val.is_pipe} && ${val.data_len} > 0 )
if ( ! ${h.is_pipe} && ${val.data_len} > 0 )
{
file_mgr->DataIn(${val.data}.begin(), ${val.data_len}, offset,
bro_analyzer()->GetAnalyzerTag(),
@ -83,9 +83,8 @@ type SMB2_read_response(header: SMB2_Header) = record {
pad : padding to data_offset - header.head_length;
data : bytestring &length=data_len;
} &let {
is_pipe : bool = $context.connection.get_tree_is_pipe(header.tree_id);
fid : uint64 = $context.connection.get_file_id(header.message_id);
pipe_proc : bool = $context.connection.forward_dce_rpc(data, fid, false) &if(is_pipe);
pipe_proc : bool = $context.connection.forward_dce_rpc(data, fid, false) &if(header.is_pipe);
proc: bool = $context.connection.proc_smb2_read_response(header, this);
};

5
src/analyzer/protocol/smb/smb2-com-write.pac
View file

@ -12,7 +12,7 @@ refine connection SMB_Conn += {
${val.data_len});
}
if ( ! ${val.is_pipe} && ${val.data}.length() > 0 )
if ( ! ${h.is_pipe} && ${val.data}.length() > 0 )
{
file_mgr->DataIn(${val.data}.begin(), ${val.data_len}, ${val.offset},
bro_analyzer()->GetAnalyzerTag(),
@ -44,8 +44,7 @@ type SMB2_write_request(header: SMB2_Header) = record {
pad : padding to data_offset - header.head_length;
data : bytestring &length=data_len;
} &let {
is_pipe: bool = $context.connection.get_tree_is_pipe(header.tree_id);
pipe_proc : bool = $context.connection.forward_dce_rpc(data, file_id.persistent+file_id._volatile, true) &if(is_pipe);
pipe_proc : bool = $context.connection.forward_dce_rpc(data, file_id.persistent+file_id._volatile, true) &if(header.is_pipe);
proc : bool = $context.connection.proc_smb2_write_request(header, this);
};

7
src/analyzer/protocol/smb/smb2-protocol.pac
View file

@ -35,10 +35,10 @@ type SMB2_PDU(is_orig: bool) = record {
# Status 0 indicates success. In the case of a
# request this should just happen to work out due to
# how the fields are set.
0 -> msg : SMB2_Message(header, is_orig);
STATUS_BUFFER_OVERFLOW -> buffer_overflow : SMB2_Message(header, is_orig);
0 -> msg : SMB2_Message(header, is_orig);
STATUS_BUFFER_OVERFLOW -> buffer_overflow : SMB2_Message(header, is_orig);
STATUS_MORE_PROCESSING_REQUIRED -> more_processing_required : SMB2_Message(header, is_orig);
default -> err : SMB2_error_response(header);
default -> err : SMB2_error_response(header);
};
};
@ -199,6 +199,7 @@ type SMB2_Header(is_orig: bool) = record {
related = (flags >> 26) & 1;
msigned = (flags >> 27) & 1;
dfs = (flags) & 1;
is_pipe: bool = $context.connection.get_tree_is_pipe(tree_id);
proc : bool = $context.connection.proc_smb2_message(this, is_orig);
} &byteorder=littleendian;

6
testing/btest/Baseline/scripts.base.protocols.smb.smb2/files.log
View file

@ -3,8 +3,8 @@
#empty_field (empty)
#unset_field -
#path files
#open 2016-08-16-23-02-30
#open 2016-10-27-17-16-27
#fields ts fuid tx_hosts rx_hosts conn_uids source depth analyzers mime_type filename duration local_orig is_orig seen_bytes total_bytes missing_bytes overflow_bytes timedout parent_fuid md5 sha1 sha256 extracted
#types time string set[addr] set[addr] set[string] string count set[string] string string interval bool bool count count count count bool string string string string string
1323202695.515890 Fg6wjp3BAYahIGAEf7 10.0.0.11 10.0.0.12 CHhAvVGS1DHFjwGM9 SMB 0 (empty) application/pdf WP_SMBPlugin.pdf 0.073970 - T 1508939 - 0 0 T - - - - -
#close 2016-08-16-23-02-30
1323202695.515890 Fg6wjp3BAYahIGAEf7 10.0.0.11 10.0.0.12 CHhAvVGS1DHFjwGM9 SMB 0 (empty) application/pdf WP_SMBPlugin.pdf 0.073970 - T 1508939 - 0 0 F - - - - -
#close 2016-10-27-17-16-27