Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-15 21:18:20 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 3

Change smb2_create_response event arguments to single response struct.

Browse source 
Added disposition and create_action fields.
This commit is contained in:
Julien Wallior 2018-01-11 14:47:14 -05:00
parent f041c97cdc
commit a76e50d2e1
4 changed files with 41 additions and 24 deletions
Download patch file Download diff file Expand all files Collapse all files

18
scripts/policy/protocols/smb/smb2-main.bro
View file

@ -153,28 +153,28 @@ event smb2_create_request(c: connection, hdr: SMB2::Header, request: SMB2::Creat
}
}
event smb2_create_response(c: connection, hdr: SMB2::Header, file_id: SMB2::GUID, file_size: count, times: SMB::MACTimes, attrs: SMB2::FileAttrs) &priority=5
event smb2_create_response(c: connection, hdr: SMB2::Header, response: SMB2::CreateResponse) &priority=5
{
SMB::set_current_file(c$smb_state, file_id$persistent+file_id$volatile);
SMB::set_current_file(c$smb_state, response$file_id$persistent+response$file_id$volatile);
c$smb_state$current_file$fid = file_id$persistent+file_id$volatile;
c$smb_state$current_file$size = file_size;
c$smb_state$current_file$fid = response$file_id$persistent+response$file_id$volatile;
c$smb_state$current_file$size = response$size;
if ( c$smb_state$current_tree?$path )
c$smb_state$current_file$path = c$smb_state$current_tree$path;
# I'm seeing negative data from IPC tree transfers
if ( time_to_double(times$modified) > 0.0 )
c$smb_state$current_file$times = times;
if ( time_to_double(response$times$modified) > 0.0 )
c$smb_state$current_file$times = response$times;
# We can identify the file by its file id now so let's stick it
# in the file map.
c$smb_state$fid_map[file_id$persistent+file_id$volatile] = c$smb_state$current_file;
c$smb_state$fid_map[response$file_id$persistent+response$file_id$volatile] = c$smb_state$current_file;
c$smb_state$current_file = c$smb_state$fid_map[file_id$persistent+file_id$volatile];
c$smb_state$current_file = c$smb_state$fid_map[response$file_id$persistent+response$file_id$volatile];
}
event smb2_create_response(c: connection, hdr: SMB2::Header, file_id: SMB2::GUID, file_size: count, times: SMB::MACTimes, attrs: SMB2::FileAttrs) &priority=-5
event smb2_create_response(c: connection, hdr: SMB2::Header, response: SMB2::CreateResponse) &priority=-5
{
SMB::write_file_log(c$smb_state);
}