diff --git a/scripts/base/init-bare.bro b/scripts/base/init-bare.bro
index d9397c1eda..1f15a3fe81 100644
--- a/scripts/base/init-bare.bro
+++ b/scripts/base/init-bare.bro
@@ -2519,10 +2519,18 @@ module SMB;
 export {
 ## MAC times for a file.
+ ##
+ ## For more information, see MS-SMB2:2.2.16
+ ##
+ ## .. bro:see:: smb1_nt_create_andx_response smb2_create_response
 type SMB::MACTimes: record {
+ ## The time when data was last written to the file.
 modified : time &log;
+ ## The time when the file was last accessed.
 accessed : time &log;
+ ## The time the file was created.
 created : time &log;
+ ## The time when the file was last modified.
 changed : time &log;
 } &log;
 }
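Review bot: The new comments on `modified` ("last written to the file") and `changed` ("last modified") in `SMB::MACTimes` describe the same thing, so a reader of the log cannot tell the two timestamps apart. If these map to LastWriteTime and ChangeTime of the MS-SMB2 close/create responses, say so and state the difference, e.g. for `changed`: `## The time when the file's metadata (attributes, size, ownership) was last changed; ``modified`` tracks data writes.` The distinction matters when these logged times are used to reconstruct a file-activity timeline, because the two fields move independently.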
@@ -2531,22 +2539,33 @@ module SMB1;
 export {
 ## An SMB1 header.
- ##
- ## .. bro:see:: smb_com_close smb_com_generic_andx smb_com_logoff_andx
- ## smb_com_negotiate smb_com_negotiate_response smb_com_nt_create_andx
- ## smb_com_read_andx smb_com_setup_andx smb_com_trans_mailslot
- ## smb_com_trans_pipe smb_com_trans_rap smb_com_transaction
- ## smb_com_transaction2 smb_com_tree_connect_andx smb_com_tree_disconnect
- ## smb_com_write_andx smb_error smb_get_dfs_referral smb_message
+ ##
+ ## .. bro:see:: smb1_message smb1_empty_response smb1_error
+ ## smb1_check_directory_request smb1_check_directory_response
+ ## smb1_close_request smb1_create_directory_request
+ ## smb1_create_directory_response smb1_echo_request
+ ## smb1_echo_response smb1_negotiate_request
+ ## smb1_negotiate_response smb1_nt_cancel_request
+ ## smb1_nt_create_andx_request smb1_nt_create_andx_response
+ ## smb1_open_andx_request smb1_open_andx_response
+ ## smb1_query_information_request smb1_read_andx_request
+ ## smb1_read_andx_response smb1_session_setup_andx_request
+ ## smb1_session_setup_andx_response smb1_transaction_request
+ ## smb1_transaction2_request smb1_trans2_find_first2_request
+ ## smb1_trans2_query_path_info_request
+ ## smb1_trans2_get_dfs_referral_request
+ ## smb1_tree_connect_andx_request smb1_tree_connect_andx_response
+ ## smb1_tree_disconnect smb1_write_andx_request
+ ## smb1_write_andx_response
 type SMB1::Header : record {
- command: count; ##< The command number
- status: count; ##< The status code.
- flags: count; ##< Flag set 1.
- flags2: count; ##< Flag set 2.
- tid: count; ##< Tree ID.
- pid: count; ##< Process ID.
- uid: count; ##< User ID.
- mid: count; ##< Multiplex ID.
+ command : count; ##< The command number
+ status : count; ##< The status code
+ flags : count; ##< Flag set 1
+ flags2 : count; ##< Flag set 2
+ tid : count; ##< Tree ID
+ pid : count; ##< Process ID
+ uid : count; ##< User ID
+ mid : count; ##< Multiplex ID
 };
 type SMB1::NegotiateRawMode: record {
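Review bot: The rewritten `SMB1::Header` fields keep trailing `##<` comments (and drop the sentence-ending periods the old lines had), while `SMB2::Header` in the same commit is documented with leading `##` comment blocks above each field; the two headers would read better in one style, and the leading form leaves room for the information these one-liners lack. In particular `status : count; ##< The status code` says nothing about how to read the value; per MS-CIFS the field is an NT status or a DOS error class/code depending on a bit in `flags2`, and `flags`/`flags2` are only described as "Flag set 1"/"Flag set 2". A comment such as `## The status code; an NTSTATUS value or a DOS error class/code depending on ``flags2``.` would let a script author interpret logged failures correctly. The record continues past the end of this hunk only by its closing brace.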
@@ -2808,76 +2827,190 @@ export { module SMB2; export { + ## An SMB2 header. + ## + ## For more information, see MS-SMB2:2.2.1.1 and MS-SMB2:2.2.1.2 + ## + ## .. bro:see:: smb2_message smb2_close_request smb2_close_response + ## smb2_create_request smb2_create_response smb2_negotiate_request + ## smb2_negotiate_response smb2_read_request + ## smb2_session_setup_request smb2_session_setup_response + ## smb2_set_info_request smb2_file_rename smb2_file_delete + ## smb2_tree_connect_request smb2_tree_connect_response + ## smb2_write_request type SMB2::Header: record { - credit_charge: count; - status: count; - command: count; - credits: count; - flags: count; - message_id: count; - process_id: count; - tree_id: count; - session_id: count; - signature: string; + ## The number of credits that this request consumes + credit_charge : count; + ## In a request, this is an indication to the server about the client's channel + ## change. In a response, this is the status field + status : count; + ## The command code of the packet + command : count; + ## The number of credits the client is requesting, or the number of credits + ## granted to the client in a response. + credits : count; + ## A flags field, which indicates how to process the operation (e.g. asynchronously) + flags : count; + ## A value that uniquely identifies the message request/response pair across all + ## messages that are sent on the same transport protocol connection + message_id : count; + ## A value that uniquely identifies the process that generated the event. + process_id : count; + ## A value that uniquely identifies the tree connect for the command. + tree_id : count; + ## A value that uniquely identifies the established session for the command. + session_id : count; + ## The 16-byte signature of the message, if SMB2_FLAGS_SIGNED is set in the ``flags`` + ## field. + signature : string; }; + ## An SMB2 globally unique identifier which identifies a file. 
+ ## + ## For more information, see MS-SMB2:2.2.14.1 + ## + ## .. bro:see:: smb2_close_request smb2_create_response smb2_read_request + ## smb2_file_rename smb2_file_delete smb2_write_request type SMB2::GUID: record { + ## A file handle that remains persistent when reconnected after a disconnect persistent: count; + ## A file handle that can be changed when reconnected after a disconnect volatile: count; }; + ## A series of boolean flags describing basic and extended file attributes for SMB2. + ## + ## For more information, see MS-CIFS:2.2.1.2.3 and MS-FSCC:2.6 + ## + ## .. bro:see:: smb2_create_response type SMB2::FileAttrs: record { + ## The file is read only. Applications can read the file but cannot + ## write to it or delete it. read_only: bool; + ## The file is hidden. It is not to be included in an ordinary directory listing. hidden: bool; + ## The file is part of or is used exclusively by the operating system. system: bool; + ## The file is a directory. directory: bool; + ## The file has not been archived since it was last modified. Applications use + ## this attribute to mark files for backup or removal. archive: bool; + ## The file has no other attributes set. This attribute is valid only if used alone. normal: bool; + ## The file is temporary. This is a hint to the cache manager that it does not need + ## to flush the file to backing storage. temporary: bool; + ## A file that is a sparse file. sparse_file: bool; + ## A file or directory that has an associated reparse point. reparse_point: bool; + ## The file or directory is compressed. For a file, this means that all of the data + ## in the file is compressed. For a directory, this means that compression is the + ## default for newly created files and subdirectories. compressed: bool; + ## The data in this file is not available immediately. This attribute indicates that + ## the file data is physically moved to offline storage. 
This attribute is used by + ## Remote Storage, which is hierarchical storage management software. offline: bool; + ## A file or directory that is not indexed by the content indexing service. not_content_indexed: bool; + ## A file or directory that is encrypted. For a file, all data streams in the file + ## are encrypted. For a directory, encryption is the default for newly created files + ## and subdirectories. encrypted: bool; + ## A file or directory that is configured with integrity support. For a file, all + ## data streams in the file have integrity support. For a directory, integrity support + ## is the default for newly created files and subdirectories, unless the caller + ## specifies otherwise. integrity_stream: bool; + ## A file or directory that is configured to be excluded from the data integrity scan. no_scrub_data: bool; }; + ## The response to an SMB2 *close* request, which is used by the client to close an instance + ## of a file that was opened previously. + ## + ## For more information, see MS-SMB2:2.2.16 + ## + ## .. bro:see:: smb2_close_response type SMB2::CloseResponse: record { + ## The size, in bytes of the data that is allocated to the file. alloc_size : count; + ## The size, in bytes, of the file. eof : count; + ## The creation, last access, last write, and change times. times : SMB::MACTimes; + ## The attributes of the file. attrs : SMB2::FileAttrs; }; + ## The response to an SMB2 *negotiate* request, which is used by tghe client to notify the server + ## what dialects of the SMB2 protocol the client understands. + ## + ## For more information, see MS-SMB2:2.2.4 + ## + ## .. bro:see:: smb2_negotiate_response type SMB2::NegotiateResponse: record { + ## The preferred common SMB2 Protocol dialect number from the array that was sent in the SMB2 + ## NEGOTIATE Request. dialect_revision : count; + ## The security mode field specifies whether SMB signing is enabled, required at the server, or both. 
security_mode : count; + ## A globally unique identifier that is generate by the server to uniquely identify the server. server_guid : string; + ## The system time of the SMB2 server when the SMB2 NEGOTIATE Request was processed. system_time : time; + ## The SMB2 server start time. server_start_time : time; }; + ## The request sent by the client to request a new authenticated session + ## within a new or existing SMB 2 Protocol transport connection to the server. + ## + ## For more information, see MS-SMB2:2.2.5 + ## + ## .. bro:see:: smb2_session_setup_request type SMB2::SessionSetupRequest: record { + ## The security mode field specifies whether SMB signing is enabled or required at the client. security_mode: count; }; + ## A flags field that indicates additional information about the session that's sent in the + ## *session_setup* response. + ## + ## For more information, see MS-SMB2:2.2.6 + ## + ## .. bro:see:: smb2_session_setup_response type SMB2::SessionSetupFlags: record { + ## If set, the client has been authenticated as a guest user. guest: bool; + ## If set, the client has been authenticated as an anonymous user. anonymous: bool; + ## If set, the server requires encryption of messages on this session. encrypt: bool; }; + ## The response to an SMB2 *session_setup* request, which is sent by the client to request a + ## new authenticated session within a new or existing SMB 2 Protocol transport connection + ## to the server. + ## + ## For more information, see MS-SMB2:2.2.6 + ## + ## .. bro:see:: smb2_session_setup_response type SMB2::SessionSetupResponse: record { + ## Additional information about the session flags: SMB2::SessionSetupFlags; }; - type SMB2::SetInfoRequest: record { - eof: count; - }; - + ## The response to an SMB2 *tree_connect* request, which is sent by the client to request + ## access to a particular share on the server. + ## + ## For more information, see MS-SMB2:2.2.9 + ## + ## .. 
bro:see:: smb2_tree_connect_response
 type SMB2::TreeConnectResponse: record {
+ ## The type of share being accessed. Physical disk, named pipe, or printer.
 share_type: count;
 };
 }
diff --git a/src/analyzer/protocol/dce-rpc/events.bif b/src/analyzer/protocol/dce-rpc/events.bif
index 7d4274c1df..b2a5ef1c4d 100644
--- a/src/analyzer/protocol/dce-rpc/events.bif
+++ b/src/analyzer/protocol/dce-rpc/events.bif
@@ -1,11 +1,12 @@
-## Generated for every DCE-RPC message.
+## Generated for every :abbr:`DCE-RPC (Distributed Computing Environment/Remote Procedure Calls)` message.
 ##
 ## c: The connection.
 ##
 ## is_orig: True if the message was sent by the originator of the TCP connection.
 ##
-## fid: File ID of the PIPE that carried the DCE-RPC message. Zero will be used if the
-## DCE-RPC was not transported over a pipe.
+## fid: File ID of the PIPE that carried the :abbr:`DCE-RPC (Distributed Computing Environment/Remote Procedure Calls)`
+## message. Zero will be used if the :abbr:`DCE-RPC (Distributed Computing Environment/Remote Procedure Calls)` was
+## not transported over a pipe.
 ##
 ## ptype_id: Numeric representation of the procedure type of the message.
 ##
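Review bot: The hunk deletes `SMB2::SetInfoRequest` while the new `bro:see::` list on `SMB2::Header` still names `smb2_set_info_request`; if that event's declaration (outside this hunk) still takes the record, the script layer no longer loads, and if the event is gone as well the cross-reference is stale — either way the two need to agree. Two typos in the added prose: the `SMB2::NegotiateResponse` description says "used by tghe client" and the `server_guid` comment says "is generate by the server" (`## A globally unique identifier that is generated by the server to uniquely identify the server.`). The `security_mode` comments on `NegotiateResponse` and `SessionSetupRequest` are what a script author reads to detect sessions where signing is not required, so stating how the value is encoded (a bit mask per MS-SMB2, if the analyzer passes the raw field through) would be more useful than only "specifies whether".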
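Review bot: The `:abbr:` role with the full expansion is repeated on every occurrence of DCE-RPC, three times inside the single `fid:` paragraph of `dce_rpc_message`, which bloats the source and produces the same hover text over and over in the rendered docs. Expanding on the first mention in each event description and writing plain `DCE-RPC` afterwards keeps the benefit without the noise, e.g. `## fid: File ID of the PIPE that carried the DCE-RPC message. Zero will be used if the` / `## DCE-RPC was not transported over a pipe.` The same pattern recurs in the hunks `@@ -14,14 +15,15 @@`, `@@ -32,24 +34,26 @@` and `@@ -58,12 +62,13 @@` of this file and in the NTLM and SMB1 files below.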
@@ -14,14 +15,15 @@
 ## .. bro:see:: dce_rpc_bind dce_rpc_bind_ack dce_rpc_request dce_rpc_response
 event dce_rpc_message%(c: connection, is_orig: bool, fid: count, ptype_id: count, ptype: DCE_RPC::PType%);
-## Generated for every DCE-RPC bind request message. Since RPC offers the ability
-## for a client to request connections to multiple endpoints, this event can occur
+## Generated for every :abbr:`DCE-RPC (Distributed Computing Environment/Remote Procedure Calls)` bind request message.
+## Since RPC offers the ability for a client to request connections to multiple endpoints, this event can occur
 ## multiple times for a single RPC message.
 ##
 ## c: The connection.
 ##
-## fid: File ID of the PIPE that carried the DCE-RPC message. Zero will be used if the
-## DCE-RPC was not transported over a pipe.
+## fid: File ID of the PIPE that carried the :abbr:`DCE-RPC (Distributed Computing Environment/Remote Procedure Calls)`
+## message. Zero will be used if the :abbr:`DCE-RPC (Distributed Computing Environment/Remote Procedure Calls)` was
+## not transported over a pipe.
 ##
 ## uuid: The string interpretted uuid of the endpoint being requested.
 ##
@@ -32,24 +34,26 @@ event dce_rpc_message%(c: connection, is_orig: bool, fid: count, ptype_id: count
 ## .. bro:see:: dce_rpc_message dce_rpc_bind_ack dce_rpc_request dce_rpc_response
 event dce_rpc_bind%(c: connection, fid: count, uuid: string, ver_major: count, ver_minor: count%);
-## Generated for every DCE-RPC bind request ack message.
+## Generated for every :abbr:`DCE-RPC (Distributed Computing Environment/Remote Procedure Calls)` bind request ack message.
 ##
 ## c: The connection.
 ##
-## fid: File ID of the PIPE that carried the DCE-RPC message. Zero will be used if the
-## DCE-RPC was not transported over a pipe.
+## fid: File ID of the PIPE that carried the :abbr:`DCE-RPC (Distributed Computing Environment/Remote Procedure Calls)`
+## message. Zero will be used if the :abbr:`DCE-RPC (Distributed Computing Environment/Remote Procedure Calls)` was
+## not transported over a pipe.
 ##
 ## sec_addr: Secondary address for the ack.
 ##
 ## .. bro:see:: dce_rpc_message dce_rpc_bind dce_rpc_request dce_rpc_response
 event dce_rpc_bind_ack%(c: connection, fid: count, sec_addr: string%);
-## Generated for every DCE-RPC request message.
+## Generated for every :abbr:`DCE-RPC (Distributed Computing Environment/Remote Procedure Calls)` request message.
 ##
 ## c: The connection.
 ##
-## fid: File ID of the PIPE that carried the DCE-RPC message. Zero will be used if the
-## DCE-RPC was not transported over a pipe.
+## fid: File ID of the PIPE that carried the :abbr:`DCE-RPC (Distributed Computing Environment/Remote Procedure Calls)`
+## message. Zero will be used if the :abbr:`DCE-RPC (Distributed Computing Environment/Remote Procedure Calls)` was
+## not transported over a pipe.
 ##
 ## opnum: Number of the RPC operation.
 ##
@@ -58,12 +62,13 @@ event dce_rpc_bind_ack%(c: connection, fid: count, sec_addr: string%);
 ## .. bro:see:: dce_rpc_message dce_rpc_bind dce_rpc_bind_ack dce_rpc_response
 event dce_rpc_request%(c: connection, fid: count, opnum: count, stub_len: count%);
-## Generated for every DCE-RPC response message.
+## Generated for every :abbr:`DCE-RPC (Distributed Computing Environment/Remote Procedure Calls)` response message.
 ##
 ## c: The connection.
 ##
-## fid: File ID of the PIPE that carried the DCE-RPC message. Zero will be used if the
-## DCE-RPC was not transported over a pipe.
+## fid: File ID of the PIPE that carried the :abbr:`DCE-RPC (Distributed Computing Environment/Remote Procedure Calls)`
+## message. Zero will be used if the :abbr:`DCE-RPC (Distributed Computing Environment/Remote Procedure Calls)` was
+## not transported over a pipe.
 ##
 ## opnum: Number of the RPC operation.
 ##
@@ -71,4 +76,3 @@ event dce_rpc_request%(c: connection, fid: count, opnum: count, stub_len: count%
 ##
 ## .. bro:see:: dce_rpc_message dce_rpc_bind dce_rpc_bind_ack dce_rpc_request
 event dce_rpc_response%(c: connection, fid: count, opnum: count, stub_len: count%);
-
diff --git a/src/analyzer/protocol/ntlm/events.bif b/src/analyzer/protocol/ntlm/events.bif
index 4c99fc561e..a36d653968 100644
--- a/src/analyzer/protocol/ntlm/events.bif
+++ b/src/analyzer/protocol/ntlm/events.bif
@@ -1,23 +1,26 @@
-## Generated for NTLM messages of type *negotiate*.
+## Generated for :abbr:`NTLM (NT LAN Manager)` messages of type *negotiate*.
 ##
 ## c: The connection.
 ##
-## negotiate: The parsed data of the NTLM message. See init-bare for more details.
+## negotiate: The parsed data of the :abbr:`NTLM (NT LAN Manager)` message. See init-bare for more details.
 ##
+## .. bro:see:: ntlm_challenge ntlm_authenticate
 event ntlm_negotiate%(c: connection, negotiate: NTLM::Negotiate%);
-## Generated for NTLM messages of type *challenge*.
+## Generated for :abbr:`NTLM (NT LAN Manager)` messages of type *challenge*.
 ##
 ## c: The connection.
 ##
-## negotiate: The parsed data of the NTLM message. See init-bare for more details.
+## negotiate: The parsed data of the :abbr:`NTLM (NT LAN Manager)` message. See init-bare for more details.
 ##
+## .. bro:see:: ntlm_negotiate ntlm_authenticate
 event ntlm_challenge%(c: connection, challenge: NTLM::Challenge%);
-## Generated for NTLM messages of type *authenticate*.
+## Generated for :abbr:`NTLM (NT LAN Manager)` messages of type *authenticate*.
 ##
 ## c: The connection.
 ##
-## request: The parsed data of the NTLM message. See init-bare for more details.
+## request: The parsed data of the :abbr:`NTLM (NT LAN Manager)` message. See init-bare for more details.
 ##
+## .. bro:see:: ntlm_negotiate ntlm_challenge
 event ntlm_authenticate%(c: connection, request: NTLM::Authenticate%);
diff --git a/src/analyzer/protocol/rpc/events.bif b/src/analyzer/protocol/rpc/events.bif
index 72c57aff74..fc42aac6a6 100644
--- a/src/analyzer/protocol/rpc/events.bif
+++ b/src/analyzer/protocol/rpc/events.bif
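Review bot: The rewritten parameter line for `ntlm_challenge` still documents `negotiate:` although the event's signature, visible as context two lines below, names the parameter `challenge: NTLM::Challenge`, so the generated docs describe a parameter that does not exist; the line should read `## challenge: The parsed data of the :abbr:`NTLM (NT LAN Manager)` message.` "See init-bare for more details" on all three events is vague now that the records have names; pointing at `NTLM::Negotiate`, `NTLM::Challenge` and `NTLM::Authenticate` directly would give readers something to follow. The `NTLM::Challenge` record carries the server challenge and target information a detection script keys on, which is why the parameter name being right matters here.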
@@ -351,10 +351,10 @@ event nfs_reply_status%(n: connection, info: NFS3::info_t%); ## ## r: The RPC connection. ## -## .. bro:see:: epm_map_response pm_attempt_callit pm_attempt_dump pm_attempt_getport -## pm_attempt_null pm_attempt_set pm_attempt_unset pm_bad_port pm_request_callit -## pm_request_dump pm_request_getport pm_request_set pm_request_unset rpc_call -## rpc_dialogue rpc_reply +## .. bro:see:: pm_request_set pm_request_unset pm_request_getport +## pm_request_dump pm_request_callit pm_attempt_null pm_attempt_set +## pm_attempt_unset pm_attempt_getport pm_attempt_dump +## pm_attempt_callit pm_bad_port rpc_call rpc_dialogue rpc_reply ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet @@ -376,10 +376,10 @@ event pm_request_null%(r: connection%); ## reply. If no reply was seen, this will be false once the request ## times out. ## -## .. bro:see:: epm_map_response pm_attempt_callit pm_attempt_dump pm_attempt_getport -## pm_attempt_null pm_attempt_set pm_attempt_unset pm_bad_port pm_request_callit -## pm_request_dump pm_request_getport pm_request_null pm_request_unset rpc_call -## rpc_dialogue rpc_reply +## .. bro:see:: pm_request_null pm_request_unset pm_request_getport +## pm_request_dump pm_request_callit pm_attempt_null pm_attempt_set +## pm_attempt_unset pm_attempt_getport pm_attempt_dump +## pm_attempt_callit pm_bad_port rpc_call rpc_dialogue rpc_reply ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet 
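Review bot: The `bro:see::` lists in this file go from alphabetical order, which looks tool-generated, to a hand-picked request/attempt order, so if these lists are produced by the doc tooling the next regeneration will revert every one of them; keeping them sorted, or noting the intended order once, avoids that churn. Dropping `epm_map_response` from all of them is consistent only if that event no longer exists in the tree, which the hunks do not show — please confirm no declaration remains. The same rewrite repeats in the hunks from `@@ -401,10 +401,10 @@` through `@@ -632,10 +639,11 @@`, and the final hunk `@@ -669,7 +677,7 @@` replaces the `dce_rpc_request` cross-reference line with one that, as far as the collapsed text shows, differs only in trailing whitespace and could be dropped.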
@@ -401,10 +401,10 @@ event pm_request_set%(r: connection, m: pm_mapping, success: bool%); ## reply. If no reply was seen, this will be false once the request ## times out. ## -## .. bro:see:: epm_map_response pm_attempt_callit pm_attempt_dump pm_attempt_getport -## pm_attempt_null pm_attempt_set pm_attempt_unset pm_bad_port pm_request_callit -## pm_request_dump pm_request_getport pm_request_null pm_request_set rpc_call -## rpc_dialogue rpc_reply +## .. bro:see:: pm_request_null pm_request_set pm_request_getport +## pm_request_dump pm_request_callit pm_attempt_null pm_attempt_set +## pm_attempt_unset pm_attempt_getport pm_attempt_dump +## pm_attempt_callit pm_bad_port rpc_call rpc_dialogue rpc_reply ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet @@ -424,10 +424,10 @@ event pm_request_unset%(r: connection, m: pm_mapping, success: bool%); ## ## p: The port returned by the server. ## -## .. bro:see:: epm_map_response pm_attempt_callit pm_attempt_dump pm_attempt_getport -## pm_attempt_null pm_attempt_set pm_attempt_unset pm_bad_port pm_request_callit -## pm_request_dump pm_request_null pm_request_set pm_request_unset rpc_call -## rpc_dialogue rpc_reply +## .. bro:see:: pm_request_null pm_request_set pm_request_unset +## pm_request_dump pm_request_callit pm_attempt_null pm_attempt_set +## pm_attempt_unset pm_attempt_getport pm_attempt_dump +## pm_attempt_callit pm_bad_port rpc_call rpc_dialogue rpc_reply ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet 
@@ -445,9 +445,10 @@ event pm_request_getport%(r: connection, pr: pm_port_request, p: port%); ## ## m: The mappings returned by the server. ## -## .. bro:see:: epm_map_response pm_attempt_callit pm_attempt_dump pm_attempt_getport -## pm_attempt_null pm_attempt_set pm_attempt_unset pm_bad_port pm_request_callit -## pm_request_getport pm_request_null pm_request_set pm_request_unset rpc_call +## .. bro:see:: pm_request_null pm_request_set pm_request_unset +## pm_request_getport pm_request_callit pm_attempt_null +## pm_attempt_set pm_attempt_unset pm_attempt_getport +## pm_attempt_dump pm_attempt_callit pm_bad_port rpc_call ## rpc_dialogue rpc_reply ## ## .. todo:: Bro's current default configuration does not activate the protocol @@ -468,9 +469,10 @@ event pm_request_dump%(r: connection, m: pm_mappings%); ## ## p: The port value returned by the call. ## -## .. bro:see:: epm_map_response pm_attempt_callit pm_attempt_dump pm_attempt_getport -## pm_attempt_null pm_attempt_set pm_attempt_unset pm_bad_port pm_request_dump -## pm_request_getport pm_request_null pm_request_set pm_request_unset rpc_call +## .. bro:see:: pm_request_null pm_request_set pm_request_unset +## pm_request_getport pm_request_dump pm_attempt_null +## pm_attempt_set pm_attempt_unset pm_attempt_getport +## pm_attempt_dump pm_attempt_callit pm_bad_port rpc_call ## rpc_dialogue rpc_reply ## ## .. todo:: Bro's current default configuration does not activate the protocol 
@@ -490,9 +492,10 @@ event pm_request_callit%(r: connection, call: pm_callit_request, p: port%); ## status: The status of the reply, which should be one of the index values of ## :bro:id:`RPC_status`. ## -## .. bro:see:: epm_map_response pm_attempt_callit pm_attempt_dump pm_attempt_getport -## pm_attempt_set pm_attempt_unset pm_bad_port pm_request_callit pm_request_dump -## pm_request_getport pm_request_null pm_request_set pm_request_unset rpc_call +## .. bro:see:: pm_request_null pm_request_set pm_request_unset +## pm_request_getport pm_request_dump pm_request_callit +## pm_attempt_set pm_attempt_unset pm_attempt_getport +## pm_attempt_dump pm_attempt_callit pm_bad_port rpc_call ## rpc_dialogue rpc_reply ## ## .. todo:: Bro's current default configuration does not activate the protocol @@ -514,9 +517,10 @@ event pm_attempt_null%(r: connection, status: rpc_status%); ## ## m: The argument to the original request. ## -## .. bro:see:: epm_map_response pm_attempt_callit pm_attempt_dump pm_attempt_getport -## pm_attempt_null pm_attempt_unset pm_bad_port pm_request_callit pm_request_dump -## pm_request_getport pm_request_null pm_request_set pm_request_unset rpc_call +## .. bro:see:: pm_request_null pm_request_set pm_request_unset +## pm_request_getport pm_request_dump pm_request_callit +## pm_attempt_null pm_attempt_unset pm_attempt_getport +## pm_attempt_dump pm_attempt_callit pm_bad_port rpc_call ## rpc_dialogue rpc_reply ## ## .. todo:: Bro's current default configuration does not activate the protocol 
@@ -538,9 +542,10 @@ event pm_attempt_set%(r: connection, status: rpc_status, m: pm_mapping%); ## ## m: The argument to the original request. ## -## .. bro:see:: epm_map_response pm_attempt_callit pm_attempt_dump pm_attempt_getport -## pm_attempt_null pm_attempt_set pm_bad_port pm_request_callit pm_request_dump -## pm_request_getport pm_request_null pm_request_set pm_request_unset rpc_call +## .. bro:see:: pm_request_null pm_request_set pm_request_unset +## pm_request_getport pm_request_dump pm_request_callit +## pm_attempt_null pm_attempt_set pm_attempt_getport +## pm_attempt_dump pm_attempt_callit pm_bad_port rpc_call ## rpc_dialogue rpc_reply ## ## .. todo:: Bro's current default configuration does not activate the protocol @@ -562,10 +567,10 @@ event pm_attempt_unset%(r: connection, status: rpc_status, m: pm_mapping%); ## ## pr: The argument to the original request. ## -## .. bro:see:: epm_map_response pm_attempt_callit pm_attempt_dump pm_attempt_null -## pm_attempt_set pm_attempt_unset pm_bad_port pm_request_callit pm_request_dump -## pm_request_getport pm_request_null pm_request_set pm_request_unset rpc_call -## rpc_dialogue rpc_reply +## .. bro:see:: pm_request_null pm_request_set pm_request_unset +## pm_request_getport pm_request_dump pm_request_callit +## pm_attempt_null pm_attempt_set pm_attempt_unset pm_attempt_dump +## pm_attempt_callit pm_bad_port rpc_call rpc_dialogue rpc_reply ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet 
@@ -584,9 +589,10 @@ event pm_attempt_getport%(r: connection, status: rpc_status, pr: pm_port_request ## status: The status of the reply, which should be one of the index values of ## :bro:id:`RPC_status`. ## -## .. bro:see:: epm_map_response pm_attempt_callit pm_attempt_getport pm_attempt_null -## pm_attempt_set pm_attempt_unset pm_bad_port pm_request_callit pm_request_dump -## pm_request_getport pm_request_null pm_request_set pm_request_unset rpc_call +## .. bro:see:: pm_request_null pm_request_set pm_request_unset +## pm_request_getport pm_request_dump pm_request_callit +## pm_attempt_null pm_attempt_set pm_attempt_unset +## pm_attempt_getport pm_attempt_callit pm_bad_port rpc_call ## rpc_dialogue rpc_reply ## ## .. todo:: Bro's current default configuration does not activate the protocol @@ -608,9 +614,10 @@ event pm_attempt_dump%(r: connection, status: rpc_status%); ## ## call: The argument to the original request. ## -## .. bro:see:: epm_map_response pm_attempt_dump pm_attempt_getport pm_attempt_null -## pm_attempt_set pm_attempt_unset pm_bad_port pm_request_callit pm_request_dump -## pm_request_getport pm_request_null pm_request_set pm_request_unset rpc_call +## .. bro:see:: pm_request_null pm_request_set pm_request_unset +## pm_request_getport pm_request_dump pm_request_callit +## pm_attempt_null pm_attempt_set pm_attempt_unset +## pm_attempt_getport pm_attempt_dump pm_bad_port rpc_call ## rpc_dialogue rpc_reply ## ## .. todo:: Bro's current default configuration does not activate the protocol 
@@ -632,10 +639,11 @@ event pm_attempt_callit%(r: connection, status: rpc_status, call: pm_callit_requ ## ## bad_p: The invalid port value. ## -## .. bro:see:: epm_map_response pm_attempt_callit pm_attempt_dump pm_attempt_getport -## pm_attempt_null pm_attempt_set pm_attempt_unset pm_request_callit -## pm_request_dump pm_request_getport pm_request_null pm_request_set -## pm_request_unset rpc_call rpc_dialogue rpc_reply +## .. bro:see:: pm_request_null pm_request_set pm_request_unset +## pm_request_getport pm_request_dump pm_request_callit +## pm_attempt_null pm_attempt_set pm_attempt_unset +## pm_attempt_getport pm_attempt_dump pm_attempt_callit rpc_call +## rpc_dialogue rpc_reply ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet @@ -669,7 +677,7 @@ event pm_bad_port%(r: connection, bad_p: count%); ## ## reply_len: The size of the *reply_body* PDU. ## -## .. bro:see:: rpc_call rpc_reply dce_rpc_bind dce_rpc_message dce_rpc_request +## .. bro:see:: rpc_call rpc_reply dce_rpc_bind dce_rpc_message dce_rpc_request ## dce_rpc_response rpc_timeout ## ## .. todo:: Bro's current default configuration does not activate the protocol diff --git a/src/analyzer/protocol/smb/smb1_com_check_directory.bif b/src/analyzer/protocol/smb/smb1_com_check_directory.bif index b5b311a34c..15feb3ad59 100644 --- a/src/analyzer/protocol/smb/smb1_com_check_directory.bif +++ b/src/analyzer/protocol/smb/smb1_com_check_directory.bif 
@@ -1,15 +1,27 @@
-## Generated for SMB/CIFS requests of type *check directory*.
+## Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
+## version 1 requests of type *check directory*. This is used by the client to verify that
+## a specified path resolves to a valid directory on the server.
+##
+## For more information, see MS-CIFS:2.2.4.17
 ##
 ## c: The connection.
 ##
-## hdr: The parsed header of the SMB message.
+## hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 1 message.
 ##
 ## directory_name: The directory name to check for existence.
+##
+## .. bro:see:: smb1_message smb1_check_directory_response
 event smb1_check_directory_request%(c: connection, hdr: SMB1::Header, directory_name: string%);
-## Generated for SMB/CIFS responses of type *check directory*.
+## Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
+## version 1 responses of type *check directory*. This is the server response to the
+## *check directory* request.
+##
+## For more information, see MS-CIFS:2.2.4.17
 ##
 ## c: The connection.
 ##
-## hdr: The parsed header of the SMB message.
+## hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 1 message.
+##
+## .. bro:see:: smb1_message smb1_check_directory_request
 event smb1_check_directory_response%(c: connection, hdr: SMB1::Header%);
\ No newline at end of file
diff --git a/src/analyzer/protocol/smb/smb1_com_close.bif b/src/analyzer/protocol/smb/smb1_com_close.bif
index 9ffb614cc1..37958e1d19 100644
--- a/src/analyzer/protocol/smb/smb1_com_close.bif
+++ b/src/analyzer/protocol/smb/smb1_com_close.bif
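Review bot: The file still ends with `\ No newline at end of file` after a rewrite that touches almost every line of it; adding the final newline now costs nothing and stops the marker from showing up in every future diff of this file. The same applies to `smb1_com_create_directory.bif` (`@@ -1,19 +1,29 @@`) and `smb1_com_echo.bif` (`@@ -1,21 +1,32 @@`) further down. Separately, the response description "This is the server response to the *check directory* request" is the only place a reader learns the outcome, yet the result is carried in `hdr` alone; a short pointer such as `## The result is reported in the ``status`` field of ``hdr``.` would tell script authors where to look.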
@@ -1,13 +1,15 @@
-## Generated for SMB/CIFS request messages of type *close*.
+## Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
+## version 1 requests of type *close*. This is used by the client to close an instance of an object
+## associated with a valid file ID.
 ##
-## See `Wikipedia `__ for
-## more information about the SMB/CIFS protocol. Bro's SMB/CIFS analyzer parses
-## both SMB-over-NetBIOS on ports 138/139 and SMB-over-TCP on port 445.
+## For more information, see MS-CIFS:2.2.4.5
 ##
 ## c: The connection.
 ##
-## hdr: The parsed header of the SMB message.
+## hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 1 message.
 ##
 ## file_id: The file identifier being closed.
+##
+## .. bro:see:: smb1_message
 event smb1_close_request%(c: connection, hdr: SMB1::Header, file_id: count%);
diff --git a/src/analyzer/protocol/smb/smb1_com_create_directory.bif b/src/analyzer/protocol/smb/smb1_com_create_directory.bif
index a445090dec..f5e29b467b 100644
--- a/src/analyzer/protocol/smb/smb1_com_create_directory.bif
+++ b/src/analyzer/protocol/smb/smb1_com_create_directory.bif
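Review bot: The removed paragraph was the only statement in this file of where the analyzer attaches — "Bro's SMB/CIFS analyzer parses both SMB-over-NetBIOS on ports 138/139 and SMB-over-TCP on port 445" — and the replacement `## For more information, see MS-CIFS:2.2.4.5` does not carry it; unless that sentence was moved to a central place such as the `smb1_message` description, operators lose the one line that tells them which traffic this analyzer covers. If it was relocated, a cross-reference to that location would be enough here. The `.. bro:see:: smb1_message` entry is reasonable since no close response event exists, but it is worth saying so in one clause so readers do not go looking for one.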
@@ -1,19 +1,29 @@
-## Generated for SMB/CIFS requests of type *create directory*. This is also
-## a deprecated command which has been replaced by the trans2_create_directory
-## subcommand.
+## Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
+## version 1 requests of type *create directory*. This is a deprecated command which
+## has been replaced by the *trans2_create_directory* subcommand. This is used by the client to
+## create a new directory on the server, relative to a connected share.
+##
+## For more information, see MS-CIFS:2.2.4.1
 ##
 ## c: The connection.
 ##
-## hdr: The parsed header of the SMB message.
+## hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 1 message.
 ##
 ## directory_name: The name of the directory to create.
+##
+## .. bro:see:: smb1_message smb1_create_directory_response smb1_transaction2_request
 event smb1_create_directory_request%(c: connection, hdr: SMB1::Header, directory_name: string%);
-## Generated for SMB/CIFS responses of type *create directory*. This is also
-## a deprecated command which has been replaced by the trans2_create_directory
-## subcommand.
+## Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
+## version 1 responses of type *create directory*. This is a deprecated command which
+## has been replaced by the *trans2_create_directory* subcommand. This is the server response
+## to the *create directory* request.
+##
+## For more information, see MS-CIFS:2.2.4.1
 ##
 ## c: The connection.
 ##
-## hdr: The parsed header of the SMB message.
+## hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 1 message.
+##
+## .. bro:see:: smb1_message smb1_create_directory_request smb1_transaction2_request
 event smb1_create_directory_response%(c: connection, hdr: SMB1::Header%);
\ No newline at end of file
diff --git a/src/analyzer/protocol/smb/smb1_com_echo.bif b/src/analyzer/protocol/smb/smb1_com_echo.bif
index 4d3249ec2f..5b255af371 100644
--- a/src/analyzer/protocol/smb/smb1_com_echo.bif
+++ b/src/analyzer/protocol/smb/smb1_com_echo.bif
@@ -1,21 +1,32 @@
-## Generated for SMB/CIFS requests of type *echo*.
+## Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
+## version 1 requests of type *echo*. This is sent by the client to test the transport layer
+## connection with the server.
+##
+## For more information, see MS-CIFS:2.2.4.39
 ##
 ## c: The connection.
 ##
-## hdr: The parsed header of the SMB message.
+## hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 1 message.
 ##
 ## echo_count: The number of times the server should echo the data back.
 ##
 ## data: The data for the server to echo.
+##
+## .. bro:see:: smb1_message smb1_echo_response
 event smb1_echo_request%(c: connection, echo_count: count, data: string%);
-## Generated for SMB/CIFS responses of type *negotiate*.
+## Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
+## version 1 responses of type *echo*. This is the server response to the *echo* request.
+##
+## For more information, see MS-CIFS:2.2.4.39
 ##
 ## c: The connection.
 ##
-## hdr: The parsed header of the SMB message.
+## hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 1 message.
 ##
 ## seq_num: The sequence number of this echo reply.
 ##
 ## data: The data echoed back from the client.
+##
+## .. bro:see:: smb1_message smb1_echo_request
 event smb1_echo_response%(c: connection, seq_num: count, data: string%);
\ No newline at end of file
diff --git a/src/analyzer/protocol/smb/smb1_com_logoff_andx.bif b/src/analyzer/protocol/smb/smb1_com_logoff_andx.bif
index c1aac83795..88b5016328 100644
--- a/src/analyzer/protocol/smb/smb1_com_logoff_andx.bif
+++ b/src/analyzer/protocol/smb/smb1_com_logoff_andx.bif
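Review bot: Both `smb1_echo_request` and `smb1_echo_response` still document an `hdr` parameter (the rewritten line `hdr: The parsed header of the ... version 1 message.`) that does not exist in their signatures — `event smb1_echo_request%(c: connection, echo_count: count, data: string%)` takes no header, and neither does the response. Either drop the two `hdr:` lines or, if the analyzer can pass the header, add `hdr: SMB1::Header` to both signatures so they match every other SMB1 event touched by this commit; as written, the generated reference describes a parameter handlers cannot receive. The response's `data: The data echoed back from the client.` also reads backwards for a server reply; `data: The data echoed back by the server.` would mirror the request's `data: The data for the server to echo.`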
@@ -1,11 +1,15 @@
-## Generated for SMB/CIFS messages of type *logoff andx*.
+## Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
+## version 1 requests of type *logoff andx*. This is used by the client to logoff the user
+## connection represented by UID in the SMB Header. The server releases all locks and closes
+## all files currently open by this user, disconnects all tree connects, cancels any outstanding
+## requests for this UID, and invalidates the UID.
 ##
-## See `Wikipedia `__ for
-## more information about the SMB/CIFS protocol. Bro's SMB/CIFS analyzer parses
-## both SMB-over-NetBIOS on ports 138/139 and SMB-over-TCP on port 445.
+## For more information, see MS-CIFS:2.2.4.54
 ##
 ## c: The connection.
 ##
-## is_orig: Indicates which host sent the logoff message..
+## is_orig: Indicates which host sent the logoff message.
+##
+## .. bro:see:: smb1_message
 event smb1_logoff_andx%(c: connection, is_orig: bool%);
diff --git a/src/analyzer/protocol/smb/smb1_com_negotiate.bif b/src/analyzer/protocol/smb/smb1_com_negotiate.bif
index 08c6d4b7b2..fdb2201c1f 100644
--- a/src/analyzer/protocol/smb/smb1_com_negotiate.bif
+++ b/src/analyzer/protocol/smb/smb1_com_negotiate.bif
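Review bot: The rewritten summary narrows `smb1_logoff_andx` to "version 1 requests of type *logoff andx*", yet the event keeps `is_orig: Indicates which host sent the logoff message.` and the removed line said "messages", which suggests it is raised for both the request and the response. The summary and the parameter now contradict each other; either keep "messages" in the first line or state explicitly that the event fires in both directions and that `is_orig` distinguishes them. The same narrowing appears in the `smb1_tree_disconnect` hunk later in this diff, where `is_orig: True if the message was from the originator.` survives under a "requests of type *tree disconnect*" summary.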
@@ -1,19 +1,32 @@
-## Generated for SMB/CIFS messages of type *negotiate*.
+## Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
+## version 1 requests of type *negotiate*. This is sent by the client to initiate an SMB
+## connection between the client and the server. A *negotiate* exchange MUST be completed
+## before any other SMB messages are sent to the server.
+##
+## For more information, see MS-CIFS:2.2.4.52
 ##
 ## c: The connection.
 ##
-## hdr: The parsed header of the SMB message.
+## hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 1 message.
 ##
 ## dialects: The SMB dialects supported by the client.
+##
+## .. bro:see:: smb1_message smb1_negotiate_response
 event smb1_negotiate_request%(c: connection, hdr: SMB1::Header, dialects: string_vec%);
-## Generated for SMB/CIFS responses of type *negotiate*.
+## Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
+## version 1 responses of type *negotiate*. This is the server response to the *negotiate*
+## request.
+##
+## For more information, see MS-CIFS:2.2.4.52
 ##
 ## c: The connection.
 ##
-## hdr: The parsed header of the SMB message.
+## hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 1 message.
 ##
 ## response: A record structure containing more information from the response.
+##
+## .. bro:see:: smb1_message smb1_negotiate_request
 event smb1_negotiate_response%(c: connection, hdr: SMB1::Header, response: SMB1::NegotiateResponse%);
 #### Types
diff --git a/src/analyzer/protocol/smb/smb1_com_nt_cancel.bif b/src/analyzer/protocol/smb/smb1_com_nt_cancel.bif
index 51533d513f..f04fc839ec 100644
--- a/src/analyzer/protocol/smb/smb1_com_nt_cancel.bif
+++ b/src/analyzer/protocol/smb/smb1_com_nt_cancel.bif
@@ -1,6 +1,12 @@
-## Generated for SMB/CIFS requests of type *nt cancel*.
+## Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
+## version 1 requests of type *nt cancel*. This is sent by the client to request that a currently
+## pending request be cancelled.
+##
+## For more information, see MS-CIFS:2.2.4.65
 ##
 ## c: The connection.
 ##
-## hdr: The parsed header of the SMB message.
+## hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 1 message.
+##
+## .. bro:see:: smb1_message
 event smb1_nt_cancel_request%(c: connection, hdr: SMB1::Header%);
\ No newline at end of file
diff --git a/src/analyzer/protocol/smb/smb1_com_nt_create_andx.bif b/src/analyzer/protocol/smb/smb1_com_nt_create_andx.bif
index 3124098534..f8008e878b 100644
--- a/src/analyzer/protocol/smb/smb1_com_nt_create_andx.bif
+++ b/src/analyzer/protocol/smb/smb1_com_nt_create_andx.bif
@@ -1,23 +1,36 @@
-## Generated for SMB/CIFS requests of type *nt create andx*.
+## Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
+## version 1 requests of type *nt create andx*. This is sent by the client to create and open
+## a new file, or to open an existing file, or to open and truncate an existing file to zero
+## length, or to create a directory, or to create a connection to a named pipe.
+##
+## For more information, see MS-CIFS:2.2.4.64
 ##
 ## c: The connection.
 ##
-## hdr: The parsed header of the SMB message.
+## hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 1 message.
 ##
 ## name: The ``name`` attribute specified in the message.
+##
+## .. bro:see:: smb1_message smb1_nt_create_andx_response
 event smb1_nt_create_andx_request%(c: connection, hdr: SMB1::Header, file_name: string%);
-## Generated for SMB/CIFS responses of type *nt create andx*.
+## Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
+## version 1 responses of type *nt create andx*. This is the server response to the
+## *nt create andx* request.
+##
+## For more information, see MS-CIFS:2.2.4.64
 ##
 ## c: The connection.
 ##
-## hdr: The parsed header of the SMB message.
+## hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 1 message.
 ##
 ## file_id: The SMB2 GUID for the file.
 ##
 ## file_size: Size of the file.
 ##
 ## times: Timestamps associated with the file in question.
+##
+## .. bro:see:: smb1_message smb1_nt_create_andx_request
 event smb1_nt_create_andx_response%(c: connection, hdr: SMB1::Header, file_id: count, file_size: count, times: SMB::MACTimes%);
diff --git a/src/analyzer/protocol/smb/smb1_com_open_andx.bif b/src/analyzer/protocol/smb/smb1_com_open_andx.bif
index 3df6da6a65..1ce418e33a 100644
--- a/src/analyzer/protocol/smb/smb1_com_open_andx.bif
+++ b/src/analyzer/protocol/smb/smb1_com_open_andx.bif
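Review bot: The `smb1_nt_create_andx_request` docstring still documents a parameter called `name` while the signature's parameter is `file_name: string`, so the generated reference lists a parameter that does not exist and leaves `file_name` undocumented; renaming the doc line to start with `file_name:` (keeping its text) fixes both. In the response, `file_id: The SMB2 GUID for the file.` is carried over unchanged even though this is the SMB1 event and the parameter is `file_id: count`, an integer file identifier rather than a GUID; `file_id: The file identifier (FID) assigned by the server.` would be accurate. Since the commit is already rewording every `hdr:` line for SMB1, these two stale lines stand out.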
@@ -1,12 +1,12 @@
-## Generated for SMB/CIFS request messages of type *open andx*.
+## Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
+## version 1 requests of type *open andx*. This is sent by the client to create and open a new
+## file or open an existing regular file and chain additional messages along with the request.
 ##
-## See `Wikipedia `__ for
-## more information about the SMB/CIFS protocol. Bro's SMB/CIFS analyzer parses
-## both SMB-over-NetBIOS on ports 138/139 and SMB-over-TCP on port 445.
+## For more information, see MS-CIFS:2.2.4.41
 ##
 ## c: The connection.
 ##
-## hdr: The parsed header of the SMB message.
+## hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 1 message.
 ##
 ## flags: Flags requesting attribute data and locking.
 ##
@@ -21,18 +21,21 @@ ## open_mode: The way a file s
 ##
 ## length: The number of bytes being requested.
+##
+## .. bro:see:: smb1_message smb1_open_andx_response
 event smb1_open_andx_request%(c: connection, hdr: SMB1::Header, file_id: count, offset: count, length: count%);
-## Generated for SMB/CIFS response messages of type *open andx*.
+## Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
+## version 1 responses of type *open andx*. This is the server response to the *open andx* request.
 ##
-## See `Wikipedia `__ for
-## more information about the SMB/CIFS protocol. Bro's SMB/CIFS analyzer parses
-## both SMB-over-NetBIOS on ports 138/139 and SMB-over-TCP on port 445.
+## For more information, see MS-CIFS:2.2.4.41
 ##
 ## c: The connection.
 ##
-## hdr: The parsed header of the SMB message.
+## hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 1 message.
 ##
 ## data_len: The length of data from the requested file.
+##
+## .. bro:see:: smb1_message smb1_open_andx_request
 event smb1_open_andx_response%(c: connection, hdr: SMB1::Header, data_len: count%);
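Review bot: In the second hunk, `event smb1_open_andx_request%(c: connection, hdr: SMB1::Header, file_id: count, offset: count, length: count%)` does not match its own docstring: the first hunk documents `flags: Flags requesting attribute data and locking.` and the hunk header shows an `open_mode` entry, neither of which is a parameter, while the documented `length: The number of bytes being requested.` and the `file_id`/`offset` parameters look copied from the read andx event. The parameter list and the documented fields should be reconciled in one direction; the middle of the docstring lies between the two hunks, outside this view, so I cannot tell which side is stale. The response's `data_len: The length of data from the requested file.` carries the same read-andx wording for what is an open response.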
diff --git a/src/analyzer/protocol/smb/smb1_com_query_information.bif b/src/analyzer/protocol/smb/smb1_com_query_information.bif
index e85a524b94..64a5150dc9 100644
--- a/src/analyzer/protocol/smb/smb1_com_query_information.bif
+++ b/src/analyzer/protocol/smb/smb1_com_query_information.bif
@@ -1,9 +1,16 @@
-## Generated for SMB/CIFS request messages of type *query information*.
+## Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
+## version 1 requests of type *query information*. This is a deprecated command which
+## has been replaced by the *trans2_query_path_information* subcommand. This is used by the
+## client to obtain attribute information about a file.
+##
+## For more information, see MS-CIFS:2.2.4.9
 ##
 ## c: The connection.
 ##
-## hdr: The parsed header of the SMB message.
+## hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 1 message.
 ##
 ## filename: The filename that the client is querying.
+##
+## .. bro:see:: smb1_message smb1_transaction2_request
 event smb1_query_information_request%(c: connection, hdr: SMB1::Header, filename: string%);
diff --git a/src/analyzer/protocol/smb/smb1_com_read_andx.bif b/src/analyzer/protocol/smb/smb1_com_read_andx.bif
index f0589a754e..73cacf0a65 100644
--- a/src/analyzer/protocol/smb/smb1_com_read_andx.bif
+++ b/src/analyzer/protocol/smb/smb1_com_read_andx.bif
@@ -1,30 +1,34 @@
-## Generated for SMB/CIFS request messages of type *read andx*.
+## Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
+## version 1 requests of type *read andx*. This is sent by the client to read bytes from a regular
+## file, a named pipe, or a directly accessible device such as a serial port (COM) or printer
+## port (LPT).
 ##
-## See `Wikipedia `__ for
-## more information about the SMB/CIFS protocol. Bro's SMB/CIFS analyzer parses
-## both SMB-over-NetBIOS on ports 138/139 and SMB-over-TCP on port 445.
+## For more information, see MS-CIFS:2.2.4.42
 ##
 ## c: The connection.
 ##
-## hdr: The parsed header of the SMB message.
+## hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 1 message.
 ##
 ## file_id: The file identifier being written to.
 ##
 ## offset: The byte offset the requested read begins at.
 ##
 ## length: The number of bytes being requested.
+##
+## .. bro:see:: smb1_message smb1_read_andx_response
 event smb1_read_andx_request%(c: connection, hdr: SMB1::Header, file_id: count, offset: count, length: count%);
-## Generated for SMB/CIFS response messages of type *read andx*.
+## Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
+## version 1 responses of type *read andx*. This is the server response to the *read andx* request.
 ##
-## See `Wikipedia `__ for
-## more information about the SMB/CIFS protocol. Bro's SMB/CIFS analyzer parses
-## both SMB-over-NetBIOS on ports 138/139 and SMB-over-TCP on port 445.
+## For more information, see MS-CIFS:2.2.4.42
 ##
 ## c: The connection.
 ##
-## hdr: The parsed header of the SMB message.
+## hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 1 message.
 ##
 ## data_len: The length of data from the requested file.
+##
+## .. bro:see:: smb1_message smb1_read_andx_request
 event smb1_read_andx_response%(c: connection, hdr: SMB1::Header, data_len: count%);
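Review bot: `file_id: The file identifier being written to.` is kept unchanged in the *read andx* request docstring, but this event describes a read; `file_id: The file identifier being read from.` is the correct wording and removes what looks like a copy-paste from the write andx file. The commit is already rewording every parameter line around it, so fixing this one here keeps the reference consistent.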
diff --git a/src/analyzer/protocol/smb/smb1_com_session_setup_andx.bif b/src/analyzer/protocol/smb/smb1_com_session_setup_andx.bif
index a59a4c6af9..7971a4977c 100644
--- a/src/analyzer/protocol/smb/smb1_com_session_setup_andx.bif
+++ b/src/analyzer/protocol/smb/smb1_com_session_setup_andx.bif
@@ -1,29 +1,29 @@
-## Generated for SMB/CIFS requests of type *setup andx*.
+## Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
+## version 1 requests of type *setup andx*. This is sent by the client to configure an SMB session.
 ##
-## See `Wikipedia `__ for
-## more information about the SMB/CIFS protocol. Bro's SMB/CIFS analyzer parses
-## both SMB-over-NetBIOS on ports 138/139 and SMB-over-TCP on port 445.
+## For more information, see MS-CIFS:2.2.4.53
 ##
 ## c: The connection.
 ##
-## hdr: The parsed header of the SMB message.
+## hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 1 message.
 ##
 ## request: The parsed request data of the SMB message. See init-bare for more details.
 ##
+## .. bro:see:: smb1_message smb1_session_setup_andx_response
 event smb1_session_setup_andx_request%(c: connection, hdr: SMB1::Header, request: SMB1::SessionSetupAndXRequest%);
-## Generated for SMB/CIFS responses of type *setup andx*.
+## Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
+## version 1 responses of type *setup andx*. This is the server response to the *setup andx* request.
 ##
-## See `Wikipedia `__ for
-## more information about the SMB/CIFS protocol. Bro's SMB/CIFS analyzer parses
-## both SMB-over-NetBIOS on ports 138/139 and SMB-over-TCP on port 445.
+## For more information, see MS-CIFS:2.2.4.53
 ##
 ## c: The connection.
 ##
-## hdr: The parsed header of the SMB message.
+## hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 1 message.
 ##
 ## response: The parsed response data of the SMB message. See init-bare for more details.
 ##
+## .. bro:see:: smb1_message smb1_session_setup_andx_request
 event smb1_session_setup_andx_response%(c: connection, hdr: SMB1::Header, response: SMB1::SessionSetupAndXResponse%);
 #### Types
diff --git a/src/analyzer/protocol/smb/smb1_com_transaction.bif b/src/analyzer/protocol/smb/smb1_com_transaction.bif
index 77cb9c0aeb..8811cc3e92 100644
--- a/src/analyzer/protocol/smb/smb1_com_transaction.bif
+++ b/src/analyzer/protocol/smb/smb1_com_transaction.bif
@@ -1,11 +1,18 @@
-## Generated for SMB/CIFS requests of type *transaction*.
+## Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
+## version 1 requests of type *transaction*. This command serves as the transport for the
+## Transaction Subprotocol Commands. These commands operate on mailslots and named pipes,
+## which are interprocess communication endpoints within the CIFS file system.
+##
+## For more information, see MS-CIFS:2.2.4.33
 ##
 ## c: The connection.
 ##
-## hdr: The parsed header of the SMB message.
+## hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 1 message.
 ##
 ## name: A name string that MAY identify the resource (a specific Mailslot or Named Pipe)
 ## against which the operation is performed.
 ##
 ## sub_cmd: The sub command, some may be parsed and have their own events.
+##
+## .. bro:see:: smb1_message smb1_transaction2_request
 event smb1_transaction_request%(c: connection, hdr: SMB1::Header, name: string, sub_cmd: count%);
diff --git a/src/analyzer/protocol/smb/smb1_com_transaction2.bif b/src/analyzer/protocol/smb/smb1_com_transaction2.bif
index 43ad09f311..0daf5fcdd9 100644
--- a/src/analyzer/protocol/smb/smb1_com_transaction2.bif
+++ b/src/analyzer/protocol/smb/smb1_com_transaction2.bif
@@ -1,73 +1,93 @@
 ### Requests
-
-
-## Generated for SMB/CIFS requests of type *transaction2*.
+## Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
+## version 1 requests of type *transaction2*. This command serves as the transport for the
+## Transaction2 Subprotocol Commands. These commands operate on mailslots and named pipes,
+## which are interprocess communication endpoints within the CIFS file system. Compared to the
+## Transaction Subprotocol Commands, these commands allow clients to set and retrieve Extended
+## Attribute key/value pairs, make use of long file names (longer than the original 8.3 format
+## names), and perform directory searches, among other tasks.
+##
+## For more information, see MS-CIFS:2.2.4.46
 ##
 ## c: The connection.
 ##
-## hdr: The parsed header of the SMB message.
+## hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 1 message.
 ##
 ## sub_cmd: The sub command, some are parsed and have their own events.
+##
+## .. bro:see:: smb1_message smb1_trans2_find_first2_request smb1_trans2_query_path_info_request
+## smb1_trans2_get_dfs_referral_request smb1_transaction_request
 event smb1_transaction2_request%(c: connection, hdr: SMB1::Header, sub_cmd: count%);
-## Generated for SMB/CIFS transaction2 requests of type *find first2*.
+## Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
+## version 1 *transaction2* requests of subtype *find first2*. This transaction is used to begin
+## a search for file(s) within a directory or for a directory
+##
+## For more information, see MS-CIFS:2.2.6.2
 ##
 ## c: The connection.
 ##
-## hdr: The parsed header of the SMB message.
+## hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 1 message.
 ##
 ## args: A record data structure with arguments given to the command.
+##
+## .. 
bro:see:: smb1_message smb1_transaction2_request smb1_trans2_query_path_info_request
+## smb1_trans2_get_dfs_referral_request
 event smb1_trans2_find_first2_request%(c: connection, hdr: SMB1::Header, args: SMB1::Find_First2_Request_Args%);
-# TODO - Implementation
-# event smb1_trans2_fs_info_request%(c: connection, hdr: SMB1::Header, ??? %);
-
-## Generated for SMB/CIFS transaction2 requests of type *query path info*.
+## Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
+## version 1 *transaction2* requests of subtype *query path info*. This transaction is used to
+## get information about a specific file or directory.
+##
+## For more information, see MS-CIFS:2.2.6.6
 ##
 ## c: The connection.
 ##
-## hdr: The parsed header of the SMB message.
+## hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 1 message.
 ##
 ## file_name: File name the request is in reference to.
+##
+## .. bro:see:: smb1_message smb1_transaction2_request smb1_trans2_find_first2_request
+## smb1_trans2_get_dfs_referral_request
 event smb1_trans2_query_path_info_request%(c: connection, hdr: SMB1::Header, file_name: string%);
-# TODO - Implementation
-# event smb1_trans2_query_file_info_request%(c: connection, hdr: SMB1::Header, file_id: count, information_level: count%);
-
-# TODO - Implementation
-# event smb1_trans2_set_file_info_request(c: connection, hdr: SMB1::Header, ??? %);
-
-## Generated for SMB/CIFS transaction2 requests of type *get DFS referral*.
+## Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
+## version 1 *transaction2* requests of subtype *get DFS referral*. This transaction is used
+## to request a referral for a disk object in DFS.
+##
+## For more information, see MS-CIFS:2.2.6.16
 ##
 ## c: The connection.
 ##
-## hdr: The parsed header of the SMB message.
+## hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 1 message.
 ##
 ## file_name: File name the request is in reference to.
+##
+## .. bro:see:: smb1_message smb1_transaction2_request smb1_trans2_find_first2_request
+## smb1_trans2_query_path_info_request
 event smb1_trans2_get_dfs_referral_request%(c: connection, hdr: SMB1::Header, file_name: string%);
-
-### Responses
+# TODO - This is implemented, but not being generated right now
+# event smb1_transaction2_response%(c: connection, hdr: SMB1::Header, sub_cmd: count%);
 # TODO - Implementation
-event smb1_transaction2_response%(c: connection, hdr: SMB1::Header, sub_cmd: count%);
-# TODO - Implementation
+# event smb1_trans2_fs_info_request%(c: connection, hdr: SMB1::Header, ??? %);
+
+# event smb1_trans2_query_file_info_request%(c: connection, hdr: SMB1::Header, file_id: count, information_level: count%);
+
+# event smb1_trans2_set_file_info_request(c: connection, hdr: SMB1::Header, ??? %);
+
 # event smb1_trans2_find_first2_response%(c: connection, hdr: SMB1::Header, args: SMB1::Find_First2_Response_Args%);
-# TODO - Implementation
 # event smb1_trans2_fs_info_response%(c: connection, hdr: SMB1::Header, ??? %);
-# TODO - Implementation
 # event smb1_trans2_query_path_info_response%(c: connection, hdr: SMB1::Header, ??? %);
-# TODO - Implementation
 # event smb1_trans2_query_file_info_response%(c: connection, hdr: SMB1::Header, ??? %);
-# TODO - Implementation
 # event smb1_trans2_set_file_info_response%(c: connection, hdr: SMB1::Header, ??? %);
-# TODO - Implementation
 # event smb1_trans2_get_dfs_referral_response%(c: connection, hdr: SMB1::Header, ??? %);
diff --git a/src/analyzer/protocol/smb/smb1_com_tree_connect_andx.bif b/src/analyzer/protocol/smb/smb1_com_tree_connect_andx.bif
index 0457eefc63..16aeb2bbb6 100644
--- a/src/analyzer/protocol/smb/smb1_com_tree_connect_andx.bif
+++ b/src/analyzer/protocol/smb/smb1_com_tree_connect_andx.bif
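Review bot: The tail of this hunk turns `event smb1_transaction2_response%(c: connection, hdr: SMB1::Header, sub_cmd: count%);` into a comment, which removes a previously declared event from what is otherwise a documentation-only change; presumably any script that already defines a handler for `smb1_transaction2_response` will then fail to load, since the event no longer exists, so this deserves a sentence in the commit message. If the intent is only that the analyzer does not raise it yet, the declaration could stay with the new `# TODO - This is implemented, but not being generated right now` note above it, which keeps existing handlers compiling without promising the event. Separately, the new *find first2* sentence `a search for file(s) within a directory or for a directory` is missing its final period.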
@@ -1,30 +1,34 @@
-## Generated for SMB/CIFS requests of type *tree connect andx*.
+## Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
+## version 1 requests of type *tree connect andx*. This is sent by the client to establish a
+## connection to a server share.
 ##
-## See `Wikipedia `__ for
-## more information about the SMB/CIFS protocol. Bro's SMB/CIFS analyzer parses
-## both SMB-over-NetBIOS on ports 138/139 and SMB-over-TCP on port 445.
+## For more information, see MS-CIFS:2.2.4.55
 ##
 ## c: The connection.
 ##
-## hdr: The parsed header of the SMB message.
+## hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 1 message.
 ##
 ## path: The ``path`` attribute specified in the message.
 ##
 ## service: The ``service`` attribute specified in the message.
+##
+## .. bro:see:: smb1_message smb1_tree_connect_andx_response
 event smb1_tree_connect_andx_request%(c: connection, hdr: SMB1::Header, path: string, service: string%);
-## Generated for SMB/CIFS responses of type *tree connect andx*.
+## Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
+## version 1 responses of type *tree connect andx*. This is the server reply to the *tree connect andx*
+## request.
 ##
-## See `Wikipedia `__ for
-## more information about the SMB/CIFS protocol. Bro's SMB/CIFS analyzer parses
-## both SMB-over-NetBIOS on ports 138/139 and SMB-over-TCP on port 445.
+## For more information, see MS-CIFS:2.2.4.55
 ##
 ## c: The connection.
 ##
-## hdr: The parsed header of the SMB message.
+## hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 1 message.
 ##
 ## service: The ``service`` attribute specified in the message.
 ##
 ## native_file_system: The file system of the remote server as indicate by the server.
+##
+## .. 
bro:see:: smb1_message smb1_tree_connect_andx_request
 event smb1_tree_connect_andx_response%(c: connection, hdr: SMB1::Header, service: string, native_file_system: string%);
diff --git a/src/analyzer/protocol/smb/smb1_com_tree_disconnect.bif b/src/analyzer/protocol/smb/smb1_com_tree_disconnect.bif
index 481ed018b6..493ee66238 100644
--- a/src/analyzer/protocol/smb/smb1_com_tree_disconnect.bif
+++ b/src/analyzer/protocol/smb/smb1_com_tree_disconnect.bif
@@ -1,13 +1,15 @@
-## Generated for SMB/CIFS messages of type *tree disconnect*.
+## Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
+## version 1 requests of type *tree disconnect*. This is sent by the client to logically disconnect
+## client access to a server resource.
 ##
-## See `Wikipedia `__ for
-## more information about the SMB/CIFS protocol. Bro's SMB/CIFS analyzer parses
-## both SMB-over-NetBIOS on ports 138/139 and SMB-over-TCP on port 445.
+## For more information, see MS-CIFS:2.2.4.51
 ##
 ## c: The connection.
 ##
-## hdr: A record representing the SMB1 header.
+## hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 1 message.
 ##
 ## is_orig: True if the message was from the originator.
+##
+## .. bro:see:: smb1_message
 event smb1_tree_disconnect%(c: connection, hdr: SMB1::Header, is_orig: bool%);
diff --git a/src/analyzer/protocol/smb/smb1_com_write_andx.bif b/src/analyzer/protocol/smb/smb1_com_write_andx.bif
index 35886596f4..d30c8af2ba 100644
--- a/src/analyzer/protocol/smb/smb1_com_write_andx.bif
+++ b/src/analyzer/protocol/smb/smb1_com_write_andx.bif
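Review bot: `native_file_system: The file system of the remote server as indicate by the server.` carries a typo through the rewrite of the *tree connect andx* response docstring; `native_file_system: The file system of the remote server as indicated by the server.` (or simply `The file system reported by the server.`) reads correctly. The hunk otherwise follows the same pattern as the other SMB1 files in this commit.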
@@ -1,27 +1,32 @@
-## Generated for SMB/CIFS request messages of type *write andx*.
+## Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
+## version 1 requests of type *write andx*. This is sent by the client to write bytes to a
+## regular file, a named pipe, or a directly accessible I/O device such as a serial port (COM)
+## or printer port (LPT).
 ##
-## See `Wikipedia `__ for
-## more information about the SMB/CIFS protocol. Bro's SMB/CIFS analyzer parses
-## both SMB-over-NetBIOS on ports 138/139 and SMB-over-TCP on port 445.
+## For more information, see MS-CIFS:2.2.4.43
 ##
 ## c: The connection.
 ##
-## hdr: The parsed header of the SMB message.
+## hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 1 message.
 ##
 ## offset: The byte offset into the referenced file data is being written.
 ##
 ## data: The data being written.
+##
+## .. bro:see:: smb1_message smb1_write_andx_response
 event smb1_write_andx_request%(c: connection, hdr: SMB1::Header, file_id: count, offset: count, data_len: count%);
-## Generated for SMB/CIFS response messages of type *write andx*.
+## Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
+## version 1 responses of type *write andx*. This is the server response to the *write andx*
+## request.
 ##
-## See `Wikipedia `__ for
-## more information about the SMB/CIFS protocol. Bro's SMB/CIFS analyzer parses
-## both SMB-over-NetBIOS on ports 138/139 and SMB-over-TCP on port 445.
+## For more information, see MS-CIFS:2.2.4.43
 ##
 ## c: The connection.
 ##
-## hdr: The parsed header of the SMB message.
+## hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 1 message.
 ##
 ## written_bytes: The number of bytes the server reported having actually written.
+##
+## .. bro:see:: smb1_message smb1_write_andx_request
 event smb1_write_andx_response%(c: connection, hdr: SMB1::Header, written_bytes: count%);
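Review bot: The `smb1_write_andx_request` docstring documents `data: The data being written.` but the signature passes `data_len: count` (and `file_id: count`), neither of which is described, so the generated reference shows a non-existent `data` parameter and leaves `file_id` and `data_len` unexplained. Suggest replacing the `data:` line with `file_id: The file identifier being written to.` and `data_len: The number of bytes being written.`, which also parallels the read andx request documented earlier in this diff.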
diff --git a/src/analyzer/protocol/smb/smb1_events.bif b/src/analyzer/protocol/smb/smb1_events.bif
index ad942c86ee..4746af34a4 100644
--- a/src/analyzer/protocol/smb/smb1_events.bif
+++ b/src/analyzer/protocol/smb/smb1_events.bif
@@ -1,32 +1,42 @@ -## Generated for all SMB/CIFS messages. +## Generated for all :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)` version 1 +## messages. ## -## See `Wikipedia `__ for -## more information about the SMB/CIFS protocol. Bro's SMB/CIFS analyzer parses -## both SMB-over-NetBIOS on ports 138/139 and SMB-over-TCP on port 445. +## See `Wikipedia `__ for more information about the +## :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)` protocol. Bro's +## :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)` analyzer parses +## both :abbr:`SMB (Server Message Block)`-over-:abbr:`NetBIOS (Network Basic Input/Output System)` on +## ports 138/139 and :abbr:`SMB (Server Message Block)`-over-TCP on port 445. ## ## c: The connection. ## -## hdr: The parsed header of the SMB message. +## hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 1 message. ## ## is_orig: True if the message was sent by the originator of the underlying ## transport-level connection. +## +## .. bro:see:: smb2_message event smb1_message%(c: connection, hdr: SMB1::Header, is_orig: bool%); -## Generated when there is an SMB response with no message body. +## Generated when there is an :abbr:`SMB (Server Message Block)` version 1 response with no message body. ## ## c: The connection. ## -## hdr: The parsed header of the SMB message. +## hdr: The parsed header of the :abbr:`SMB (Server Message Block)` message. +## +## .. bro:see:: smb1_message event smb1_empty_response%(c: connection, hdr: SMB1::Header%); -## Generated for SMB/CIFS messages that indicate an error. This event is -## triggered by an SMB header including a status that signals an error. +## Generated for :abbr:`SMB (Server Message Block)` version 1 messages +## that indicate an error. This event is triggered by an :abbr:`SMB (Server Message Block)` header +## including a status that signals an error. ## ## c: The connection. 
## -## hdr: The parsed header of the SMB message. +## hdr: The parsed header of the :abbr:`SMB (Server Message Block)` message. ## ## is_orig: True if the message was sent by the originator of the underlying ## transport-level connection. +## +## .. bro:see:: smb1_message event smb1_error%(c: connection, hdr: SMB1::Header, is_orig: bool%); diff --git a/src/analyzer/protocol/smb/smb2_com_close.bif b/src/analyzer/protocol/smb/smb2_com_close.bif index 85b0ec53a1..5ac4afa1db 100644 --- a/src/analyzer/protocol/smb/smb2_com_close.bif +++ b/src/analyzer/protocol/smb/smb2_com_close.bif 
@@ -1,19 +1,31 @@ -## Generated for SMB2 request messages of type *close*. +## Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)` +## version 2 requests of type *close*. This is used by the client to close an instance of a +## file that was opened previously with a successful SMB2 CREATE Request. +## +## For more information, see MS-SMB2:2.2.15 ## ## c: The connection. ## -## hdr: The parsed header of the SMB2 message. +## hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 2 message. ## ## file_name: The SMB2 GUID of the file being closed. +## +## .. bro:see:: smb2_message smb2_close_response event smb2_close_request%(c: connection, hdr: SMB2::Header, file_id: SMB2::GUID%); -## Generated for SMB2 response messages of type *close*. +## Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)` +## version 2 responses of type *close*. This is sent by the server to indicate that an SMB2 CLOSE +## request was processed successfully. +## +## For more information, see MS-SMB2:2.2.16 ## ## c: The connection. ## -## hdr: The parsed header of the SMB2 message. +## hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 2 message. ## ## response: A record of attributes returned from the server from the close. +## +## .. bro:see:: smb2_message smb2_close_request event smb2_close_response%(c: connection, hdr: SMB2::Header, response: SMB2::CloseResponse%); diff --git a/src/analyzer/protocol/smb/smb2_com_create.bif b/src/analyzer/protocol/smb/smb2_com_create.bif index aae5a23c01..dea5b118ca 100644 --- a/src/analyzer/protocol/smb/smb2_com_create.bif +++ b/src/analyzer/protocol/smb/smb2_com_create.bif 
@@ -1,17 +1,27 @@ -## Generated for SMB2 request messages of type *create*. +## Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)` +## version 2 requests of type *create*. This is sent by the client to request either creation +## of or access to a file. +## +## For more information, see MS-SMB2:2.2.13 ## ## c: The connection. ## -## hdr: The parsed header of the SMB2 message. +## hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 2 message. ## ## file_name: The name of the file being requested. +## +## .. bro:see:: smb2_message smb2_create_response event smb2_create_request%(c: connection, hdr: SMB2::Header, file_name: string%); -## Generated for SMB2 response messages of type *create*. +## Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)` +## version 2 responses of type *create*. This is sent by the server to notify the client of +## the status of its SMB2 CREATE request. +## +## For more information, see MS-SMB2:2.2.14 ## ## c: The connection. ## -## hdr: The parsed header of the SMB2 message. +## hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 2 message. ## ## file_id: The SMB2 GUID for the file. ## @@ -20,4 +30,6 @@ event smb2_create_request%(c: connection, hdr: SMB2::Header, file_name: string%) ## times: Timestamps associated with the file in question. ## ## attrs: File attributes. +## +## .. bro:see:: smb2_message smb2_create_request event smb2_create_response%(c: connection, hdr: SMB2::Header, file_id: SMB2::GUID, size: count, times: SMB::MACTimes, attrs: SMB2::FileAttrs%); diff --git a/src/analyzer/protocol/smb/smb2_com_ioctl.bif b/src/analyzer/protocol/smb/smb2_com_ioctl.bif index 222a4a41e0..996cee9ad8 100644 --- a/src/analyzer/protocol/smb/smb2_com_ioctl.bif +++ b/src/analyzer/protocol/smb/smb2_com_ioctl.bif @@ -1 +1 @@ -# Emoty. +# Empty. 
diff --git a/src/analyzer/protocol/smb/smb2_com_negotiate.bif b/src/analyzer/protocol/smb/smb2_com_negotiate.bif index 370491f5ec..80c7c1aea5 100644 --- a/src/analyzer/protocol/smb/smb2_com_negotiate.bif +++ b/src/analyzer/protocol/smb/smb2_com_negotiate.bif @@ -1,19 +1,31 @@ -## Generated for SMB2 messages of type *negotiate*. +## Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)` +## version 2 requests of type *negotiate*. This is used by the client to notify the server what +## dialects of the SMB2 Protocol the client understands. +## +## For more information, see MS-SMB2:2.2.3 ## ## c: The connection. ## -## hdr: The parsed header of the SMB2 message. +## hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 2 message. ## ## dialects: A vector of the client's supported dialects. +## +## .. bro:see:: smb2_message smb2_negotiate_response event smb2_negotiate_request%(c: connection, hdr: SMB2::Header, dialects: index_vec%); -## Generated for SMB2 messages of type *negotiate response*. +## Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)` +## version 2 responses of type *negotiate*. This is sent by the server to notify the client of +## the preferred common dialect. +## +## For more information, see MS-SMB2:2.2.4 ## ## c: The connection. ## -## hdr: The parsed header of the SMB2 message. +## hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 2 message. ## ## response: The negotiate response data structure. +## +## .. bro:see:: smb2_message smb2_negotiate_request event smb2_negotiate_response%(c: connection, hdr: SMB2::Header, response: SMB2::NegotiateResponse%); #### Types diff --git a/src/analyzer/protocol/smb/smb2_com_read.bif b/src/analyzer/protocol/smb/smb2_com_read.bif index d219063df4..4ccc8d7788 100644 --- a/src/analyzer/protocol/smb/smb2_com_read.bif +++ b/src/analyzer/protocol/smb/smb2_com_read.bif 
@@ -1,12 +1,18 @@ -## Generated for SMB2 request messages of type *read*. +## Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)` +## version 2 requests of type *read*. This is sent by the client to request a read operation on +## the specified file. +## +## For more information, see MS-SMB2:2.2.19 ## ## c: The connection. ## -## hdr: The parsed header of the SMB2 message. +## hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 2 message. ## ## file_id: The GUID being used for the file. ## ## offset: How far into the file this read should be taking place. ## ## length: The number of bytes of the file being read. +## +## .. bro:see:: smb2_message event smb2_read_request%(c: connection, hdr: SMB2::Header, file_id: SMB2::GUID, offset: count, length: count%); diff --git a/src/analyzer/protocol/smb/smb2_com_session_setup.bif b/src/analyzer/protocol/smb/smb2_com_session_setup.bif index f49e47ff0b..99430d5ac9 100644 --- a/src/analyzer/protocol/smb/smb2_com_session_setup.bif +++ b/src/analyzer/protocol/smb/smb2_com_session_setup.bif 
@@ -1,19 +1,32 @@ -## Generated for SMB2 request messages of type *session_setup*. +## Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)` +## version 2 requests of type *session_setup*. This is sent by the client to request a new +## authenticated session within a new or existing SMB 2 Protocol transport connection to the +## server. +## +## For more information, see MS-SMB2:2.2.5 ## ## c: The connection. ## -## hdr: The parsed header of the SMB2 message. +## hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 2 message. ## ## request: A record containing more information related to the request. +## +## .. bro:see:: smb2_message smb2_session_setup_response event smb2_session_setup_request%(c: connection, hdr: SMB2::Header, request: SMB2::SessionSetupRequest%); -## Generated for SMB2 response messages of type *session_setup*. +## Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)` +## version 2 responses of type *session_setup*. This is sent by the server in response to a +## *session_setup* request. +## +## For more information, see MS-SMB2:2.2.6 ## ## c: The connection. ## -## hdr: The parsed header of the SMB2 message. +## hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 2 message. ## ## response: A record containing more information related to the response. +## +## .. bro:see:: smb2_message smb2_session_setup_request event smb2_session_setup_response%(c: connection, hdr: SMB2::Header, response: SMB2::SessionSetupResponse%); #### Types diff --git a/src/analyzer/protocol/smb/smb2_com_set_info.bif b/src/analyzer/protocol/smb/smb2_com_set_info.bif index 4ad99303a1..6fd232ed7d 100644 --- a/src/analyzer/protocol/smb/smb2_com_set_info.bif +++ b/src/analyzer/protocol/smb/smb2_com_set_info.bif 
@@ -1,31 +1,46 @@
-## Generated for SMB2 request messages of type *set_info*.
+## Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
+## version 2 requests of type *set_info* of the *rename* subtype.
+##
+## For more information, see MS-SMB2:2.2.39
 ##
 ## c: The connection.
 ##
-## hdr: The parsed header of the SMB2 message.
-##
-## request: A record containing more information related to the request.
-event smb2_set_info_request%(c: connection, hdr: SMB2::Header, request: SMB2::SetInfoRequest%);
-
-type SMB2::SetInfoRequest: record;
-
-## Generated for SMB2 SetInfo File request messages of the rename subtype.
-##
-## c: The connection.
-##
-## hdr: The parsed header of the SMB2 message.
+## hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 2 message.
 ##
 ## file_id: A GUID to identify the file.
 ##
 ## dst_filename: The filename to rename the file into.
+##
+## .. bro:see:: smb2_message smb2_set_info_request smb2_file_delete
 event smb2_file_rename%(c: connection, hdr: SMB2::Header, file_id: SMB2::GUID, dst_filename: string%);
 
-## Generated for SMB2 SetInfo File request messages of the disposition (delete) subtype.
+## Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
+## version 2 requests of type *set_info* of the *delete* subtype.
+##
+## For more information, see MS-SMB2:2.2.39
 ##
 ## c: The connection.
 ##
-## hdr: The parsed header of the SMB2 message.
+## hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 2 message.
 ##
 ## delete_pending: A boolean value to indicate that a file should be deleted
 ## when it's closed if set to T.
-event smb2_file_delete%(c: connection, hdr: SMB2::Header, file_id: SMB2::GUID, delete_pending: bool%);
\ No newline at end of file
+##
+## .. bro:see:: smb2_message smb2_set_info_request smb2_file_rename
+event smb2_file_delete%(c: connection, hdr: SMB2::Header, file_id: SMB2::GUID, delete_pending: bool%);
+
+# TODO - Not implemented
+
+# Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
+# version 2 requests of type *set_info*.
+#
+# c: The connection.
+#
+# hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 2 message.
+#
+# request: A record containing more information related to the request.
+#
+# .. bro:see:: smb2_message smb2_file_rename smb2_file_delete
+# event smb2_set_info_request%(c: connection, hdr: SMB2::Header, request: SMB2::SetInfoRequest%);
+#
+# type SMB2::SetInfoRequest: record;
diff --git a/src/analyzer/protocol/smb/smb2_com_tree_connect.bif b/src/analyzer/protocol/smb/smb2_com_tree_connect.bif
index 90501e341a..78978f3971 100644
--- a/src/analyzer/protocol/smb/smb2_com_tree_connect.bif
+++ b/src/analyzer/protocol/smb/smb2_com_tree_connect.bif
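Review bot: The two new `.. bro:see::` lines on smb2_file_rename and smb2_file_delete reference `smb2_set_info_request`, but this same hunk removes that event declaration and `type SMB2::SetInfoRequest` and leaves them only as a commented-out "TODO - Not implemented" block, so the generated documentation will carry a cross-reference to an event that no longer exists. Drop `smb2_set_info_request` from both lines (`## .. bro:see:: smb2_message smb2_file_delete` and `## .. bro:see:: smb2_message smb2_file_rename`) until the event is reinstated. Removing the declaration also presumably breaks any script that installs a handler for `smb2_set_info_request`; if that event existed in a released version, the removal deserves a mention in the commit message or changelog.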
@@ -1,19 +1,31 @@ -## Generated for SMB2 request messages of type *tree_connect*. +## Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)` +## version 2 requests of type *tree_connect*. This is sent by a client to request access to a +## particular share on the server. +## +## For more information, see MS-SMB2:2.2.9 ## ## c: The connection. ## -## hdr: The parsed header of the SMB2 message. +## hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 2 message. ## ## path: Path of the requested tree. +## +## .. bro:see:: smb2_message smb2_tree_connect_response event smb2_tree_connect_request%(c: connection, hdr: SMB2::Header, path: string%); -## Generated for SMB2 response messages of type *tree_connect*. +## Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)` +## version 2 responses of type *tree_connect*. This is sent by the server when a *tree_connect* +## request is successfully processed by the server. +## +## For more information, see MS-SMB2:2.2.10 ## ## c: The connection. ## -## hdr: The parsed header of the SMB2 message. +## hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 2 message. ## ## response: A record with more information related to the response. +## +## .. bro:see:: smb2_message smb2_tree_connect_request event smb2_tree_connect_response%(c: connection, hdr: SMB2::Header, response: SMB2::TreeConnectResponse%); type SMB2::TreeConnectResponse: record; diff --git a/src/analyzer/protocol/smb/smb2_com_write.bif b/src/analyzer/protocol/smb/smb2_com_write.bif index 729ad55805..90efce049c 100644 --- a/src/analyzer/protocol/smb/smb2_com_write.bif +++ b/src/analyzer/protocol/smb/smb2_com_write.bif 
@@ -1,12 +1,18 @@ -## Generated for SMB2 request messages of type *write*. +## Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)` +## version 2 requests of type *write*. This is sent by the client to write data to the file or +## named pipe on the server. +## +## For more information, see MS-SMB2:2.2.21 ## ## c: The connection. ## -## hdr: The parsed header of the SMB2 message. +## hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 2 message. ## ## file_id: The GUID being used for the file. ## ## offset: How far into the file this write should be taking place. ## ## length: The number of bytes of the file being written. +## +## .. bro:see:: smb2_message event smb2_write_request%(c: connection, hdr: SMB2::Header, file_id: SMB2::GUID, offset: count, length: count%); diff --git a/src/analyzer/protocol/smb/smb2_events.bif b/src/analyzer/protocol/smb/smb2_events.bif index edfd226a8d..a8a2c439fc 100644 --- a/src/analyzer/protocol/smb/smb2_events.bif +++ b/src/analyzer/protocol/smb/smb2_events.bif 
@@ -1,12 +1,17 @@
-## Generated for all SMB2 messages.
+## Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
+## version 2 messages.
+##
+## See `Wikipedia `__ for more information about the
+## :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)` protocol. Bro's
+## :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)` analyzer parses
+## both :abbr:`SMB (Server Message Block)`-over-:abbr:`NetBIOS (Network Basic Input/Output System)` on
+## ports 138/139 and :abbr:`SMB (Server Message Block)`-over-TCP on port 445.
 ##
 ## c: The connection.
 ##
-## hdr: The parsed header of the SMB2 message.
+## hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 2 message.
 ##
 ## is_orig: True if the message came from the originator side.
+##
+## .. bro:see:: smb1_message
 event smb2_message%(c: connection, hdr: SMB2::Header, is_orig: bool%);
-
-
-
-
diff --git a/src/plugin/Manager.cc b/src/plugin/Manager.cc
index 9ce7fb27dd..fe304ba872 100644
--- a/src/plugin/Manager.cc
+++ b/src/plugin/Manager.cc
@@ -238,6 +238,7 @@ bool Manager::ActivateDynamicPluginInternal(const std::string& name, bool ok_if_
 	current_plugin->SetDynamic(true);
 
 	current_plugin->DoConfigure();
+	DBG_LOG(DBG_PLUGINS, " InitialzingComponents");
 	current_plugin->InitializeComponents();
 
 	if ( current_plugin->APIVersion() != BRO_PLUGIN_API_VERSION )
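Review bot: The added debug message in Manager::ActivateDynamicPluginInternal misspells the call it describes: `DBG_LOG(DBG_PLUGINS, " InitialzingComponents");` should read `DBG_LOG(DBG_PLUGINS, " InitializingComponents");`, since anyone grepping the plugin debug stream for the component-initialisation step will otherwise miss it. The leading space inside the string presumably mirrors the indentation style of the other DBG_LOG calls in this function, which are outside the hunk; worth confirming they agree. The enclosing function starts before and continues after this hunk.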