From a76e50d2e15c6588773bb8e9e1120de32260af97 Mon Sep 17 00:00:00 2001
From: Julien Wallior
Date: Thu, 11 Jan 2018 14:47:14 -0500
Subject: [PATCH] Change smb2_create_response event arguments to single response struct. Added disposition and create_action fields.
---
 scripts/base/init-bare.bro | 19 +++++++++++++++++++
 scripts/policy/protocols/smb/smb2-main.bro | 18 +++++++++---------
 src/analyzer/protocol/smb/smb2-com-create.pac | 17 ++++++++++-------
 src/analyzer/protocol/smb/smb2_com_create.bif | 11 +++--------
 4 files changed, 41 insertions(+), 24 deletions(-)
diff --git a/scripts/base/init-bare.bro b/scripts/base/init-bare.bro
index 4cd061e737..78b91b53f2 100644
--- a/scripts/base/init-bare.bro
+++ b/scripts/base/init-bare.bro
@@ -3068,6 +3068,25 @@ export {
 ## Specifies the options to be applied when creating or opening the file.
 create_options : count;
 };
+
+ ## The response to an SMB2 *create_request* request, which is sent by the client to request
+ ## either creation of or access to a file.
+ ##
+ ## For more information, see MS-SMB2:2.2.14
+ ##
+ ## .. bro:see:: smb2_create_response
+ type SMB2::CreateResponse: record {
+ ## The SMB2 GUID for the file.
+ file_id : SMB2::GUID;
+ ## Size of the file.
+ size : count;
+ ## Timestamps associated with the file in question.
+ times : SMB::MACTimes;
+ ## File attributes.
+ attrs : SMB2::FileAttrs;
+ ## The action taken in establishing the open.
+ create_action : count;
+ };
 }
 module GLOBAL;
diff --git a/scripts/policy/protocols/smb/smb2-main.bro b/scripts/policy/protocols/smb/smb2-main.bro
index 55b6da5534..750a7ff1bc 100644
--- a/scripts/policy/protocols/smb/smb2-main.bro
+++ b/scripts/policy/protocols/smb/smb2-main.bro
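Review bot: The new `create_action` field is documented only as "The action taken in establishing the open", which leaves a script author no way to interpret the number without opening MS-SMB2 2.2.14; the comment should list the values. Per MS-SMB2 2.2.14 the CreateAction field is 0 (FILE_SUPERSEDED), 1 (FILE_OPENED), 2 (FILE_CREATED) or 3 (FILE_OVERWRITTEN), so I would write `## The action taken in establishing the open (MS-SMB2 CreateAction: 0 = superseded, 1 = opened, 2 = created, 3 = overwritten).` Likewise `size` appears to be filled from the parser's `eof` (EndOfFile) field in the .pac hunk rather than AllocationSize, so `## Size of the file (EndOfFile, not the allocated size).` would remove that ambiguity. The commit message also mentions a disposition field, but none appears in this record; if it went into SMB2::CreateRequest above this hunk that is fine, otherwise the message overstates the change.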
@@ -153,28 +153,28 @@ event smb2_create_request(c: connection, hdr: SMB2::Header, request: SMB2::Creat
 }
 }
-event smb2_create_response(c: connection, hdr: SMB2::Header, file_id: SMB2::GUID, file_size: count, times: SMB::MACTimes, attrs: SMB2::FileAttrs) &priority=5
+event smb2_create_response(c: connection, hdr: SMB2::Header, response: SMB2::CreateResponse) &priority=5
 {
- SMB::set_current_file(c$smb_state, file_id$persistent+file_id$volatile);
+ SMB::set_current_file(c$smb_state, response$file_id$persistent+response$file_id$volatile);
- c$smb_state$current_file$fid = file_id$persistent+file_id$volatile;
- c$smb_state$current_file$size = file_size;
+ c$smb_state$current_file$fid = response$file_id$persistent+response$file_id$volatile;
+ c$smb_state$current_file$size = response$size;
 if ( c$smb_state$current_tree?$path )
 c$smb_state$current_file$path = c$smb_state$current_tree$path;
 # I'm seeing negative data from IPC tree transfers
- if ( time_to_double(times$modified) > 0.0 )
- c$smb_state$current_file$times = times;
+ if ( time_to_double(response$times$modified) > 0.0 )
+ c$smb_state$current_file$times = response$times;
 # We can identify the file by its file id now so let's stick it
 # in the file map.
- c$smb_state$fid_map[file_id$persistent+file_id$volatile] = c$smb_state$current_file;
+ c$smb_state$fid_map[response$file_id$persistent+response$file_id$volatile] = c$smb_state$current_file;
- c$smb_state$current_file = c$smb_state$fid_map[file_id$persistent+file_id$volatile];
+ c$smb_state$current_file = c$smb_state$fid_map[response$file_id$persistent+response$file_id$volatile];
 }
-event smb2_create_response(c: connection, hdr: SMB2::Header, file_id: SMB2::GUID, file_size: count, times: SMB::MACTimes, attrs: SMB2::FileAttrs) &priority=-5
+event smb2_create_response(c: connection, hdr: SMB2::Header, response: SMB2::CreateResponse) &priority=-5
 {
 SMB::write_file_log(c$smb_state);
 }
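Review bot: The &priority=5 handler copies `response$file_id`, `response$size` and `response$times` into the per-file state but drops `response$create_action`, so the file log still cannot distinguish a file that was newly created or overwritten from one that was merely opened — precisely the distinction a detection for writes to ADMIN$/C$ shares needs, and the reason the field was added. Since the record now carries it, I would keep it next to `size`, e.g. `c$smb_state$current_file$create_action = response$create_action;`, provided SMB::FileInfo (not visible here) has or gains such a field, so that write_file_log emits it. Separately, the handler dereferences `c$smb_state$current_tree` and `c$smb_state$current_file` without checking they were populated; those are pre-existing context lines, but if a create response is seen without its request (a mid-stream capture) the lookup presumably raises a script error, so a guard such as `if ( ! c?$smb_state ) return;` at the top is cheap insurance. The smb2_create_request handler whose closing braces open the hunk lies outside my view.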
diff --git a/src/analyzer/protocol/smb/smb2-com-create.pac b/src/analyzer/protocol/smb/smb2-com-create.pac
index afa6dbcfec..1cc97fb0bd 100644
--- a/src/analyzer/protocol/smb/smb2-com-create.pac
+++ b/src/analyzer/protocol/smb/smb2-com-create.pac
@@ -34,16 +34,19 @@ refine connection SMB_Conn += {
 %{
 if ( smb2_create_response )
 {
+ RecordVal* responseinfo = new RecordVal(BifType::Record::SMB2::CreateResponse);
+ responseinfo->Assign(0, BuildSMB2GUID(${val.file_id}));
+ responseinfo->Assign(1, new Val(${val.eof}, TYPE_COUNT));
+ responseinfo->Assign(2, SMB_BuildMACTimes(${val.last_write_time},
+ ${val.last_access_time},
+ ${val.creation_time},
+ ${val.change_time}));
+ responseinfo->Assign(3, smb2_file_attrs_to_bro(${val.file_attrs}));
+ responseinfo->Assign(4, new Val(${val.create_action}, TYPE_COUNT));
 BifEvent::generate_smb2_create_response(bro_analyzer(),
 bro_analyzer()->Conn(),
 BuildSMB2HeaderVal(h),
- BuildSMB2GUID(${val.file_id}),
- ${val.eof},
- SMB_BuildMACTimes(${val.last_write_time},
- ${val.last_access_time},
- ${val.creation_time},
- ${val.change_time}),
- smb2_file_attrs_to_bro(${val.file_attrs}));
+ responseinfo);
 }
 return true;
diff --git a/src/analyzer/protocol/smb/smb2_com_create.bif b/src/analyzer/protocol/smb/smb2_com_create.bif
index ef7d8d93ff..9a77878e9f 100644
--- a/src/analyzer/protocol/smb/smb2_com_create.bif
+++ b/src/analyzer/protocol/smb/smb2_com_create.bif
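Review bot: The five `responseinfo->Assign(N, ...)` calls bind values by bare numeric offset, so the event's correctness now silently depends on the field order of SMB2::CreateResponse in scripts/base/init-bare.bro; inserting a field there (the commit message already speaks of a disposition field) would shift `size`, `times` and `attrs` into the wrong slots with no compile-time or runtime error. I would at least pin the coupling with a comment above the first Assign, `// Offsets must match the field order of SMB2::CreateResponse in scripts/base/init-bare.bro.`, or resolve them by name via `BifType::Record::SMB2::CreateResponse->FieldOffset("size")` and friends if that idiom is used elsewhere in the analyzer. Ownership looks consistent with the old code — the RecordVal is handed to generate_smb2_create_response the same way the individual Vals were, and presumably released by the event engine — but a one-line comment stating that would save the next reader from checking. The enclosing binpac function body continues on both sides of the hunk.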
@@ -23,17 +23,12 @@ event smb2_create_request%(c: connection, hdr: SMB2::Header, request: SMB2::Crea
 ##
 ## hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 2 message.
 ##
-## file_id: The SMB2 GUID for the file.
-##
-## size: Size of the file.
-##
-## times: Timestamps associated with the file in question.
-##
-## attrs: File attributes.
+## response: A record with more information related to the response.
 ##
 ## .. bro:see:: smb2_message smb2_create_request
-event smb2_create_response%(c: connection, hdr: SMB2::Header, file_id: SMB2::GUID, size: count, times: SMB::MACTimes, attrs: SMB2::FileAttrs%);
+event smb2_create_response%(c: connection, hdr: SMB2::Header, response: SMB2::CreateResponse%);
 #### Types
 type SMB2::CreateRequest: record;
+type SMB2::CreateResponse: record;
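Review bot: The new `## response:` line says only "A record with more information related to the response", which tells a script author nothing the parameter type does not already say; it should name what the record carries and point at the type, e.g. `## response: The parsed response fields (file ID, size, timestamps, attributes and create action); see :bro:type:`SMB2::CreateResponse`.` Changing the event's argument list is also a breaking change for any user script that still handles `smb2_create_response` with the old six-argument signature — the handler should be rejected at load time — so unless it is covered elsewhere in this series, NEWS/CHANGES should call it out. The `type SMB2::CreateResponse: record;` forward declaration matches the record added to init-bare.bro.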