Change smb2_create_response event arguments to single response struct.

Added disposition and create_action fields.
Julien Wallior 2018-01-11 14:47:14 -05:00
parent f041c97cdc
commit a76e50d2e1
4 changed files with 41 additions and 24 deletions


@ -3068,6 +3068,25 @@ export {
## Specifies the options to be applied when creating or opening the file. ## Specifies the options to be applied when creating or opening the file.
create_options : count; create_options : count;
}; };
## The response to an SMB2 *create_request* request, which is sent by the client to request
## either creation of or access to a file.
##
## For more information, see MS-SMB2:2.2.14
##
## .. bro:see:: smb2_create_response
type SMB2::CreateResponse: record {
## The SMB2 GUID for the file.
file_id : SMB2::GUID;
## Size of the file.
size : count;
## Timestamps associated with the file in question.
times : SMB::MACTimes;
## File attributes.
attrs : SMB2::FileAttrs;
## The action taken in establishing the open.
create_action : count;
};
} }
module GLOBAL; module GLOBAL;
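Review bot: The doc comment on the new `create_action` field, `## The action taken in establishing the open.`, leaves the meaning of the count to the reader, while the other fields of the record are self-describing; I'd expand it to `## The action taken in establishing the open (MS-SMB2 2.2.14 CreateAction: 0 superseded, 1 opened, 2 created, 3 overwritten).` so script authors can tell a file that was newly created from one that was merely opened without consulting the spec. The commit message also mentions a disposition field, but this hunk adds only create_action to the record, so the message and the record appear to be out of step. The enclosing `export { … }` block starts before the hunk.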


@ -153,28 +153,28 @@ event smb2_create_request(c: connection, hdr: SMB2::Header, request: SMB2::Creat
} }
} }
event smb2_create_response(c: connection, hdr: SMB2::Header, file_id: SMB2::GUID, file_size: count, times: SMB::MACTimes, attrs: SMB2::FileAttrs) &priority=5 event smb2_create_response(c: connection, hdr: SMB2::Header, response: SMB2::CreateResponse) &priority=5
{ {
SMB::set_current_file(c$smb_state, file_id$persistent+file_id$volatile); SMB::set_current_file(c$smb_state, response$file_id$persistent+response$file_id$volatile);
c$smb_state$current_file$fid = file_id$persistent+file_id$volatile; c$smb_state$current_file$fid = response$file_id$persistent+response$file_id$volatile;
c$smb_state$current_file$size = file_size; c$smb_state$current_file$size = response$size;
if ( c$smb_state$current_tree?$path ) if ( c$smb_state$current_tree?$path )
c$smb_state$current_file$path = c$smb_state$current_tree$path; c$smb_state$current_file$path = c$smb_state$current_tree$path;
# I'm seeing negative data from IPC tree transfers # I'm seeing negative data from IPC tree transfers
if ( time_to_double(times$modified) > 0.0 ) if ( time_to_double(response$times$modified) > 0.0 )
c$smb_state$current_file$times = times; c$smb_state$current_file$times = response$times;
# We can identify the file by its file id now so let's stick it # We can identify the file by its file id now so let's stick it
# in the file map. # in the file map.
c$smb_state$fid_map[file_id$persistent+file_id$volatile] = c$smb_state$current_file; c$smb_state$fid_map[response$file_id$persistent+response$file_id$volatile] = c$smb_state$current_file;
c$smb_state$current_file = c$smb_state$fid_map[file_id$persistent+file_id$volatile]; c$smb_state$current_file = c$smb_state$fid_map[response$file_id$persistent+response$file_id$volatile];
} }
event smb2_create_response(c: connection, hdr: SMB2::Header, file_id: SMB2::GUID, file_size: count, times: SMB::MACTimes, attrs: SMB2::FileAttrs) &priority=-5 event smb2_create_response(c: connection, hdr: SMB2::Header, response: SMB2::CreateResponse) &priority=-5
{ {
SMB::write_file_log(c$smb_state); SMB::write_file_log(c$smb_state);
} }
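Review bot: The `&priority=5` handler now spells out `response$file_id$persistent+response$file_id$volatile` four times (the set_current_file call, the `fid` assignment, and the two fid_map lines), which makes the file-id derivation easy to get subtly different in one place when the expression is next touched; hoisting it into one local reads better and keeps the key used for `fid_map` and for `current_file$fid` provably the same. Behaviour is unchanged. The `&priority=-5` handler needs no change.

```bro
event smb2_create_response(c: connection, hdr: SMB2::Header, response: SMB2::CreateResponse) &priority=5
	{
	local fid = response$file_id$persistent + response$file_id$volatile;
	SMB::set_current_file(c$smb_state, fid);
	c$smb_state$current_file$fid = fid;
	c$smb_state$current_file$size = response$size;
	# … unchanged: tree path and timestamp handling …
	c$smb_state$fid_map[fid] = c$smb_state$current_file;
	c$smb_state$current_file = c$smb_state$fid_map[fid];
	}
```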


@ -34,16 +34,19 @@ refine connection SMB_Conn += {
%{ %{
if ( smb2_create_response ) if ( smb2_create_response )
{ {
RecordVal* responseinfo = new RecordVal(BifType::Record::SMB2::CreateResponse);
responseinfo->Assign(0, BuildSMB2GUID(${val.file_id}));
responseinfo->Assign(1, new Val(${val.eof}, TYPE_COUNT));
responseinfo->Assign(2, SMB_BuildMACTimes(${val.last_write_time},
${val.last_access_time},
${val.creation_time},
${val.change_time}));
responseinfo->Assign(3, smb2_file_attrs_to_bro(${val.file_attrs}));
responseinfo->Assign(4, new Val(${val.create_action}, TYPE_COUNT));
BifEvent::generate_smb2_create_response(bro_analyzer(), BifEvent::generate_smb2_create_response(bro_analyzer(),
bro_analyzer()->Conn(), bro_analyzer()->Conn(),
BuildSMB2HeaderVal(h), BuildSMB2HeaderVal(h),
BuildSMB2GUID(${val.file_id}), responseinfo);
${val.eof},
SMB_BuildMACTimes(${val.last_write_time},
${val.last_access_time},
${val.creation_time},
${val.change_time}),
smb2_file_attrs_to_bro(${val.file_attrs}));
} }
return true; return true;
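Review bot: The five positional `Assign` calls on the new `responseinfo` record (indices 0 through 4) are bound to the field order of the script-side SMB2::CreateResponse record, and nothing in the hunk says so; a one-line comment such as `// Field indices must match the SMB2::CreateResponse record declaration (file_id, size, times, attrs, create_action).` would protect the next person who adds a field (the commit message mentions a disposition field that is not assigned here) from a mismatch between index and field. `${val.create_action}` is read from the parser record, which is not part of this hunk, so I am assuming that field already exists in the binpac definition. The surrounding `%{ … %}` code block starts and ends outside the hunk.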


@ -23,17 +23,12 @@ event smb2_create_request%(c: connection, hdr: SMB2::Header, request: SMB2::Crea
## ##
## hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 2 message. ## hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 2 message.
## ##
## file_id: The SMB2 GUID for the file. ## response: A record with more information related to the response.
##
## size: Size of the file.
##
## times: Timestamps associated with the file in question.
##
## attrs: File attributes.
## ##
## .. bro:see:: smb2_message smb2_create_request ## .. bro:see:: smb2_message smb2_create_request
event smb2_create_response%(c: connection, hdr: SMB2::Header, file_id: SMB2::GUID, size: count, times: SMB::MACTimes, attrs: SMB2::FileAttrs%); event smb2_create_response%(c: connection, hdr: SMB2::Header, response: SMB2::CreateResponse%);
#### Types #### Types
type SMB2::CreateRequest: record; type SMB2::CreateRequest: record;
type SMB2::CreateResponse: record;
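Review bot: The new parameter doc `## response: A record with more information related to the response.` does not say which record type the parameter carries, even though the hunk ends by declaring `type SMB2::CreateResponse: record;`; the per-field docs that were removed (file_id, size, times, attrs) now live on that record, so the event doc should point readers there. I'd write `## response: The parsed create response; see the SMB2::CreateResponse record for its fields, including create_action.` so the generated reference stays navigable from the event to its fields.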