Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-02 14:48:21 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 2

More smb_files.log improvements.

Browse source 
- Actually get the path into the smb_files.log now.
 - When a share root is having the "create" message used on it,
   instead of giving a null file name, now give a special
   indicator of "<share_root>".
 - Update test baselines.
This commit is contained in:
Seth Hall 2016-03-09 04:49:48 -05:00
parent ba144252cb
commit 9c6402bd91
3 changed files with 20 additions and 14 deletions
Download patch file Download diff file Expand all files Collapse all files

14
scripts/base/protocols/smb/smb2-main.bro
View file

@ -31,9 +31,12 @@ event smb2_message(c: connection, hdr: SMB2::Header, is_orig: bool) &priority=5
if ( mid !in smb_state$pending_cmds )
{
local tmp_cmd: SMB::CmdInfo = [$ts=network_time(), $uid=c$uid, $id=c$id, $version="SMB2", $command = SMB2::commands[hdr$command]];
local tmp_cmd = SMB::CmdInfo($ts=network_time(), $uid=c$uid, $id=c$id, $version="SMB2", $command = SMB2::commands[hdr$command]);
local tmp_file = SMB::FileInfo($ts=network_time(), $uid=c$uid, $id=c$id);
if ( smb_state$current_tree?$path )
tmp_file$path = smb_state$current_tree$path;
local tmp_file: SMB::FileInfo = [$ts=network_time(), $uid=c$uid, $id=c$id];
tmp_cmd$referenced_file = tmp_file;
tmp_cmd$referenced_tree = smb_state$current_tree;
@ -96,7 +99,7 @@ event smb2_negotiate_response(c: connection, hdr: SMB2::Header, response: SMB2::
event smb2_tree_connect_request(c: connection, hdr: SMB2::Header, path: string) &priority=5
{
local tmp_tree: SMB::TreeInfo = [$ts=network_time(), $uid=c$uid, $id=c$id, $path=path];
local tmp_tree = SMB::TreeInfo($ts=network_time(), $uid=c$uid, $id=c$id, $path=path);
c$smb_state$current_cmd$referenced_tree = tmp_tree;
}
@ -115,7 +118,10 @@ event smb2_tree_connect_response(c: connection, hdr: SMB2::Header, response: SMB
event smb2_create_request(c: connection, hdr: SMB2::Header, name: string) &priority=5
{
local tmp_file: SMB::FileInfo = [$ts=network_time(), $uid=c$uid, $id=c$id, $name=name];
if ( name == "")
name = "<share_root>";
local tmp_file = SMB::FileInfo($ts=network_time(), $uid=c$uid, $id=c$id, $name=name);
switch ( c$smb_state$current_cmd$referenced_tree$share_type )
{

6
testing/btest/Baseline/scripts.base.protocols.smb.smb1/smb_files.log
View file

@ -3,11 +3,11 @@
#empty_field (empty)
#unset_field -
#path smb_files
#open 2016-03-09-08-45-09
#open 2016-03-09-09-45-49
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p fuid action path name size times.modified times.accessed times.created times.changed
#types time string addr port addr port string enum string string count time time time time
1403194573.483536 CXWv6p3arKYeMETxOg 192.168.1.78 55770 192.168.1.53 445 - SMB::UNKNOWN_OPEN - (empty) 0 1403193605.830790 1403193605.830790 1403193211.405449 1403193605.830790
1403194573.483536 CXWv6p3arKYeMETxOg 192.168.1.78 55770 192.168.1.53 445 - SMB::UNKNOWN_OPEN - <share_root> 0 1403193605.830790 1403193605.830790 1403193211.405449 1403193605.830790
1403194573.484701 CXWv6p3arKYeMETxOg 192.168.1.78 55770 192.168.1.53 445 - SMB::UNKNOWN_OPEN - Test 0 1403193632.973276 1403193632.973276 1403193604.628965 1403193632.973276
1403194574.150293 CXWv6p3arKYeMETxOg 192.168.1.78 55770 192.168.1.53 445 - SMB::UNKNOWN_OPEN - Test\\2009-12 Payroll.xlsx 25940 1403148950.000000 1403193623.046524 1403148950.000000 1403193632.973276
1403194574.232191 CXWv6p3arKYeMETxOg 192.168.1.78 55770 192.168.1.53 445 FyxE5A19VJyangfN54 SMB::UNKNOWN_OPEN - Test\\2009-12 Payroll.xlsx 25940 1403148950.000000 1403193623.046524 1403148950.000000 1403193632.973276
#close 2016-03-09-08-45-09
#close 2016-03-09-09-45-49

10
testing/btest/Baseline/scripts.base.protocols.smb.smb2/smb_files.log
View file

@ -3,12 +3,12 @@
#empty_field (empty)
#unset_field -
#path smb_files
#open 2016-03-07-20-31-34
#open 2016-03-09-09-45-59
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p fuid action path name size times.modified times.accessed times.created times.changed
#types time string addr port addr port string enum string string count time time time time
1323202695.377459 CXWv6p3arKYeMETxOg 10.0.0.11 49208 10.0.0.12 445 - SMB::FILE_OPEN - (empty) 8192 1323202604.512058 1323202604.512058 1322343963.945297 1323202604.512058
1323202695.377459 CXWv6p3arKYeMETxOg 10.0.0.11 49208 10.0.0.12 445 - SMB::FILE_OPEN - <share_root> 8192 1323202604.512058 1323202604.512058 1322343963.945297 1323202604.512058
1323202695.432192 CXWv6p3arKYeMETxOg 10.0.0.11 49208 10.0.0.12 445 - SMB::FILE_OPEN - WP_SMBPlugin.pdf 0 1323202695.427034 1323202695.427034 1323202695.427034 1323202695.427034
1323202695.432192 CXWv6p3arKYeMETxOg 10.0.0.11 49208 10.0.0.12 445 FUU9mc3Ub5uZdcqg1d SMB::FILE_CLOSE \\\\10.0.0.12\\smb2 WP_SMBPlugin.pdf 0 1323202695.427034 1323202695.427034 1323202695.427034 1323202695.427034
1323202695.599914 CXWv6p3arKYeMETxOg 10.0.0.11 49208 10.0.0.12 445 - SMB::FILE_OPEN - (empty) 8192 1323202695.427034 1323202695.427034 1322343963.945297 1323202695.427034
1323202695.599914 CXWv6p3arKYeMETxOg 10.0.0.11 49208 10.0.0.12 445 - SMB::FILE_CLOSE \\\\10.0.0.12\\smb2 (empty) 8192 1323202695.427034 1323202695.427034 1322343963.945297 1323202695.427034
#close 2016-03-07-20-31-34
1323202695.599914 CXWv6p3arKYeMETxOg 10.0.0.11 49208 10.0.0.12 445 - SMB::FILE_OPEN - <share_root> 8192 1323202695.427034 1323202695.427034 1322343963.945297 1323202695.427034
1323202695.599914 CXWv6p3arKYeMETxOg 10.0.0.11 49208 10.0.0.12 445 - SMB::FILE_CLOSE \\\\10.0.0.12\\smb2 <share_root> 8192 1323202695.427034 1323202695.427034 1322343963.945297 1323202695.427034
#close 2016-03-09-09-45-59