Change smb2_create_response event arguments to single response struct.

Added disposition and create_action fields.
2025-10-14 20:48:21 +00:00 · 2018-01-11 14:47:14 -05:00 · 2018-01-11 14:47:14 -05:00 · a76e50d2e1
commit a76e50d2e1
parent f041c97cdc
4 changed files with 41 additions and 24 deletions
--- a/scripts/base/init-bare.bro
+++ b/scripts/base/init-bare.bro
@ -3068,6 +3068,25 @@ export {
 		## Specifies the options to be applied when creating or opening the file.
 		create_options : count;
 	};
+
+	## The response to an SMB2 *create_request* request, which is sent by the client to request
+	## either creation of or access to a file.
+	##
+	## For more information, see MS-SMB2:2.2.14
+	##
+	## .. bro:see:: smb2_create_response
+	type SMB2::CreateResponse: record {
+		## The SMB2 GUID for the file.
+		file_id       : SMB2::GUID;
+		## Size of the file.
+		size          : count;
+		## Timestamps associated with the file in question.
+		times         : SMB::MACTimes;
+		## File attributes.
+		attrs         : SMB2::FileAttrs;
+		## The action taken in establishing the open.
+		create_action : count;
+	};
 }

 module GLOBAL;
--- a/scripts/policy/protocols/smb/smb2-main.bro
+++ b/scripts/policy/protocols/smb/smb2-main.bro
@ -153,28 +153,28 @@ event smb2_create_request(c: connection, hdr: SMB2::Header, request: SMB2::Creat
 		}
 	}

-event smb2_create_response(c: connection, hdr: SMB2::Header, file_id: SMB2::GUID, file_size: count, times: SMB::MACTimes, attrs: SMB2::FileAttrs) &priority=5
+event smb2_create_response(c: connection, hdr: SMB2::Header, response: SMB2::CreateResponse) &priority=5
 	{
-	SMB::set_current_file(c$smb_state, file_id$persistent+file_id$volatile);
+	SMB::set_current_file(c$smb_state, response$file_id$persistent+response$file_id$volatile);

-	c$smb_state$current_file$fid = file_id$persistent+file_id$volatile;
-	c$smb_state$current_file$size = file_size;
+	c$smb_state$current_file$fid = response$file_id$persistent+response$file_id$volatile;
+	c$smb_state$current_file$size = response$size;

 	if ( c$smb_state$current_tree?$path )
 		c$smb_state$current_file$path = c$smb_state$current_tree$path;

 	# I'm seeing negative data from IPC tree transfers
-	if ( time_to_double(times$modified) > 0.0 )
-		c$smb_state$current_file$times = times;
+	if ( time_to_double(response$times$modified) > 0.0 )
+		c$smb_state$current_file$times = response$times;

 	# We can identify the file by its file id now so let's stick it 
 	# in the file map.
-	c$smb_state$fid_map[file_id$persistent+file_id$volatile] = c$smb_state$current_file;
+	c$smb_state$fid_map[response$file_id$persistent+response$file_id$volatile] = c$smb_state$current_file;
 	
-	c$smb_state$current_file = c$smb_state$fid_map[file_id$persistent+file_id$volatile];
+	c$smb_state$current_file = c$smb_state$fid_map[response$file_id$persistent+response$file_id$volatile];
 	}

-event smb2_create_response(c: connection, hdr: SMB2::Header, file_id: SMB2::GUID, file_size: count, times: SMB::MACTimes, attrs: SMB2::FileAttrs) &priority=-5
+event smb2_create_response(c: connection, hdr: SMB2::Header, response: SMB2::CreateResponse) &priority=-5
 	{
 	SMB::write_file_log(c$smb_state);
 	}
--- a/src/analyzer/protocol/smb/smb2-com-create.pac
+++ b/src/analyzer/protocol/smb/smb2-com-create.pac
@ -34,16 +34,19 @@ refine connection SMB_Conn += {
 		%{
 		if ( smb2_create_response )
 			{
+			RecordVal* responseinfo = new RecordVal(BifType::Record::SMB2::CreateResponse);
+			responseinfo->Assign(0, BuildSMB2GUID(${val.file_id}));
+			responseinfo->Assign(1, new Val(${val.eof}, TYPE_COUNT));
+			responseinfo->Assign(2, SMB_BuildMACTimes(${val.last_write_time},
+			                                          ${val.last_access_time},
+			                                          ${val.creation_time},
+			                                          ${val.change_time}));
+			responseinfo->Assign(3, smb2_file_attrs_to_bro(${val.file_attrs}));
+			responseinfo->Assign(4, new Val(${val.create_action}, TYPE_COUNT));
 			BifEvent::generate_smb2_create_response(bro_analyzer(),
 			                                        bro_analyzer()->Conn(),
 			                                        BuildSMB2HeaderVal(h),
-			                                        BuildSMB2GUID(${val.file_id}),
-			                                        ${val.eof},
-			                                        SMB_BuildMACTimes(${val.last_write_time},
-			                                                          ${val.last_access_time},
-			                                                          ${val.creation_time},
-			                                                          ${val.change_time}),
-			                                        smb2_file_attrs_to_bro(${val.file_attrs}));
+			                                        responseinfo);
 			}

 		return true;
--- a/src/analyzer/protocol/smb/smb2_com_create.bif
+++ b/src/analyzer/protocol/smb/smb2_com_create.bif
@ -23,17 +23,12 @@ event smb2_create_request%(c: connection, hdr: SMB2::Header, request: SMB2::Crea
 ##
 ## hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 2 message.
 ##
-## file_id: The SMB2 GUID for the file.
-##
-## size: Size of the file.
-##
-## times: Timestamps associated with the file in question.
-##
-## attrs: File attributes.
+## response: A record with more information related to the response.
 ##
 ## .. bro:see:: smb2_message smb2_create_request
-event smb2_create_response%(c: connection, hdr: SMB2::Header, file_id: SMB2::GUID, size: count, times: SMB::MACTimes, attrs: SMB2::FileAttrs%);
+event smb2_create_response%(c: connection, hdr: SMB2::Header, response: SMB2::CreateResponse%);

 #### Types

 type SMB2::CreateRequest: record;
+type SMB2::CreateResponse: record;