Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-02 06:38:20 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

Migrate SMB analyzer to use IntrusivePtr

Browse source 
Deprecates the utf16_bytestring_to_utf8_val() function with replacement
being utf16_to_utf8_val().
This commit is contained in:
Jon Siwek 2020-05-05 22:56:38 -07:00
parent ad6dbada71
commit a60e5e9582
28 changed files with 377 additions and 344 deletions
Download patch file Download diff file Expand all files Collapse all files

3
NEWS
View file

@ -140,6 +140,9 @@ Deprecated Functionality
- Various methods of ``Tag`` classes are deprecated with the warning
message advising what new method to use instead.
- The ``utf16_bytestring_to_utf8_val()`` function is deprecated, use
``utf16_to_utf8_val()`` instead.
Zeek 3.1.0
==========

24
src/analyzer/protocol/ntlm/ntlm-analyzer.pac
View file

@ -45,19 +45,19 @@ refine connection NTLM_Conn += {
case 0:
return result;
case 1:
result->Assign(0, utf16_bytestring_to_utf8_val(bro_analyzer()->Conn(), ${val.pairs[i].nb_computer_name.data}));
result->Assign(0, utf16_to_utf8_val(bro_analyzer()->Conn(), ${val.pairs[i].nb_computer_name.data}));
break;
case 2:
result->Assign(1, utf16_bytestring_to_utf8_val(bro_analyzer()->Conn(), ${val.pairs[i].nb_domain_name.data}));
result->Assign(1, utf16_to_utf8_val(bro_analyzer()->Conn(), ${val.pairs[i].nb_domain_name.data}));
break;
case 3:
result->Assign(2, utf16_bytestring_to_utf8_val(bro_analyzer()->Conn(), ${val.pairs[i].dns_computer_name.data}));
result->Assign(2, utf16_to_utf8_val(bro_analyzer()->Conn(), ${val.pairs[i].dns_computer_name.data}));
break;
case 4:
result->Assign(3, utf16_bytestring_to_utf8_val(bro_analyzer()->Conn(), ${val.pairs[i].dns_domain_name.data}));
result->Assign(3, utf16_to_utf8_val(bro_analyzer()->Conn(), ${val.pairs[i].dns_domain_name.data}));
break;
case 5:
result->Assign(4, utf16_bytestring_to_utf8_val(bro_analyzer()->Conn(), ${val.pairs[i].dns_tree_name.data}));
result->Assign(4, utf16_to_utf8_val(bro_analyzer()->Conn(), ${val.pairs[i].dns_tree_name.data}));
break;
case 6:
result->Assign(5, val_mgr->Bool(${val.pairs[i].constrained_auth}));
@ -69,7 +69,7 @@ refine connection NTLM_Conn += {
result->Assign(7, val_mgr->Count(${val.pairs[i].single_host.machine_id}));
break;
case 9:
result->Assign(8, utf16_bytestring_to_utf8_val(bro_analyzer()->Conn(), ${val.pairs[i].target_name.data}));
result->Assign(8, utf16_to_utf8_val(bro_analyzer()->Conn(), ${val.pairs[i].target_name.data}));
break;
}
}
@ -114,10 +114,10 @@ refine connection NTLM_Conn += {
result->Assign(0, build_negotiate_flag_record(${val.flags}));
if ( ${val}->has_domain_name() )
result->Assign(1, utf16_bytestring_to_utf8_val(bro_analyzer()->Conn(), ${val.domain_name.string.data}));
result->Assign(1, utf16_to_utf8_val(bro_analyzer()->Conn(), ${val.domain_name.string.data}));
if ( ${val}->has_workstation() )
result->Assign(2, utf16_bytestring_to_utf8_val(bro_analyzer()->Conn(), ${val.workstation.string.data}));
result->Assign(2, utf16_to_utf8_val(bro_analyzer()->Conn(), ${val.workstation.string.data}));
if ( ${val}->has_version() )
result->Assign(3, build_version_record(${val.version}));
@ -138,7 +138,7 @@ refine connection NTLM_Conn += {
result->Assign(0, build_negotiate_flag_record(${val.flags}));
if ( ${val}->has_target_name() )
result->Assign(1, utf16_bytestring_to_utf8_val(bro_analyzer()->Conn(), ${val.target_name.string.data}));
result->Assign(1, utf16_to_utf8_val(bro_analyzer()->Conn(), ${val.target_name.string.data}));
if ( ${val}->has_version() )
result->Assign(2, build_version_record(${val.version}));
@ -162,13 +162,13 @@ refine connection NTLM_Conn += {
result->Assign(0, build_negotiate_flag_record(${val.flags}));
if ( ${val}->has_domain_name() > 0 )
result->Assign(1, utf16_bytestring_to_utf8_val(bro_analyzer()->Conn(), ${val.domain_name.string.data}));
result->Assign(1, utf16_to_utf8_val(bro_analyzer()->Conn(), ${val.domain_name.string.data}));
if ( ${val}->has_user_name() > 0 )
result->Assign(2, utf16_bytestring_to_utf8_val(bro_analyzer()->Conn(), ${val.user_name.string.data}));
result->Assign(2, utf16_to_utf8_val(bro_analyzer()->Conn(), ${val.user_name.string.data}));
if ( ${val}->has_workstation() > 0 )
result->Assign(3, utf16_bytestring_to_utf8_val(bro_analyzer()->Conn(), ${val.workstation.string.data}));
result->Assign(3, utf16_to_utf8_val(bro_analyzer()->Conn(), ${val.workstation.string.data}));
if ( ${val}->has_encrypted_session_key() > 0 )
result->Assign(4, to_stringval(${val.encrypted_session_key.string.data}));

6
src/analyzer/protocol/rdp/rdp-analyzer.pac
View file

@ -81,18 +81,18 @@ refine flow RDP_Flow += {
ccd->Assign(5, val_mgr->Count(${ccore.sas_sequence}));
ccd->Assign(6, val_mgr->Count(${ccore.keyboard_layout}));
ccd->Assign(7, val_mgr->Count(${ccore.client_build}));
ccd->Assign(8, utf16_bytestring_to_utf8_val(connection()->bro_analyzer()->Conn(), ${ccore.client_name}));
ccd->Assign(8, utf16_to_utf8_val(connection()->bro_analyzer()->Conn(), ${ccore.client_name}));
ccd->Assign(9, val_mgr->Count(${ccore.keyboard_type}));
ccd->Assign(10, val_mgr->Count(${ccore.keyboard_sub}));
ccd->Assign(11, val_mgr->Count(${ccore.keyboard_function_key}));
ccd->Assign(12, utf16_bytestring_to_utf8_val(connection()->bro_analyzer()->Conn(), ${ccore.ime_file_name}));
ccd->Assign(12, utf16_to_utf8_val(connection()->bro_analyzer()->Conn(), ${ccore.ime_file_name}));
ccd->Assign(13, val_mgr->Count(${ccore.post_beta2_color_depth}));
ccd->Assign(14, val_mgr->Count(${ccore.client_product_id}));
ccd->Assign(15, val_mgr->Count(${ccore.serial_number}));
ccd->Assign(16, val_mgr->Count(${ccore.high_color_depth}));
ccd->Assign(17, val_mgr->Count(${ccore.supported_color_depths}));
ccd->Assign(18, std::move(ec_flags));
ccd->Assign(19, utf16_bytestring_to_utf8_val(connection()->bro_analyzer()->Conn(), ${ccore.dig_product_id}));
ccd->Assign(19, utf16_to_utf8_val(connection()->bro_analyzer()->Conn(), ${ccore.dig_product_id}));
BifEvent::enqueue_rdp_client_core_data(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),

102
src/analyzer/protocol/smb/smb-strings.pac
View file

@ -1,7 +1,61 @@
%extern{
#include "binpac_bro.h"
%}
%code{
IntrusivePtr<StringVal> binpac::SMB::SMB_Conn::uint8s_to_stringval(std::vector<uint8_t>* data)
{
int length = data->size();
auto buf = std::make_unique<uint8[]>(length);
for ( int i = 0; i < length; ++i)
buf[i] = (*data)[i];
const bytestring bs = bytestring(buf.get(), length);
return utf16_to_utf8_val(bro_analyzer()->Conn(), bs);
}
IntrusivePtr<StringVal> binpac::SMB::SMB_Conn::extract_string(SMB_string* s)
{
if ( s->unicode() == false )
{
int length = s->a()->size();
auto buf = std::make_unique<char[]>(length);
for ( int i = 0; i < length; i++)
{
unsigned char t = (*(s->a()))[i];
buf[i] = t;
}
if ( length > 0 && buf[length-1] == 0x00 )
length--;
return make_intrusive<StringVal>(length, buf.get());
}
else
return uint8s_to_stringval(s->u()->s());
}
IntrusivePtr<StringVal> binpac::SMB::SMB_Conn::smb_string2stringval(SMB_string* s)
{
return extract_string(s);
}
IntrusivePtr<StringVal> binpac::SMB::SMB_Conn::smb2_string2stringval(SMB2_string* s)
{
return uint8s_to_stringval(s->s());
}
%}
refine connection SMB_Conn += {
%member{
SMB_unicode_string *me;
IntrusivePtr<StringVal> uint8s_to_stringval(std::vector<uint8_t>* data);
IntrusivePtr<StringVal> extract_string(SMB_string* s);
IntrusivePtr<StringVal> smb_string2stringval(SMB_string* s);
IntrusivePtr<StringVal> smb2_string2stringval(SMB2_string* s);
SMB_unicode_string* me;
%}
%init{
@ -23,52 +77,6 @@ refine connection SMB_Conn += {
else
return 0xFF;
%}
function uint8s_to_stringval(data: uint8[]): StringVal
%{
int length = data->size();
auto buf = std::make_unique<uint8[]>(length);
for ( int i = 0; i < length; ++i)
buf[i] = (*data)[i];
const bytestring bs = bytestring(buf.get(), length);
return utf16_bytestring_to_utf8_val(bro_analyzer()->Conn(), bs);
%}
function extract_string(s: SMB_string) : StringVal
%{
if ( s->unicode() == false )
{
int length = s->a()->size();
auto buf = std::make_unique<char[]>(length);
for ( int i = 0; i < length; i++)
{
unsigned char t = (*(s->a()))[i];
buf[i] = t;
}
if ( length > 0 && buf[length-1] == 0x00 )
length--;
return new StringVal(length, buf.get());
}
else
{
return uint8s_to_stringval(s->u()->s());
}
%}
function smb_string2stringval(s: SMB_string) : StringVal
%{
return extract_string(s);
%}
function smb2_string2stringval(s: SMB2_string) : StringVal
%{
return uint8s_to_stringval(s->s());
%}
};
type SMB_ascii_string = uint8[] &until($element == 0x00);

47
src/analyzer/protocol/smb/smb-time.pac
View file

@ -1,28 +1,22 @@
function SMB_BuildMACTimes(modify: uint64, access: uint64, create: uint64, change: uint64): BroVal
%{
RecordVal* r = new RecordVal(BifType::Record::SMB::MACTimes);
%header{
IntrusivePtr<Val> filetime2brotime(uint64_t ts);
IntrusivePtr<Val> time_from_lanman(SMB_time* t, SMB_date* d, uint16_t tz);
r->Assign(0, filetime2brotime(modify));
r->Assign(1, filetime2brotime(access));
r->Assign(2, filetime2brotime(create));
r->Assign(3, filetime2brotime(change));
IntrusivePtr<RecordVal> SMB_BuildMACTimes(uint64_t modify, uint64_t access,
uint64_t create, uint64_t change);
%}
return r;
%}
function filetime2brotime(ts: uint64): Val
%{
%code{
IntrusivePtr<Val> filetime2brotime(uint64_t ts)
{
// Bro can't support times back to the 1600's
// so we subtract a lot of seconds.
double secs = (ts / 10000000.0L) - 11644473600.0L;
return make_intrusive<Val>(secs, TYPE_TIME);
}
Val* bro_ts = new Val(secs, TYPE_TIME);
return bro_ts;
%}
function time_from_lanman(t: SMB_time, d: SMB_date, tz: uint16): Val
%{
IntrusivePtr<Val> time_from_lanman(SMB_time* t, SMB_date* d, uint16_t tz)
{
tm lTime;
lTime.tm_sec = ${t.two_seconds} * 2;
lTime.tm_min = ${t.minutes};
@ -32,9 +26,20 @@ function time_from_lanman(t: SMB_time, d: SMB_date, tz: uint16): Val
lTime.tm_year = 1980 + ${d.year};
lTime.tm_isdst = -1;
double lResult = mktime(&lTime);
return new Val(lResult + tz, TYPE_TIME);
%}
return make_intrusive<Val>(lResult + tz, TYPE_TIME);
}
IntrusivePtr<RecordVal> SMB_BuildMACTimes(uint64_t modify, uint64_t access,
uint64_t create, uint64_t change)
{
auto r = make_intrusive<RecordVal>(BifType::Record::SMB::MACTimes);
r->Assign(0, filetime2brotime(modify));
r->Assign(1, filetime2brotime(access));
r->Assign(2, filetime2brotime(create));
r->Assign(3, filetime2brotime(change));
return r;
}
%}
type SMB_timestamp32 = uint32;
type SMB_timestamp = uint64;

2
src/analyzer/protocol/smb/smb1-com-check-directory.pac
View file

@ -6,7 +6,7 @@ refine connection SMB_Conn += {
BifEvent::enqueue_smb1_check_directory_request(bro_analyzer(),
bro_analyzer()->Conn(),
SMBHeaderVal(header),
{AdoptRef{}, smb_string2stringval(${val.directory_name})});
smb_string2stringval(${val.directory_name}));
return true;
%}

2
src/analyzer/protocol/smb/smb1-com-create-directory.pac
View file

@ -5,7 +5,7 @@ refine connection SMB_Conn += {
if ( smb1_create_directory_request )
BifEvent::enqueue_smb1_create_directory_request(bro_analyzer(), bro_analyzer()->Conn(),
SMBHeaderVal(header),
{AdoptRef{}, smb_string2stringval(${val.directory_name})});
smb_string2stringval(${val.directory_name}));
return true;
%}
function proc_smb1_create_directory_response(header: SMB_Header, val: SMB1_create_directory_response): bool

45
src/analyzer/protocol/smb/smb1-com-negotiate.pac
View file

@ -19,8 +19,8 @@ refine connection SMB_Conn += {
for ( unsigned int i = 0; i < ${val.dialects}->size(); ++i )
{
StringVal* dia = smb_string2stringval((*${val.dialects})[i]->name());
dialects->Assign(i, dia);
auto dia = smb_string2stringval((*${val.dialects})[i]->name());
dialects->Assign(i, std::move(dia));
}
BifEvent::enqueue_smb1_negotiate_request(bro_analyzer(), bro_analyzer()->Conn(),
@ -37,57 +37,55 @@ refine connection SMB_Conn += {
{
auto response = make_intrusive<RecordVal>(BifType::Record::SMB1::NegotiateResponse);
RecordVal* core;
RecordVal* lanman;
RecordVal* ntlm;
RecordVal* security;
RecordVal* raw;
RecordVal* capabilities;
switch ( ${val.word_count} )
{
case 0x01:
core = new RecordVal(BifType::Record::SMB1::NegotiateResponseCore);
{
auto core = make_intrusive<RecordVal>(BifType::Record::SMB1::NegotiateResponseCore);
core->Assign(0, val_mgr->Count(${val.dialect_index}));
response->Assign(0, core);
response->Assign(0, std::move(core));
}
break;
case 0x0d:
security = new RecordVal(BifType::Record::SMB1::NegotiateResponseSecurity);
{
auto security = make_intrusive<RecordVal>(BifType::Record::SMB1::NegotiateResponseSecurity);
security->Assign(0, val_mgr->Bool(${val.lanman.security_user_level}));
security->Assign(1, val_mgr->Bool(${val.lanman.security_challenge_response}));
raw = new RecordVal(BifType::Record::SMB1::NegotiateRawMode);
auto raw = make_intrusive<RecordVal>(BifType::Record::SMB1::NegotiateRawMode);
raw->Assign(0, val_mgr->Bool(${val.lanman.raw_read_supported}));
raw->Assign(1, val_mgr->Bool(${val.lanman.raw_write_supported}));
lanman = new RecordVal(BifType::Record::SMB1::NegotiateResponseLANMAN);
auto lanman = make_intrusive<RecordVal>(BifType::Record::SMB1::NegotiateResponseLANMAN);
lanman->Assign(0, val_mgr->Count(${val.word_count}));
lanman->Assign(1, val_mgr->Count(${val.dialect_index}));
lanman->Assign(2, security);
lanman->Assign(2, std::move(security));
lanman->Assign(3, val_mgr->Count(${val.lanman.max_buffer_size}));
lanman->Assign(4, val_mgr->Count(${val.lanman.max_mpx_count}));
lanman->Assign(5, val_mgr->Count(${val.lanman.max_number_vcs}));
lanman->Assign(6, raw);
lanman->Assign(6, std::move(raw));
lanman->Assign(7, val_mgr->Count(${val.lanman.session_key}));
lanman->Assign(8, time_from_lanman(${val.lanman.server_time}, ${val.lanman.server_date}, ${val.lanman.server_tz}));
lanman->Assign(9, to_stringval(${val.lanman.encryption_key}));
lanman->Assign(10, smb_string2stringval(${val.lanman.primary_domain}));
response->Assign(1, lanman);
response->Assign(1, std::move(lanman));
}
break;
case 0x11:
security = new RecordVal(BifType::Record::SMB1::NegotiateResponseSecurity);
{
auto security = make_intrusive<RecordVal>(BifType::Record::SMB1::NegotiateResponseSecurity);
security->Assign(0, val_mgr->Bool(${val.ntlm.security_user_level}));
security->Assign(1, val_mgr->Bool(${val.ntlm.security_challenge_response}));
security->Assign(2, val_mgr->Bool(${val.ntlm.security_signatures_enabled}));
security->Assign(3, val_mgr->Bool(${val.ntlm.security_signatures_required}));
capabilities = new RecordVal(BifType::Record::SMB1::NegotiateCapabilities);
auto capabilities = make_intrusive<RecordVal>(BifType::Record::SMB1::NegotiateCapabilities);
capabilities->Assign(0, val_mgr->Bool(${val.ntlm.capabilities_raw_mode}));
capabilities->Assign(1, val_mgr->Bool(${val.ntlm.capabilities_mpx_mode}));
capabilities->Assign(2, val_mgr->Bool(${val.ntlm.capabilities_unicode}));
@ -110,17 +108,17 @@ refine connection SMB_Conn += {
capabilities->Assign(16, val_mgr->Bool(${val.ntlm.capabilities_compressed_data}));
capabilities->Assign(17, val_mgr->Bool(${val.ntlm.capabilities_extended_security}));
ntlm = new RecordVal(BifType::Record::SMB1::NegotiateResponseNTLM);
auto ntlm = make_intrusive<RecordVal>(BifType::Record::SMB1::NegotiateResponseNTLM);
ntlm->Assign(0, val_mgr->Count(${val.word_count}));
ntlm->Assign(1, val_mgr->Count(${val.dialect_index}));
ntlm->Assign(2, security);
ntlm->Assign(2, std::move(security));
ntlm->Assign(3, val_mgr->Count(${val.ntlm.max_buffer_size}));
ntlm->Assign(4, val_mgr->Count(${val.ntlm.max_mpx_count}));
ntlm->Assign(5, val_mgr->Count(${val.ntlm.max_number_vcs}));
ntlm->Assign(6, val_mgr->Count(${val.ntlm.max_raw_size}));
ntlm->Assign(7, val_mgr->Count(${val.ntlm.session_key}));
ntlm->Assign(8, capabilities);
ntlm->Assign(8, std::move(capabilities));
ntlm->Assign(9, filetime2brotime(${val.ntlm.server_time}));
if ( ${val.ntlm.capabilities_extended_security} == false )
@ -133,7 +131,8 @@ refine connection SMB_Conn += {
ntlm->Assign(12, to_stringval(${val.ntlm.server_guid}));
}
response->Assign(2, ntlm);
response->Assign(2, std::move(ntlm));
}
break;
}
BifEvent::enqueue_smb1_negotiate_response(bro_analyzer(),

6
src/analyzer/protocol/smb/smb1-com-nt-create-andx.pac
View file

@ -1,7 +1,7 @@
refine connection SMB_Conn += {
function proc_smb1_nt_create_andx_request(header: SMB_Header, val: SMB1_nt_create_andx_request): bool
%{
auto filename = IntrusivePtr<StringVal>{AdoptRef{}, smb_string2stringval(${val.filename})};
auto filename = smb_string2stringval(${val.filename});
if ( ! ${header.is_pipe} &&
BifConst::SMB::pipe_filenames->AsTable()->Lookup(filename->CheckString()) )
@ -33,10 +33,10 @@ refine connection SMB_Conn += {
SMBHeaderVal(header),
${val.file_id},
${val.end_of_file},
{AdoptRef{}, SMB_BuildMACTimes(${val.last_write_time},
SMB_BuildMACTimes(${val.last_write_time},
${val.last_access_time},
${val.create_time},
${val.last_change_time})});
${val.last_change_time}));
}
return true;

2
src/analyzer/protocol/smb/smb1-com-query-information.pac
View file

@ -6,7 +6,7 @@ refine connection SMB_Conn += {
BifEvent::enqueue_smb1_query_information_request(bro_analyzer(),
bro_analyzer()->Conn(),
SMBHeaderVal(header),
{AdoptRef{}, smb_string2stringval(${val.filename})});
smb_string2stringval(${val.filename}));
return true;
%}

19
src/analyzer/protocol/smb/smb1-com-session-setup-andx.pac
View file

@ -13,7 +13,6 @@ refine connection SMB_Conn += {
if ( smb1_session_setup_andx_request )
{
auto request = make_intrusive<RecordVal>(BifType::Record::SMB1::SessionSetupAndXRequest);
RecordVal* capabilities;
request->Assign(0, val_mgr->Count(${val.word_count}));
switch ( ${val.word_count} ) {
@ -31,7 +30,8 @@ refine connection SMB_Conn += {
break;
case 12: // NT LM 0.12 with extended security
capabilities = new RecordVal(BifType::Record::SMB1::SessionSetupAndXCapabilities);
{
auto capabilities = make_intrusive<RecordVal>(BifType::Record::SMB1::SessionSetupAndXCapabilities);
capabilities->Assign(0, val_mgr->Bool(${val.ntlm_extended_security.capabilities.unicode}));
capabilities->Assign(1, val_mgr->Bool(${val.ntlm_extended_security.capabilities.large_files}));
capabilities->Assign(2, val_mgr->Bool(${val.ntlm_extended_security.capabilities.nt_smbs}));
@ -47,11 +47,13 @@ refine connection SMB_Conn += {
request->Assign(5, smb_string2stringval(${val.ntlm_extended_security.native_os}));
request->Assign(6, smb_string2stringval(${val.ntlm_extended_security.native_lanman}));
request->Assign(13, capabilities);
request->Assign(13, std::move(capabilities));
}
break;
case 13: // NT LM 0.12 without extended security
capabilities = new RecordVal(BifType::Record::SMB1::SessionSetupAndXCapabilities);
{
auto capabilities = make_intrusive<RecordVal>(BifType::Record::SMB1::SessionSetupAndXCapabilities);
capabilities->Assign(0, val_mgr->Bool(${val.ntlm_nonextended_security.capabilities.unicode}));
capabilities->Assign(1, val_mgr->Bool(${val.ntlm_nonextended_security.capabilities.large_files}));
capabilities->Assign(2, val_mgr->Bool(${val.ntlm_nonextended_security.capabilities.nt_smbs}));
@ -71,7 +73,8 @@ refine connection SMB_Conn += {
request->Assign(10, to_stringval(${val.ntlm_nonextended_security.case_insensitive_password}));
request->Assign(11, to_stringval(${val.ntlm_nonextended_security.case_sensitive_password}));
request->Assign(13, capabilities);
request->Assign(13, std::move(capabilities));
}
break;
}
@ -94,9 +97,9 @@ refine connection SMB_Conn += {
{
case 3: // pre NT LM 0.12
response->Assign(1, val_mgr->Bool(${val.lanman.is_guest}));
response->Assign(2, ${val.lanman.byte_count} == 0 ? val_mgr->EmptyString()->Ref()->AsStringVal() : smb_string2stringval(${val.lanman.native_os[0]}));
response->Assign(3, ${val.lanman.byte_count} == 0 ? val_mgr->EmptyString()->Ref()->AsStringVal() : smb_string2stringval(${val.lanman.native_lanman[0]}));
response->Assign(4, ${val.lanman.byte_count} == 0 ? val_mgr->EmptyString()->Ref()->AsStringVal() : smb_string2stringval(${val.lanman.primary_domain[0]}));
response->Assign(2, ${val.lanman.byte_count} == 0 ? val_mgr->EmptyString() : smb_string2stringval(${val.lanman.native_os[0]}));
response->Assign(3, ${val.lanman.byte_count} == 0 ? val_mgr->EmptyString() : smb_string2stringval(${val.lanman.native_lanman[0]}));
response->Assign(4, ${val.lanman.byte_count} == 0 ? val_mgr->EmptyString() : smb_string2stringval(${val.lanman.primary_domain[0]}));
break;
case 4: // NT LM 0.12
response->Assign(1, val_mgr->Bool(${val.ntlm.is_guest}));

2
src/analyzer/protocol/smb/smb1-com-transaction.pac
View file

@ -65,7 +65,7 @@ refine connection SMB_Conn += {
BifEvent::enqueue_smb1_transaction_request(bro_analyzer(),
bro_analyzer()->Conn(),
SMBHeaderVal(header),
{AdoptRef{}, smb_string2stringval(${val.name})},
smb_string2stringval(${val.name}),
${val.sub_cmd},
std::move(parameters),
std::move(payload_str));

4
src/analyzer/protocol/smb/smb1-com-transaction2.pac
View file

@ -220,7 +220,7 @@ refine connection SMB_Conn += {
BifEvent::enqueue_smb1_trans2_query_path_info_request(bro_analyzer(),
bro_analyzer()->Conn(),
SMBHeaderVal(header),
{AdoptRef{}, smb_string2stringval(${val.file_name})});
smb_string2stringval(${val.file_name}));
}
return true;
@ -325,7 +325,7 @@ refine connection SMB_Conn += {
BifEvent::enqueue_smb1_trans2_get_dfs_referral_request(bro_analyzer(),
bro_analyzer()->Conn(),
SMBHeaderVal(header),
{AdoptRef{}, smb_string2stringval(${val.file_name})});
smb_string2stringval(${val.file_name}));
}
return true;
%}

8
src/analyzer/protocol/smb/smb1-com-tree-connect-andx.pac
View file

@ -6,14 +6,14 @@ refine connection SMB_Conn += {
BifEvent::enqueue_smb1_tree_connect_andx_request(bro_analyzer(),
bro_analyzer()->Conn(),
SMBHeaderVal(header),
{AdoptRef{}, smb_string2stringval(${val.path})},
{AdoptRef{}, smb_string2stringval(${val.service})});
smb_string2stringval(${val.path}),
smb_string2stringval(${val.service}));
return true;
%}
function proc_smb1_tree_connect_andx_response(header: SMB_Header, val: SMB1_tree_connect_andx_response): bool
%{
auto service_string = IntrusivePtr<StringVal>{AdoptRef{}, smb_string2stringval(${val.service})};
auto service_string = smb_string2stringval(${val.service});
auto s = reinterpret_cast<const char*>(service_string->Bytes());
if ( strncmp(s, "IPC", 3) == 0 )
@ -25,7 +25,7 @@ refine connection SMB_Conn += {
SMBHeaderVal(header),
std::move(service_string),
${val.byte_count} > ${val.service.a}->size() ?
IntrusivePtr<StringVal>{AdoptRef{}, smb_string2stringval(${val.native_file_system[0]})} :
smb_string2stringval(${val.native_file_system[0]}) :
val_mgr->EmptyString());
return true;

6
src/analyzer/protocol/smb/smb2-com-close.pac
View file

@ -6,8 +6,8 @@ refine connection SMB_Conn += {
{
BifEvent::enqueue_smb2_close_request(bro_analyzer(),
bro_analyzer()->Conn(),
{AdoptRef{}, BuildSMB2HeaderVal(h)},
{AdoptRef{}, BuildSMB2GUID(${val.file_id})});
BuildSMB2HeaderVal(h),
BuildSMB2GUID(${val.file_id}));
}
file_mgr->EndOfFile(bro_analyzer()->GetAnalyzerTag(),
@ -32,7 +32,7 @@ refine connection SMB_Conn += {
BifEvent::enqueue_smb2_close_response(bro_analyzer(),
bro_analyzer()->Conn(),
{AdoptRef{}, BuildSMB2HeaderVal(h)},
BuildSMB2HeaderVal(h),
std::move(resp));
}

13
src/analyzer/protocol/smb/smb2-com-create.pac
View file

@ -2,7 +2,8 @@ refine connection SMB_Conn += {
function proc_smb2_create_request(h: SMB2_Header, val: SMB2_create_request): bool
%{
StringVal *filename = smb2_string2stringval(${val.filename});
auto filename = smb2_string2stringval(${val.filename});
if ( ! ${h.is_pipe} &&
BifConst::SMB::pipe_filenames->AsTable()->Lookup(filename->CheckString()) )
{
@ -16,18 +17,14 @@ refine connection SMB_Conn += {
if ( smb2_create_request )
{
auto requestinfo = make_intrusive<RecordVal>(BifType::Record::SMB2::CreateRequest);
requestinfo->Assign(0, filename);
requestinfo->Assign(0, std::move(filename));
requestinfo->Assign(1, val_mgr->Count(${val.disposition}));
requestinfo->Assign(2, val_mgr->Count(${val.create_options}));
BifEvent::enqueue_smb2_create_request(bro_analyzer(),
bro_analyzer()->Conn(),
{AdoptRef{}, BuildSMB2HeaderVal(h)},
BuildSMB2HeaderVal(h),
std::move(requestinfo));
}
else
{
delete filename;
}
return true;
%}
@ -47,7 +44,7 @@ refine connection SMB_Conn += {
responseinfo->Assign(4, val_mgr->Count(${val.create_action}));
BifEvent::enqueue_smb2_create_response(bro_analyzer(),
bro_analyzer()->Conn(),
{AdoptRef{}, BuildSMB2HeaderVal(h)},
BuildSMB2HeaderVal(h),
std::move(responseinfo));
}

8
src/analyzer/protocol/smb/smb2-com-negotiate.pac
View file

@ -28,7 +28,7 @@ refine connection SMB_Conn += {
dialects->Assign(i, val_mgr->Count((*${val.dialects})[i]));
BifEvent::enqueue_smb2_negotiate_request(bro_analyzer(), bro_analyzer()->Conn(),
{AdoptRef{}, BuildSMB2HeaderVal(h)},
BuildSMB2HeaderVal(h),
std::move(dialects));
}
@ -48,7 +48,7 @@ refine connection SMB_Conn += {
nr->Assign(4, filetime2brotime(${val.server_start_time}));
nr->Assign(5, val_mgr->Count(${val.negotiate_context_count}));
VectorVal* cv = new VectorVal(BifType::Vector::SMB2::NegotiateContextValues);
auto cv = make_intrusive<VectorVal>(BifType::Vector::SMB2::NegotiateContextValues);
if ( ${val.dialect_revision} == 0x0311 && ${val.negotiate_context_count} > 0 )
{
@ -58,10 +58,10 @@ refine connection SMB_Conn += {
cv->Assign(${val.smb3_ncl.list.vals}->size(), BuildSMB2ContextVal(${val.smb3_ncl.list.last_val}));
}
nr->Assign(6, cv);
nr->Assign(6, std::move(cv));
BifEvent::enqueue_smb2_negotiate_response(bro_analyzer(), bro_analyzer()->Conn(),
{AdoptRef{}, BuildSMB2HeaderVal(h)},
BuildSMB2HeaderVal(h),
std::move(nr));
}

4
src/analyzer/protocol/smb/smb2-com-read.pac
View file

@ -28,8 +28,8 @@ refine connection SMB_Conn += {
{
BifEvent::enqueue_smb2_read_request(bro_analyzer(),
bro_analyzer()->Conn(),
{AdoptRef{}, BuildSMB2HeaderVal(h)},
{AdoptRef{}, BuildSMB2GUID(${val.file_id})},
BuildSMB2HeaderVal(h),
BuildSMB2GUID(${val.file_id}),
${val.offset},
${val.read_len});
}

4
src/analyzer/protocol/smb/smb2-com-session-setup.pac
View file

@ -9,7 +9,7 @@ refine connection SMB_Conn += {
BifEvent::enqueue_smb2_session_setup_request(bro_analyzer(),
bro_analyzer()->Conn(),
{AdoptRef{}, BuildSMB2HeaderVal(h)},
BuildSMB2HeaderVal(h),
std::move(req));
}
@ -30,7 +30,7 @@ refine connection SMB_Conn += {
BifEvent::enqueue_smb2_session_setup_response(bro_analyzer(),
bro_analyzer()->Conn(),
{AdoptRef{}, BuildSMB2HeaderVal(h)},
BuildSMB2HeaderVal(h),
std::move(resp));
}

72
src/analyzer/protocol/smb/smb2-com-set-info.pac
View file

@ -30,13 +30,13 @@ refine connection SMB_Conn += {
if ( smb2_file_sattr )
BifEvent::enqueue_smb2_file_sattr(bro_analyzer(),
bro_analyzer()->Conn(),
{AdoptRef{}, BuildSMB2HeaderVal(${val.sir.header})},
{AdoptRef{}, BuildSMB2GUID(${val.sir.file_id})},
{AdoptRef{}, SMB_BuildMACTimes(${val.last_write_time},
BuildSMB2HeaderVal(${val.sir.header}),
BuildSMB2GUID(${val.sir.file_id}),
SMB_BuildMACTimes(${val.last_write_time},
${val.last_access_time},
${val.creation_time},
${val.change_time})},
{AdoptRef{}, smb2_file_attrs_to_bro(${val.file_attrs})});
${val.change_time}),
smb2_file_attrs_to_bro(${val.file_attrs}));
return true;
%}
@ -46,9 +46,9 @@ refine connection SMB_Conn += {
if ( smb2_file_rename )
BifEvent::enqueue_smb2_file_rename(bro_analyzer(),
bro_analyzer()->Conn(),
{AdoptRef{}, BuildSMB2HeaderVal(${val.sir.header})},
{AdoptRef{}, BuildSMB2GUID(${val.sir.file_id})},
{AdoptRef{}, smb2_string2stringval(${val.filename})});
BuildSMB2HeaderVal(${val.sir.header}),
BuildSMB2GUID(${val.sir.file_id}),
smb2_string2stringval(${val.filename}));
return true;
%}
@ -58,8 +58,8 @@ refine connection SMB_Conn += {
if ( smb2_file_delete )
BifEvent::enqueue_smb2_file_delete(bro_analyzer(),
bro_analyzer()->Conn(),
{AdoptRef{}, BuildSMB2HeaderVal(${val.sir.header})},
{AdoptRef{}, BuildSMB2GUID(${val.sir.file_id})},
BuildSMB2HeaderVal(${val.sir.header}),
BuildSMB2GUID(${val.sir.file_id}),
(${val.delete_pending} > 0));
return true;
@ -70,8 +70,8 @@ refine connection SMB_Conn += {
if ( smb2_file_allocation )
BifEvent::enqueue_smb2_file_allocation(bro_analyzer(),
bro_analyzer()->Conn(),
{AdoptRef{}, BuildSMB2HeaderVal(${val.sir.header})},
{AdoptRef{}, BuildSMB2GUID(${val.sir.file_id})},
BuildSMB2HeaderVal(${val.sir.header}),
BuildSMB2GUID(${val.sir.file_id}),
(${val.allocation_size}));
return true;
@ -82,8 +82,8 @@ refine connection SMB_Conn += {
if ( smb2_file_endoffile )
BifEvent::enqueue_smb2_file_endoffile(bro_analyzer(),
bro_analyzer()->Conn(),
{AdoptRef{}, BuildSMB2HeaderVal(${val.sir.header})},
{AdoptRef{}, BuildSMB2GUID(${val.sir.file_id})},
BuildSMB2HeaderVal(${val.sir.header}),
BuildSMB2GUID(${val.sir.file_id}),
${val.endoffile});
return true;
@ -106,8 +106,8 @@ refine connection SMB_Conn += {
BifEvent::enqueue_smb2_file_fullea(bro_analyzer(),
bro_analyzer()->Conn(),
{AdoptRef{}, BuildSMB2HeaderVal(${val.sir.header})},
{AdoptRef{}, BuildSMB2GUID(${val.sir.file_id})},
BuildSMB2HeaderVal(${val.sir.header}),
BuildSMB2GUID(${val.sir.file_id}),
std::move(eas));
}
@ -119,10 +119,10 @@ refine connection SMB_Conn += {
if ( smb2_file_link )
BifEvent::enqueue_smb2_file_link(bro_analyzer(),
bro_analyzer()->Conn(),
{AdoptRef{}, BuildSMB2HeaderVal(${val.sir.header})},
{AdoptRef{}, BuildSMB2GUID(${val.sir.file_id})},
BuildSMB2HeaderVal(${val.sir.header}),
BuildSMB2GUID(${val.sir.file_id}),
${val.root_directory},
{AdoptRef{}, smb2_string2stringval(${val.file_name})});
smb2_string2stringval(${val.file_name}));
return true;
%}
@ -132,8 +132,8 @@ refine connection SMB_Conn += {
if ( smb2_file_mode )
BifEvent::enqueue_smb2_file_mode(bro_analyzer(),
bro_analyzer()->Conn(),
{AdoptRef{}, BuildSMB2HeaderVal(${val.sir.header})},
{AdoptRef{}, BuildSMB2GUID(${val.sir.file_id})},
BuildSMB2HeaderVal(${val.sir.header}),
BuildSMB2GUID(${val.sir.file_id}),
${val.mode});
return true;
@ -144,8 +144,8 @@ refine connection SMB_Conn += {
if ( smb2_file_pipe )
BifEvent::enqueue_smb2_file_pipe(bro_analyzer(),
bro_analyzer()->Conn(),
{AdoptRef{}, BuildSMB2HeaderVal(${val.sir.header})},
{AdoptRef{}, BuildSMB2GUID(${val.sir.file_id})},
BuildSMB2HeaderVal(${val.sir.header}),
BuildSMB2GUID(${val.sir.file_id}),
${val.read_mode},
${val.completion_mode});
@ -157,8 +157,8 @@ refine connection SMB_Conn += {
if ( smb2_file_position )
BifEvent::enqueue_smb2_file_position(bro_analyzer(),
bro_analyzer()->Conn(),
{AdoptRef{}, BuildSMB2HeaderVal(${val.sir.header})},
{AdoptRef{}, BuildSMB2GUID(${val.sir.file_id})},
BuildSMB2HeaderVal(${val.sir.header}),
BuildSMB2GUID(${val.sir.file_id}),
${val.current_byte_offset});
return true;
@ -169,9 +169,9 @@ refine connection SMB_Conn += {
if ( smb2_file_shortname )
BifEvent::enqueue_smb2_file_shortname(bro_analyzer(),
bro_analyzer()->Conn(),
{AdoptRef{}, BuildSMB2HeaderVal(${val.sir.header})},
{AdoptRef{}, BuildSMB2GUID(${val.sir.file_id})},
{AdoptRef{}, smb2_string2stringval(${val.filename})});
BuildSMB2HeaderVal(${val.sir.header}),
BuildSMB2GUID(${val.sir.file_id}),
smb2_string2stringval(${val.filename}));
return true;
%}
@ -181,8 +181,8 @@ refine connection SMB_Conn += {
if ( smb2_file_validdatalength )
BifEvent::enqueue_smb2_file_validdatalength(bro_analyzer(),
bro_analyzer()->Conn(),
{AdoptRef{}, BuildSMB2HeaderVal(${val.sir.header})},
{AdoptRef{}, BuildSMB2GUID(${val.sir.file_id})},
BuildSMB2HeaderVal(${val.sir.header}),
BuildSMB2GUID(${val.sir.file_id}),
${val.validdatalength});
return true;
@ -202,8 +202,8 @@ refine connection SMB_Conn += {
BifEvent::enqueue_smb2_file_fscontrol(bro_analyzer(),
bro_analyzer()->Conn(),
{AdoptRef{}, BuildSMB2HeaderVal(${val.sir.header})},
{AdoptRef{}, BuildSMB2GUID(${val.sir.file_id})},
BuildSMB2HeaderVal(${val.sir.header}),
BuildSMB2GUID(${val.sir.file_id}),
std::move(r));
}
@ -215,10 +215,10 @@ refine connection SMB_Conn += {
if ( smb2_file_fsobjectid )
BifEvent::enqueue_smb2_file_fsobjectid(bro_analyzer(),
bro_analyzer()->Conn(),
{AdoptRef{}, BuildSMB2HeaderVal(${val.sir.header})},
{AdoptRef{}, BuildSMB2GUID(${val.sir.file_id})},
{AdoptRef{}, BuildSMB2GUID(${val.object_id})},
{AdoptRef{}, smb2_string2stringval(${val.extended_info})});
BuildSMB2HeaderVal(${val.sir.header}),
BuildSMB2GUID(${val.sir.file_id}),
BuildSMB2GUID(${val.object_id}),
smb2_string2stringval(${val.extended_info}));
return true;
%}

16
src/analyzer/protocol/smb/smb2-com-transform-header.pac
View file

@ -1,24 +1,20 @@
refine connection SMB_Conn += {
function BuildSMB2TransformHeaderVal(hdr: SMB2_transform_header): BroVal
function proc_smb2_transform_header(hdr: SMB2_transform_header) : bool
%{
RecordVal* r = new RecordVal(BifType::Record::SMB2::Transform_header);
if ( smb2_transform_header )
{
auto r = make_intrusive<RecordVal>(BifType::Record::SMB2::Transform_header);
r->Assign(0, to_stringval(${hdr.signature}));
r->Assign(1, to_stringval(${hdr.nonce}));
r->Assign(2, val_mgr->Count(${hdr.orig_msg_size}));
r->Assign(3, val_mgr->Count(${hdr.flags}));
r->Assign(4, val_mgr->Count(${hdr.session_id}));
return r;
%}
function proc_smb2_transform_header(hdr: SMB2_transform_header) : bool
%{
if ( smb2_transform_header )
BifEvent::enqueue_smb2_transform_header(bro_analyzer(),
bro_analyzer()->Conn(),
{AdoptRef{}, BuildSMB2TransformHeaderVal(hdr)});
std::move(r));
}
return true;
%}

6
src/analyzer/protocol/smb/smb2-com-tree-connect.pac
View file

@ -5,8 +5,8 @@ refine connection SMB_Conn += {
if ( smb2_tree_connect_request )
BifEvent::enqueue_smb2_tree_connect_request(bro_analyzer(),
bro_analyzer()->Conn(),
{AdoptRef{}, BuildSMB2HeaderVal(header)},
{AdoptRef{}, smb2_string2stringval(${val.path})});
BuildSMB2HeaderVal(header),
smb2_string2stringval(${val.path}));
return true;
%}
@ -23,7 +23,7 @@ refine connection SMB_Conn += {
BifEvent::enqueue_smb2_tree_connect_response(bro_analyzer(),
bro_analyzer()->Conn(),
{AdoptRef{}, BuildSMB2HeaderVal(header)},
BuildSMB2HeaderVal(header),
std::move(resp));
}

4
src/analyzer/protocol/smb/smb2-com-tree-disconnect.pac
View file

@ -9,7 +9,7 @@ refine connection SMB_Conn += {
{
BifEvent::enqueue_smb2_tree_disconnect_request(bro_analyzer(),
bro_analyzer()->Conn(),
{AdoptRef{}, BuildSMB2HeaderVal(header)});
BuildSMB2HeaderVal(header));
}
return true;
@ -21,7 +21,7 @@ refine connection SMB_Conn += {
{
BifEvent::enqueue_smb2_tree_disconnect_response(bro_analyzer(),
bro_analyzer()->Conn(),
{AdoptRef{}, BuildSMB2HeaderVal(header)});
BuildSMB2HeaderVal(header));
}
return true;

6
src/analyzer/protocol/smb/smb2-com-write.pac
View file

@ -6,8 +6,8 @@ refine connection SMB_Conn += {
{
BifEvent::enqueue_smb2_write_request(bro_analyzer(),
bro_analyzer()->Conn(),
{AdoptRef{}, BuildSMB2HeaderVal(h)},
{AdoptRef{}, BuildSMB2GUID(${val.file_id})},
BuildSMB2HeaderVal(h),
BuildSMB2GUID(${val.file_id}),
${val.offset},
${val.data_len});
}
@ -29,7 +29,7 @@ refine connection SMB_Conn += {
{
BifEvent::enqueue_smb2_write_response(bro_analyzer(),
bro_analyzer()->Conn(),
{AdoptRef{}, BuildSMB2HeaderVal(h)},
BuildSMB2HeaderVal(h),
${val.write_count});
}

253
src/analyzer/protocol/smb/smb2-protocol.pac
View file

@ -1,6 +1,137 @@
# Documentation for SMB2 protocol from here:
# http://msdn.microsoft.com/en-us/library/cc246497(v=PROT.13).aspx
%header{
IntrusivePtr<RecordVal> BuildSMB2HeaderVal(SMB2_Header* hdr);
IntrusivePtr<RecordVal> BuildSMB2GUID(SMB2_guid* file_id);
IntrusivePtr<RecordVal> smb2_file_attrs_to_bro(SMB2_file_attributes* val);
IntrusivePtr<RecordVal> BuildSMB2ContextVal(SMB3_negotiate_context_value* ncv);
%}
%code{
IntrusivePtr<RecordVal> BuildSMB2HeaderVal(SMB2_Header* hdr)
{
auto r = make_intrusive<RecordVal>(BifType::Record::SMB2::Header);
r->Assign(0, val_mgr->Count(${hdr.credit_charge}));
r->Assign(1, val_mgr->Count(${hdr.status}));
r->Assign(2, val_mgr->Count(${hdr.command}));
r->Assign(3, val_mgr->Count(${hdr.credits}));
r->Assign(4, val_mgr->Count(${hdr.flags}));
r->Assign(5, val_mgr->Count(${hdr.message_id}));
r->Assign(6, val_mgr->Count(${hdr.process_id}));
r->Assign(7, val_mgr->Count(${hdr.tree_id}));
r->Assign(8, val_mgr->Count(${hdr.session_id}));
r->Assign(9, to_stringval(${hdr.signature}));
return r;
}
IntrusivePtr<RecordVal> BuildSMB2GUID(SMB2_guid* file_id)
{
auto r = make_intrusive<RecordVal>(BifType::Record::SMB2::GUID);
r->Assign(0, val_mgr->Count(${file_id.persistent}));
r->Assign(1, val_mgr->Count(${file_id._volatile}));
return r;
}
IntrusivePtr<RecordVal> smb2_file_attrs_to_bro(SMB2_file_attributes* val)
{
auto r = make_intrusive<RecordVal>(BifType::Record::SMB2::FileAttrs);
r->Assign(0, val_mgr->Bool(${val.read_only}));
r->Assign(1, val_mgr->Bool(${val.hidden}));
r->Assign(2, val_mgr->Bool(${val.system}));
r->Assign(3, val_mgr->Bool(${val.directory}));
r->Assign(4, val_mgr->Bool(${val.archive}));
r->Assign(5, val_mgr->Bool(${val.normal}));
r->Assign(6, val_mgr->Bool(${val.temporary}));
r->Assign(7, val_mgr->Bool(${val.sparse_file}));
r->Assign(8, val_mgr->Bool(${val.reparse_point}));
r->Assign(9, val_mgr->Bool(${val.compressed}));
r->Assign(10, val_mgr->Bool(${val.offline}));
r->Assign(11, val_mgr->Bool(${val.not_content_indexed}));
r->Assign(12, val_mgr->Bool(${val.encrypted}));
r->Assign(13, val_mgr->Bool(${val.integrity_stream}));
r->Assign(14, val_mgr->Bool(${val.no_scrub_data}));
return r;
}
IntrusivePtr<RecordVal> BuildSMB2ContextVal(SMB3_negotiate_context_value* ncv)
{
auto r = make_intrusive<RecordVal>(BifType::Record::SMB2::NegotiateContextValue);
r->Assign(0, val_mgr->Count(${ncv.context_type}));
r->Assign(1, val_mgr->Count(${ncv.data_length}));
switch ( ${ncv.context_type} ) {
case SMB2_PREAUTH_INTEGRITY_CAPABILITIES:
{
auto rpreauth = make_intrusive<RecordVal>(BifType::Record::SMB2::PreAuthIntegrityCapabilities);
rpreauth->Assign(0, val_mgr->Count(${ncv.preauth_integrity_capabilities.hash_alg_count}));
rpreauth->Assign(1, val_mgr->Count(${ncv.preauth_integrity_capabilities.salt_length}));
auto ha = make_intrusive<VectorVal>(internal_type("index_vec")->AsVectorType());
for ( int i = 0; i < ${ncv.preauth_integrity_capabilities.hash_alg_count}; ++i )
{
const auto& vec = *${ncv.preauth_integrity_capabilities.hash_alg};
ha->Assign(i, val_mgr->Count(vec[i]));
}
rpreauth->Assign(2, std::move(ha));
rpreauth->Assign(3, to_stringval(${ncv.preauth_integrity_capabilities.salt}));
r->Assign(2, std::move(rpreauth));
}
break;
case SMB2_ENCRYPTION_CAPABILITIES:
{
auto rencr = make_intrusive<RecordVal>(BifType::Record::SMB2::EncryptionCapabilities);
rencr->Assign(0, val_mgr->Count(${ncv.encryption_capabilities.cipher_count}));
auto c = make_intrusive<VectorVal>(internal_type("index_vec")->AsVectorType());
for ( int i = 0; i < ${ncv.encryption_capabilities.cipher_count}; ++i )
{
const auto& vec = *${ncv.encryption_capabilities.ciphers};
c->Assign(i, val_mgr->Count(vec[i]));
}
rencr->Assign(1, std::move(c));
r->Assign(3, std::move(rencr));
}
break;
case SMB2_COMPRESSION_CAPABILITIES:
{
auto rcomp = make_intrusive<RecordVal>(BifType::Record::SMB2::CompressionCapabilities);
rcomp->Assign(0, val_mgr->Count(${ncv.compression_capabilities.alg_count}));
auto c = make_intrusive<VectorVal>(internal_type("index_vec")->AsVectorType());
for ( int i = 0; i < ${ncv.compression_capabilities.alg_count}; ++i )
{
const auto& vec = *${ncv.compression_capabilities.algs};
c->Assign(i, val_mgr->Count(vec[i]));
}
rcomp->Assign(1, std::move(c));
r->Assign(4, std::move(rcomp));
}
break;
case SMB2_NETNAME_NEGOTIATE_CONTEXT_ID:
{
r->Assign(5, to_stringval(${ncv.netname_negotiate_context_id.net_name}));
}
break;
default:
break;
}
return r;
}
%}
enum smb2_commands {
SMB2_NEGOTIATE_PROTOCOL = 0,
SMB2_SESSION_SETUP = 1,
@ -100,102 +231,6 @@ refine connection SMB_Conn += {
std::map<uint64,uint64> smb2_request_tree_id;
%}
function BuildSMB2ContextVal(ncv: SMB3_negotiate_context_value): BroVal
%{
RecordVal* r = new RecordVal(BifType::Record::SMB2::NegotiateContextValue);
r->Assign(0, val_mgr->Count(${ncv.context_type}));
r->Assign(1, val_mgr->Count(${ncv.data_length}));
switch ( ${ncv.context_type} ) {
case SMB2_PREAUTH_INTEGRITY_CAPABILITIES:
{
RecordVal* rpreauth = new RecordVal(BifType::Record::SMB2::PreAuthIntegrityCapabilities);
rpreauth->Assign(0, val_mgr->Count(${ncv.preauth_integrity_capabilities.hash_alg_count}));
rpreauth->Assign(1, val_mgr->Count(${ncv.preauth_integrity_capabilities.salt_length}));
VectorVal* ha = new VectorVal(internal_type("index_vec")->AsVectorType());
for ( int i = 0; i < (${ncv.preauth_integrity_capabilities.hash_alg_count}); ++i )
ha->Assign(i, val_mgr->Count(${ncv.preauth_integrity_capabilities.hash_alg[i]}));
rpreauth->Assign(2, ha);
rpreauth->Assign(3, to_stringval(${ncv.preauth_integrity_capabilities.salt}));
r->Assign(2, rpreauth);
}
break;
case SMB2_ENCRYPTION_CAPABILITIES:
{
RecordVal* rencr = new RecordVal(BifType::Record::SMB2::EncryptionCapabilities);
rencr->Assign(0, val_mgr->Count(${ncv.encryption_capabilities.cipher_count}));
VectorVal* c = new VectorVal(internal_type("index_vec")->AsVectorType());
for ( int i = 0; i < (${ncv.encryption_capabilities.cipher_count}); ++i )
c->Assign(i, val_mgr->Count(${ncv.encryption_capabilities.ciphers[i]}));
rencr->Assign(1, c);
r->Assign(3, rencr);
}
break;
case SMB2_COMPRESSION_CAPABILITIES:
{
RecordVal* rcomp = new RecordVal(BifType::Record::SMB2::CompressionCapabilities);
rcomp->Assign(0, val_mgr->Count(${ncv.compression_capabilities.alg_count}));
VectorVal* c = new VectorVal(internal_type("index_vec")->AsVectorType());
for ( int i = 0; i < (${ncv.compression_capabilities.alg_count}); ++i )
c->Assign(i, val_mgr->Count(${ncv.compression_capabilities.algs[i]}));
rcomp->Assign(1, c);
r->Assign(4, rcomp);
}
break;
case SMB2_NETNAME_NEGOTIATE_CONTEXT_ID:
{
r->Assign(5, to_stringval(${ncv.netname_negotiate_context_id.net_name}));
}
break;
default:
break;
}
return r;
%}
function BuildSMB2HeaderVal(hdr: SMB2_Header): BroVal
%{
RecordVal* r = new RecordVal(BifType::Record::SMB2::Header);
r->Assign(0, val_mgr->Count(${hdr.credit_charge}));
r->Assign(1, val_mgr->Count(${hdr.status}));
r->Assign(2, val_mgr->Count(${hdr.command}));
r->Assign(3, val_mgr->Count(${hdr.credits}));
r->Assign(4, val_mgr->Count(${hdr.flags}));
r->Assign(5, val_mgr->Count(${hdr.message_id}));
r->Assign(6, val_mgr->Count(${hdr.process_id}));
r->Assign(7, val_mgr->Count(${hdr.tree_id}));
r->Assign(8, val_mgr->Count(${hdr.session_id}));
r->Assign(9, to_stringval(${hdr.signature}));
return r;
%}
function BuildSMB2GUID(file_id: SMB2_guid): BroVal
%{
RecordVal* r = new RecordVal(BifType::Record::SMB2::GUID);
r->Assign(0, val_mgr->Count(${file_id.persistent}));
r->Assign(1, val_mgr->Count(${file_id._volatile}));
return r;
%}
function proc_smb2_message(h: SMB2_Header, is_orig: bool): bool
%{
if ( is_orig )
@ -216,8 +251,7 @@ refine connection SMB_Conn += {
if ( smb2_message )
{
BifEvent::enqueue_smb2_message(bro_analyzer(), bro_analyzer()->Conn(),
{AdoptRef{}, BuildSMB2HeaderVal(h)},
is_orig);
BuildSMB2HeaderVal(h), is_orig);
}
return true;
%}
@ -234,29 +268,6 @@ refine connection SMB_Conn += {
%}
};
function smb2_file_attrs_to_bro(val: SMB2_file_attributes): BroVal
%{
RecordVal* r = new RecordVal(BifType::Record::SMB2::FileAttrs);
r->Assign(0, val_mgr->Bool(${val.read_only}));
r->Assign(1, val_mgr->Bool(${val.hidden}));
r->Assign(2, val_mgr->Bool(${val.system}));
r->Assign(3, val_mgr->Bool(${val.directory}));
r->Assign(4, val_mgr->Bool(${val.archive}));
r->Assign(5, val_mgr->Bool(${val.normal}));
r->Assign(6, val_mgr->Bool(${val.temporary}));
r->Assign(7, val_mgr->Bool(${val.sparse_file}));
r->Assign(8, val_mgr->Bool(${val.reparse_point}));
r->Assign(9, val_mgr->Bool(${val.compressed}));
r->Assign(10, val_mgr->Bool(${val.offline}));
r->Assign(11, val_mgr->Bool(${val.not_content_indexed}));
r->Assign(12, val_mgr->Bool(${val.encrypted}));
r->Assign(13, val_mgr->Bool(${val.integrity_stream}));
r->Assign(14, val_mgr->Bool(${val.no_scrub_data}));
return r;
%}
type SMB2_file_attributes = record {
flags : uint32;
} &let {

31
src/binpac_bro-lib.pac
View file

@ -6,22 +6,18 @@
#include "ConvertUTF.h"
%}
function network_time(): double
%{
return ::network_time;
%}
function utf16_bytestring_to_utf8_val(conn: Connection, utf16: bytestring): StringVal
%{
%code{
IntrusivePtr<StringVal> utf16_to_utf8_val(Connection* conn, const bytestring& utf16)
{
std::string resultstring;
size_t utf8size = (3 * utf16.length() + 1);
if ( utf8size > resultstring.max_size() )
{
reporter->Info("utf16 too long in utf16_bytestring_to_utf8_val");
reporter->Weird(conn, "utf16_conversion_failed", "utf16 too long in utf16_to_utf8_val");
// If the conversion didn't go well, return the original data.
return to_stringval(utf16).release();
return to_stringval(utf16);
}
resultstring.resize(utf8size, '\0');
@ -47,14 +43,25 @@ function utf16_bytestring_to_utf8_val(conn: Connection, utf16: bytestring): Stri
lenientConversion);
if ( res != conversionOK )
{
reporter->Weird(conn, "utf16_conversion_failed", "utf16 conversion failed in utf16_bytestring_to_utf8_val");
reporter->Weird(conn, "utf16_conversion_failed", "utf16 conversion failed in utf16_to_utf8_val");
// If the conversion didn't go well, return the original data.
return to_stringval(utf16).release();
return to_stringval(utf16);
}
*targetstart = 0;
// We're relying on no nulls being in the string.
//return new StringVal(resultstring.length(), (const char *) resultstring.data());
return new StringVal(resultstring.c_str());
return make_intrusive<StringVal>(resultstring.c_str());
}
StringVal* utf16_bytestring_to_utf8_val(Connection* conn, const bytestring& utf16)
{
return utf16_to_utf8_val(conn, utf16).release();
}
%}
function network_time(): double
%{
return ::network_time;
%}

5
src/binpac_bro.h
View file

@ -40,4 +40,9 @@ inline IntrusivePtr<StringVal> to_stringval(const_bytestring const& str)
return make_intrusive<StringVal>(str.length(), (const char*) str.begin());
}
IntrusivePtr<StringVal> utf16_to_utf8_val(Connection* conn, const bytestring& utf16);
[[deprecated("Remove in v4.1. Use utf16_to_utf8_val() instead.")]]
StringVal* utf16_bytestring_to_utf8_val(Connection* conn, const bytestring& utf16);
} // namespace binpac

1
src/bro.pac
View file

@ -8,4 +8,3 @@ extern type BroPortVal;
extern type BroStringVal;
function network_time(): double;
function utf16_bytestring_to_utf8_val(conn: Connection, utf16: bytestring): StringVal;