Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-02 06:38:20 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

Move some of the last DCE_RPC scripts out of SMB scripts.

Browse source
This commit is contained in:
Seth Hall 2016-04-03 15:48:47 -04:00
parent 143eee5d8d
commit 68d0f697eb
3 changed files with 15 additions and 14 deletions
Download patch file Download diff file Expand all files Collapse all files

2
scripts/base/protocols/dce-rpc/__load__.bro
View file

@ -1,2 +1,4 @@
@load ./consts @load ./consts
@load ./main @load ./main
@load ./endpoint-atsvc

26
scripts/base/protocols/smb/pipe.bro → scripts/base/protocols/dce-rpc/endpoint-atsvc.bro
View file

@ -1,4 +1,4 @@
module SMB; module DCE_RPC;
export { export {
redef enum Log::ID += { redef enum Log::ID += {
@ -16,16 +16,16 @@ export {
}; };
} }
redef record SMB::State += { redef record DCE_RPC::State += {
pipe_atsvc: ATSvcInfo &optional; endpoint_atsvc: ATSvcInfo &optional;
}; };
event bro_init() &priority=5 event bro_init() &priority=5
{ {
Log::create_stream(ATSVC_LOG, [$columns=ATSvcInfo]); Log::create_stream(ATSVC_LOG, [$columns=ATSvcInfo, $path="dce_rpc_atsvc"]);
} }
event smb_atsvc_job_add(c: connection, server: string, job: string) &priority=5 event atsvc_job_add(c: connection, server: string, job: string) &priority=5
{ {
local info = ATSvcInfo($ts=network_time(), local info = ATSvcInfo($ts=network_time(),
$uid = c$uid, $uid = c$uid,
@ -33,20 +33,20 @@ event smb_atsvc_job_add(c: connection, server: string, job: string) &priority=5
$command = "Add job", $command = "Add job",
$arg = job, $arg = job,
$server = server); $server = server);
c$smb_state$pipe_atsvc = info; c$dce_rpc_state$endpoint_atsvc = info;
} }
event smb_atsvc_job_id(c: connection, id: count, status: count) &priority=5 event atsvc_job_id(c: connection, id: count, status: count) &priority=5
{ {
if ( c$smb_state?$pipe_atsvc ) if ( c$dce_rpc_state?$endpoint_atsvc )
c$smb_state$pipe_atsvc$result = (status==0) ? "success" : "failed"; c$dce_rpc_state$endpoint_atsvc$result = (status==0) ? "success" : "failed";
} }
event smb_atsvc_job_id(c: connection, id: count, status: count) &priority=-5 event atsvc_job_id(c: connection, id: count, status: count) &priority=-5
{ {
if ( c$smb_state?$pipe_atsvc ) if ( c$dce_rpc_state?$endpoint_atsvc )
{ {
Log::write(ATSVC_LOG, c$smb_state$pipe_atsvc); Log::write(ATSVC_LOG, c$dce_rpc_state$endpoint_atsvc);
delete c$smb_state$pipe_atsvc; delete c$dce_rpc_state$endpoint_atsvc;
} }
} }

1
scripts/base/protocols/smb/__load__.bro
View file

@ -2,7 +2,6 @@
@load ./const-dos-error @load ./const-dos-error
@load ./const-nt-status @load ./const-nt-status
@load ./main @load ./main
@load ./pipe
@load ./smb1-main @load ./smb1-main
@load ./smb2-main @load ./smb2-main
@load ./files @load ./files