Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-02 14:48:21 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 2

clean up, test and pcap for transform_header added

Browse source
This commit is contained in:
mauro 2019-02-21 12:01:02 +01:00
parent f1cdae2829
commit a346b01a85
10 changed files with 76 additions and 6 deletions
Download patch file Download diff file Expand all files Collapse all files

4
src/analyzer/protocol/smb/smb2-com-transform-header.pac
View file

@ -4,8 +4,6 @@ refine connection SMB_Conn += {
%{
RecordVal* r = new RecordVal(BifType::Record::SMB2::Transform_header);
//r->Assign(0, uint8s_to_stringval(${hdr.signature}));
//r->Assign(1, uint8s_to_stringval(${hdr.nonce}));
r->Assign(0, bytestring_to_val(${hdr.signature}));
r->Assign(1, bytestring_to_val(${hdr.nonce}));
r->Assign(2, val_mgr->GetCount(${hdr.orig_msg_size}));
@ -30,8 +28,6 @@ refine connection SMB_Conn += {
type SMB2_transform_header = record {
signature : bytestring &length = 16;
nonce : bytestring &length = 16;
#signature : uint8[16];
#nonce : uint8[16];
orig_msg_size : uint32;
reserved : uint16;
flags : uint16;

2
src/analyzer/protocol/smb/smb2-protocol.pac
View file

@ -281,7 +281,7 @@ type SMB2_error_response(header: SMB2_Header) = record {
type SMB2_logoff_request(header: SMB2_Header) = record {
structure_size : uint16;
reserved : uint16;
};
};
type SMB2_logoff_response(header: SMB2_Header) = record {
structure_size : uint16;

2
src/analyzer/protocol/smb/smb2_com_transform_header.bif
View file

@ -6,7 +6,7 @@
##
## c: The connection.
##
## hdr: The parsed transformed header message, which is starting with \xfd534d42 and different from SMB1 and SMB2 headers.
## hdr: The parsed transformed header message, which is starting with \xfdSMB and different from SMB1 and SMB2 headers.
##
## .. bro:see:: smb2_message
event smb2_transform_header%(c: connection, hdr: SMB2::Transform_header%);

1
testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log
View file

@ -136,6 +136,7 @@ scripts/base/init-frameworks-and-bifs.bro
build/scripts/base/bif/plugins/Bro_SMB.smb2_com_tree_connect.bif.bro
build/scripts/base/bif/plugins/Bro_SMB.smb2_com_tree_disconnect.bif.bro
build/scripts/base/bif/plugins/Bro_SMB.smb2_com_write.bif.bro
build/scripts/base/bif/plugins/Bro_SMB.smb2_com_transform_header.bif.bro
build/scripts/base/bif/plugins/Bro_SMB.smb2_events.bif.bro
build/scripts/base/bif/plugins/Bro_SMB.events.bif.bro
build/scripts/base/bif/plugins/Bro_SMB.consts.bif.bro

1
testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log
View file

@ -136,6 +136,7 @@ scripts/base/init-frameworks-and-bifs.bro
build/scripts/base/bif/plugins/Bro_SMB.smb2_com_tree_connect.bif.bro
build/scripts/base/bif/plugins/Bro_SMB.smb2_com_tree_disconnect.bif.bro
build/scripts/base/bif/plugins/Bro_SMB.smb2_com_write.bif.bro
build/scripts/base/bif/plugins/Bro_SMB.smb2_com_transform_header.bif.bro
build/scripts/base/bif/plugins/Bro_SMB.smb2_events.bif.bro
build/scripts/base/bif/plugins/Bro_SMB.events.bif.bro
build/scripts/base/bif/plugins/Bro_SMB.consts.bif.bro

3
testing/btest/Baseline/plugins.hooks/output
View file

@ -658,6 +658,7 @@
0.000000 MetaHookPost LoadFile(0, .<...>/Bro_SMB.smb2_com_read.bif.bro) -> -1
0.000000 MetaHookPost LoadFile(0, .<...>/Bro_SMB.smb2_com_session_setup.bif.bro) -> -1
0.000000 MetaHookPost LoadFile(0, .<...>/Bro_SMB.smb2_com_set_info.bif.bro) -> -1
0.000000 MetaHookPost LoadFile(0, .<...>/Bro_SMB.smb2_com_transform_header.bif.bro) -> -1
0.000000 MetaHookPost LoadFile(0, .<...>/Bro_SMB.smb2_com_tree_connect.bif.bro) -> -1
0.000000 MetaHookPost LoadFile(0, .<...>/Bro_SMB.smb2_com_tree_disconnect.bif.bro) -> -1
0.000000 MetaHookPost LoadFile(0, .<...>/Bro_SMB.smb2_com_write.bif.bro) -> -1
@ -1553,6 +1554,7 @@
0.000000 MetaHookPre LoadFile(0, .<...>/Bro_SMB.smb2_com_read.bif.bro)
0.000000 MetaHookPre LoadFile(0, .<...>/Bro_SMB.smb2_com_session_setup.bif.bro)
0.000000 MetaHookPre LoadFile(0, .<...>/Bro_SMB.smb2_com_set_info.bif.bro)
0.000000 MetaHookPre LoadFile(0, .<...>/Bro_SMB.smb2_com_transform_header.bif.bro)
0.000000 MetaHookPre LoadFile(0, .<...>/Bro_SMB.smb2_com_tree_connect.bif.bro)
0.000000 MetaHookPre LoadFile(0, .<...>/Bro_SMB.smb2_com_tree_disconnect.bif.bro)
0.000000 MetaHookPre LoadFile(0, .<...>/Bro_SMB.smb2_com_write.bif.bro)
@ -2447,6 +2449,7 @@
0.000000 | HookLoadFile .<...>/Bro_SMB.smb2_com_read.bif.bro
0.000000 | HookLoadFile .<...>/Bro_SMB.smb2_com_session_setup.bif.bro
0.000000 | HookLoadFile .<...>/Bro_SMB.smb2_com_set_info.bif.bro
0.000000 | HookLoadFile .<...>/Bro_SMB.smb2_com_transform_header.bif.bro
0.000000 | HookLoadFile .<...>/Bro_SMB.smb2_com_tree_connect.bif.bro
0.000000 | HookLoadFile .<...>/Bro_SMB.smb2_com_tree_disconnect.bif.bro
0.000000 | HookLoadFile .<...>/Bro_SMB.smb2_com_write.bif.bro

44
testing/btest/Baseline/scripts.base.protocols.smb.smb3/.stdout Normal file
View file

@ -0,0 +1,44 @@
smb2_transform_header 10.160.64.139 -> 10.160.65.202:445 [signature=v\x17k\x19V\xed,\x9cZ\xcf\x00\xa3\x0c\x04\x85\xbc, nonce=:\xaa\x96\x8f\x18\xaea\xe6\xe7o\x1f\x00\x00\x00\x00\x00, orig_msg_size=146, flags=1, session_id=79167320227901]
smb2_transform_header 10.160.64.139 -> 10.160.65.202:445 [signature=\xec\xbf\xd2v\x00\xd6["R\xf6?\xc8\xf95\xd6\xe7, nonce=]\xf5\xc4\xfcx\xdd\x8e~\x00\x00\x00\x00\x00\x00\x00\x00, orig_msg_size=136, flags=1, session_id=79167320227901]
smb2_transform_header 10.160.64.139 -> 10.160.65.202:445 [signature=\x9ah^\xb0y\xca\xcc\xc00\xb7\x0f\x0e.6\xd8l, nonce=\x91yv\x16z\xfa\x18V<\xd4\xbd\x00\x00\x00\x00\x00, orig_msg_size=128, flags=1, session_id=79167320227901]
smb2_transform_header 10.160.64.139 -> 10.160.65.202:445 [signature=\xa4\x8a\xcf\xab\xe3\x97\x1fy\xb1??\x12\xed\x01U\xa8, nonce=^\xf5\xc4\xfcx\xdd\x8e~\x00\x00\x00\x00\x00\x00\x00\x00, orig_msg_size=152, flags=1, session_id=79167320227901]
smb2_transform_header 10.160.64.139 -> 10.160.65.202:445 [signature=\xafq\xe0B3?a(J\xa9\x94\xd7\x98\x83\xeb\xca, nonce=\xe9of$\xde\s\xa4\x9e\x96\x8e\x00\x00\x00\x00\x00, orig_msg_size=121, flags=1, session_id=79167320227901]
smb2_transform_header 10.160.64.139 -> 10.160.65.202:445 [signature=\xc3w\x8c\xc7\x9e\xe9\x98@:\x13\xa2\x1d\xcfz\xaa\xcb, nonce=_\xf5\xc4\xfcx\xdd\x8e~\x00\x00\x00\x00\x00\x00\x00\x00, orig_msg_size=720, flags=1, session_id=79167320227901]
smb2_transform_header 10.160.64.139 -> 10.160.65.202:445 [signature=\x18\x8d9\xce\xa4\xb1\xe3\xf6@\xaf\xf5\xd0\xb1V\x98R, nonce=\xc0\xbdfU\x16\xdb\xb4\xb4\x99P\x7f\x00\x00\x00\x00\x00, orig_msg_size=105, flags=1, session_id=79167320227901]
smb2_transform_header 10.160.64.139 -> 10.160.65.202:445 [signature=\x9c\xd4:\x8b\xbe\xecS\xe4\x013\x18t\x7fb\x90\xaf, nonce=`\xf5\xc4\xfcx\xdd\x8e~\x00\x00\x00\x00\x00\x00\x00\x00, orig_msg_size=92, flags=1, session_id=79167320227901]
smb2_transform_header 10.160.64.139 -> 10.160.65.202:445 [signature=T\x80\xd9\x08\xf7>\xe9\xde8;\xa0\x89\x9a\x0f}[, nonce=\x11\xde\xf2n\x84P\x0b,+\x1f\xce\x00\x00\x00\x00\x00, orig_msg_size=105, flags=1, session_id=79167320227901]
smb2_transform_header 10.160.64.139 -> 10.160.65.202:445 [signature=\xcfX\xd9\x1f\xa4\x11\x06\xbd\x89\xa7blz5[\xa3, nonce=a\xf5\xc4\xfcx\xdd\x8e~\x00\x00\x00\x00\x00\x00\x00\x00, orig_msg_size=80, flags=1, session_id=79167320227901]
smb2_transform_header 10.160.64.139 -> 10.160.65.202:445 [signature=\x8f\xa7u\xda\x0c\xe8f=)o\x13\xa8\xab\xa8"\xf6, nonce=Eq!\xd9D\xdc1B\x01J\x80\x00\x00\x00\x00\x00, orig_msg_size=105, flags=1, session_id=79167320227901]
smb2_transform_header 10.160.64.139 -> 10.160.65.202:445 [signature=8l\xb2\xecl\xa8\x1f~e\xf4\xbfB\x08\x0e\x83\x0f, nonce=b\xf5\xc4\xfcx\xdd\x8e~\x00\x00\x00\x00\x00\x00\x00\x00, orig_msg_size=100, flags=1, session_id=79167320227901]
smb2_transform_header 10.160.64.139 -> 10.160.65.202:445 [signature=+\xed\xaf_\xdc\x12\xc4\xb1\x0f\xfa\xf2\xc2\xdfs\xe5w, nonce=\xff\xbe\xf8\xe1\xce~2\xf3\xd0\x1d5\x00\x00\x00\x00\x00, orig_msg_size=88, flags=1, session_id=79167320227901]
smb2_transform_header 10.160.64.139 -> 10.160.65.202:445 [signature=\xc6d~\xf8\xd2\xffs\xc9/\xad\x17jz\x008\xd1, nonce=c\xf5\xc4\xfcx\xdd\x8e~\x00\x00\x00\x00\x00\x00\x00\x00, orig_msg_size=124, flags=1, session_id=79167320227901]
smb2_transform_header 10.160.64.139 -> 10.160.65.202:445 [signature=\xc6F\x1b\x19\x07\xa7\xf0\xc9E\xbd\xd2a\xdb\xb6\x1b\xc8, nonce=G\x10mh\x09\xb5\x1b\xed\x9d\x03\x0f\x00\x00\x00\x00\x00, orig_msg_size=158, flags=1, session_id=79167320227901]
smb2_transform_header 10.160.64.139 -> 10.160.65.202:445 [signature=\x0e\xf8\xbb\xfbB'\x83\x9b\xa3\x98\xa5K\xa4,pO, nonce=d\xf5\xc4\xfcx\xdd\x8e~\x00\x00\x00\x00\x00\x00\x00\x00, orig_msg_size=73, flags=1, session_id=79167320227901]
smb2_transform_header 10.160.64.139 -> 10.160.65.202:445 [signature=\xa6\xdc\x0e\x9c\x06\xd2V\xf5\xf5za\xd3[\xfb\xde|, nonce=\xa2\x15\x19\xce~\xee \x16\x15\x9a\xe8\x00\x00\x00\x00\x00, orig_msg_size=128, flags=1, session_id=79167320227901]
smb2_transform_header 10.160.64.139 -> 10.160.65.202:445 [signature=\xfc\xfbM9\xa6\xfb\xb8\xcc"\xd8\xc3S\xbcX#\x16, nonce=e\xf5\xc4\xfcx\xdd\x8e~\x00\x00\x00\x00\x00\x00\x00\x00, orig_msg_size=152, flags=1, session_id=79167320227901]
smb2_transform_header 10.160.64.139 -> 10.160.65.202:445 [signature=\xbe\x85\xe3\xdeX\xda\x89\x87\x8e\xd6\x0aq\x7f\xf7\xff\xb5, nonce=\x9a\xae\x1f\x88M\x09W#\x18\x1a\x9d\x00\x00\x00\x00\x00, orig_msg_size=88, flags=1, session_id=79167320227901]
smb2_transform_header 10.160.64.139 -> 10.160.65.202:445 [signature=\x83ime\x91/8f\x13\x9f\x16Qa\xd3\x00\x8a, nonce=f\xf5\xc4\xfcx\xdd\x8e~\x00\x00\x00\x00\x00\x00\x00\x00, orig_msg_size=124, flags=1, session_id=79167320227901]
smb2_transform_header 10.160.64.139 -> 10.160.65.202:445 [signature=\x91\x8d[\x18\x9d*\x97\xc2\x0bK\xdb\x94dbB\xae, nonce=\x97\x9f\xd7\xc4,?u\xf1\xcf\x1f\x0f\x00\x00\x00\x00\x00, orig_msg_size=128, flags=1, session_id=79167320227901]
smb2_transform_header 10.160.64.139 -> 10.160.65.202:445 [signature=R\x96KU\x95\xfc\x05\x17\xe5\xbd\xed\x16\x12}\x8e\x81, nonce=g\xf5\xc4\xfcx\xdd\x8e~\x00\x00\x00\x00\x00\x00\x00\x00, orig_msg_size=152, flags=1, session_id=79167320227901]
smb2_transform_header 10.160.64.139 -> 10.160.65.202:445 [signature=\xf4RBG}\xd0i\x0f\xcbdP\xe7n\xd9\xc0W, nonce="\xda\xcdU@;<\x09\x0a\x14\xa0\x00\x00\x00\x00\x00, orig_msg_size=88, flags=1, session_id=79167320227901]
smb2_transform_header 10.160.64.139 -> 10.160.65.202:445 [signature=t\xb9p\xb1\xec\xbfm%\xfc\x8d\x0e\xacR\xe1/J, nonce=h\xf5\xc4\xfcx\xdd\x8e~\x00\x00\x00\x00\x00\x00\x00\x00, orig_msg_size=124, flags=1, session_id=79167320227901]
smb2_transform_header 10.160.64.139 -> 10.160.65.202:445 [signature=\x98\xbc\xb1|\x9d,EK%\x9b\x0d\xec\xcdF\xde\xcb, nonce=\xd8\xa5V:\xeaQM:\xe9V\xca\x00\x00\x00\x00\x00, orig_msg_size=128, flags=1, session_id=79167320227901]
smb2_transform_header 10.160.64.139 -> 10.160.65.202:445 [signature=\xf2\x8f\xc9U\x8c)\x12\xb8\xcc<\xb9\xa6Ni\xe9\xcf, nonce=i\xf5\xc4\xfcx\xdd\x8e~\x00\x00\x00\x00\x00\x00\x00\x00, orig_msg_size=152, flags=1, session_id=79167320227901]
smb2_transform_header 10.160.64.139 -> 10.160.65.202:445 [signature=UY\x80\xef\xe4Jw,\xb95E!\xa1I\x9fM, nonce=\xf0\xe60Q\xc4\x15\xaf\xab\x8a)\xe9\x00\x00\x00\x00\x00, orig_msg_size=105, flags=1, session_id=79167320227901]
smb2_transform_header 10.160.64.139 -> 10.160.65.202:445 [signature=y-8dk\x8dKH\xf3\xdd\xb3\xbf%n\xfa3, nonce=j\xf5\xc4\xfcx\xdd\x8e~\x00\x00\x00\x00\x00\x00\x00\x00, orig_msg_size=176, flags=1, session_id=79167320227901]
smb2_transform_header 10.160.64.139 -> 10.160.65.202:445 [signature=\x0by\xe8l\x11\xdbm\x90K\xcc\x11wd\xdb\xd8\xe6, nonce=\xd2V"\xa9C\xac0\x15\xf2Pe\x00\x00\x00\x00\x00, orig_msg_size=88, flags=1, session_id=79167320227901]
smb2_transform_header 10.160.64.139 -> 10.160.65.202:445 [signature=\xef%\xd6\x89\x095\xba\xc8P\xd2\x85\xb0\x00\xd2\x07?, nonce=k\xf5\xc4\xfcx\xdd\x8e~\x00\x00\x00\x00\x00\x00\x00\x00, orig_msg_size=124, flags=1, session_id=79167320227901]
smb2_transform_header 10.160.64.139 -> 10.160.65.202:445 [signature=\xdeR\xf3J\xde\x13n5\x86P]\x13\xb8\x02|\xcd, nonce=u\x81\xc63\x06\x1f\xda\xd1\x03\xaa!\x00\x00\x00\x00\x00, orig_msg_size=128, flags=1, session_id=79167320227901]
smb2_transform_header 10.160.64.139 -> 10.160.65.202:445 [signature=_\xaarMl\x89l$\x7f\xe9\xfb\x11E\xa6\xb5F, nonce=l\xf5\xc4\xfcx\xdd\x8e~\x00\x00\x00\x00\x00\x00\x00\x00, orig_msg_size=152, flags=1, session_id=79167320227901]
smb2_transform_header 10.160.64.139 -> 10.160.65.202:445 [signature=\xee\x9aE\xbc%\xe9\xee\xc0)\x1f\x85\x86\xf5\xb16\xaa, nonce=\x9f_\xed\xaa\xd53\xd4y\xe3\xbc\xdb\x00\x00\x00\x00\x00, orig_msg_size=105, flags=1, session_id=79167320227901]
smb2_transform_header 10.160.64.139 -> 10.160.65.202:445 [signature=N\x9d.\xf1\x01\xe0\xa82\xa4\x8dg\x8ek\xbb\x9d., nonce=m\xf5\xc4\xfcx\xdd\x8e~\x00\x00\x00\x00\x00\x00\x00\x00, orig_msg_size=176, flags=1, session_id=79167320227901]
smb2_transform_header 10.160.64.139 -> 10.160.65.202:445 [signature=\x098_IU\x1d\xc1\x14?\xebwC\x1aje\xbc, nonce=\xf51\xbb\x95\xc6\x98B\xf9\x82\xab\x8a\x00\x00\x00\x00\x00, orig_msg_size=88, flags=1, session_id=79167320227901]
smb2_transform_header 10.160.64.139 -> 10.160.65.202:445 [signature=\xa6!\x0c\xe0\xe35\xfd\x0e\x82\xd3\x0a\xfbE\xaa\x85\x06, nonce=n\xf5\xc4\xfcx\xdd\x8e~\x00\x00\x00\x00\x00\x00\x00\x00, orig_msg_size=124, flags=1, session_id=79167320227901]
smb2_transform_header 10.160.64.139 -> 10.160.65.202:445 [signature=m\x98z\x98Hq\x12L\x85v\x17\xec\xa4\xb7A\x95, nonce=\x04\xa7}z\xb4&\xf7B\xaa\x983\x00\x00\x00\x00\x00, orig_msg_size=128, flags=1, session_id=79167320227901]
smb2_transform_header 10.160.64.139 -> 10.160.65.202:445 [signature=\xd8\xcf>8!\xcfZ6\x04@\x9f\x86a\xfe\xee\xda, nonce=o\xf5\xc4\xfcx\xdd\x8e~\x00\x00\x00\x00\x00\x00\x00\x00, orig_msg_size=152, flags=1, session_id=79167320227901]
smb2_transform_header 10.160.64.139 -> 10.160.65.202:445 [signature=9\x00\xe0\x00\xb8%\xddH\xbf\xa9M\xf1\xed\x0c\xf0\xa5, nonce=I\xf8\x1a_\xf1\x1e0\xca\x0a\x8eU\x00\x00\x00\x00\x00, orig_msg_size=98, flags=1, session_id=79167320227901]
smb2_transform_header 10.160.64.139 -> 10.160.65.202:445 [signature=E|\xeb$V\xf4p,\xa8c\xe6\x1d\xd1a\xb2\xfb, nonce=p\xf5\xc4\xfcx\xdd\x8e~\x00\x00\x00\x00\x00\x00\x00\x00, orig_msg_size=350, flags=1, session_id=79167320227901]
smb2_transform_header 10.160.64.139 -> 10.160.65.202:445 [signature=\xd2U\xd6\xcf!\x94f\xf8&`J\xd4I(\xa7\x0e, nonce=\x06\x1e\x18+ C\xa1P\xb7\x86f\x00\x00\x00\x00\x00, orig_msg_size=98, flags=1, session_id=79167320227901]
smb2_transform_header 10.160.64.139 -> 10.160.65.202:445 [signature=4\xb6\xb2|\x02$\x8bF\xf0\x16\x97\xc3s\xd7(F, nonce=q\xf5\xc4\xfcx\xdd\x8e~\x00\x00\x00\x00\x00\x00\x00\x00, orig_msg_size=73, flags=1, session_id=79167320227901]
smb2_transform_header 10.160.64.139 -> 10.160.65.202:445 [signature=1\x9d\xe63DL\x16\xc2\x8bt\x15\xe8\xb4\xf2\xfa\x90, nonce=}\x09FCI\xf9\x09&\x8aEf\x00\x00\x00\x00\x00, orig_msg_size=88, flags=1, session_id=79167320227901]
smb2_transform_header 10.160.64.139 -> 10.160.65.202:445 [signature=\x82\xef\x1e_\xee{\xc2\xack\x05\xbe\x82\x93<\x18\xe7, nonce=r\xf5\xc4\xfcx\xdd\x8e~\x00\x00\x00\x00\x00\x00\x00\x00, orig_msg_size=124, flags=1, session_id=79167320227901]

11
testing/btest/Baseline/scripts.base.protocols.smb.smb3/smb_mapping.log Normal file
View file

@ -0,0 +1,11 @@
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path smb_mapping
#open 2019-02-21-09-15-32
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p path service native_file_system share_type
#types time string addr port addr port string string string string
1495015336.544229 CHhAvVGS1DHFjwGM9 10.160.64.139 38166 10.160.65.202 445 \\\\WS2016\\encrypted - - DISK
1495015336.569009 CHhAvVGS1DHFjwGM9 10.160.64.139 38166 10.160.65.202 445 \\\\10.160.65.202\\IPC$ - - PIPE
#close 2019-02-21-09-15-32

BIN
testing/btest/Traces/smb/smb3.pcap Normal file
View file

Binary file not shown.

14
testing/btest/scripts/base/protocols/smb/smb3.test Normal file
View file

@ -0,0 +1,14 @@
# @TEST-EXEC: bro -r $TRACES/smb/smb3.pcap %INPUT
# @TEST-EXEC: btest-diff smb_mapping.log
# @TEST-EXEC: test ! -f dpd.log
# @TEST-EXEC: test ! -f weird.log
# @TEST-EXEC: btest-diff .stdout
@load base/protocols/smb
# Add a test for SMB2 transform header.
event smb2_transform_header(c: connection, hdr: SMB2::Transform_header)
{
print fmt("smb2_transform_header %s -> %s:%d %s", c$id$orig_h, c$id$resp_h, c$id$resp_p, hdr);
}