Merge branch 'master' of https://github.com/hosom/zeek

* 'master' of https://github.com/hosom/zeek: Normalize the intel seen filename for smb. load smb-filenames in scripts/policy/frameworks/intel/seen/__load__.bro Add SMB::IN_FILE_NAME to Intel::Where enum Support filenamess for SMB files I added a test case
2025-10-02 06:38:20 +00:00 · 2019-03-25 16:43:10 -07:00 · 2019-03-25 16:43:10 -07:00 · 8b29df96cc
commit 8b29df96cc
parent fe2f465023 1d5eac4ee1
10 changed files with 66 additions and 2 deletions
--- a/scripts/policy/frameworks/intel/seen/load.bro
+++ b/scripts/policy/frameworks/intel/seen/load.bro
@ -6,6 +6,7 @@
@load ./http-url
@load ./pubkey-hashes
@load ./ssl
+@load ./smb-filenames
@load ./smtp
@load ./smtp-url-extraction
@load ./x509
--- a/scripts/policy/frameworks/intel/seen/smb-filenames.bro
+++ b/scripts/policy/frameworks/intel/seen/smb-filenames.bro
@ -0,0 +1,23 @@
+@load base/protocols/smb
+@load base/frameworks/intel
+@load ./where-locations
+
+event file_new(f: fa_file)
+    {
+    if ( f$source != "SMB" )
+        return;
+
+    for ( id in f$conns )
+        {
+        local c = f$conns[id];
+        if ( c?$smb_state && c$smb_state?$current_file && c$smb_state$current_file?$name )
+            {
+            local split_fname = split_string(c$smb_state$current_file$name, /\\/);
+            local fname = split_fname[|split_fname|-1];
+            Intel::seen([$indicator=fname,
+                        $indicator_type=Intel::FILE_NAME,
+                        $f=f,
+                        $where=SMB::IN_FILE_NAME]);
+            }
+        }
+    }
--- a/scripts/policy/frameworks/intel/seen/where-locations.bro
+++ b/scripts/policy/frameworks/intel/seen/where-locations.bro
@ -26,5 +26,6 @@ export {
 		SSL::IN_SERVER_NAME,
 		SMTP::IN_HEADER,
 		X509::IN_CERT,
+		SMB::IN_FILE_NAME,
 	};
 }