From 4ae92161e9f6331470b6373b4443471064c8ab96 Mon Sep 17 00:00:00 2001
From: Stephen Hosom <0xhosom@gmail.com>
Date: Wed, 27 Feb 2019 08:47:53 -0500
Subject: [PATCH 1/4] Support filenamess for SMB files

Hook file_new to observe filenames in SMB traffic and fire into Intel::seen
---
 .../frameworks/intel/seen/smb-filenames.bro | 20 +++++++++++++++++++
 1 file changed, 20 insertions(+)
 create mode 100644 scripts/policy/frameworks/intel/seen/smb-filenames.bro

diff --git a/scripts/policy/frameworks/intel/seen/smb-filenames.bro b/scripts/policy/frameworks/intel/seen/smb-filenames.bro
new file mode 100644
index 0000000000..9664ccba5f
--- /dev/null
+++ b/scripts/policy/frameworks/intel/seen/smb-filenames.bro
@@ -0,0 +1,20 @@
+@load base/frameworks/intel
+@load ./where-locations
+
+event file_new(f: fa_file)
+ {
+ if ( f$source != "SMB" )
+ return;
+
+ for ( id in f$conns )
+ {
+ local c = f$conns[id];
+ if ( c?$smb_state && c$smb_state?$current_file && c$smb_state$current_file?$name )
+ {
+ Intel::seen([$indicator=c$smb_state$current_file$name,
+ $indicator_type=Intel::FILE_NAME,
+ $f=f,
+ $where=Files::IN_NAME]);
+ }
+ }
+ }
\ No newline at end of file

From 8ce6d67acc342781a987361a0194a012bc241b64 Mon Sep 17 00:00:00 2001
From: Stephen Hosom <0xhosom@gmail.com>
Date: Wed, 27 Feb 2019 08:53:52 -0500
Subject: [PATCH 2/4] Add SMB::IN_FILE_NAME to Intel::Where enum

This should reduce the ambiguity of where precisely the indicator was seen so that it isn't confused with the normal File::IN_NAME hit.
---
 scripts/policy/frameworks/intel/seen/smb-filenames.bro | 2 +-
 scripts/policy/frameworks/intel/seen/where-locations.bro | 1 +
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/scripts/policy/frameworks/intel/seen/smb-filenames.bro b/scripts/policy/frameworks/intel/seen/smb-filenames.bro
index 9664ccba5f..7a18276f49 100644
--- a/scripts/policy/frameworks/intel/seen/smb-filenames.bro
+++ b/scripts/policy/frameworks/intel/seen/smb-filenames.bro
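Review bot: The loop `for ( id in f$conns )` reads `f$conns` without checking that it is set; as far as I recall `conns` is `&optional` on `fa_file`, so a file record without connections would abort the handler with a runtime error, and a guard `if ( ! f?$conns ) return;` before the loop is cheap. Pairing `c$smb_state$current_file` with this particular `f` is an assumption worth stating in a comment, since I cannot confirm from the hunk that the connection's current file is always the file being reported. The new file has no header doc comment; `##! Intel::seen integration for file names observed in SMB traffic.` would match the `##!` convention. It also ends without a trailing newline (`\ No newline at end of file`), as does `__load__.bro` after patch 3.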
@@ -14,7 +14,7 @@ event file_new(f: fa_file)
 Intel::seen([$indicator=c$smb_state$current_file$name,
 $indicator_type=Intel::FILE_NAME,
 $f=f,
- $where=Files::IN_NAME]);
+ $where=SMB::IN_FILE_NAME]);
 }
 }
 }
\ No newline at end of file
diff --git a/scripts/policy/frameworks/intel/seen/where-locations.bro b/scripts/policy/frameworks/intel/seen/where-locations.bro
index 59a89b0eb2..9d30b5ff8f 100644
--- a/scripts/policy/frameworks/intel/seen/where-locations.bro
+++ b/scripts/policy/frameworks/intel/seen/where-locations.bro
@@ -26,5 +26,6 @@ export {
 SSL::IN_SERVER_NAME,
 SMTP::IN_HEADER,
 X509::IN_CERT,
+ SMB::IN_FILE_NAME,
 };
 }

From 2d3a21968e2e50c7913514ace6d90ab0b69c2f1c Mon Sep 17 00:00:00 2001
From: Stephen Hosom <0xhosom@gmail.com>
Date: Wed, 27 Feb 2019 08:56:28 -0500
Subject: [PATCH 3/4] load smb-filenames in scripts/policy/frameworks/intel/seen/__load__.bro

---
 scripts/policy/frameworks/intel/seen/__load__.bro | 1 +
 1 file changed, 1 insertion(+)

diff --git a/scripts/policy/frameworks/intel/seen/__load__.bro b/scripts/policy/frameworks/intel/seen/__load__.bro
index d364e8c587..a01741ea20 100644
--- a/scripts/policy/frameworks/intel/seen/__load__.bro
+++ b/scripts/policy/frameworks/intel/seen/__load__.bro
@@ -9,3 +9,4 @@
 @load ./smtp
 @load ./smtp-url-extraction
 @load ./x509
+@load ./smb-filenames
\ No newline at end of file

From 1d5eac4ee130b1f289fe7661022f27ffd4bfa32e Mon Sep 17 00:00:00 2001
From: Stephen Hosom <0xhosom@gmail.com>
Date: Wed, 27 Feb 2019 09:24:52 -0500
Subject: [PATCH 4/4] Normalize the intel seen filename for smb.

---
 scripts/policy/frameworks/intel/seen/smb-filenames.bro | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/scripts/policy/frameworks/intel/seen/smb-filenames.bro b/scripts/policy/frameworks/intel/seen/smb-filenames.bro
index 7a18276f49..17b59c6e7c 100644
--- a/scripts/policy/frameworks/intel/seen/smb-filenames.bro
+++ b/scripts/policy/frameworks/intel/seen/smb-filenames.bro
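Review bot: The new `@load ./smb-filenames` in `__load__.bro` is appended after `./x509`, while the visible neighbours (`./smtp`, `./smtp-url-extraction`, `./x509`) read as alphabetically ordered, so the line belongs before `@load ./smtp` if that ordering is deliberate. Placing it there also avoids the `\ No newline at end of file` the appended line introduces, since the existing last line keeps its newline.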
@@ -11,7 +11,9 @@ event file_new(f: fa_file)
 local c = f$conns[id];
 if ( c?$smb_state && c$smb_state?$current_file && c$smb_state$current_file?$name )
 {
- Intel::seen([$indicator=c$smb_state$current_file$name,
+ local split_fname = split_string(c$smb_state$current_file$name, /\\/);
+ local fname = split_fname[|split_fname|-1];
+ Intel::seen([$indicator=fname,
 $indicator_type=Intel::FILE_NAME,
 $f=f,
 $where=SMB::IN_FILE_NAME]);
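Review bot: `fname = split_fname[|split_fname|-1]` is the empty string whenever the SMB name ends in a backslash (a directory or share path), if `split_string` keeps a trailing empty element as I believe it does, and `Intel::seen` then fires with an empty `$indicator`; a guard `if ( fname == "" ) next;` before the call keeps those out of the intel match. The normalization silently discards the directory part, so a `FILE_NAME` intel entry written as a full path will never match; a comment above the `split_string` line, `# Intel::FILE_NAME indicators are bare file names, so strip the SMB path prefix`, would make that contract explicit. The `file_new` handler extends beyond this hunk on both sides.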