Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-02 14:48:21 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 2

Merge branch 'smb2_write_response' of https://github.com/mauropalumbo75/zeek

Browse source 
* 'smb2_write_response' of https://github.com/mauropalumbo75/zeek:
  smb2_write_response event added

Fixed the unit test to ignore bad checksums in the pcap
This commit is contained in:
Jon Siwek 2019-04-12 10:12:31 -07:00
commit 8a2371c7ea
7 changed files with 45 additions and 2 deletions
Download patch file Download diff file Expand all files Collapse all files

4
CHANGES
View file

@ -1,4 +1,8 @@
2.6-212 | 2019-04-12 10:12:31 -0700
* smb2_write_response event added (Mauro Palumbo)
2.6-210 | 2019-04-10 09:54:27 -0700 2.6-210 | 2019-04-10 09:54:27 -0700
* Add options to tune BinPAC flowbuffer policy (Jon Siwek, Corelight) * Add options to tune BinPAC flowbuffer policy (Jon Siwek, Corelight)

2
VERSION
View file

@ -1 +1 @@
2.6-210 2.6-212

2
doc

@ -1 +1 @@
Subproject commit 97af751958172622862bf0da694d6386967d5d24 Subproject commit e9f6728f13165148ca8ffe0b373148ff78b10c6a

9
src/analyzer/protocol/smb/smb2-com-write.pac
View file

@ -24,6 +24,15 @@ refine connection SMB_Conn += {
function proc_smb2_write_response(h: SMB2_Header, val: SMB2_write_response) : bool function proc_smb2_write_response(h: SMB2_Header, val: SMB2_write_response) : bool
%{ %{
if ( smb2_write_response )
{
BifEvent::generate_smb2_write_response(bro_analyzer(),
bro_analyzer()->Conn(),
BuildSMB2HeaderVal(h),
${val.write_count});
}
return true; return true;
%} %}

15
src/analyzer/protocol/smb/smb2_com_write.bif
View file

@ -16,3 +16,18 @@
## ##
## .. bro:see:: smb2_message ## .. bro:see:: smb2_message
event smb2_write_request%(c: connection, hdr: SMB2::Header, file_id: SMB2::GUID, offset: count, length: count%); event smb2_write_request%(c: connection, hdr: SMB2::Header, file_id: SMB2::GUID, offset: count, length: count%);
## Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
## version 2 requests of type *write*. This is sent by the server in response to a write request or
## named pipe on the server.
##
## For more information, see MS-SMB2:2.2.22
##
## c: The connection.
##
## hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 2 message.
##
## length: The number of bytes of the file being written.
##
## .. bro:see:: smb2_message
event smb2_write_response%(c: connection, hdr: SMB2::Header, length: count%);

2
testing/btest/Baseline/scripts.base.protocols.smb.smb2-write-response/.stdout Normal file
View file

@ -0,0 +1,2 @@
smb2_write_response 169.254.128.18 -> 169.254.128.15:445, length: 7000
[credit_charge=1, status=0, command=9, credits=1, flags=1, message_id=1238, process_id=65279, tree_id=1394175098, session_id=1008934080, signature=\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00]

13
testing/btest/scripts/base/protocols/smb/smb2-write-response.test Normal file
View file

@ -0,0 +1,13 @@
# @TEST-EXEC: bro -C -r $TRACES/smb/smb2readwrite.pcap %INPUT
# @TEST-EXEC: btest-diff .stdout
@load base/protocols/smb
# A test for write response.
event smb2_write_response(c: connection, hdr: SMB2::Header, length: count)
{
print fmt("smb2_write_response %s -> %s:%d, length: %d", c$id$orig_h, c$id$resp_h, c$id$resp_p, length);
print (hdr);
}