diff --git a/NEWS b/NEWS index 5b08e81d69..ee26a55cba 100644 --- a/NEWS +++ b/NEWS @@ -140,6 +140,9 @@ Deprecated Functionality - Various methods of ``Tag`` classes are deprecated with the warning message advising what new method to use instead. +- The ``utf16_bytestring_to_utf8_val()`` function is deprecated, use + ``utf16_to_utf8_val()`` instead. + Zeek 3.1.0 ========== diff --git a/src/analyzer/protocol/ntlm/ntlm-analyzer.pac b/src/analyzer/protocol/ntlm/ntlm-analyzer.pac index a8cc0f8f02..97c012814c 100644 --- a/src/analyzer/protocol/ntlm/ntlm-analyzer.pac +++ b/src/analyzer/protocol/ntlm/ntlm-analyzer.pac @@ -45,19 +45,19 @@ refine connection NTLM_Conn += { case 0: return result; case 1: - result->Assign(0, utf16_bytestring_to_utf8_val(bro_analyzer()->Conn(), ${val.pairs[i].nb_computer_name.data})); + result->Assign(0, utf16_to_utf8_val(bro_analyzer()->Conn(), ${val.pairs[i].nb_computer_name.data})); break; case 2: - result->Assign(1, utf16_bytestring_to_utf8_val(bro_analyzer()->Conn(), ${val.pairs[i].nb_domain_name.data})); + result->Assign(1, utf16_to_utf8_val(bro_analyzer()->Conn(), ${val.pairs[i].nb_domain_name.data})); break; case 3: - result->Assign(2, utf16_bytestring_to_utf8_val(bro_analyzer()->Conn(), ${val.pairs[i].dns_computer_name.data})); + result->Assign(2, utf16_to_utf8_val(bro_analyzer()->Conn(), ${val.pairs[i].dns_computer_name.data})); break; case 4: - result->Assign(3, utf16_bytestring_to_utf8_val(bro_analyzer()->Conn(), ${val.pairs[i].dns_domain_name.data})); + result->Assign(3, utf16_to_utf8_val(bro_analyzer()->Conn(), ${val.pairs[i].dns_domain_name.data})); break; case 5: - result->Assign(4, utf16_bytestring_to_utf8_val(bro_analyzer()->Conn(), ${val.pairs[i].dns_tree_name.data})); + result->Assign(4, utf16_to_utf8_val(bro_analyzer()->Conn(), ${val.pairs[i].dns_tree_name.data})); break; case 6: result->Assign(5, val_mgr->Bool(${val.pairs[i].constrained_auth})); @@ -69,7 +69,7 @@ refine connection NTLM_Conn += { result->Assign(7, val_mgr->Count(${val.pairs[i].single_host.machine_id})); break; case 9: - result->Assign(8, utf16_bytestring_to_utf8_val(bro_analyzer()->Conn(), ${val.pairs[i].target_name.data})); + result->Assign(8, utf16_to_utf8_val(bro_analyzer()->Conn(), ${val.pairs[i].target_name.data})); break; } } @@ -114,10 +114,10 @@ refine connection NTLM_Conn += { result->Assign(0, build_negotiate_flag_record(${val.flags})); if ( ${val}->has_domain_name() ) - result->Assign(1, utf16_bytestring_to_utf8_val(bro_analyzer()->Conn(), ${val.domain_name.string.data})); + result->Assign(1, utf16_to_utf8_val(bro_analyzer()->Conn(), ${val.domain_name.string.data})); if ( ${val}->has_workstation() ) - result->Assign(2, utf16_bytestring_to_utf8_val(bro_analyzer()->Conn(), ${val.workstation.string.data})); + result->Assign(2, utf16_to_utf8_val(bro_analyzer()->Conn(), ${val.workstation.string.data})); if ( ${val}->has_version() ) result->Assign(3, build_version_record(${val.version})); @@ -138,7 +138,7 @@ refine connection NTLM_Conn += { result->Assign(0, build_negotiate_flag_record(${val.flags})); if ( ${val}->has_target_name() ) - result->Assign(1, utf16_bytestring_to_utf8_val(bro_analyzer()->Conn(), ${val.target_name.string.data})); + result->Assign(1, utf16_to_utf8_val(bro_analyzer()->Conn(), ${val.target_name.string.data})); if ( ${val}->has_version() ) result->Assign(2, build_version_record(${val.version})); @@ -162,13 +162,13 @@ refine connection NTLM_Conn += { result->Assign(0, build_negotiate_flag_record(${val.flags})); if ( ${val}->has_domain_name() > 0 ) - result->Assign(1, utf16_bytestring_to_utf8_val(bro_analyzer()->Conn(), ${val.domain_name.string.data})); + result->Assign(1, utf16_to_utf8_val(bro_analyzer()->Conn(), ${val.domain_name.string.data})); if ( ${val}->has_user_name() > 0 ) - result->Assign(2, utf16_bytestring_to_utf8_val(bro_analyzer()->Conn(), ${val.user_name.string.data})); + result->Assign(2, utf16_to_utf8_val(bro_analyzer()->Conn(), ${val.user_name.string.data})); if ( ${val}->has_workstation() > 0 ) - result->Assign(3, utf16_bytestring_to_utf8_val(bro_analyzer()->Conn(), ${val.workstation.string.data})); + result->Assign(3, utf16_to_utf8_val(bro_analyzer()->Conn(), ${val.workstation.string.data})); if ( ${val}->has_encrypted_session_key() > 0 ) result->Assign(4, to_stringval(${val.encrypted_session_key.string.data})); diff --git a/src/analyzer/protocol/rdp/rdp-analyzer.pac b/src/analyzer/protocol/rdp/rdp-analyzer.pac index a66de5d8ef..b80129bfc2 100644 --- a/src/analyzer/protocol/rdp/rdp-analyzer.pac +++ b/src/analyzer/protocol/rdp/rdp-analyzer.pac @@ -81,18 +81,18 @@ refine flow RDP_Flow += { ccd->Assign(5, val_mgr->Count(${ccore.sas_sequence})); ccd->Assign(6, val_mgr->Count(${ccore.keyboard_layout})); ccd->Assign(7, val_mgr->Count(${ccore.client_build})); - ccd->Assign(8, utf16_bytestring_to_utf8_val(connection()->bro_analyzer()->Conn(), ${ccore.client_name})); + ccd->Assign(8, utf16_to_utf8_val(connection()->bro_analyzer()->Conn(), ${ccore.client_name})); ccd->Assign(9, val_mgr->Count(${ccore.keyboard_type})); ccd->Assign(10, val_mgr->Count(${ccore.keyboard_sub})); ccd->Assign(11, val_mgr->Count(${ccore.keyboard_function_key})); - ccd->Assign(12, utf16_bytestring_to_utf8_val(connection()->bro_analyzer()->Conn(), ${ccore.ime_file_name})); + ccd->Assign(12, utf16_to_utf8_val(connection()->bro_analyzer()->Conn(), ${ccore.ime_file_name})); ccd->Assign(13, val_mgr->Count(${ccore.post_beta2_color_depth})); ccd->Assign(14, val_mgr->Count(${ccore.client_product_id})); ccd->Assign(15, val_mgr->Count(${ccore.serial_number})); ccd->Assign(16, val_mgr->Count(${ccore.high_color_depth})); ccd->Assign(17, val_mgr->Count(${ccore.supported_color_depths})); ccd->Assign(18, std::move(ec_flags)); - ccd->Assign(19, utf16_bytestring_to_utf8_val(connection()->bro_analyzer()->Conn(), ${ccore.dig_product_id})); + ccd->Assign(19, utf16_to_utf8_val(connection()->bro_analyzer()->Conn(), ${ccore.dig_product_id})); BifEvent::enqueue_rdp_client_core_data(connection()->bro_analyzer(), connection()->bro_analyzer()->Conn(), diff --git a/src/analyzer/protocol/smb/smb-strings.pac b/src/analyzer/protocol/smb/smb-strings.pac index 5d025f162a..2c7988b37c 100644 --- a/src/analyzer/protocol/smb/smb-strings.pac +++ b/src/analyzer/protocol/smb/smb-strings.pac @@ -1,7 +1,61 @@ +%extern{ +#include "binpac_bro.h" +%} + +%code{ +IntrusivePtr binpac::SMB::SMB_Conn::uint8s_to_stringval(std::vector* data) + { + int length = data->size(); + auto buf = std::make_unique(length); + + for ( int i = 0; i < length; ++i) + buf[i] = (*data)[i]; + + const bytestring bs = bytestring(buf.get(), length); + return utf16_to_utf8_val(bro_analyzer()->Conn(), bs); + } + +IntrusivePtr binpac::SMB::SMB_Conn::extract_string(SMB_string* s) + { + if ( s->unicode() == false ) + { + int length = s->a()->size(); + auto buf = std::make_unique(length); + + for ( int i = 0; i < length; i++) + { + unsigned char t = (*(s->a()))[i]; + buf[i] = t; + } + + if ( length > 0 && buf[length-1] == 0x00 ) + length--; + + return make_intrusive(length, buf.get()); + } + else + return uint8s_to_stringval(s->u()->s()); + } + +IntrusivePtr binpac::SMB::SMB_Conn::smb_string2stringval(SMB_string* s) + { + return extract_string(s); + } + +IntrusivePtr binpac::SMB::SMB_Conn::smb2_string2stringval(SMB2_string* s) + { + return uint8s_to_stringval(s->s()); + } +%} refine connection SMB_Conn += { %member{ - SMB_unicode_string *me; + IntrusivePtr uint8s_to_stringval(std::vector* data); + IntrusivePtr extract_string(SMB_string* s); + IntrusivePtr smb_string2stringval(SMB_string* s); + IntrusivePtr smb2_string2stringval(SMB2_string* s); + + SMB_unicode_string* me; %} %init{ @@ -23,52 +77,6 @@ refine connection SMB_Conn += { else return 0xFF; %} - - function uint8s_to_stringval(data: uint8[]): StringVal - %{ - int length = data->size(); - auto buf = std::make_unique(length); - - for ( int i = 0; i < length; ++i) - buf[i] = (*data)[i]; - - const bytestring bs = bytestring(buf.get(), length); - return utf16_bytestring_to_utf8_val(bro_analyzer()->Conn(), bs); - %} - - function extract_string(s: SMB_string) : StringVal - %{ - if ( s->unicode() == false ) - { - int length = s->a()->size(); - auto buf = std::make_unique(length); - - for ( int i = 0; i < length; i++) - { - unsigned char t = (*(s->a()))[i]; - buf[i] = t; - } - - if ( length > 0 && buf[length-1] == 0x00 ) - length--; - - return new StringVal(length, buf.get()); - } - else - { - return uint8s_to_stringval(s->u()->s()); - } - %} - - function smb_string2stringval(s: SMB_string) : StringVal - %{ - return extract_string(s); - %} - - function smb2_string2stringval(s: SMB2_string) : StringVal - %{ - return uint8s_to_stringval(s->s()); - %} }; type SMB_ascii_string = uint8[] &until($element == 0x00); diff --git a/src/analyzer/protocol/smb/smb-time.pac b/src/analyzer/protocol/smb/smb-time.pac index 52654c7a2b..a7ec9508eb 100644 --- a/src/analyzer/protocol/smb/smb-time.pac +++ b/src/analyzer/protocol/smb/smb-time.pac @@ -1,28 +1,22 @@ -function SMB_BuildMACTimes(modify: uint64, access: uint64, create: uint64, change: uint64): BroVal - %{ - RecordVal* r = new RecordVal(BifType::Record::SMB::MACTimes); +%header{ +IntrusivePtr filetime2brotime(uint64_t ts); +IntrusivePtr time_from_lanman(SMB_time* t, SMB_date* d, uint16_t tz); - r->Assign(0, filetime2brotime(modify)); - r->Assign(1, filetime2brotime(access)); - r->Assign(2, filetime2brotime(create)); - r->Assign(3, filetime2brotime(change)); +IntrusivePtr SMB_BuildMACTimes(uint64_t modify, uint64_t access, + uint64_t create, uint64_t change); +%} - return r; - %} - -function filetime2brotime(ts: uint64): Val - %{ +%code{ +IntrusivePtr filetime2brotime(uint64_t ts) + { // Bro can't support times back to the 1600's // so we subtract a lot of seconds. double secs = (ts / 10000000.0L) - 11644473600.0L; + return make_intrusive(secs, TYPE_TIME); + } - Val* bro_ts = new Val(secs, TYPE_TIME); - - return bro_ts; - %} - -function time_from_lanman(t: SMB_time, d: SMB_date, tz: uint16): Val - %{ +IntrusivePtr time_from_lanman(SMB_time* t, SMB_date* d, uint16_t tz) + { tm lTime; lTime.tm_sec = ${t.two_seconds} * 2; lTime.tm_min = ${t.minutes}; @@ -30,11 +24,22 @@ function time_from_lanman(t: SMB_time, d: SMB_date, tz: uint16): Val lTime.tm_mday = ${d.day}; lTime.tm_mon = ${d.month}; lTime.tm_year = 1980 + ${d.year}; - lTime.tm_isdst = -1; + lTime.tm_isdst = -1; double lResult = mktime(&lTime); - return new Val(lResult + tz, TYPE_TIME); - %} + return make_intrusive(lResult + tz, TYPE_TIME); + } +IntrusivePtr SMB_BuildMACTimes(uint64_t modify, uint64_t access, + uint64_t create, uint64_t change) + { + auto r = make_intrusive(BifType::Record::SMB::MACTimes); + r->Assign(0, filetime2brotime(modify)); + r->Assign(1, filetime2brotime(access)); + r->Assign(2, filetime2brotime(create)); + r->Assign(3, filetime2brotime(change)); + return r; + } +%} type SMB_timestamp32 = uint32; type SMB_timestamp = uint64; diff --git a/src/analyzer/protocol/smb/smb1-com-check-directory.pac b/src/analyzer/protocol/smb/smb1-com-check-directory.pac index 53b5ff9f0d..8643192a59 100644 --- a/src/analyzer/protocol/smb/smb1-com-check-directory.pac +++ b/src/analyzer/protocol/smb/smb1-com-check-directory.pac @@ -6,7 +6,7 @@ refine connection SMB_Conn += { BifEvent::enqueue_smb1_check_directory_request(bro_analyzer(), bro_analyzer()->Conn(), SMBHeaderVal(header), - {AdoptRef{}, smb_string2stringval(${val.directory_name})}); + smb_string2stringval(${val.directory_name})); return true; %} diff --git a/src/analyzer/protocol/smb/smb1-com-create-directory.pac b/src/analyzer/protocol/smb/smb1-com-create-directory.pac index e1dd85f55a..adc84619a8 100644 --- a/src/analyzer/protocol/smb/smb1-com-create-directory.pac +++ b/src/analyzer/protocol/smb/smb1-com-create-directory.pac @@ -5,7 +5,7 @@ refine connection SMB_Conn += { if ( smb1_create_directory_request ) BifEvent::enqueue_smb1_create_directory_request(bro_analyzer(), bro_analyzer()->Conn(), SMBHeaderVal(header), - {AdoptRef{}, smb_string2stringval(${val.directory_name})}); + smb_string2stringval(${val.directory_name})); return true; %} function proc_smb1_create_directory_response(header: SMB_Header, val: SMB1_create_directory_response): bool diff --git a/src/analyzer/protocol/smb/smb1-com-negotiate.pac b/src/analyzer/protocol/smb/smb1-com-negotiate.pac index 62842b33c3..73ee56693f 100644 --- a/src/analyzer/protocol/smb/smb1-com-negotiate.pac +++ b/src/analyzer/protocol/smb/smb1-com-negotiate.pac @@ -19,8 +19,8 @@ refine connection SMB_Conn += { for ( unsigned int i = 0; i < ${val.dialects}->size(); ++i ) { - StringVal* dia = smb_string2stringval((*${val.dialects})[i]->name()); - dialects->Assign(i, dia); + auto dia = smb_string2stringval((*${val.dialects})[i]->name()); + dialects->Assign(i, std::move(dia)); } BifEvent::enqueue_smb1_negotiate_request(bro_analyzer(), bro_analyzer()->Conn(), @@ -37,57 +37,55 @@ refine connection SMB_Conn += { { auto response = make_intrusive(BifType::Record::SMB1::NegotiateResponse); - RecordVal* core; - RecordVal* lanman; - RecordVal* ntlm; - - RecordVal* security; - RecordVal* raw; - RecordVal* capabilities; switch ( ${val.word_count} ) { case 0x01: - core = new RecordVal(BifType::Record::SMB1::NegotiateResponseCore); + { + auto core = make_intrusive(BifType::Record::SMB1::NegotiateResponseCore); core->Assign(0, val_mgr->Count(${val.dialect_index})); - response->Assign(0, core); + response->Assign(0, std::move(core)); + } break; case 0x0d: - security = new RecordVal(BifType::Record::SMB1::NegotiateResponseSecurity); + { + auto security = make_intrusive(BifType::Record::SMB1::NegotiateResponseSecurity); security->Assign(0, val_mgr->Bool(${val.lanman.security_user_level})); security->Assign(1, val_mgr->Bool(${val.lanman.security_challenge_response})); - raw = new RecordVal(BifType::Record::SMB1::NegotiateRawMode); + auto raw = make_intrusive(BifType::Record::SMB1::NegotiateRawMode); raw->Assign(0, val_mgr->Bool(${val.lanman.raw_read_supported})); raw->Assign(1, val_mgr->Bool(${val.lanman.raw_write_supported})); - lanman = new RecordVal(BifType::Record::SMB1::NegotiateResponseLANMAN); + auto lanman = make_intrusive(BifType::Record::SMB1::NegotiateResponseLANMAN); lanman->Assign(0, val_mgr->Count(${val.word_count})); lanman->Assign(1, val_mgr->Count(${val.dialect_index})); - lanman->Assign(2, security); + lanman->Assign(2, std::move(security)); lanman->Assign(3, val_mgr->Count(${val.lanman.max_buffer_size})); lanman->Assign(4, val_mgr->Count(${val.lanman.max_mpx_count})); lanman->Assign(5, val_mgr->Count(${val.lanman.max_number_vcs})); - lanman->Assign(6, raw); + lanman->Assign(6, std::move(raw)); lanman->Assign(7, val_mgr->Count(${val.lanman.session_key})); lanman->Assign(8, time_from_lanman(${val.lanman.server_time}, ${val.lanman.server_date}, ${val.lanman.server_tz})); lanman->Assign(9, to_stringval(${val.lanman.encryption_key})); lanman->Assign(10, smb_string2stringval(${val.lanman.primary_domain})); - response->Assign(1, lanman); + response->Assign(1, std::move(lanman)); + } break; case 0x11: - security = new RecordVal(BifType::Record::SMB1::NegotiateResponseSecurity); + { + auto security = make_intrusive(BifType::Record::SMB1::NegotiateResponseSecurity); security->Assign(0, val_mgr->Bool(${val.ntlm.security_user_level})); security->Assign(1, val_mgr->Bool(${val.ntlm.security_challenge_response})); security->Assign(2, val_mgr->Bool(${val.ntlm.security_signatures_enabled})); security->Assign(3, val_mgr->Bool(${val.ntlm.security_signatures_required})); - capabilities = new RecordVal(BifType::Record::SMB1::NegotiateCapabilities); + auto capabilities = make_intrusive(BifType::Record::SMB1::NegotiateCapabilities); capabilities->Assign(0, val_mgr->Bool(${val.ntlm.capabilities_raw_mode})); capabilities->Assign(1, val_mgr->Bool(${val.ntlm.capabilities_mpx_mode})); capabilities->Assign(2, val_mgr->Bool(${val.ntlm.capabilities_unicode})); @@ -110,17 +108,17 @@ refine connection SMB_Conn += { capabilities->Assign(16, val_mgr->Bool(${val.ntlm.capabilities_compressed_data})); capabilities->Assign(17, val_mgr->Bool(${val.ntlm.capabilities_extended_security})); - ntlm = new RecordVal(BifType::Record::SMB1::NegotiateResponseNTLM); + auto ntlm = make_intrusive(BifType::Record::SMB1::NegotiateResponseNTLM); ntlm->Assign(0, val_mgr->Count(${val.word_count})); ntlm->Assign(1, val_mgr->Count(${val.dialect_index})); - ntlm->Assign(2, security); + ntlm->Assign(2, std::move(security)); ntlm->Assign(3, val_mgr->Count(${val.ntlm.max_buffer_size})); ntlm->Assign(4, val_mgr->Count(${val.ntlm.max_mpx_count})); ntlm->Assign(5, val_mgr->Count(${val.ntlm.max_number_vcs})); ntlm->Assign(6, val_mgr->Count(${val.ntlm.max_raw_size})); ntlm->Assign(7, val_mgr->Count(${val.ntlm.session_key})); - ntlm->Assign(8, capabilities); + ntlm->Assign(8, std::move(capabilities)); ntlm->Assign(9, filetime2brotime(${val.ntlm.server_time})); if ( ${val.ntlm.capabilities_extended_security} == false ) @@ -133,7 +131,8 @@ refine connection SMB_Conn += { ntlm->Assign(12, to_stringval(${val.ntlm.server_guid})); } - response->Assign(2, ntlm); + response->Assign(2, std::move(ntlm)); + } break; } BifEvent::enqueue_smb1_negotiate_response(bro_analyzer(), diff --git a/src/analyzer/protocol/smb/smb1-com-nt-create-andx.pac b/src/analyzer/protocol/smb/smb1-com-nt-create-andx.pac index c8022c1bf6..05fc5d3014 100644 --- a/src/analyzer/protocol/smb/smb1-com-nt-create-andx.pac +++ b/src/analyzer/protocol/smb/smb1-com-nt-create-andx.pac @@ -1,7 +1,7 @@ refine connection SMB_Conn += { function proc_smb1_nt_create_andx_request(header: SMB_Header, val: SMB1_nt_create_andx_request): bool %{ - auto filename = IntrusivePtr{AdoptRef{}, smb_string2stringval(${val.filename})}; + auto filename = smb_string2stringval(${val.filename}); if ( ! ${header.is_pipe} && BifConst::SMB::pipe_filenames->AsTable()->Lookup(filename->CheckString()) ) @@ -33,10 +33,10 @@ refine connection SMB_Conn += { SMBHeaderVal(header), ${val.file_id}, ${val.end_of_file}, - {AdoptRef{}, SMB_BuildMACTimes(${val.last_write_time}, + SMB_BuildMACTimes(${val.last_write_time}, ${val.last_access_time}, ${val.create_time}, - ${val.last_change_time})}); + ${val.last_change_time})); } return true; diff --git a/src/analyzer/protocol/smb/smb1-com-query-information.pac b/src/analyzer/protocol/smb/smb1-com-query-information.pac index 29ffcf089c..fd458222f1 100644 --- a/src/analyzer/protocol/smb/smb1-com-query-information.pac +++ b/src/analyzer/protocol/smb/smb1-com-query-information.pac @@ -6,7 +6,7 @@ refine connection SMB_Conn += { BifEvent::enqueue_smb1_query_information_request(bro_analyzer(), bro_analyzer()->Conn(), SMBHeaderVal(header), - {AdoptRef{}, smb_string2stringval(${val.filename})}); + smb_string2stringval(${val.filename})); return true; %} diff --git a/src/analyzer/protocol/smb/smb1-com-session-setup-andx.pac b/src/analyzer/protocol/smb/smb1-com-session-setup-andx.pac index d2eadde58a..f6dddc345e 100644 --- a/src/analyzer/protocol/smb/smb1-com-session-setup-andx.pac +++ b/src/analyzer/protocol/smb/smb1-com-session-setup-andx.pac @@ -13,7 +13,6 @@ refine connection SMB_Conn += { if ( smb1_session_setup_andx_request ) { auto request = make_intrusive(BifType::Record::SMB1::SessionSetupAndXRequest); - RecordVal* capabilities; request->Assign(0, val_mgr->Count(${val.word_count})); switch ( ${val.word_count} ) { @@ -31,7 +30,8 @@ refine connection SMB_Conn += { break; case 12: // NT LM 0.12 with extended security - capabilities = new RecordVal(BifType::Record::SMB1::SessionSetupAndXCapabilities); + { + auto capabilities = make_intrusive(BifType::Record::SMB1::SessionSetupAndXCapabilities); capabilities->Assign(0, val_mgr->Bool(${val.ntlm_extended_security.capabilities.unicode})); capabilities->Assign(1, val_mgr->Bool(${val.ntlm_extended_security.capabilities.large_files})); capabilities->Assign(2, val_mgr->Bool(${val.ntlm_extended_security.capabilities.nt_smbs})); @@ -47,11 +47,13 @@ refine connection SMB_Conn += { request->Assign(5, smb_string2stringval(${val.ntlm_extended_security.native_os})); request->Assign(6, smb_string2stringval(${val.ntlm_extended_security.native_lanman})); - request->Assign(13, capabilities); + request->Assign(13, std::move(capabilities)); + } break; case 13: // NT LM 0.12 without extended security - capabilities = new RecordVal(BifType::Record::SMB1::SessionSetupAndXCapabilities); + { + auto capabilities = make_intrusive(BifType::Record::SMB1::SessionSetupAndXCapabilities); capabilities->Assign(0, val_mgr->Bool(${val.ntlm_nonextended_security.capabilities.unicode})); capabilities->Assign(1, val_mgr->Bool(${val.ntlm_nonextended_security.capabilities.large_files})); capabilities->Assign(2, val_mgr->Bool(${val.ntlm_nonextended_security.capabilities.nt_smbs})); @@ -71,7 +73,8 @@ refine connection SMB_Conn += { request->Assign(10, to_stringval(${val.ntlm_nonextended_security.case_insensitive_password})); request->Assign(11, to_stringval(${val.ntlm_nonextended_security.case_sensitive_password})); - request->Assign(13, capabilities); + request->Assign(13, std::move(capabilities)); + } break; } @@ -94,9 +97,9 @@ refine connection SMB_Conn += { { case 3: // pre NT LM 0.12 response->Assign(1, val_mgr->Bool(${val.lanman.is_guest})); - response->Assign(2, ${val.lanman.byte_count} == 0 ? val_mgr->EmptyString()->Ref()->AsStringVal() : smb_string2stringval(${val.lanman.native_os[0]})); - response->Assign(3, ${val.lanman.byte_count} == 0 ? val_mgr->EmptyString()->Ref()->AsStringVal() : smb_string2stringval(${val.lanman.native_lanman[0]})); - response->Assign(4, ${val.lanman.byte_count} == 0 ? val_mgr->EmptyString()->Ref()->AsStringVal() : smb_string2stringval(${val.lanman.primary_domain[0]})); + response->Assign(2, ${val.lanman.byte_count} == 0 ? val_mgr->EmptyString() : smb_string2stringval(${val.lanman.native_os[0]})); + response->Assign(3, ${val.lanman.byte_count} == 0 ? val_mgr->EmptyString() : smb_string2stringval(${val.lanman.native_lanman[0]})); + response->Assign(4, ${val.lanman.byte_count} == 0 ? val_mgr->EmptyString() : smb_string2stringval(${val.lanman.primary_domain[0]})); break; case 4: // NT LM 0.12 response->Assign(1, val_mgr->Bool(${val.ntlm.is_guest})); diff --git a/src/analyzer/protocol/smb/smb1-com-transaction.pac b/src/analyzer/protocol/smb/smb1-com-transaction.pac index c227203c6a..1ffc80209f 100644 --- a/src/analyzer/protocol/smb/smb1-com-transaction.pac +++ b/src/analyzer/protocol/smb/smb1-com-transaction.pac @@ -65,7 +65,7 @@ refine connection SMB_Conn += { BifEvent::enqueue_smb1_transaction_request(bro_analyzer(), bro_analyzer()->Conn(), SMBHeaderVal(header), - {AdoptRef{}, smb_string2stringval(${val.name})}, + smb_string2stringval(${val.name}), ${val.sub_cmd}, std::move(parameters), std::move(payload_str)); diff --git a/src/analyzer/protocol/smb/smb1-com-transaction2.pac b/src/analyzer/protocol/smb/smb1-com-transaction2.pac index 5bec0b667b..b360c25798 100644 --- a/src/analyzer/protocol/smb/smb1-com-transaction2.pac +++ b/src/analyzer/protocol/smb/smb1-com-transaction2.pac @@ -220,7 +220,7 @@ refine connection SMB_Conn += { BifEvent::enqueue_smb1_trans2_query_path_info_request(bro_analyzer(), bro_analyzer()->Conn(), SMBHeaderVal(header), - {AdoptRef{}, smb_string2stringval(${val.file_name})}); + smb_string2stringval(${val.file_name})); } return true; @@ -325,7 +325,7 @@ refine connection SMB_Conn += { BifEvent::enqueue_smb1_trans2_get_dfs_referral_request(bro_analyzer(), bro_analyzer()->Conn(), SMBHeaderVal(header), - {AdoptRef{}, smb_string2stringval(${val.file_name})}); + smb_string2stringval(${val.file_name})); } return true; %} diff --git a/src/analyzer/protocol/smb/smb1-com-tree-connect-andx.pac b/src/analyzer/protocol/smb/smb1-com-tree-connect-andx.pac index 69e53afcf7..a2c415e56c 100644 --- a/src/analyzer/protocol/smb/smb1-com-tree-connect-andx.pac +++ b/src/analyzer/protocol/smb/smb1-com-tree-connect-andx.pac @@ -6,14 +6,14 @@ refine connection SMB_Conn += { BifEvent::enqueue_smb1_tree_connect_andx_request(bro_analyzer(), bro_analyzer()->Conn(), SMBHeaderVal(header), - {AdoptRef{}, smb_string2stringval(${val.path})}, - {AdoptRef{}, smb_string2stringval(${val.service})}); + smb_string2stringval(${val.path}), + smb_string2stringval(${val.service})); return true; %} function proc_smb1_tree_connect_andx_response(header: SMB_Header, val: SMB1_tree_connect_andx_response): bool %{ - auto service_string = IntrusivePtr{AdoptRef{}, smb_string2stringval(${val.service})}; + auto service_string = smb_string2stringval(${val.service}); auto s = reinterpret_cast(service_string->Bytes()); if ( strncmp(s, "IPC", 3) == 0 ) @@ -25,7 +25,7 @@ refine connection SMB_Conn += { SMBHeaderVal(header), std::move(service_string), ${val.byte_count} > ${val.service.a}->size() ? - IntrusivePtr{AdoptRef{}, smb_string2stringval(${val.native_file_system[0]})} : + smb_string2stringval(${val.native_file_system[0]}) : val_mgr->EmptyString()); return true; diff --git a/src/analyzer/protocol/smb/smb2-com-close.pac b/src/analyzer/protocol/smb/smb2-com-close.pac index 9ad939f60a..2a4c7baa41 100644 --- a/src/analyzer/protocol/smb/smb2-com-close.pac +++ b/src/analyzer/protocol/smb/smb2-com-close.pac @@ -6,8 +6,8 @@ refine connection SMB_Conn += { { BifEvent::enqueue_smb2_close_request(bro_analyzer(), bro_analyzer()->Conn(), - {AdoptRef{}, BuildSMB2HeaderVal(h)}, - {AdoptRef{}, BuildSMB2GUID(${val.file_id})}); + BuildSMB2HeaderVal(h), + BuildSMB2GUID(${val.file_id})); } file_mgr->EndOfFile(bro_analyzer()->GetAnalyzerTag(), @@ -32,7 +32,7 @@ refine connection SMB_Conn += { BifEvent::enqueue_smb2_close_response(bro_analyzer(), bro_analyzer()->Conn(), - {AdoptRef{}, BuildSMB2HeaderVal(h)}, + BuildSMB2HeaderVal(h), std::move(resp)); } diff --git a/src/analyzer/protocol/smb/smb2-com-create.pac b/src/analyzer/protocol/smb/smb2-com-create.pac index 1b42de1b4a..ce4178ad95 100644 --- a/src/analyzer/protocol/smb/smb2-com-create.pac +++ b/src/analyzer/protocol/smb/smb2-com-create.pac @@ -2,7 +2,8 @@ refine connection SMB_Conn += { function proc_smb2_create_request(h: SMB2_Header, val: SMB2_create_request): bool %{ - StringVal *filename = smb2_string2stringval(${val.filename}); + auto filename = smb2_string2stringval(${val.filename}); + if ( ! ${h.is_pipe} && BifConst::SMB::pipe_filenames->AsTable()->Lookup(filename->CheckString()) ) { @@ -16,18 +17,14 @@ refine connection SMB_Conn += { if ( smb2_create_request ) { auto requestinfo = make_intrusive(BifType::Record::SMB2::CreateRequest); - requestinfo->Assign(0, filename); + requestinfo->Assign(0, std::move(filename)); requestinfo->Assign(1, val_mgr->Count(${val.disposition})); requestinfo->Assign(2, val_mgr->Count(${val.create_options})); BifEvent::enqueue_smb2_create_request(bro_analyzer(), bro_analyzer()->Conn(), - {AdoptRef{}, BuildSMB2HeaderVal(h)}, + BuildSMB2HeaderVal(h), std::move(requestinfo)); } - else - { - delete filename; - } return true; %} @@ -47,7 +44,7 @@ refine connection SMB_Conn += { responseinfo->Assign(4, val_mgr->Count(${val.create_action})); BifEvent::enqueue_smb2_create_response(bro_analyzer(), bro_analyzer()->Conn(), - {AdoptRef{}, BuildSMB2HeaderVal(h)}, + BuildSMB2HeaderVal(h), std::move(responseinfo)); } diff --git a/src/analyzer/protocol/smb/smb2-com-negotiate.pac b/src/analyzer/protocol/smb/smb2-com-negotiate.pac index 6c3b26e8f5..0ebeda9012 100644 --- a/src/analyzer/protocol/smb/smb2-com-negotiate.pac +++ b/src/analyzer/protocol/smb/smb2-com-negotiate.pac @@ -28,7 +28,7 @@ refine connection SMB_Conn += { dialects->Assign(i, val_mgr->Count((*${val.dialects})[i])); BifEvent::enqueue_smb2_negotiate_request(bro_analyzer(), bro_analyzer()->Conn(), - {AdoptRef{}, BuildSMB2HeaderVal(h)}, + BuildSMB2HeaderVal(h), std::move(dialects)); } @@ -48,7 +48,7 @@ refine connection SMB_Conn += { nr->Assign(4, filetime2brotime(${val.server_start_time})); nr->Assign(5, val_mgr->Count(${val.negotiate_context_count})); - VectorVal* cv = new VectorVal(BifType::Vector::SMB2::NegotiateContextValues); + auto cv = make_intrusive(BifType::Vector::SMB2::NegotiateContextValues); if ( ${val.dialect_revision} == 0x0311 && ${val.negotiate_context_count} > 0 ) { @@ -58,10 +58,10 @@ refine connection SMB_Conn += { cv->Assign(${val.smb3_ncl.list.vals}->size(), BuildSMB2ContextVal(${val.smb3_ncl.list.last_val})); } - nr->Assign(6, cv); + nr->Assign(6, std::move(cv)); BifEvent::enqueue_smb2_negotiate_response(bro_analyzer(), bro_analyzer()->Conn(), - {AdoptRef{}, BuildSMB2HeaderVal(h)}, + BuildSMB2HeaderVal(h), std::move(nr)); } diff --git a/src/analyzer/protocol/smb/smb2-com-read.pac b/src/analyzer/protocol/smb/smb2-com-read.pac index ce78903401..a3b01e4f5f 100644 --- a/src/analyzer/protocol/smb/smb2-com-read.pac +++ b/src/analyzer/protocol/smb/smb2-com-read.pac @@ -28,8 +28,8 @@ refine connection SMB_Conn += { { BifEvent::enqueue_smb2_read_request(bro_analyzer(), bro_analyzer()->Conn(), - {AdoptRef{}, BuildSMB2HeaderVal(h)}, - {AdoptRef{}, BuildSMB2GUID(${val.file_id})}, + BuildSMB2HeaderVal(h), + BuildSMB2GUID(${val.file_id}), ${val.offset}, ${val.read_len}); } diff --git a/src/analyzer/protocol/smb/smb2-com-session-setup.pac b/src/analyzer/protocol/smb/smb2-com-session-setup.pac index 4060b18f99..1f38fe1fb2 100644 --- a/src/analyzer/protocol/smb/smb2-com-session-setup.pac +++ b/src/analyzer/protocol/smb/smb2-com-session-setup.pac @@ -9,7 +9,7 @@ refine connection SMB_Conn += { BifEvent::enqueue_smb2_session_setup_request(bro_analyzer(), bro_analyzer()->Conn(), - {AdoptRef{}, BuildSMB2HeaderVal(h)}, + BuildSMB2HeaderVal(h), std::move(req)); } @@ -30,7 +30,7 @@ refine connection SMB_Conn += { BifEvent::enqueue_smb2_session_setup_response(bro_analyzer(), bro_analyzer()->Conn(), - {AdoptRef{}, BuildSMB2HeaderVal(h)}, + BuildSMB2HeaderVal(h), std::move(resp)); } diff --git a/src/analyzer/protocol/smb/smb2-com-set-info.pac b/src/analyzer/protocol/smb/smb2-com-set-info.pac index d390c174db..ce6b089986 100644 --- a/src/analyzer/protocol/smb/smb2-com-set-info.pac +++ b/src/analyzer/protocol/smb/smb2-com-set-info.pac @@ -30,13 +30,13 @@ refine connection SMB_Conn += { if ( smb2_file_sattr ) BifEvent::enqueue_smb2_file_sattr(bro_analyzer(), bro_analyzer()->Conn(), - {AdoptRef{}, BuildSMB2HeaderVal(${val.sir.header})}, - {AdoptRef{}, BuildSMB2GUID(${val.sir.file_id})}, - {AdoptRef{}, SMB_BuildMACTimes(${val.last_write_time}, - ${val.last_access_time}, - ${val.creation_time}, - ${val.change_time})}, - {AdoptRef{}, smb2_file_attrs_to_bro(${val.file_attrs})}); + BuildSMB2HeaderVal(${val.sir.header}), + BuildSMB2GUID(${val.sir.file_id}), + SMB_BuildMACTimes(${val.last_write_time}, + ${val.last_access_time}, + ${val.creation_time}, + ${val.change_time}), + smb2_file_attrs_to_bro(${val.file_attrs})); return true; %} @@ -46,9 +46,9 @@ refine connection SMB_Conn += { if ( smb2_file_rename ) BifEvent::enqueue_smb2_file_rename(bro_analyzer(), bro_analyzer()->Conn(), - {AdoptRef{}, BuildSMB2HeaderVal(${val.sir.header})}, - {AdoptRef{}, BuildSMB2GUID(${val.sir.file_id})}, - {AdoptRef{}, smb2_string2stringval(${val.filename})}); + BuildSMB2HeaderVal(${val.sir.header}), + BuildSMB2GUID(${val.sir.file_id}), + smb2_string2stringval(${val.filename})); return true; %} @@ -58,8 +58,8 @@ refine connection SMB_Conn += { if ( smb2_file_delete ) BifEvent::enqueue_smb2_file_delete(bro_analyzer(), bro_analyzer()->Conn(), - {AdoptRef{}, BuildSMB2HeaderVal(${val.sir.header})}, - {AdoptRef{}, BuildSMB2GUID(${val.sir.file_id})}, + BuildSMB2HeaderVal(${val.sir.header}), + BuildSMB2GUID(${val.sir.file_id}), (${val.delete_pending} > 0)); return true; @@ -70,8 +70,8 @@ refine connection SMB_Conn += { if ( smb2_file_allocation ) BifEvent::enqueue_smb2_file_allocation(bro_analyzer(), bro_analyzer()->Conn(), - {AdoptRef{}, BuildSMB2HeaderVal(${val.sir.header})}, - {AdoptRef{}, BuildSMB2GUID(${val.sir.file_id})}, + BuildSMB2HeaderVal(${val.sir.header}), + BuildSMB2GUID(${val.sir.file_id}), (${val.allocation_size})); return true; @@ -82,8 +82,8 @@ refine connection SMB_Conn += { if ( smb2_file_endoffile ) BifEvent::enqueue_smb2_file_endoffile(bro_analyzer(), bro_analyzer()->Conn(), - {AdoptRef{}, BuildSMB2HeaderVal(${val.sir.header})}, - {AdoptRef{}, BuildSMB2GUID(${val.sir.file_id})}, + BuildSMB2HeaderVal(${val.sir.header}), + BuildSMB2GUID(${val.sir.file_id}), ${val.endoffile}); return true; @@ -106,9 +106,9 @@ refine connection SMB_Conn += { BifEvent::enqueue_smb2_file_fullea(bro_analyzer(), bro_analyzer()->Conn(), - {AdoptRef{}, BuildSMB2HeaderVal(${val.sir.header})}, - {AdoptRef{}, BuildSMB2GUID(${val.sir.file_id})}, - std::move(eas)); + BuildSMB2HeaderVal(${val.sir.header}), + BuildSMB2GUID(${val.sir.file_id}), + std::move(eas)); } return true; @@ -119,10 +119,10 @@ refine connection SMB_Conn += { if ( smb2_file_link ) BifEvent::enqueue_smb2_file_link(bro_analyzer(), bro_analyzer()->Conn(), - {AdoptRef{}, BuildSMB2HeaderVal(${val.sir.header})}, - {AdoptRef{}, BuildSMB2GUID(${val.sir.file_id})}, + BuildSMB2HeaderVal(${val.sir.header}), + BuildSMB2GUID(${val.sir.file_id}), ${val.root_directory}, - {AdoptRef{}, smb2_string2stringval(${val.file_name})}); + smb2_string2stringval(${val.file_name})); return true; %} @@ -132,8 +132,8 @@ refine connection SMB_Conn += { if ( smb2_file_mode ) BifEvent::enqueue_smb2_file_mode(bro_analyzer(), bro_analyzer()->Conn(), - {AdoptRef{}, BuildSMB2HeaderVal(${val.sir.header})}, - {AdoptRef{}, BuildSMB2GUID(${val.sir.file_id})}, + BuildSMB2HeaderVal(${val.sir.header}), + BuildSMB2GUID(${val.sir.file_id}), ${val.mode}); return true; @@ -144,10 +144,10 @@ refine connection SMB_Conn += { if ( smb2_file_pipe ) BifEvent::enqueue_smb2_file_pipe(bro_analyzer(), bro_analyzer()->Conn(), - {AdoptRef{}, BuildSMB2HeaderVal(${val.sir.header})}, - {AdoptRef{}, BuildSMB2GUID(${val.sir.file_id})}, + BuildSMB2HeaderVal(${val.sir.header}), + BuildSMB2GUID(${val.sir.file_id}), ${val.read_mode}, - ${val.completion_mode}); + ${val.completion_mode}); return true; %} @@ -157,8 +157,8 @@ refine connection SMB_Conn += { if ( smb2_file_position ) BifEvent::enqueue_smb2_file_position(bro_analyzer(), bro_analyzer()->Conn(), - {AdoptRef{}, BuildSMB2HeaderVal(${val.sir.header})}, - {AdoptRef{}, BuildSMB2GUID(${val.sir.file_id})}, + BuildSMB2HeaderVal(${val.sir.header}), + BuildSMB2GUID(${val.sir.file_id}), ${val.current_byte_offset}); return true; @@ -169,9 +169,9 @@ refine connection SMB_Conn += { if ( smb2_file_shortname ) BifEvent::enqueue_smb2_file_shortname(bro_analyzer(), bro_analyzer()->Conn(), - {AdoptRef{}, BuildSMB2HeaderVal(${val.sir.header})}, - {AdoptRef{}, BuildSMB2GUID(${val.sir.file_id})}, - {AdoptRef{}, smb2_string2stringval(${val.filename})}); + BuildSMB2HeaderVal(${val.sir.header}), + BuildSMB2GUID(${val.sir.file_id}), + smb2_string2stringval(${val.filename})); return true; %} @@ -181,8 +181,8 @@ refine connection SMB_Conn += { if ( smb2_file_validdatalength ) BifEvent::enqueue_smb2_file_validdatalength(bro_analyzer(), bro_analyzer()->Conn(), - {AdoptRef{}, BuildSMB2HeaderVal(${val.sir.header})}, - {AdoptRef{}, BuildSMB2GUID(${val.sir.file_id})}, + BuildSMB2HeaderVal(${val.sir.header}), + BuildSMB2GUID(${val.sir.file_id}), ${val.validdatalength}); return true; @@ -202,9 +202,9 @@ refine connection SMB_Conn += { BifEvent::enqueue_smb2_file_fscontrol(bro_analyzer(), bro_analyzer()->Conn(), - {AdoptRef{}, BuildSMB2HeaderVal(${val.sir.header})}, - {AdoptRef{}, BuildSMB2GUID(${val.sir.file_id})}, - std::move(r)); + BuildSMB2HeaderVal(${val.sir.header}), + BuildSMB2GUID(${val.sir.file_id}), + std::move(r)); } return true; @@ -215,10 +215,10 @@ refine connection SMB_Conn += { if ( smb2_file_fsobjectid ) BifEvent::enqueue_smb2_file_fsobjectid(bro_analyzer(), bro_analyzer()->Conn(), - {AdoptRef{}, BuildSMB2HeaderVal(${val.sir.header})}, - {AdoptRef{}, BuildSMB2GUID(${val.sir.file_id})}, - {AdoptRef{}, BuildSMB2GUID(${val.object_id})}, - {AdoptRef{}, smb2_string2stringval(${val.extended_info})}); + BuildSMB2HeaderVal(${val.sir.header}), + BuildSMB2GUID(${val.sir.file_id}), + BuildSMB2GUID(${val.object_id}), + smb2_string2stringval(${val.extended_info})); return true; %} diff --git a/src/analyzer/protocol/smb/smb2-com-transform-header.pac b/src/analyzer/protocol/smb/smb2-com-transform-header.pac index 2c2da578e6..c9629fa842 100644 --- a/src/analyzer/protocol/smb/smb2-com-transform-header.pac +++ b/src/analyzer/protocol/smb/smb2-com-transform-header.pac @@ -1,24 +1,20 @@ refine connection SMB_Conn += { - function BuildSMB2TransformHeaderVal(hdr: SMB2_transform_header): BroVal - %{ - RecordVal* r = new RecordVal(BifType::Record::SMB2::Transform_header); - - r->Assign(0, to_stringval(${hdr.signature})); - r->Assign(1, to_stringval(${hdr.nonce})); - r->Assign(2, val_mgr->Count(${hdr.orig_msg_size})); - r->Assign(3, val_mgr->Count(${hdr.flags})); - r->Assign(4, val_mgr->Count(${hdr.session_id})); - - return r; - %} - function proc_smb2_transform_header(hdr: SMB2_transform_header) : bool %{ if ( smb2_transform_header ) + { + auto r = make_intrusive(BifType::Record::SMB2::Transform_header); + r->Assign(0, to_stringval(${hdr.signature})); + r->Assign(1, to_stringval(${hdr.nonce})); + r->Assign(2, val_mgr->Count(${hdr.orig_msg_size})); + r->Assign(3, val_mgr->Count(${hdr.flags})); + r->Assign(4, val_mgr->Count(${hdr.session_id})); + BifEvent::enqueue_smb2_transform_header(bro_analyzer(), bro_analyzer()->Conn(), - {AdoptRef{}, BuildSMB2TransformHeaderVal(hdr)}); + std::move(r)); + } return true; %} diff --git a/src/analyzer/protocol/smb/smb2-com-tree-connect.pac b/src/analyzer/protocol/smb/smb2-com-tree-connect.pac index 262c8ef173..68449d999f 100644 --- a/src/analyzer/protocol/smb/smb2-com-tree-connect.pac +++ b/src/analyzer/protocol/smb/smb2-com-tree-connect.pac @@ -5,8 +5,8 @@ refine connection SMB_Conn += { if ( smb2_tree_connect_request ) BifEvent::enqueue_smb2_tree_connect_request(bro_analyzer(), bro_analyzer()->Conn(), - {AdoptRef{}, BuildSMB2HeaderVal(header)}, - {AdoptRef{}, smb2_string2stringval(${val.path})}); + BuildSMB2HeaderVal(header), + smb2_string2stringval(${val.path})); return true; %} @@ -23,7 +23,7 @@ refine connection SMB_Conn += { BifEvent::enqueue_smb2_tree_connect_response(bro_analyzer(), bro_analyzer()->Conn(), - {AdoptRef{}, BuildSMB2HeaderVal(header)}, + BuildSMB2HeaderVal(header), std::move(resp)); } diff --git a/src/analyzer/protocol/smb/smb2-com-tree-disconnect.pac b/src/analyzer/protocol/smb/smb2-com-tree-disconnect.pac index a4ce9cf21e..f98523e94a 100644 --- a/src/analyzer/protocol/smb/smb2-com-tree-disconnect.pac +++ b/src/analyzer/protocol/smb/smb2-com-tree-disconnect.pac @@ -9,7 +9,7 @@ refine connection SMB_Conn += { { BifEvent::enqueue_smb2_tree_disconnect_request(bro_analyzer(), bro_analyzer()->Conn(), - {AdoptRef{}, BuildSMB2HeaderVal(header)}); + BuildSMB2HeaderVal(header)); } return true; @@ -21,7 +21,7 @@ refine connection SMB_Conn += { { BifEvent::enqueue_smb2_tree_disconnect_response(bro_analyzer(), bro_analyzer()->Conn(), - {AdoptRef{}, BuildSMB2HeaderVal(header)}); + BuildSMB2HeaderVal(header)); } return true; diff --git a/src/analyzer/protocol/smb/smb2-com-write.pac b/src/analyzer/protocol/smb/smb2-com-write.pac index e638f45a55..773dcd8bcc 100644 --- a/src/analyzer/protocol/smb/smb2-com-write.pac +++ b/src/analyzer/protocol/smb/smb2-com-write.pac @@ -6,8 +6,8 @@ refine connection SMB_Conn += { { BifEvent::enqueue_smb2_write_request(bro_analyzer(), bro_analyzer()->Conn(), - {AdoptRef{}, BuildSMB2HeaderVal(h)}, - {AdoptRef{}, BuildSMB2GUID(${val.file_id})}, + BuildSMB2HeaderVal(h), + BuildSMB2GUID(${val.file_id}), ${val.offset}, ${val.data_len}); } @@ -29,7 +29,7 @@ refine connection SMB_Conn += { { BifEvent::enqueue_smb2_write_response(bro_analyzer(), bro_analyzer()->Conn(), - {AdoptRef{}, BuildSMB2HeaderVal(h)}, + BuildSMB2HeaderVal(h), ${val.write_count}); } diff --git a/src/analyzer/protocol/smb/smb2-protocol.pac b/src/analyzer/protocol/smb/smb2-protocol.pac index 00e525ff50..dd5a2a109a 100644 --- a/src/analyzer/protocol/smb/smb2-protocol.pac +++ b/src/analyzer/protocol/smb/smb2-protocol.pac @@ -1,6 +1,137 @@ # Documentation for SMB2 protocol from here: # http://msdn.microsoft.com/en-us/library/cc246497(v=PROT.13).aspx +%header{ +IntrusivePtr BuildSMB2HeaderVal(SMB2_Header* hdr); +IntrusivePtr BuildSMB2GUID(SMB2_guid* file_id); +IntrusivePtr smb2_file_attrs_to_bro(SMB2_file_attributes* val); +IntrusivePtr BuildSMB2ContextVal(SMB3_negotiate_context_value* ncv); +%} + +%code{ +IntrusivePtr BuildSMB2HeaderVal(SMB2_Header* hdr) + { + auto r = make_intrusive(BifType::Record::SMB2::Header); + r->Assign(0, val_mgr->Count(${hdr.credit_charge})); + r->Assign(1, val_mgr->Count(${hdr.status})); + r->Assign(2, val_mgr->Count(${hdr.command})); + r->Assign(3, val_mgr->Count(${hdr.credits})); + r->Assign(4, val_mgr->Count(${hdr.flags})); + r->Assign(5, val_mgr->Count(${hdr.message_id})); + r->Assign(6, val_mgr->Count(${hdr.process_id})); + r->Assign(7, val_mgr->Count(${hdr.tree_id})); + r->Assign(8, val_mgr->Count(${hdr.session_id})); + r->Assign(9, to_stringval(${hdr.signature})); + return r; + } + +IntrusivePtr BuildSMB2GUID(SMB2_guid* file_id) + { + auto r = make_intrusive(BifType::Record::SMB2::GUID); + r->Assign(0, val_mgr->Count(${file_id.persistent})); + r->Assign(1, val_mgr->Count(${file_id._volatile})); + return r; + } + +IntrusivePtr smb2_file_attrs_to_bro(SMB2_file_attributes* val) + { + auto r = make_intrusive(BifType::Record::SMB2::FileAttrs); + r->Assign(0, val_mgr->Bool(${val.read_only})); + r->Assign(1, val_mgr->Bool(${val.hidden})); + r->Assign(2, val_mgr->Bool(${val.system})); + r->Assign(3, val_mgr->Bool(${val.directory})); + r->Assign(4, val_mgr->Bool(${val.archive})); + r->Assign(5, val_mgr->Bool(${val.normal})); + r->Assign(6, val_mgr->Bool(${val.temporary})); + r->Assign(7, val_mgr->Bool(${val.sparse_file})); + r->Assign(8, val_mgr->Bool(${val.reparse_point})); + r->Assign(9, val_mgr->Bool(${val.compressed})); + r->Assign(10, val_mgr->Bool(${val.offline})); + r->Assign(11, val_mgr->Bool(${val.not_content_indexed})); + r->Assign(12, val_mgr->Bool(${val.encrypted})); + r->Assign(13, val_mgr->Bool(${val.integrity_stream})); + r->Assign(14, val_mgr->Bool(${val.no_scrub_data})); + return r; + } + +IntrusivePtr BuildSMB2ContextVal(SMB3_negotiate_context_value* ncv) + { + auto r = make_intrusive(BifType::Record::SMB2::NegotiateContextValue); + + r->Assign(0, val_mgr->Count(${ncv.context_type})); + r->Assign(1, val_mgr->Count(${ncv.data_length})); + + switch ( ${ncv.context_type} ) { + case SMB2_PREAUTH_INTEGRITY_CAPABILITIES: + { + auto rpreauth = make_intrusive(BifType::Record::SMB2::PreAuthIntegrityCapabilities); + rpreauth->Assign(0, val_mgr->Count(${ncv.preauth_integrity_capabilities.hash_alg_count})); + rpreauth->Assign(1, val_mgr->Count(${ncv.preauth_integrity_capabilities.salt_length})); + + auto ha = make_intrusive(internal_type("index_vec")->AsVectorType()); + + for ( int i = 0; i < ${ncv.preauth_integrity_capabilities.hash_alg_count}; ++i ) + { + const auto& vec = *${ncv.preauth_integrity_capabilities.hash_alg}; + ha->Assign(i, val_mgr->Count(vec[i])); + } + + rpreauth->Assign(2, std::move(ha)); + rpreauth->Assign(3, to_stringval(${ncv.preauth_integrity_capabilities.salt})); + r->Assign(2, std::move(rpreauth)); + } + break; + + case SMB2_ENCRYPTION_CAPABILITIES: + { + auto rencr = make_intrusive(BifType::Record::SMB2::EncryptionCapabilities); + rencr->Assign(0, val_mgr->Count(${ncv.encryption_capabilities.cipher_count})); + + auto c = make_intrusive(internal_type("index_vec")->AsVectorType()); + + for ( int i = 0; i < ${ncv.encryption_capabilities.cipher_count}; ++i ) + { + const auto& vec = *${ncv.encryption_capabilities.ciphers}; + c->Assign(i, val_mgr->Count(vec[i])); + } + + rencr->Assign(1, std::move(c)); + r->Assign(3, std::move(rencr)); + } + break; + + case SMB2_COMPRESSION_CAPABILITIES: + { + auto rcomp = make_intrusive(BifType::Record::SMB2::CompressionCapabilities); + rcomp->Assign(0, val_mgr->Count(${ncv.compression_capabilities.alg_count})); + + auto c = make_intrusive(internal_type("index_vec")->AsVectorType()); + + for ( int i = 0; i < ${ncv.compression_capabilities.alg_count}; ++i ) + { + const auto& vec = *${ncv.compression_capabilities.algs}; + c->Assign(i, val_mgr->Count(vec[i])); + } + + rcomp->Assign(1, std::move(c)); + r->Assign(4, std::move(rcomp)); + } + break; + + case SMB2_NETNAME_NEGOTIATE_CONTEXT_ID: + { + r->Assign(5, to_stringval(${ncv.netname_negotiate_context_id.net_name})); + } + break; + + default: + break; + } + + return r; + } +%} + enum smb2_commands { SMB2_NEGOTIATE_PROTOCOL = 0, SMB2_SESSION_SETUP = 1, @@ -100,102 +231,6 @@ refine connection SMB_Conn += { std::map smb2_request_tree_id; %} - function BuildSMB2ContextVal(ncv: SMB3_negotiate_context_value): BroVal - %{ - RecordVal* r = new RecordVal(BifType::Record::SMB2::NegotiateContextValue); - - r->Assign(0, val_mgr->Count(${ncv.context_type})); - r->Assign(1, val_mgr->Count(${ncv.data_length})); - - switch ( ${ncv.context_type} ) { - case SMB2_PREAUTH_INTEGRITY_CAPABILITIES: - { - RecordVal* rpreauth = new RecordVal(BifType::Record::SMB2::PreAuthIntegrityCapabilities); - rpreauth->Assign(0, val_mgr->Count(${ncv.preauth_integrity_capabilities.hash_alg_count})); - rpreauth->Assign(1, val_mgr->Count(${ncv.preauth_integrity_capabilities.salt_length})); - - VectorVal* ha = new VectorVal(internal_type("index_vec")->AsVectorType()); - - for ( int i = 0; i < (${ncv.preauth_integrity_capabilities.hash_alg_count}); ++i ) - ha->Assign(i, val_mgr->Count(${ncv.preauth_integrity_capabilities.hash_alg[i]})); - - rpreauth->Assign(2, ha); - rpreauth->Assign(3, to_stringval(${ncv.preauth_integrity_capabilities.salt})); - r->Assign(2, rpreauth); - } - break; - - case SMB2_ENCRYPTION_CAPABILITIES: - { - RecordVal* rencr = new RecordVal(BifType::Record::SMB2::EncryptionCapabilities); - rencr->Assign(0, val_mgr->Count(${ncv.encryption_capabilities.cipher_count})); - - VectorVal* c = new VectorVal(internal_type("index_vec")->AsVectorType()); - - for ( int i = 0; i < (${ncv.encryption_capabilities.cipher_count}); ++i ) - c->Assign(i, val_mgr->Count(${ncv.encryption_capabilities.ciphers[i]})); - - rencr->Assign(1, c); - r->Assign(3, rencr); - } - break; - - case SMB2_COMPRESSION_CAPABILITIES: - { - RecordVal* rcomp = new RecordVal(BifType::Record::SMB2::CompressionCapabilities); - rcomp->Assign(0, val_mgr->Count(${ncv.compression_capabilities.alg_count})); - - VectorVal* c = new VectorVal(internal_type("index_vec")->AsVectorType()); - - for ( int i = 0; i < (${ncv.compression_capabilities.alg_count}); ++i ) - c->Assign(i, val_mgr->Count(${ncv.compression_capabilities.algs[i]})); - - rcomp->Assign(1, c); - r->Assign(4, rcomp); - } - break; - - case SMB2_NETNAME_NEGOTIATE_CONTEXT_ID: - { - r->Assign(5, to_stringval(${ncv.netname_negotiate_context_id.net_name})); - } - break; - - default: - break; - } - - return r; - %} - - function BuildSMB2HeaderVal(hdr: SMB2_Header): BroVal - %{ - RecordVal* r = new RecordVal(BifType::Record::SMB2::Header); - - r->Assign(0, val_mgr->Count(${hdr.credit_charge})); - r->Assign(1, val_mgr->Count(${hdr.status})); - r->Assign(2, val_mgr->Count(${hdr.command})); - r->Assign(3, val_mgr->Count(${hdr.credits})); - r->Assign(4, val_mgr->Count(${hdr.flags})); - r->Assign(5, val_mgr->Count(${hdr.message_id})); - r->Assign(6, val_mgr->Count(${hdr.process_id})); - r->Assign(7, val_mgr->Count(${hdr.tree_id})); - r->Assign(8, val_mgr->Count(${hdr.session_id})); - r->Assign(9, to_stringval(${hdr.signature})); - - return r; - %} - - function BuildSMB2GUID(file_id: SMB2_guid): BroVal - %{ - RecordVal* r = new RecordVal(BifType::Record::SMB2::GUID); - - r->Assign(0, val_mgr->Count(${file_id.persistent})); - r->Assign(1, val_mgr->Count(${file_id._volatile})); - - return r; - %} - function proc_smb2_message(h: SMB2_Header, is_orig: bool): bool %{ if ( is_orig ) @@ -216,8 +251,7 @@ refine connection SMB_Conn += { if ( smb2_message ) { BifEvent::enqueue_smb2_message(bro_analyzer(), bro_analyzer()->Conn(), - {AdoptRef{}, BuildSMB2HeaderVal(h)}, - is_orig); + BuildSMB2HeaderVal(h), is_orig); } return true; %} @@ -234,29 +268,6 @@ refine connection SMB_Conn += { %} }; -function smb2_file_attrs_to_bro(val: SMB2_file_attributes): BroVal - %{ - RecordVal* r = new RecordVal(BifType::Record::SMB2::FileAttrs); - - r->Assign(0, val_mgr->Bool(${val.read_only})); - r->Assign(1, val_mgr->Bool(${val.hidden})); - r->Assign(2, val_mgr->Bool(${val.system})); - r->Assign(3, val_mgr->Bool(${val.directory})); - r->Assign(4, val_mgr->Bool(${val.archive})); - r->Assign(5, val_mgr->Bool(${val.normal})); - r->Assign(6, val_mgr->Bool(${val.temporary})); - r->Assign(7, val_mgr->Bool(${val.sparse_file})); - r->Assign(8, val_mgr->Bool(${val.reparse_point})); - r->Assign(9, val_mgr->Bool(${val.compressed})); - r->Assign(10, val_mgr->Bool(${val.offline})); - r->Assign(11, val_mgr->Bool(${val.not_content_indexed})); - r->Assign(12, val_mgr->Bool(${val.encrypted})); - r->Assign(13, val_mgr->Bool(${val.integrity_stream})); - r->Assign(14, val_mgr->Bool(${val.no_scrub_data})); - - return r; - %} - type SMB2_file_attributes = record { flags : uint32; } &let { diff --git a/src/binpac_bro-lib.pac b/src/binpac_bro-lib.pac index ed8efff361..5b5b7594b1 100644 --- a/src/binpac_bro-lib.pac +++ b/src/binpac_bro-lib.pac @@ -6,22 +6,18 @@ #include "ConvertUTF.h" %} -function network_time(): double - %{ - return ::network_time; - %} - -function utf16_bytestring_to_utf8_val(conn: Connection, utf16: bytestring): StringVal - %{ +%code{ +IntrusivePtr utf16_to_utf8_val(Connection* conn, const bytestring& utf16) + { std::string resultstring; size_t utf8size = (3 * utf16.length() + 1); if ( utf8size > resultstring.max_size() ) { - reporter->Info("utf16 too long in utf16_bytestring_to_utf8_val"); + reporter->Weird(conn, "utf16_conversion_failed", "utf16 too long in utf16_to_utf8_val"); // If the conversion didn't go well, return the original data. - return to_stringval(utf16).release(); + return to_stringval(utf16); } resultstring.resize(utf8size, '\0'); @@ -47,14 +43,25 @@ function utf16_bytestring_to_utf8_val(conn: Connection, utf16: bytestring): Stri lenientConversion); if ( res != conversionOK ) { - reporter->Weird(conn, "utf16_conversion_failed", "utf16 conversion failed in utf16_bytestring_to_utf8_val"); + reporter->Weird(conn, "utf16_conversion_failed", "utf16 conversion failed in utf16_to_utf8_val"); // If the conversion didn't go well, return the original data. - return to_stringval(utf16).release(); + return to_stringval(utf16); } *targetstart = 0; // We're relying on no nulls being in the string. //return new StringVal(resultstring.length(), (const char *) resultstring.data()); - return new StringVal(resultstring.c_str()); + return make_intrusive(resultstring.c_str()); + } + +StringVal* utf16_bytestring_to_utf8_val(Connection* conn, const bytestring& utf16) + { + return utf16_to_utf8_val(conn, utf16).release(); + } +%} + +function network_time(): double + %{ + return ::network_time; %} diff --git a/src/binpac_bro.h b/src/binpac_bro.h index 743bb7443d..1d84ad0810 100644 --- a/src/binpac_bro.h +++ b/src/binpac_bro.h @@ -40,4 +40,9 @@ inline IntrusivePtr to_stringval(const_bytestring const& str) return make_intrusive(str.length(), (const char*) str.begin()); } +IntrusivePtr utf16_to_utf8_val(Connection* conn, const bytestring& utf16); + +[[deprecated("Remove in v4.1. Use utf16_to_utf8_val() instead.")]] +StringVal* utf16_bytestring_to_utf8_val(Connection* conn, const bytestring& utf16); + } // namespace binpac diff --git a/src/bro.pac b/src/bro.pac index 5f976b448a..b622041c12 100644 --- a/src/bro.pac +++ b/src/bro.pac @@ -8,4 +8,3 @@ extern type BroPortVal; extern type BroStringVal; function network_time(): double; -function utf16_bytestring_to_utf8_val(conn: Connection, utf16: bytestring): StringVal;