diff --git a/src/analyzer/protocol/dce-rpc/dce_rpc-analyzer.pac b/src/analyzer/protocol/dce-rpc/dce_rpc-analyzer.pac index 141acd5248..657352ce95 100644 --- a/src/analyzer/protocol/dce-rpc/dce_rpc-analyzer.pac +++ b/src/analyzer/protocol/dce-rpc/dce_rpc-analyzer.pac @@ -6,7 +6,7 @@ refine connection DCE_RPC_Conn += { %} %init{ - fid=0; + fid = 0; %} function set_file_id(fid_in: uint64): bool diff --git a/src/analyzer/protocol/dce-rpc/dce_rpc-auth.pac b/src/analyzer/protocol/dce-rpc/dce_rpc-auth.pac index 85a90e48c4..0317978f78 100644 --- a/src/analyzer/protocol/dce-rpc/dce_rpc-auth.pac +++ b/src/analyzer/protocol/dce-rpc/dce_rpc-auth.pac @@ -14,10 +14,8 @@ refine connection DCE_RPC_Conn += { %} %cleanup{ - if ( gssapi ) - delete gssapi; - if ( ntlm ) - delete ntlm; + delete gssapi; + delete ntlm; %} function forward_auth(auth: DCE_RPC_Auth, is_orig: bool): bool diff --git a/src/analyzer/protocol/gssapi/types.bif b/src/analyzer/protocol/gssapi/types.bif index e69de29bb2..996cee9ad8 100644 --- a/src/analyzer/protocol/gssapi/types.bif +++ b/src/analyzer/protocol/gssapi/types.bif @@ -0,0 +1 @@ +# Empty. diff --git a/src/analyzer/protocol/ntlm/ntlm-analyzer.pac b/src/analyzer/protocol/ntlm/ntlm-analyzer.pac index 73083bcfb5..bc55bf3c1c 100644 --- a/src/analyzer/protocol/ntlm/ntlm-analyzer.pac +++ b/src/analyzer/protocol/ntlm/ntlm-analyzer.pac @@ -29,7 +29,7 @@ refine connection NTLM_Conn += { RecordVal* result = new RecordVal(BifType::Record::NTLM::AVs); for ( uint i = 0; ${val.pairs[i].id} != 0; i++ ) { - switch ( ${val.pairs[i].id} ) + switch ( ${val.pairs[i].id} ) { case 1: result->Assign(0, utf16_bytestring_to_utf8_val(${val.pairs[i].nb_computer_name.data})); @@ -106,7 +106,7 @@ refine connection NTLM_Conn += { if ( ${val.flags.negotiate_version} ) result->Assign(3, build_version_record(${val.version})); - BifEvent::generate_ntlm_negotiate(bro_analyzer(), + BifEvent::generate_ntlm_negotiate(bro_analyzer(), bro_analyzer()->Conn(), result); 
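Review bot: Dropping the null checks in the `%cleanup{` block of dce_rpc-auth.pac is only equivalent to the old code if `gssapi` and `ntlm` are always initialised before cleanup runs; `delete` on a null pointer is a well-defined no-op, but `delete` on an indeterminate pointer is undefined behaviour. The `%init{` block that would establish this for the two members is not part of the hunk, so I would confirm both are set there before accepting the simplification. If they are, a short comment such as `// Both are null-initialised in %init; delete on null is a no-op.` would record why the guards were removed.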
@@ -127,7 +127,7 @@ refine connection NTLM_Conn += { if ( ${val.flags.negotiate_target_info} ) result->Assign(3, build_av_record(${val.target_info})); - BifEvent::generate_ntlm_challenge(bro_analyzer(), + BifEvent::generate_ntlm_challenge(bro_analyzer(), bro_analyzer()->Conn(), result); diff --git a/src/analyzer/protocol/ntlm/ntlm-protocol.pac b/src/analyzer/protocol/ntlm/ntlm-protocol.pac index 471a124301..136eddb9c7 100644 --- a/src/analyzer/protocol/ntlm/ntlm-protocol.pac +++ b/src/analyzer/protocol/ntlm/ntlm-protocol.pac @@ -168,13 +168,13 @@ type NTLM_Negotiate_Flags = record { negotiate_56 : bool = (flags & 0x80000000) > 0; negotiate_key_exch : bool = (flags & 0x40000000) > 0; negotiate_128 : bool = (flags & 0x20000000) > 0; - + negotiate_version : bool = (flags & 0x02000000) > 0; - + negotiate_target_info : bool = (flags & 0x00800000) > 0; request_non_nt_session_key : bool = (flags & 0x00400000) > 0; negotiate_identify : bool = (flags & 0x00100000) > 0; - + negotiate_extended_sessionsecurity : bool = (flags & 0x00040000) > 0; target_type_server : bool = (flags & 0x00020000) > 0; target_type_domain : bool = (flags & 0x00010000) > 0; diff --git a/src/analyzer/protocol/smb/CMakeLists.txt b/src/analyzer/protocol/smb/CMakeLists.txt index 5b9ca3469f..2ea745d51d 100644 --- a/src/analyzer/protocol/smb/CMakeLists.txt +++ b/src/analyzer/protocol/smb/CMakeLists.txt @@ -5,7 +5,7 @@ include_directories(AFTER ${CMAKE_CURRENT_BINARY_DIR}/../dce-rpc) bro_plugin_begin(Bro SMB) bro_plugin_cc(SMB.cc Plugin.cc) -bro_plugin_bif( +bro_plugin_bif( smb1_com_check_directory.bif smb1_com_close.bif smb1_com_create_directory.bif diff --git a/src/analyzer/protocol/smb/SMB.cc b/src/analyzer/protocol/smb/SMB.cc index 6eaae487c9..a84331583d 100644 --- a/src/analyzer/protocol/smb/SMB.cc +++ b/src/analyzer/protocol/smb/SMB.cc 
@@ -159,7 +159,7 @@ void Contents_SMB::DeliverStream(int len, const u_char* data, bool orig) { TCP_SupportAnalyzer::DeliverStream(len, data, orig); - if (!CheckResync(len, data, orig)) + if ( ! CheckResync(len, data, orig)) return; // Not in sync yet. Still resyncing while ( len > 0 ) @@ -172,7 +172,7 @@ void Contents_SMB::DeliverStream(int len, const u_char* data, bool orig) msg_type = data[0]; for ( int i = 1; i < 4; i++) msg_len = (msg_len << 8) + data[i]; - msg_len+=4; + msg_len += 4; msg_buf.Init(SMB_MAX_LEN+4, msg_len); state = WAIT_FOR_DATA; } diff --git a/src/analyzer/protocol/smb/smb-common.pac b/src/analyzer/protocol/smb/smb-common.pac index b25f35ee53..046cdc49f2 100644 --- a/src/analyzer/protocol/smb/smb-common.pac +++ b/src/analyzer/protocol/smb/smb-common.pac @@ -61,7 +61,7 @@ enum SMB_Command { SMB_COM_TRANSACTION2_SECONDARY = 0x33, SMB_COM_FIND_CLOSE2 = 0x34, SMB_COM_FIND_NOTIFY_CLOSE = 0x35, - + SMB_COM_TREE_CONNECT = 0x70, SMB_COM_TREE_DISCONNECT = 0x71, SMB_COM_NEGOTIATE = 0x72, @@ -84,7 +84,7 @@ enum SMB_Command { SMB_COM_GET_PRINT_QUEUE = 0xC3, SMB_COM_READ_BULK = 0xD8, SMB_COM_WRITE_BULK = 0xD9, - SMB_COM_WRITE_BULK_DATA = 0xDA, + SMB_COM_WRITE_BULK_DATA = 0xDA, }; enum SMB_Status { @@ -269,12 +269,12 @@ function determine_transaction_type(setup_count: int, name: SMB_string): Transac { return SMB_PIPE; } - + //if ( setup_count == 3 || // bytestring_caseprefix( extract_string(name), "\\MAILSLOT\\" ) ) // { // return SMB_MAILSLOT_BROWSE; // } - + return SMB_UNKNOWN; %} diff --git a/src/analyzer/protocol/smb/smb-time.pac b/src/analyzer/protocol/smb/smb-time.pac index cf507722d8..c4ed6289b8 100644 --- a/src/analyzer/protocol/smb/smb-time.pac +++ b/src/analyzer/protocol/smb/smb-time.pac 
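Review bot: The reformatted condition `if ( ! CheckResync(len, data, orig))` is still inconsistent with the surrounding Bro style, which pads both sides of the parentheses as in `while ( len > 0 )` two lines below; it should read `if ( ! CheckResync(len, data, orig) )`. The same applies to the untouched `for ( int i = 1; i < 4; i++)` in the second hunk of this file, which is worth fixing in the same whitespace pass. The body of `Contents_SMB::DeliverStream` starts before and continues after both hunks.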
@@ -14,10 +14,10 @@ function filetime2brotime(ts: uint64): Val %{ double secs = (ts / 10000000.0); - // Bro can't support times back to the 1600's + // Bro can't support times back to the 1600's // so we subtract a lot of seconds. Val* bro_ts = new Val(secs - 11644473600.0, TYPE_TIME); - + return bro_ts; %} diff --git a/src/analyzer/protocol/smb/smb1-com-check-directory.pac b/src/analyzer/protocol/smb/smb1-com-check-directory.pac index 3b661033a3..8de25eda0b 100644 --- a/src/analyzer/protocol/smb/smb1-com-check-directory.pac +++ b/src/analyzer/protocol/smb/smb1-com-check-directory.pac @@ -4,7 +4,7 @@ refine connection SMB_Conn += { %{ if ( smb1_check_directory_request ) BifEvent::generate_smb1_check_directory_request(bro_analyzer(), bro_analyzer()->Conn(), - BuildHeaderVal(header), + BuildHeaderVal(header), smb_string2stringval(${val.directory_name})); return true; %} @@ -13,7 +13,7 @@ refine connection SMB_Conn += { %{ if ( smb1_check_directory_response ) BifEvent::generate_smb1_check_directory_response(bro_analyzer(), bro_analyzer()->Conn(), - BuildHeaderVal(header)); + BuildHeaderVal(header)); return true; %} diff --git a/src/analyzer/protocol/smb/smb1-com-close.pac b/src/analyzer/protocol/smb/smb1-com-close.pac index aafc31addc..4aa6c5c3a0 100644 --- a/src/analyzer/protocol/smb/smb1-com-close.pac +++ b/src/analyzer/protocol/smb/smb1-com-close.pac @@ -11,7 +11,7 @@ refine connection SMB_Conn += { // This is commented out for the moment because it caused problems // with extraction because the file kept having the same name due // to repeatedly having the same file uid. This results in files - // effectively falling of SMB solely by expiration instead of + // effectively falling of SMB solely by expiration instead of // manually being closed. //file_mgr->EndOfFile(bro_analyzer()->GetAnalyzerTag(), 
@@ -27,7 +27,7 @@ type SMB1_close_request(header: SMB_Header) = record { word_count : uint8; file_id : uint16; last_modified_time : SMB_timestamp32; - + byte_count : uint16; } &let { proc : bool = $context.connection.proc_smb1_close_request(header, this); diff --git a/src/analyzer/protocol/smb/smb1-com-create-directory.pac b/src/analyzer/protocol/smb/smb1-com-create-directory.pac index bdb72ba1f6..a6c4572812 100644 --- a/src/analyzer/protocol/smb/smb1-com-create-directory.pac +++ b/src/analyzer/protocol/smb/smb1-com-create-directory.pac @@ -4,7 +4,7 @@ refine connection SMB_Conn += { %{ if ( smb1_create_directory_request ) BifEvent::generate_smb1_create_directory_request(bro_analyzer(), bro_analyzer()->Conn(), - BuildHeaderVal(header), + BuildHeaderVal(header), smb_string2stringval(${val.directory_name})); return true; %} @@ -12,7 +12,7 @@ refine connection SMB_Conn += { %{ if ( smb1_create_directory_response ) BifEvent::generate_smb1_create_directory_response(bro_analyzer(), bro_analyzer()->Conn(), - BuildHeaderVal(header)); + BuildHeaderVal(header)); return true; %} diff --git a/src/analyzer/protocol/smb/smb1-com-echo.pac b/src/analyzer/protocol/smb/smb1-com-echo.pac index 198839cd0d..a1356ecb48 100644 --- a/src/analyzer/protocol/smb/smb1-com-echo.pac +++ b/src/analyzer/protocol/smb/smb1-com-echo.pac 
@@ -3,15 +3,15 @@ refine connection SMB_Conn += { function proc_smb1_echo_request(header: SMB_Header, val: SMB1_echo_request): bool %{ if ( smb1_echo_request ) - BifEvent::generate_smb1_echo_request(bro_analyzer(), bro_analyzer()->Conn(), + BifEvent::generate_smb1_echo_request(bro_analyzer(), bro_analyzer()->Conn(), ${val.echo_count}, bytestring_to_val(${val.data})); return true; %} - + function proc_smb1_echo_response(header: SMB_Header, val: SMB1_echo_response): bool %{ if ( smb1_echo_response ) - BifEvent::generate_smb1_echo_response(bro_analyzer(), bro_analyzer()->Conn(), + BifEvent::generate_smb1_echo_response(bro_analyzer(), bro_analyzer()->Conn(), ${val.seq_num}, bytestring_to_val(${val.data})); return true; %} diff --git a/src/analyzer/protocol/smb/smb1-com-locking-andx.pac b/src/analyzer/protocol/smb/smb1-com-locking-andx.pac index 8ba468b66d..e519dd8984 100644 --- a/src/analyzer/protocol/smb/smb1-com-locking-andx.pac +++ b/src/analyzer/protocol/smb/smb1-com-locking-andx.pac @@ -53,7 +53,7 @@ type SMB1_locking_andx_request(header: SMB_Header) = record { # http://msdn.microsoft.com/en-us/library/ee441519.aspx type SMB1_locking_andx_response(header: SMB_Header) = record { - + } &let { proc : bool = $context.connection.proc_smb1_locking_andx_response(header, this); }; diff --git a/src/analyzer/protocol/smb/smb1-com-negotiate.pac b/src/analyzer/protocol/smb/smb1-com-negotiate.pac index 304a253335..1dd837e328 100644 --- a/src/analyzer/protocol/smb/smb1-com-negotiate.pac +++ b/src/analyzer/protocol/smb/smb1-com-negotiate.pac @@ -1,4 +1,4 @@ -# This is an original Core Protocol command. +# This is an original Core Protocol command. # # This command is used to initiate an SMB connection between the # client and the server. An SMB_COM_NEGOTIATE exchange MUST be 
@@ -42,12 +42,12 @@ refine connection SMB_Conn += { RecordVal* security; RecordVal* raw; RecordVal* capabilities; - switch ( ${val.word_count} ) + switch ( ${val.word_count} ) { case 0x01: core = new RecordVal(BifType::Record::SMB1::NegotiateResponseCore); core->Assign(0, new Val(${val.dialect_index}, TYPE_COUNT)); - + response->Assign(0, core); break; @@ -66,7 +66,7 @@ refine connection SMB_Conn += { lanman->Assign(2, security); lanman->Assign(3, new Val(${val.lanman.max_buffer_size}, TYPE_COUNT)); lanman->Assign(4, new Val(${val.lanman.max_mpx_count}, TYPE_COUNT)); - + lanman->Assign(5, new Val(${val.lanman.max_number_vcs}, TYPE_COUNT)); lanman->Assign(6, raw); lanman->Assign(7, new Val(${val.lanman.session_key}, TYPE_COUNT)); @@ -74,7 +74,7 @@ refine connection SMB_Conn += { lanman->Assign(9, bytestring_to_val(${val.lanman.encryption_key})); lanman->Assign(10, smb_string2stringval(${val.lanman.primary_domain})); - + response->Assign(1, lanman); break; @@ -114,14 +114,14 @@ refine connection SMB_Conn += { ntlm->Assign(2, security); ntlm->Assign(3, new Val(${val.ntlm.max_buffer_size}, TYPE_COUNT)); ntlm->Assign(4, new Val(${val.ntlm.max_mpx_count}, TYPE_COUNT)); - + ntlm->Assign(5, new Val(${val.ntlm.max_number_vcs}, TYPE_COUNT)); ntlm->Assign(6, new Val(${val.ntlm.max_raw_size}, TYPE_COUNT)); ntlm->Assign(7, new Val(${val.ntlm.session_key}, TYPE_COUNT)); ntlm->Assign(8, capabilities); ntlm->Assign(9, filetime2brotime(${val.ntlm.server_time})); - if ( ${val.ntlm.capabilities_extended_security} == false ) + if ( ${val.ntlm.capabilities_extended_security} == false ) { ntlm->Assign(10, bytestring_to_val(${val.ntlm.encryption_key})); ntlm->Assign(11, smb_string2stringval(${val.ntlm.domain_name})); 
@@ -130,13 +130,13 @@ refine connection SMB_Conn += { { ntlm->Assign(12, bytestring_to_val(${val.ntlm.server_guid})); } - + response->Assign(2, ntlm); break; } BifEvent::generate_smb1_negotiate_response(bro_analyzer(), bro_analyzer()->Conn(), BuildHeaderVal(header), response); } - + return true; %} }; @@ -155,7 +155,7 @@ type SMB1_negotiate_request(header: SMB_Header) = record { }; type SMB1_negotiate_response(header: SMB_Header) = record { - word_count: uint8; + word_count: uint8; dialect_index: uint16; response: case word_count of { 0x01 -> core : SMB1_negotiate_core_response; diff --git a/src/analyzer/protocol/smb/smb1-com-nt-create-andx.pac b/src/analyzer/protocol/smb/smb1-com-nt-create-andx.pac index cd3367ef7e..36ee60ed06 100644 --- a/src/analyzer/protocol/smb/smb1-com-nt-create-andx.pac +++ b/src/analyzer/protocol/smb/smb1-com-nt-create-andx.pac @@ -14,7 +14,7 @@ refine connection SMB_Conn += { // create_options : uint32; // impersonation_level : uint32; // security_flags : uint8; - // + // // byte_count : uint16; // filename : SMB_string(header.unicode, offsetof(filename)) &length=name_length; @@ -43,7 +43,7 @@ refine connection SMB_Conn += { if ( ${val.end_of_file} > 0 ) { - //file_mgr->SetSize(${val.end_of_file}, + //file_mgr->SetSize(${val.end_of_file}, // bro_analyzer()->GetAnalyzerTag(), // bro_analyzer()->Conn(), // header->is_orig()); @@ -59,7 +59,7 @@ type SMB1_nt_create_andx_request(header: SMB_Header) = record { word_count : uint8; andx : SMB_andx; reserved : uint8; - + name_length : uint16; flags : uint32; root_dir_file_id : uint32; @@ -71,10 +71,10 @@ type SMB1_nt_create_andx_request(header: SMB_Header) = record { create_options : uint32; impersonation_level : uint32; security_flags : uint8; - + byte_count : uint16; filename : SMB_string(header.unicode, offsetof(filename)); - + andx_command : SMB_andx_command(header, 1, andx.command); } &let { proc : bool = $context.connection.proc_smb1_nt_create_andx_request(header, this); 
@@ -96,7 +96,7 @@ type SMB1_nt_create_andx_response(header: SMB_Header) = record { resource_type : uint16; nm_pipe_status : uint16; directory : uint8; - + byte_count : uint16; } &let { proc : bool = $context.connection.proc_smb1_nt_create_andx_response(header, this); diff --git a/src/analyzer/protocol/smb/smb1-com-open-andx.pcap b/src/analyzer/protocol/smb/smb1-com-open-andx.pcap index 5c8eaeb66a..80f0d2e490 100644 --- a/src/analyzer/protocol/smb/smb1-com-open-andx.pcap +++ b/src/analyzer/protocol/smb/smb1-com-open-andx.pcap @@ -1,5 +1,3 @@ -# Copyright (c) Broala LLC. All Rights Reserved. No use or distribution without permission. - refine connection SMB_Conn += { function proc_smb1_open_andx_request(h: SMB_Header, val: SMB1_open_andx_request): bool diff --git a/src/analyzer/protocol/smb/smb1-com-query-information.pac b/src/analyzer/protocol/smb/smb1-com-query-information.pac index e09e688c35..f2215fadc2 100644 --- a/src/analyzer/protocol/smb/smb1-com-query-information.pac +++ b/src/analyzer/protocol/smb/smb1-com-query-information.pac @@ -20,7 +20,7 @@ refine connection SMB_Conn += { type SMB1_query_information_request(header: SMB_Header) = record { word_count : uint8; - + byte_count : uint16; buffer_format : uint8; filename : SMB_string(header.unicode, offsetof(filename)); diff --git a/src/analyzer/protocol/smb/smb1-com-read-andx.pac b/src/analyzer/protocol/smb/smb1-com-read-andx.pac index 490fbe75fe..d947dd0d06 100644 --- a/src/analyzer/protocol/smb/smb1-com-read-andx.pac +++ b/src/analyzer/protocol/smb/smb1-com-read-andx.pac @@ -1,7 +1,7 @@ refine connection SMB_Conn += { %member{ - // Track read offsets to provide correct + // Track read offsets to provide correct // offsets for file manager. std::map read_offsets; %} 
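Review bot: The file edited here is `src/analyzer/protocol/smb/smb1-com-open-andx.pcap`, yet its content (`refine connection SMB_Conn += {`, `proc_smb1_open_andx_request`) is binpac source, not a packet capture. Every sibling command file in this diff uses the `.pac` extension, so this looks like a misnamed source file that presumably is not being included by the analyzer at all; it should be renamed to `smb1-com-open-andx.pac` and included wherever the other per-command `.pac` files are pulled in. I cannot see the analyzer's include list in this diff, so please confirm whether the open-andx handler is currently compiled.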
@@ -77,7 +77,7 @@ type SMB1_read_andx_response(header: SMB_Header) = record { data_offset : uint16; data_len_high : uint16; reserved2 : uint64; - + byte_count : uint16; pad : padding to data_offset - SMB_Header_length; data : bytestring &length=data_len; diff --git a/src/analyzer/protocol/smb/smb1-com-session-setup-andx.pac b/src/analyzer/protocol/smb/smb1-com-session-setup-andx.pac index c5cfe02969..45ef4c6127 100644 --- a/src/analyzer/protocol/smb/smb1-com-session-setup-andx.pac +++ b/src/analyzer/protocol/smb/smb1-com-session-setup-andx.pac @@ -14,7 +14,7 @@ refine connection SMB_Conn += { { RecordVal* request = new RecordVal(BifType::Record::SMB1::SessionSetupAndXRequest); RecordVal* capabilities; - + request->Assign(0, new Val(${val.word_count}, TYPE_COUNT)); switch ( ${val.word_count} ) { case 10: // pre NT LM 0.12 @@ -38,7 +38,7 @@ refine connection SMB_Conn += { capabilities->Assign(3, new Val(${val.ntlm_extended_security.capabilities.status32}, TYPE_BOOL)); capabilities->Assign(4, new Val(${val.ntlm_extended_security.capabilities.level_2_oplocks}, TYPE_BOOL)); capabilities->Assign(5, new Val(${val.ntlm_extended_security.capabilities.nt_find}, TYPE_BOOL)); - + request->Assign(1, new Val(${val.ntlm_extended_security.max_buffer_size}, TYPE_COUNT)); request->Assign(2, new Val(${val.ntlm_extended_security.max_mpx_count}, TYPE_COUNT)); request->Assign(3, new Val(${val.ntlm_extended_security.vc_number}, TYPE_COUNT)); @@ -49,7 +49,7 @@ refine connection SMB_Conn += { request->Assign(13, capabilities); break; - + case 13: // NT LM 0.12 without extended security capabilities = new RecordVal(BifType::Record::SMB1::SessionSetupAndXCapabilities); capabilities->Assign(0, new Val(${val.ntlm_nonextended_security.capabilities.unicode}, TYPE_BOOL)); 
@@ -58,7 +58,7 @@ refine connection SMB_Conn += { capabilities->Assign(3, new Val(${val.ntlm_nonextended_security.capabilities.status32}, TYPE_BOOL)); capabilities->Assign(4, new Val(${val.ntlm_nonextended_security.capabilities.level_2_oplocks}, TYPE_BOOL)); capabilities->Assign(5, new Val(${val.ntlm_nonextended_security.capabilities.nt_find}, TYPE_BOOL)); - + request->Assign(1, new Val(${val.ntlm_nonextended_security.max_buffer_size}, TYPE_COUNT)); request->Assign(2, new Val(${val.ntlm_nonextended_security.max_mpx_count}, TYPE_COUNT)); request->Assign(3, new Val(${val.ntlm_nonextended_security.vc_number}, TYPE_COUNT)); @@ -79,7 +79,7 @@ refine connection SMB_Conn += { } return true; %} - + function proc_smb1_session_setup_andx_response(header: SMB_Header, val: SMB1_session_setup_andx_response): bool %{ if ( smb1_session_setup_andx_response ) @@ -105,13 +105,13 @@ refine connection SMB_Conn += { default: // Error! break; } - + BifEvent::generate_smb1_session_setup_andx_response(bro_analyzer(), bro_analyzer()->Conn(), BuildHeaderVal(header), response); } - + return true; %} diff --git a/src/analyzer/protocol/smb/smb1-com-transaction-secondary.pac b/src/analyzer/protocol/smb/smb1-com-transaction-secondary.pac index c2bc9490fa..ceefb0a1a4 100644 --- a/src/analyzer/protocol/smb/smb1-com-transaction-secondary.pac +++ b/src/analyzer/protocol/smb/smb1-com-transaction-secondary.pac @@ -8,7 +8,7 @@ type SMB1_transaction_secondary_request(header: SMB_Header) = record { data_count : uint16; data_offset : uint16; data_displacement : uint16; - + byte_count : uint16; pad1 : padding to param_offset - SMB_Header_length; parameters : bytestring &length = param_count; diff --git a/src/analyzer/protocol/smb/smb1-com-transaction.pac b/src/analyzer/protocol/smb/smb1-com-transaction.pac index e7d390db4e..8f2215cff9 100644 --- a/src/analyzer/protocol/smb/smb1-com-transaction.pac +++ b/src/analyzer/protocol/smb/smb1-com-transaction.pac 
@@ -32,10 +32,10 @@ refine connection SMB_Conn += { function proc_smb1_transaction_request(header: SMB_Header, val: SMB1_transaction_request): bool %{ if ( smb1_transaction_request ) - BifEvent::generate_smb1_transaction_request(bro_analyzer(), + BifEvent::generate_smb1_transaction_request(bro_analyzer(), bro_analyzer()->Conn(), BuildHeaderVal(header), - smb_string2stringval(${val.name}), + smb_string2stringval(${val.name}), ${val.sub_cmd}); return true; @@ -84,7 +84,7 @@ type SMB1_transaction_request(header: SMB_Header) = record { setup_count : uint8; reserved3 : uint8; setup : SMB1_transaction_setup(header); - + byte_count : uint16; name : SMB_string(header.unicode, offsetof(name)); pad1 : padding to param_offset - SMB_Header_length; @@ -114,7 +114,7 @@ type SMB1_transaction_response(header: SMB_Header) = record { setup_count : uint8; reserved2 : uint8; setup : uint16[setup_count]; - + byte_count : uint16; pad0 : padding to param_offset - SMB_Header_length; parameters : bytestring &length = param_count; diff --git a/src/analyzer/protocol/smb/smb1-com-transaction2.pac b/src/analyzer/protocol/smb/smb1-com-transaction2.pac index a65ba823a0..1025e89dc2 100644 --- a/src/analyzer/protocol/smb/smb1-com-transaction2.pac +++ b/src/analyzer/protocol/smb/smb1-com-transaction2.pac @@ -24,7 +24,7 @@ refine connection SMB_Conn += { %{ if ( smb1_transaction2_request ) BifEvent::generate_smb1_transaction2_request(bro_analyzer(), bro_analyzer()->Conn(), BuildHeaderVal(header), ${val.sub_cmd}); - + return true; %} @@ -54,7 +54,7 @@ type SMB1_transaction2_request(header: SMB_Header) = record { data_offset : uint16; setup_count : uint8; reserved3 : uint8; - + # I suspect this needs a word_count check #setup : uint16[setup_count]; sub_cmd : uint16; 
@@ -120,7 +120,7 @@ refine connection SMB_Conn += { result->Assign(5, smb_string2stringval(${val.file_name})); BifEvent::generate_smb1_trans2_find_first2_request(bro_analyzer(), bro_analyzer()->Conn(), \ BuildHeaderVal(header), result); - + } return true; %} @@ -198,7 +198,7 @@ refine connection SMB_Conn += { BifEvent::generate_smb1_trans2_query_path_info_request(bro_analyzer(), bro_analyzer()->Conn(), \ BuildHeaderVal(header), \ smb_string2stringval(${val.file_name})); - + } return true; %} diff --git a/src/analyzer/protocol/smb/smb1-com-tree-connect-andx.pac b/src/analyzer/protocol/smb/smb1-com-tree-connect-andx.pac index 06956b85be..ef32492414 100644 --- a/src/analyzer/protocol/smb/smb1-com-tree-connect-andx.pac +++ b/src/analyzer/protocol/smb/smb1-com-tree-connect-andx.pac @@ -31,7 +31,7 @@ type SMB1_tree_connect_andx_request(header: SMB_Header) = record { andx : SMB_andx; flags : uint16; password_length : uint16; - + byte_count : uint16; password : uint8[password_length]; path : SMB_string(header.unicode, offsetof(path)); @@ -45,7 +45,7 @@ type SMB1_tree_connect_andx_response(header: SMB_Header) = record { andx : SMB_andx; optional_support : uint16; pad : padding[(word_count-3)*2]; - + byte_count : uint16; service : SMB_string(0, offsetof(service)); native_file_system : SMB_string(header.unicode, offsetof(native_file_system)); diff --git a/src/analyzer/protocol/smb/smb1-com-tree-disconnect.pac b/src/analyzer/protocol/smb/smb1-com-tree-disconnect.pac index f41c1bcabd..ebde842ebb 100644 --- a/src/analyzer/protocol/smb/smb1-com-tree-disconnect.pac +++ b/src/analyzer/protocol/smb/smb1-com-tree-disconnect.pac 
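Review bot: `pad : padding[(word_count-3)*2];` in `SMB1_tree_connect_andx_response` goes negative when a server sends a `word_count` below 3, because the subtraction happens after integer promotion of the `uint8`; what binpac does with a negative padding length is not visible here, but a malformed or hostile response should not be able to reach it. Clamping the expression, e.g. `pad : padding[word_count >= 3 ? (word_count-3)*2 : 0];`, or rejecting the record when `word_count < 3`, would make the parser fail cleanly instead. The hunk itself only strips trailing whitespace; I am raising this because the record is otherwise untouched by the cleanup.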
@@ -3,9 +3,9 @@ refine connection SMB_Conn += { function proc_smb1_tree_disconnect(header: SMB_Header, val: SMB1_tree_disconnect): bool %{ if ( smb1_tree_disconnect ) - BifEvent::generate_smb1_tree_disconnect(bro_analyzer(), + BifEvent::generate_smb1_tree_disconnect(bro_analyzer(), bro_analyzer()->Conn(), - BuildHeaderVal(header), + BuildHeaderVal(header), ${val.is_orig}); return true; %} @@ -14,7 +14,7 @@ refine connection SMB_Conn += { type SMB1_tree_disconnect(header: SMB_Header, is_orig: bool) = record { word_count : uint8; - + byte_count : uint16; } &let { proc : bool = $context.connection.proc_smb1_tree_disconnect(header, this); diff --git a/src/analyzer/protocol/smb/smb1-com-write-andx.pac b/src/analyzer/protocol/smb/smb1-com-write-andx.pac index 3905b7293a..fed5a7440a 100644 --- a/src/analyzer/protocol/smb/smb1-com-write-andx.pac +++ b/src/analyzer/protocol/smb/smb1-com-write-andx.pac @@ -12,7 +12,7 @@ refine connection SMB_Conn += { if ( ! ${val.is_pipe} && ${val.data}.length() > 0 ) { - file_mgr->DataIn(${val.data}.begin(), ${val.data}.length(), + file_mgr->DataIn(${val.data}.begin(), ${val.data}.length(), ${val.offset}, bro_analyzer()->GetAnalyzerTag(), bro_analyzer()->Conn(), h->is_orig()); @@ -49,7 +49,7 @@ type SMB1_write_andx_request(header: SMB_Header) = record { 0x0E -> offset_high_tmp : uint32; default -> null : empty; }; - + byte_count : uint16; pad : padding to data_offset - SMB_Header_length; data : bytestring &length=data_len; @@ -70,7 +70,7 @@ type SMB1_write_andx_response(header: SMB_Header) = record { remaining : uint16; written_high : uint16; reserved : uint16; - + byte_count : uint16; } &let { written_bytes : uint32 = (written_high * 0x10000) + written_low; diff --git a/src/analyzer/protocol/smb/smb2-com-close.pac b/src/analyzer/protocol/smb/smb2-com-close.pac index 05ead765fe..bb3b1bab49 100644 --- a/src/analyzer/protocol/smb/smb2-com-close.pac +++ b/src/analyzer/protocol/smb/smb2-com-close.pac 
@@ -23,11 +23,11 @@ refine connection SMB_Conn += { resp->Assign(1, new Val(${val.eof}, TYPE_COUNT)); resp->Assign(2, SMB_BuildMACTimes(${val.last_write_time}, ${val.last_access_time}, - ${val.creation_time}, + ${val.creation_time}, ${val.change_time})); resp->Assign(3, smb2_file_attrs_to_bro(${val.file_attrs})); - BifEvent::generate_smb2_close_response(bro_analyzer(), + BifEvent::generate_smb2_close_response(bro_analyzer(), bro_analyzer()->Conn(), BuildSMB2HeaderVal(h), resp); @@ -50,7 +50,7 @@ type SMB2_close_response(header: SMB2_Header) = record { structure_size : uint16; flags : uint16; reserved : uint32; - + creation_time : SMB_timestamp; last_access_time : SMB_timestamp; last_write_time : SMB_timestamp; diff --git a/src/analyzer/protocol/smb/smb2-com-create.pac b/src/analyzer/protocol/smb/smb2-com-create.pac index 341d629f38..0072e75adf 100644 --- a/src/analyzer/protocol/smb/smb2-com-create.pac +++ b/src/analyzer/protocol/smb/smb2-com-create.pac @@ -17,21 +17,21 @@ refine connection SMB_Conn += { %{ if ( smb2_create_response ) { - BifEvent::generate_smb2_create_response(bro_analyzer(), + BifEvent::generate_smb2_create_response(bro_analyzer(), bro_analyzer()->Conn(), BuildSMB2HeaderVal(h), BuildSMB2GUID(${val.file_id}), ${val.eof}, - SMB_BuildMACTimes(${val.last_write_time}, - ${val.last_access_time}, - ${val.creation_time}, + SMB_BuildMACTimes(${val.last_write_time}, + ${val.last_access_time}, + ${val.creation_time}, ${val.change_time}), smb2_file_attrs_to_bro(${val.file_attrs})); } if ( ${val.eof} > 0 ) { - //file_mgr->SetSize(${val.eof}, + //file_mgr->SetSize(${val.eof}, // bro_analyzer()->GetAnalyzerTag(), // bro_analyzer()->Conn(), // h->is_orig()); diff --git a/src/analyzer/protocol/smb/smb2-com-ioctl.pac b/src/analyzer/protocol/smb/smb2-com-ioctl.pac index 1d1e6ad8ea..e5abeefc82 100644 --- a/src/analyzer/protocol/smb/smb2-com-ioctl.pac +++ b/src/analyzer/protocol/smb/smb2-com-ioctl.pac 
@@ -20,7 +20,7 @@ refine connection SMB_Conn += { smb2_ioctl_fids[${val.header.message_id}] = ${val.file_id.persistent} + ${val.file_id._volatile}; return true; %} - + }; type SMB2_ioctl_request(header: SMB2_Header) = record { @@ -68,4 +68,4 @@ type SMB2_ioctl_response(header: SMB2_Header) = record { is_pipe : bool = (ctl_code == 0x0011C017); fid : uint64 = $context.connection.get_ioctl_fid(header.message_id); pipe_proc : bool = $context.connection.forward_dce_rpc(output_buffer, fid, false) &if(is_pipe); -}; \ No newline at end of file +}; diff --git a/src/analyzer/protocol/smb/smb2-com-lock.pac b/src/analyzer/protocol/smb/smb2-com-lock.pac index 69482e7900..d6b1f5c2c8 100644 --- a/src/analyzer/protocol/smb/smb2-com-lock.pac +++ b/src/analyzer/protocol/smb/smb2-com-lock.pac @@ -1,5 +1,5 @@ refine connection SMB_Conn += { - + }; type SMB2_lock = record { diff --git a/src/analyzer/protocol/smb/smb2-com-negotiate.pac b/src/analyzer/protocol/smb/smb2-com-negotiate.pac index 55e65ccdf2..ff0f89048e 100644 --- a/src/analyzer/protocol/smb/smb2-com-negotiate.pac +++ b/src/analyzer/protocol/smb/smb2-com-negotiate.pac @@ -1,5 +1,5 @@ refine connection SMB_Conn += { - + function proc_smb2_negotiate_request(h: SMB2_Header, val: SMB2_negotiate_request) : bool %{ if ( smb2_negotiate_request ) @@ -16,13 +16,13 @@ refine connection SMB_Conn += { return true; %} - + function proc_smb2_negotiate_response(h: SMB2_Header, val: SMB2_negotiate_response) : bool %{ if ( smb2_negotiate_response ) { RecordVal* nr = new RecordVal(BifType::Record::SMB2::NegotiateResponse); - + nr->Assign(0, new Val(${val.dialect_revision}, TYPE_COUNT)); nr->Assign(1, new Val(${val.security_mode}, TYPE_COUNT)); nr->Assign(2, BuildSMB2GUID(${val.server_guid})), @@ -32,7 +32,7 @@ refine connection SMB_Conn += { BuildSMB2HeaderVal(h), nr); } - + return true; %} }; 
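Review bot: `nr->Assign(2, BuildSMB2GUID(${val.server_guid})),` in `proc_smb2_negotiate_response` ends with a comma rather than a semicolon, so it and the following statement are joined by the comma operator; it compiles and presumably behaves the same, but it is clearly a typo and should be `nr->Assign(2, BuildSMB2GUID(${val.server_guid}));`. Since this pass is already reformatting that block, fixing it here saves a future reader from wondering whether the sequencing was intentional. The function continues past the end of the hunk.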
@@ -70,4 +70,4 @@ type SMB2_negotiate_response(header: SMB2_Header) = record { proc : bool = $context.connection.proc_smb2_negotiate_response(header, this); gssapi_proc : bool = $context.connection.forward_gssapi(security_blob, false); -}; \ No newline at end of file +}; diff --git a/src/analyzer/protocol/smb/smb2-com-read.pac b/src/analyzer/protocol/smb/smb2-com-read.pac index ea72a337c5..45ce893a35 100644 --- a/src/analyzer/protocol/smb/smb2-com-read.pac +++ b/src/analyzer/protocol/smb/smb2-com-read.pac @@ -1,7 +1,7 @@ refine connection SMB_Conn += { - + %member{ - // Track read offsets to provide correct + // Track read offsets to provide correct // offsets for file manager. std::map smb2_read_offsets; std::map smb2_read_fids; @@ -30,7 +30,7 @@ refine connection SMB_Conn += { ${val.offset}, ${val.read_len}); } - + smb2_read_offsets[${h.message_id}] = ${val.offset}; smb2_read_fids[${h.message_id}] = ${val.file_id.persistent} + ${val.file_id._volatile}; diff --git a/src/analyzer/protocol/smb/smb2-com-session-setup.pac b/src/analyzer/protocol/smb/smb2-com-session-setup.pac index 39ef04ead8..5b48f10f96 100644 --- a/src/analyzer/protocol/smb/smb2-com-session-setup.pac +++ b/src/analyzer/protocol/smb/smb2-com-session-setup.pac @@ -28,7 +28,7 @@ refine connection SMB_Conn += { RecordVal* resp = new RecordVal(BifType::Record::SMB2::SessionSetupResponse); resp->Assign(0, flags); - BifEvent::generate_smb2_session_setup_response(bro_analyzer(), + BifEvent::generate_smb2_session_setup_response(bro_analyzer(), bro_analyzer()->Conn(), BuildSMB2HeaderVal(h), resp); diff --git a/src/analyzer/protocol/smb/smb2-com-set-info.pac b/src/analyzer/protocol/smb/smb2-com-set-info.pac index 5a5570f86f..60ee5554c2 100644 --- a/src/analyzer/protocol/smb/smb2-com-set-info.pac +++ b/src/analyzer/protocol/smb/smb2-com-set-info.pac 
@@ -9,14 +9,14 @@ refine connection SMB_Conn += { function proc_smb2_set_info_request(h: SMB2_Header, val: SMB2_set_info_request): bool %{ - //if ( smb2_set_info_request && + //if ( smb2_set_info_request && // ${val.info_type} == SMB2_0_INFO_FILE && // ${val.file_info_class} == 0x14 ) // { // RecordVal* req = new RecordVal(BifType::Record::SMB2::SetInfoRequest); // //req->Assign(0, new Val(${val.eof}, TYPE_COUNT)); // req->Assign(0, new Val(0, TYPE_COUNT)); - // + // // BifEvent::generate_smb2_set_info_request(bro_analyzer(), // bro_analyzer()->Conn(), // BuildSMB2HeaderVal(h), diff --git a/src/analyzer/protocol/smb/smb2-com-tree-connect.pac b/src/analyzer/protocol/smb/smb2-com-tree-connect.pac index f2860172b1..1c8b4d5978 100644 --- a/src/analyzer/protocol/smb/smb2-com-tree-connect.pac +++ b/src/analyzer/protocol/smb/smb2-com-tree-connect.pac @@ -7,7 +7,7 @@ refine connection SMB_Conn += { bro_analyzer()->Conn(), BuildSMB2HeaderVal(header), smb2_string2stringval(${val.path})); - + return true; %} diff --git a/src/analyzer/protocol/smb/smb2-com-write.pac b/src/analyzer/protocol/smb/smb2-com-write.pac index 13b0a0828b..f463afc767 100644 --- a/src/analyzer/protocol/smb/smb2-com-write.pac +++ b/src/analyzer/protocol/smb/smb2-com-write.pac @@ -4,7 +4,7 @@ refine connection SMB_Conn += { %{ if ( smb2_write_request ) { - BifEvent::generate_smb2_write_request(bro_analyzer(), + BifEvent::generate_smb2_write_request(bro_analyzer(), bro_analyzer()->Conn(), BuildSMB2HeaderVal(h), BuildSMB2GUID(${val.file_id}), @@ -24,7 +24,6 @@ refine connection SMB_Conn += { function proc_smb2_write_response(h: SMB2_Header, val: SMB2_write_response) : bool %{ - return true; %} diff --git a/src/analyzer/protocol/smb/smb2-protocol.pac b/src/analyzer/protocol/smb/smb2-protocol.pac index 222a8f9d13..523ab3b890 100644 --- a/src/analyzer/protocol/smb/smb2-protocol.pac +++ b/src/analyzer/protocol/smb/smb2-protocol.pac 
@@ -1,4 +1,4 @@ -# Documentation for SMB2 protocol from here: +# Documentation for SMB2 protocol from here: # http://msdn.microsoft.com/en-us/library/cc246497(v=PROT.13).aspx enum smb2_commands { @@ -32,7 +32,7 @@ enum smb2_share_types { type SMB2_PDU(is_orig: bool) = record { header : SMB2_Header(is_orig); message : case header.status of { - # Status 0 indicates success. In the case of a + # Status 0 indicates success. In the case of a # request this should just happen to work out due to # how the fields are set. 0 -> msg : SMB2_Message(header, is_orig); @@ -66,7 +66,7 @@ type SMB2_Message_Request(header: SMB2_Header) = case header.command of { SMB2_QUERY_INFO -> query_info : SMB2_query_info_request(header); SMB2_SET_INFO -> set_info : SMB2_set_info_request(header); SMB2_OPLOCK_BREAK -> oplock_break : SMB2_oplock_break(header); - + default -> unknown_msg : empty; # TODO: do something different here! } &byteorder = littleendian; @@ -108,7 +108,7 @@ refine connection SMB_Conn += { r->Assign(7, new Val(${hdr.tree_id}, TYPE_COUNT)); r->Assign(8, new Val(${hdr.session_id}, TYPE_COUNT)); r->Assign(9, bytestring_to_val(${hdr.signature})); - + return r; %} diff --git a/src/analyzer/protocol/smb/smb2_com_ioctl.bif b/src/analyzer/protocol/smb/smb2_com_ioctl.bif index e69de29bb2..222a4a41e0 100644 --- a/src/analyzer/protocol/smb/smb2_com_ioctl.bif +++ b/src/analyzer/protocol/smb/smb2_com_ioctl.bif @@ -0,0 +1 @@ +# Emoty. diff --git a/src/analyzer/protocol/smb/smb2_com_tree_disconnect.bif b/src/analyzer/protocol/smb/smb2_com_tree_disconnect.bif index 8b13789179..996cee9ad8 100644 --- a/src/analyzer/protocol/smb/smb2_com_tree_disconnect.bif +++ b/src/analyzer/protocol/smb/smb2_com_tree_disconnect.bif @@ -1 +1 @@ - +# Empty.
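Review bot: The new placeholder line in `smb2_com_ioctl.bif` reads `# Emoty.`, a typo; the equivalent lines added to `gssapi/types.bif` and `smb2_com_tree_disconnect.bif` in this same commit spell it `# Empty.`, so this one should match: `# Empty.`. Keeping the placeholder text identical also makes it easy to grep for BIF files that are intentionally empty.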