Minor cleanup.

This commit is contained in:
Robin Sommer 2016-07-07 11:55:57 -07:00
parent 781fdfa5ba
commit ad4263a98d
39 changed files with 102 additions and 105 deletions


@ -6,7 +6,7 @@ refine connection DCE_RPC_Conn += {
%} %}
%init{ %init{
fid=0; fid = 0;
%} %}
function set_file_id(fid_in: uint64): bool function set_file_id(fid_in: uint64): bool


@ -14,10 +14,8 @@ refine connection DCE_RPC_Conn += {
%} %}
%cleanup{ %cleanup{
if ( gssapi ) delete gssapi;
delete gssapi; delete ntlm;
if ( ntlm )
delete ntlm;
%} %}
function forward_auth(auth: DCE_RPC_Auth, is_orig: bool): bool function forward_auth(auth: DCE_RPC_Auth, is_orig: bool): bool
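Review bot: Removing the null guards in `%cleanup{` is only safe if both `gssapi` and `ntlm` are initialised to null in `%init{` or at their declaration, since `delete` on a null pointer is a no-op but `delete` on an uninitialised pointer is undefined behaviour; the `%init{` block is outside this hunk, so that should be confirmed rather than assumed. If they are nulled there, the unguarded form is equivalent to the old code and a one-line comment would make the reliance explicit, e.g. `// delete on null is a no-op; both members are nulled in %init`. The enclosing `refine connection DCE_RPC_Conn` block starts before and continues past the hunk.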


@ -0,0 +1 @@
# Empty.


@ -29,7 +29,7 @@ refine connection NTLM_Conn += {
RecordVal* result = new RecordVal(BifType::Record::NTLM::AVs); RecordVal* result = new RecordVal(BifType::Record::NTLM::AVs);
for ( uint i = 0; ${val.pairs[i].id} != 0; i++ ) for ( uint i = 0; ${val.pairs[i].id} != 0; i++ )
{ {
switch ( ${val.pairs[i].id} ) switch ( ${val.pairs[i].id} )
{ {
case 1: case 1:
result->Assign(0, utf16_bytestring_to_utf8_val(${val.pairs[i].nb_computer_name.data})); result->Assign(0, utf16_bytestring_to_utf8_val(${val.pairs[i].nb_computer_name.data}));
@ -106,7 +106,7 @@ refine connection NTLM_Conn += {
if ( ${val.flags.negotiate_version} ) if ( ${val.flags.negotiate_version} )
result->Assign(3, build_version_record(${val.version})); result->Assign(3, build_version_record(${val.version}));
BifEvent::generate_ntlm_negotiate(bro_analyzer(), BifEvent::generate_ntlm_negotiate(bro_analyzer(),
bro_analyzer()->Conn(), bro_analyzer()->Conn(),
result); result);
@ -127,7 +127,7 @@ refine connection NTLM_Conn += {
if ( ${val.flags.negotiate_target_info} ) if ( ${val.flags.negotiate_target_info} )
result->Assign(3, build_av_record(${val.target_info})); result->Assign(3, build_av_record(${val.target_info}));
BifEvent::generate_ntlm_challenge(bro_analyzer(), BifEvent::generate_ntlm_challenge(bro_analyzer(),
bro_analyzer()->Conn(), bro_analyzer()->Conn(),
result); result);


@ -168,13 +168,13 @@ type NTLM_Negotiate_Flags = record {
negotiate_56 : bool = (flags & 0x80000000) > 0; negotiate_56 : bool = (flags & 0x80000000) > 0;
negotiate_key_exch : bool = (flags & 0x40000000) > 0; negotiate_key_exch : bool = (flags & 0x40000000) > 0;
negotiate_128 : bool = (flags & 0x20000000) > 0; negotiate_128 : bool = (flags & 0x20000000) > 0;
negotiate_version : bool = (flags & 0x02000000) > 0; negotiate_version : bool = (flags & 0x02000000) > 0;
negotiate_target_info : bool = (flags & 0x00800000) > 0; negotiate_target_info : bool = (flags & 0x00800000) > 0;
request_non_nt_session_key : bool = (flags & 0x00400000) > 0; request_non_nt_session_key : bool = (flags & 0x00400000) > 0;
negotiate_identify : bool = (flags & 0x00100000) > 0; negotiate_identify : bool = (flags & 0x00100000) > 0;
negotiate_extended_sessionsecurity : bool = (flags & 0x00040000) > 0; negotiate_extended_sessionsecurity : bool = (flags & 0x00040000) > 0;
target_type_server : bool = (flags & 0x00020000) > 0; target_type_server : bool = (flags & 0x00020000) > 0;
target_type_domain : bool = (flags & 0x00010000) > 0; target_type_domain : bool = (flags & 0x00010000) > 0;


@ -5,7 +5,7 @@ include_directories(AFTER ${CMAKE_CURRENT_BINARY_DIR}/../dce-rpc)
bro_plugin_begin(Bro SMB) bro_plugin_begin(Bro SMB)
bro_plugin_cc(SMB.cc Plugin.cc) bro_plugin_cc(SMB.cc Plugin.cc)
bro_plugin_bif( bro_plugin_bif(
smb1_com_check_directory.bif smb1_com_check_directory.bif
smb1_com_close.bif smb1_com_close.bif
smb1_com_create_directory.bif smb1_com_create_directory.bif


@ -159,7 +159,7 @@ void Contents_SMB::DeliverStream(int len, const u_char* data, bool orig)
{ {
TCP_SupportAnalyzer::DeliverStream(len, data, orig); TCP_SupportAnalyzer::DeliverStream(len, data, orig);
if (!CheckResync(len, data, orig)) if ( ! CheckResync(len, data, orig))
return; // Not in sync yet. Still resyncing return; // Not in sync yet. Still resyncing
while ( len > 0 ) while ( len > 0 )
@ -172,7 +172,7 @@ void Contents_SMB::DeliverStream(int len, const u_char* data, bool orig)
msg_type = data[0]; msg_type = data[0];
for ( int i = 1; i < 4; i++) for ( int i = 1; i < 4; i++)
msg_len = (msg_len << 8) + data[i]; msg_len = (msg_len << 8) + data[i];
msg_len+=4; msg_len += 4;
msg_buf.Init(SMB_MAX_LEN+4, msg_len); msg_buf.Init(SMB_MAX_LEN+4, msg_len);
state = WAIT_FOR_DATA; state = WAIT_FOR_DATA;
} }


@ -61,7 +61,7 @@ enum SMB_Command {
SMB_COM_TRANSACTION2_SECONDARY = 0x33, SMB_COM_TRANSACTION2_SECONDARY = 0x33,
SMB_COM_FIND_CLOSE2 = 0x34, SMB_COM_FIND_CLOSE2 = 0x34,
SMB_COM_FIND_NOTIFY_CLOSE = 0x35, SMB_COM_FIND_NOTIFY_CLOSE = 0x35,
SMB_COM_TREE_CONNECT = 0x70, SMB_COM_TREE_CONNECT = 0x70,
SMB_COM_TREE_DISCONNECT = 0x71, SMB_COM_TREE_DISCONNECT = 0x71,
SMB_COM_NEGOTIATE = 0x72, SMB_COM_NEGOTIATE = 0x72,
@ -84,7 +84,7 @@ enum SMB_Command {
SMB_COM_GET_PRINT_QUEUE = 0xC3, SMB_COM_GET_PRINT_QUEUE = 0xC3,
SMB_COM_READ_BULK = 0xD8, SMB_COM_READ_BULK = 0xD8,
SMB_COM_WRITE_BULK = 0xD9, SMB_COM_WRITE_BULK = 0xD9,
SMB_COM_WRITE_BULK_DATA = 0xDA, SMB_COM_WRITE_BULK_DATA = 0xDA,
}; };
enum SMB_Status { enum SMB_Status {
@ -269,12 +269,12 @@ function determine_transaction_type(setup_count: int, name: SMB_string): Transac
{ {
return SMB_PIPE; return SMB_PIPE;
} }
//if ( setup_count == 3 || //if ( setup_count == 3 ||
// bytestring_caseprefix( extract_string(name), "\\MAILSLOT\\" ) ) // bytestring_caseprefix( extract_string(name), "\\MAILSLOT\\" ) )
// { // {
// return SMB_MAILSLOT_BROWSE; // return SMB_MAILSLOT_BROWSE;
// } // }
return SMB_UNKNOWN; return SMB_UNKNOWN;
%} %}


@ -14,10 +14,10 @@ function filetime2brotime(ts: uint64): Val
%{ %{
double secs = (ts / 10000000.0); double secs = (ts / 10000000.0);
// Bro can't support times back to the 1600's // Bro can't support times back to the 1600's
// so we subtract a lot of seconds. // so we subtract a lot of seconds.
Val* bro_ts = new Val(secs - 11644473600.0, TYPE_TIME); Val* bro_ts = new Val(secs - 11644473600.0, TYPE_TIME);
return bro_ts; return bro_ts;
%} %}


@ -4,7 +4,7 @@ refine connection SMB_Conn += {
%{ %{
if ( smb1_check_directory_request ) if ( smb1_check_directory_request )
BifEvent::generate_smb1_check_directory_request(bro_analyzer(), bro_analyzer()->Conn(), BifEvent::generate_smb1_check_directory_request(bro_analyzer(), bro_analyzer()->Conn(),
BuildHeaderVal(header), BuildHeaderVal(header),
smb_string2stringval(${val.directory_name})); smb_string2stringval(${val.directory_name}));
return true; return true;
%} %}
@ -13,7 +13,7 @@ refine connection SMB_Conn += {
%{ %{
if ( smb1_check_directory_response ) if ( smb1_check_directory_response )
BifEvent::generate_smb1_check_directory_response(bro_analyzer(), bro_analyzer()->Conn(), BifEvent::generate_smb1_check_directory_response(bro_analyzer(), bro_analyzer()->Conn(),
BuildHeaderVal(header)); BuildHeaderVal(header));
return true; return true;
%} %}


@ -11,7 +11,7 @@ refine connection SMB_Conn += {
// This is commented out for the moment because it caused problems // This is commented out for the moment because it caused problems
// with extraction because the file kept having the same name due // with extraction because the file kept having the same name due
// to repeatedly having the same file uid. This results in files // to repeatedly having the same file uid. This results in files
// effectively falling of SMB solely by expiration instead of // effectively falling of SMB solely by expiration instead of
// manually being closed. // manually being closed.
//file_mgr->EndOfFile(bro_analyzer()->GetAnalyzerTag(), //file_mgr->EndOfFile(bro_analyzer()->GetAnalyzerTag(),
@ -27,7 +27,7 @@ type SMB1_close_request(header: SMB_Header) = record {
word_count : uint8; word_count : uint8;
file_id : uint16; file_id : uint16;
last_modified_time : SMB_timestamp32; last_modified_time : SMB_timestamp32;
byte_count : uint16; byte_count : uint16;
} &let { } &let {
proc : bool = $context.connection.proc_smb1_close_request(header, this); proc : bool = $context.connection.proc_smb1_close_request(header, this);


@ -4,7 +4,7 @@ refine connection SMB_Conn += {
%{ %{
if ( smb1_create_directory_request ) if ( smb1_create_directory_request )
BifEvent::generate_smb1_create_directory_request(bro_analyzer(), bro_analyzer()->Conn(), BifEvent::generate_smb1_create_directory_request(bro_analyzer(), bro_analyzer()->Conn(),
BuildHeaderVal(header), BuildHeaderVal(header),
smb_string2stringval(${val.directory_name})); smb_string2stringval(${val.directory_name}));
return true; return true;
%} %}
@ -12,7 +12,7 @@ refine connection SMB_Conn += {
%{ %{
if ( smb1_create_directory_response ) if ( smb1_create_directory_response )
BifEvent::generate_smb1_create_directory_response(bro_analyzer(), bro_analyzer()->Conn(), BifEvent::generate_smb1_create_directory_response(bro_analyzer(), bro_analyzer()->Conn(),
BuildHeaderVal(header)); BuildHeaderVal(header));
return true; return true;
%} %}


@ -3,15 +3,15 @@ refine connection SMB_Conn += {
function proc_smb1_echo_request(header: SMB_Header, val: SMB1_echo_request): bool function proc_smb1_echo_request(header: SMB_Header, val: SMB1_echo_request): bool
%{ %{
if ( smb1_echo_request ) if ( smb1_echo_request )
BifEvent::generate_smb1_echo_request(bro_analyzer(), bro_analyzer()->Conn(), BifEvent::generate_smb1_echo_request(bro_analyzer(), bro_analyzer()->Conn(),
${val.echo_count}, bytestring_to_val(${val.data})); ${val.echo_count}, bytestring_to_val(${val.data}));
return true; return true;
%} %}
function proc_smb1_echo_response(header: SMB_Header, val: SMB1_echo_response): bool function proc_smb1_echo_response(header: SMB_Header, val: SMB1_echo_response): bool
%{ %{
if ( smb1_echo_response ) if ( smb1_echo_response )
BifEvent::generate_smb1_echo_response(bro_analyzer(), bro_analyzer()->Conn(), BifEvent::generate_smb1_echo_response(bro_analyzer(), bro_analyzer()->Conn(),
${val.seq_num}, bytestring_to_val(${val.data})); ${val.seq_num}, bytestring_to_val(${val.data}));
return true; return true;
%} %}


@ -53,7 +53,7 @@ type SMB1_locking_andx_request(header: SMB_Header) = record {
# http://msdn.microsoft.com/en-us/library/ee441519.aspx # http://msdn.microsoft.com/en-us/library/ee441519.aspx
type SMB1_locking_andx_response(header: SMB_Header) = record { type SMB1_locking_andx_response(header: SMB_Header) = record {
} &let { } &let {
proc : bool = $context.connection.proc_smb1_locking_andx_response(header, this); proc : bool = $context.connection.proc_smb1_locking_andx_response(header, this);
}; };


@ -1,4 +1,4 @@
# This is an original Core Protocol command. # This is an original Core Protocol command.
# #
# This command is used to initiate an SMB connection between the # This command is used to initiate an SMB connection between the
# client and the server. An SMB_COM_NEGOTIATE exchange MUST be # client and the server. An SMB_COM_NEGOTIATE exchange MUST be
@ -42,12 +42,12 @@ refine connection SMB_Conn += {
RecordVal* security; RecordVal* security;
RecordVal* raw; RecordVal* raw;
RecordVal* capabilities; RecordVal* capabilities;
switch ( ${val.word_count} ) switch ( ${val.word_count} )
{ {
case 0x01: case 0x01:
core = new RecordVal(BifType::Record::SMB1::NegotiateResponseCore); core = new RecordVal(BifType::Record::SMB1::NegotiateResponseCore);
core->Assign(0, new Val(${val.dialect_index}, TYPE_COUNT)); core->Assign(0, new Val(${val.dialect_index}, TYPE_COUNT));
response->Assign(0, core); response->Assign(0, core);
break; break;
@ -66,7 +66,7 @@ refine connection SMB_Conn += {
lanman->Assign(2, security); lanman->Assign(2, security);
lanman->Assign(3, new Val(${val.lanman.max_buffer_size}, TYPE_COUNT)); lanman->Assign(3, new Val(${val.lanman.max_buffer_size}, TYPE_COUNT));
lanman->Assign(4, new Val(${val.lanman.max_mpx_count}, TYPE_COUNT)); lanman->Assign(4, new Val(${val.lanman.max_mpx_count}, TYPE_COUNT));
lanman->Assign(5, new Val(${val.lanman.max_number_vcs}, TYPE_COUNT)); lanman->Assign(5, new Val(${val.lanman.max_number_vcs}, TYPE_COUNT));
lanman->Assign(6, raw); lanman->Assign(6, raw);
lanman->Assign(7, new Val(${val.lanman.session_key}, TYPE_COUNT)); lanman->Assign(7, new Val(${val.lanman.session_key}, TYPE_COUNT));
@ -74,7 +74,7 @@ refine connection SMB_Conn += {
lanman->Assign(9, bytestring_to_val(${val.lanman.encryption_key})); lanman->Assign(9, bytestring_to_val(${val.lanman.encryption_key}));
lanman->Assign(10, smb_string2stringval(${val.lanman.primary_domain})); lanman->Assign(10, smb_string2stringval(${val.lanman.primary_domain}));
response->Assign(1, lanman); response->Assign(1, lanman);
break; break;
@ -114,14 +114,14 @@ refine connection SMB_Conn += {
ntlm->Assign(2, security); ntlm->Assign(2, security);
ntlm->Assign(3, new Val(${val.ntlm.max_buffer_size}, TYPE_COUNT)); ntlm->Assign(3, new Val(${val.ntlm.max_buffer_size}, TYPE_COUNT));
ntlm->Assign(4, new Val(${val.ntlm.max_mpx_count}, TYPE_COUNT)); ntlm->Assign(4, new Val(${val.ntlm.max_mpx_count}, TYPE_COUNT));
ntlm->Assign(5, new Val(${val.ntlm.max_number_vcs}, TYPE_COUNT)); ntlm->Assign(5, new Val(${val.ntlm.max_number_vcs}, TYPE_COUNT));
ntlm->Assign(6, new Val(${val.ntlm.max_raw_size}, TYPE_COUNT)); ntlm->Assign(6, new Val(${val.ntlm.max_raw_size}, TYPE_COUNT));
ntlm->Assign(7, new Val(${val.ntlm.session_key}, TYPE_COUNT)); ntlm->Assign(7, new Val(${val.ntlm.session_key}, TYPE_COUNT));
ntlm->Assign(8, capabilities); ntlm->Assign(8, capabilities);
ntlm->Assign(9, filetime2brotime(${val.ntlm.server_time})); ntlm->Assign(9, filetime2brotime(${val.ntlm.server_time}));
if ( ${val.ntlm.capabilities_extended_security} == false ) if ( ${val.ntlm.capabilities_extended_security} == false )
{ {
ntlm->Assign(10, bytestring_to_val(${val.ntlm.encryption_key})); ntlm->Assign(10, bytestring_to_val(${val.ntlm.encryption_key}));
ntlm->Assign(11, smb_string2stringval(${val.ntlm.domain_name})); ntlm->Assign(11, smb_string2stringval(${val.ntlm.domain_name}));
@ -130,13 +130,13 @@ refine connection SMB_Conn += {
{ {
ntlm->Assign(12, bytestring_to_val(${val.ntlm.server_guid})); ntlm->Assign(12, bytestring_to_val(${val.ntlm.server_guid}));
} }
response->Assign(2, ntlm); response->Assign(2, ntlm);
break; break;
} }
BifEvent::generate_smb1_negotiate_response(bro_analyzer(), bro_analyzer()->Conn(), BuildHeaderVal(header), response); BifEvent::generate_smb1_negotiate_response(bro_analyzer(), bro_analyzer()->Conn(), BuildHeaderVal(header), response);
} }
return true; return true;
%} %}
}; };
@ -155,7 +155,7 @@ type SMB1_negotiate_request(header: SMB_Header) = record {
}; };
type SMB1_negotiate_response(header: SMB_Header) = record { type SMB1_negotiate_response(header: SMB_Header) = record {
word_count: uint8; word_count: uint8;
dialect_index: uint16; dialect_index: uint16;
response: case word_count of { response: case word_count of {
0x01 -> core : SMB1_negotiate_core_response; 0x01 -> core : SMB1_negotiate_core_response;


@ -14,7 +14,7 @@ refine connection SMB_Conn += {
// create_options : uint32; // create_options : uint32;
// impersonation_level : uint32; // impersonation_level : uint32;
// security_flags : uint8; // security_flags : uint8;
// //
// byte_count : uint16; // byte_count : uint16;
// filename : SMB_string(header.unicode, offsetof(filename)) &length=name_length; // filename : SMB_string(header.unicode, offsetof(filename)) &length=name_length;
@ -43,7 +43,7 @@ refine connection SMB_Conn += {
if ( ${val.end_of_file} > 0 ) if ( ${val.end_of_file} > 0 )
{ {
//file_mgr->SetSize(${val.end_of_file}, //file_mgr->SetSize(${val.end_of_file},
// bro_analyzer()->GetAnalyzerTag(), // bro_analyzer()->GetAnalyzerTag(),
// bro_analyzer()->Conn(), // bro_analyzer()->Conn(),
// header->is_orig()); // header->is_orig());
@ -59,7 +59,7 @@ type SMB1_nt_create_andx_request(header: SMB_Header) = record {
word_count : uint8; word_count : uint8;
andx : SMB_andx; andx : SMB_andx;
reserved : uint8; reserved : uint8;
name_length : uint16; name_length : uint16;
flags : uint32; flags : uint32;
root_dir_file_id : uint32; root_dir_file_id : uint32;
@ -71,10 +71,10 @@ type SMB1_nt_create_andx_request(header: SMB_Header) = record {
create_options : uint32; create_options : uint32;
impersonation_level : uint32; impersonation_level : uint32;
security_flags : uint8; security_flags : uint8;
byte_count : uint16; byte_count : uint16;
filename : SMB_string(header.unicode, offsetof(filename)); filename : SMB_string(header.unicode, offsetof(filename));
andx_command : SMB_andx_command(header, 1, andx.command); andx_command : SMB_andx_command(header, 1, andx.command);
} &let { } &let {
proc : bool = $context.connection.proc_smb1_nt_create_andx_request(header, this); proc : bool = $context.connection.proc_smb1_nt_create_andx_request(header, this);
@ -96,7 +96,7 @@ type SMB1_nt_create_andx_response(header: SMB_Header) = record {
resource_type : uint16; resource_type : uint16;
nm_pipe_status : uint16; nm_pipe_status : uint16;
directory : uint8; directory : uint8;
byte_count : uint16; byte_count : uint16;
} &let { } &let {
proc : bool = $context.connection.proc_smb1_nt_create_andx_response(header, this); proc : bool = $context.connection.proc_smb1_nt_create_andx_response(header, this);

View file

@ -1,5 +1,3 @@
# Copyright (c) Broala LLC. All Rights Reserved. No use or distribution without permission.
refine connection SMB_Conn += { refine connection SMB_Conn += {
function proc_smb1_open_andx_request(h: SMB_Header, val: SMB1_open_andx_request): bool function proc_smb1_open_andx_request(h: SMB_Header, val: SMB1_open_andx_request): bool


@ -20,7 +20,7 @@ refine connection SMB_Conn += {
type SMB1_query_information_request(header: SMB_Header) = record { type SMB1_query_information_request(header: SMB_Header) = record {
word_count : uint8; word_count : uint8;
byte_count : uint16; byte_count : uint16;
buffer_format : uint8; buffer_format : uint8;
filename : SMB_string(header.unicode, offsetof(filename)); filename : SMB_string(header.unicode, offsetof(filename));


@ -1,7 +1,7 @@
refine connection SMB_Conn += { refine connection SMB_Conn += {
%member{ %member{
// Track read offsets to provide correct // Track read offsets to provide correct
// offsets for file manager. // offsets for file manager.
std::map<uint16,uint64> read_offsets; std::map<uint16,uint64> read_offsets;
%} %}
@ -77,7 +77,7 @@ type SMB1_read_andx_response(header: SMB_Header) = record {
data_offset : uint16; data_offset : uint16;
data_len_high : uint16; data_len_high : uint16;
reserved2 : uint64; reserved2 : uint64;
byte_count : uint16; byte_count : uint16;
pad : padding to data_offset - SMB_Header_length; pad : padding to data_offset - SMB_Header_length;
data : bytestring &length=data_len; data : bytestring &length=data_len;


@ -14,7 +14,7 @@ refine connection SMB_Conn += {
{ {
RecordVal* request = new RecordVal(BifType::Record::SMB1::SessionSetupAndXRequest); RecordVal* request = new RecordVal(BifType::Record::SMB1::SessionSetupAndXRequest);
RecordVal* capabilities; RecordVal* capabilities;
request->Assign(0, new Val(${val.word_count}, TYPE_COUNT)); request->Assign(0, new Val(${val.word_count}, TYPE_COUNT));
switch ( ${val.word_count} ) { switch ( ${val.word_count} ) {
case 10: // pre NT LM 0.12 case 10: // pre NT LM 0.12
@ -38,7 +38,7 @@ refine connection SMB_Conn += {
capabilities->Assign(3, new Val(${val.ntlm_extended_security.capabilities.status32}, TYPE_BOOL)); capabilities->Assign(3, new Val(${val.ntlm_extended_security.capabilities.status32}, TYPE_BOOL));
capabilities->Assign(4, new Val(${val.ntlm_extended_security.capabilities.level_2_oplocks}, TYPE_BOOL)); capabilities->Assign(4, new Val(${val.ntlm_extended_security.capabilities.level_2_oplocks}, TYPE_BOOL));
capabilities->Assign(5, new Val(${val.ntlm_extended_security.capabilities.nt_find}, TYPE_BOOL)); capabilities->Assign(5, new Val(${val.ntlm_extended_security.capabilities.nt_find}, TYPE_BOOL));
request->Assign(1, new Val(${val.ntlm_extended_security.max_buffer_size}, TYPE_COUNT)); request->Assign(1, new Val(${val.ntlm_extended_security.max_buffer_size}, TYPE_COUNT));
request->Assign(2, new Val(${val.ntlm_extended_security.max_mpx_count}, TYPE_COUNT)); request->Assign(2, new Val(${val.ntlm_extended_security.max_mpx_count}, TYPE_COUNT));
request->Assign(3, new Val(${val.ntlm_extended_security.vc_number}, TYPE_COUNT)); request->Assign(3, new Val(${val.ntlm_extended_security.vc_number}, TYPE_COUNT));
@ -49,7 +49,7 @@ refine connection SMB_Conn += {
request->Assign(13, capabilities); request->Assign(13, capabilities);
break; break;
case 13: // NT LM 0.12 without extended security case 13: // NT LM 0.12 without extended security
capabilities = new RecordVal(BifType::Record::SMB1::SessionSetupAndXCapabilities); capabilities = new RecordVal(BifType::Record::SMB1::SessionSetupAndXCapabilities);
capabilities->Assign(0, new Val(${val.ntlm_nonextended_security.capabilities.unicode}, TYPE_BOOL)); capabilities->Assign(0, new Val(${val.ntlm_nonextended_security.capabilities.unicode}, TYPE_BOOL));
@ -58,7 +58,7 @@ refine connection SMB_Conn += {
capabilities->Assign(3, new Val(${val.ntlm_nonextended_security.capabilities.status32}, TYPE_BOOL)); capabilities->Assign(3, new Val(${val.ntlm_nonextended_security.capabilities.status32}, TYPE_BOOL));
capabilities->Assign(4, new Val(${val.ntlm_nonextended_security.capabilities.level_2_oplocks}, TYPE_BOOL)); capabilities->Assign(4, new Val(${val.ntlm_nonextended_security.capabilities.level_2_oplocks}, TYPE_BOOL));
capabilities->Assign(5, new Val(${val.ntlm_nonextended_security.capabilities.nt_find}, TYPE_BOOL)); capabilities->Assign(5, new Val(${val.ntlm_nonextended_security.capabilities.nt_find}, TYPE_BOOL));
request->Assign(1, new Val(${val.ntlm_nonextended_security.max_buffer_size}, TYPE_COUNT)); request->Assign(1, new Val(${val.ntlm_nonextended_security.max_buffer_size}, TYPE_COUNT));
request->Assign(2, new Val(${val.ntlm_nonextended_security.max_mpx_count}, TYPE_COUNT)); request->Assign(2, new Val(${val.ntlm_nonextended_security.max_mpx_count}, TYPE_COUNT));
request->Assign(3, new Val(${val.ntlm_nonextended_security.vc_number}, TYPE_COUNT)); request->Assign(3, new Val(${val.ntlm_nonextended_security.vc_number}, TYPE_COUNT));
@ -79,7 +79,7 @@ refine connection SMB_Conn += {
} }
return true; return true;
%} %}
function proc_smb1_session_setup_andx_response(header: SMB_Header, val: SMB1_session_setup_andx_response): bool function proc_smb1_session_setup_andx_response(header: SMB_Header, val: SMB1_session_setup_andx_response): bool
%{ %{
if ( smb1_session_setup_andx_response ) if ( smb1_session_setup_andx_response )
@ -105,13 +105,13 @@ refine connection SMB_Conn += {
default: // Error! default: // Error!
break; break;
} }
BifEvent::generate_smb1_session_setup_andx_response(bro_analyzer(), BifEvent::generate_smb1_session_setup_andx_response(bro_analyzer(),
bro_analyzer()->Conn(), bro_analyzer()->Conn(),
BuildHeaderVal(header), BuildHeaderVal(header),
response); response);
} }
return true; return true;
%} %}


@ -8,7 +8,7 @@ type SMB1_transaction_secondary_request(header: SMB_Header) = record {
data_count : uint16; data_count : uint16;
data_offset : uint16; data_offset : uint16;
data_displacement : uint16; data_displacement : uint16;
byte_count : uint16; byte_count : uint16;
pad1 : padding to param_offset - SMB_Header_length; pad1 : padding to param_offset - SMB_Header_length;
parameters : bytestring &length = param_count; parameters : bytestring &length = param_count;


@ -32,10 +32,10 @@ refine connection SMB_Conn += {
function proc_smb1_transaction_request(header: SMB_Header, val: SMB1_transaction_request): bool function proc_smb1_transaction_request(header: SMB_Header, val: SMB1_transaction_request): bool
%{ %{
if ( smb1_transaction_request ) if ( smb1_transaction_request )
BifEvent::generate_smb1_transaction_request(bro_analyzer(), BifEvent::generate_smb1_transaction_request(bro_analyzer(),
bro_analyzer()->Conn(), bro_analyzer()->Conn(),
BuildHeaderVal(header), BuildHeaderVal(header),
smb_string2stringval(${val.name}), smb_string2stringval(${val.name}),
${val.sub_cmd}); ${val.sub_cmd});
return true; return true;
@ -84,7 +84,7 @@ type SMB1_transaction_request(header: SMB_Header) = record {
setup_count : uint8; setup_count : uint8;
reserved3 : uint8; reserved3 : uint8;
setup : SMB1_transaction_setup(header); setup : SMB1_transaction_setup(header);
byte_count : uint16; byte_count : uint16;
name : SMB_string(header.unicode, offsetof(name)); name : SMB_string(header.unicode, offsetof(name));
pad1 : padding to param_offset - SMB_Header_length; pad1 : padding to param_offset - SMB_Header_length;
@ -114,7 +114,7 @@ type SMB1_transaction_response(header: SMB_Header) = record {
setup_count : uint8; setup_count : uint8;
reserved2 : uint8; reserved2 : uint8;
setup : uint16[setup_count]; setup : uint16[setup_count];
byte_count : uint16; byte_count : uint16;
pad0 : padding to param_offset - SMB_Header_length; pad0 : padding to param_offset - SMB_Header_length;
parameters : bytestring &length = param_count; parameters : bytestring &length = param_count;


@ -24,7 +24,7 @@ refine connection SMB_Conn += {
%{ %{
if ( smb1_transaction2_request ) if ( smb1_transaction2_request )
BifEvent::generate_smb1_transaction2_request(bro_analyzer(), bro_analyzer()->Conn(), BuildHeaderVal(header), ${val.sub_cmd}); BifEvent::generate_smb1_transaction2_request(bro_analyzer(), bro_analyzer()->Conn(), BuildHeaderVal(header), ${val.sub_cmd});
return true; return true;
%} %}
@ -54,7 +54,7 @@ type SMB1_transaction2_request(header: SMB_Header) = record {
data_offset : uint16; data_offset : uint16;
setup_count : uint8; setup_count : uint8;
reserved3 : uint8; reserved3 : uint8;
# I suspect this needs a word_count check # I suspect this needs a word_count check
#setup : uint16[setup_count]; #setup : uint16[setup_count];
sub_cmd : uint16; sub_cmd : uint16;
@ -120,7 +120,7 @@ refine connection SMB_Conn += {
result->Assign(5, smb_string2stringval(${val.file_name})); result->Assign(5, smb_string2stringval(${val.file_name}));
BifEvent::generate_smb1_trans2_find_first2_request(bro_analyzer(), bro_analyzer()->Conn(), \ BifEvent::generate_smb1_trans2_find_first2_request(bro_analyzer(), bro_analyzer()->Conn(), \
BuildHeaderVal(header), result); BuildHeaderVal(header), result);
} }
return true; return true;
%} %}
@ -198,7 +198,7 @@ refine connection SMB_Conn += {
BifEvent::generate_smb1_trans2_query_path_info_request(bro_analyzer(), bro_analyzer()->Conn(), \ BifEvent::generate_smb1_trans2_query_path_info_request(bro_analyzer(), bro_analyzer()->Conn(), \
BuildHeaderVal(header), \ BuildHeaderVal(header), \
smb_string2stringval(${val.file_name})); smb_string2stringval(${val.file_name}));
} }
return true; return true;
%} %}


@ -31,7 +31,7 @@ type SMB1_tree_connect_andx_request(header: SMB_Header) = record {
andx : SMB_andx; andx : SMB_andx;
flags : uint16; flags : uint16;
password_length : uint16; password_length : uint16;
byte_count : uint16; byte_count : uint16;
password : uint8[password_length]; password : uint8[password_length];
path : SMB_string(header.unicode, offsetof(path)); path : SMB_string(header.unicode, offsetof(path));
@ -45,7 +45,7 @@ type SMB1_tree_connect_andx_response(header: SMB_Header) = record {
andx : SMB_andx; andx : SMB_andx;
optional_support : uint16; optional_support : uint16;
pad : padding[(word_count-3)*2]; pad : padding[(word_count-3)*2];
byte_count : uint16; byte_count : uint16;
service : SMB_string(0, offsetof(service)); service : SMB_string(0, offsetof(service));
native_file_system : SMB_string(header.unicode, offsetof(native_file_system)); native_file_system : SMB_string(header.unicode, offsetof(native_file_system));


@ -3,9 +3,9 @@ refine connection SMB_Conn += {
function proc_smb1_tree_disconnect(header: SMB_Header, val: SMB1_tree_disconnect): bool function proc_smb1_tree_disconnect(header: SMB_Header, val: SMB1_tree_disconnect): bool
%{ %{
if ( smb1_tree_disconnect ) if ( smb1_tree_disconnect )
BifEvent::generate_smb1_tree_disconnect(bro_analyzer(), BifEvent::generate_smb1_tree_disconnect(bro_analyzer(),
bro_analyzer()->Conn(), bro_analyzer()->Conn(),
BuildHeaderVal(header), BuildHeaderVal(header),
${val.is_orig}); ${val.is_orig});
return true; return true;
%} %}
@ -14,7 +14,7 @@ refine connection SMB_Conn += {
type SMB1_tree_disconnect(header: SMB_Header, is_orig: bool) = record { type SMB1_tree_disconnect(header: SMB_Header, is_orig: bool) = record {
word_count : uint8; word_count : uint8;
byte_count : uint16; byte_count : uint16;
} &let { } &let {
proc : bool = $context.connection.proc_smb1_tree_disconnect(header, this); proc : bool = $context.connection.proc_smb1_tree_disconnect(header, this);


@ -12,7 +12,7 @@ refine connection SMB_Conn += {
if ( ! ${val.is_pipe} && ${val.data}.length() > 0 ) if ( ! ${val.is_pipe} && ${val.data}.length() > 0 )
{ {
file_mgr->DataIn(${val.data}.begin(), ${val.data}.length(), file_mgr->DataIn(${val.data}.begin(), ${val.data}.length(),
${val.offset}, ${val.offset},
bro_analyzer()->GetAnalyzerTag(), bro_analyzer()->GetAnalyzerTag(),
bro_analyzer()->Conn(), h->is_orig()); bro_analyzer()->Conn(), h->is_orig());
@ -49,7 +49,7 @@ type SMB1_write_andx_request(header: SMB_Header) = record {
0x0E -> offset_high_tmp : uint32; 0x0E -> offset_high_tmp : uint32;
default -> null : empty; default -> null : empty;
}; };
byte_count : uint16; byte_count : uint16;
pad : padding to data_offset - SMB_Header_length; pad : padding to data_offset - SMB_Header_length;
data : bytestring &length=data_len; data : bytestring &length=data_len;
@ -70,7 +70,7 @@ type SMB1_write_andx_response(header: SMB_Header) = record {
remaining : uint16; remaining : uint16;
written_high : uint16; written_high : uint16;
reserved : uint16; reserved : uint16;
byte_count : uint16; byte_count : uint16;
} &let { } &let {
written_bytes : uint32 = (written_high * 0x10000) + written_low; written_bytes : uint32 = (written_high * 0x10000) + written_low;


@ -23,11 +23,11 @@ refine connection SMB_Conn += {
resp->Assign(1, new Val(${val.eof}, TYPE_COUNT)); resp->Assign(1, new Val(${val.eof}, TYPE_COUNT));
resp->Assign(2, SMB_BuildMACTimes(${val.last_write_time}, resp->Assign(2, SMB_BuildMACTimes(${val.last_write_time},
${val.last_access_time}, ${val.last_access_time},
${val.creation_time}, ${val.creation_time},
${val.change_time})); ${val.change_time}));
resp->Assign(3, smb2_file_attrs_to_bro(${val.file_attrs})); resp->Assign(3, smb2_file_attrs_to_bro(${val.file_attrs}));
BifEvent::generate_smb2_close_response(bro_analyzer(), BifEvent::generate_smb2_close_response(bro_analyzer(),
bro_analyzer()->Conn(), bro_analyzer()->Conn(),
BuildSMB2HeaderVal(h), BuildSMB2HeaderVal(h),
resp); resp);
@ -50,7 +50,7 @@ type SMB2_close_response(header: SMB2_Header) = record {
structure_size : uint16; structure_size : uint16;
flags : uint16; flags : uint16;
reserved : uint32; reserved : uint32;
creation_time : SMB_timestamp; creation_time : SMB_timestamp;
last_access_time : SMB_timestamp; last_access_time : SMB_timestamp;
last_write_time : SMB_timestamp; last_write_time : SMB_timestamp;


@ -17,21 +17,21 @@ refine connection SMB_Conn += {
%{ %{
if ( smb2_create_response ) if ( smb2_create_response )
{ {
BifEvent::generate_smb2_create_response(bro_analyzer(), BifEvent::generate_smb2_create_response(bro_analyzer(),
bro_analyzer()->Conn(), bro_analyzer()->Conn(),
BuildSMB2HeaderVal(h), BuildSMB2HeaderVal(h),
BuildSMB2GUID(${val.file_id}), BuildSMB2GUID(${val.file_id}),
${val.eof}, ${val.eof},
SMB_BuildMACTimes(${val.last_write_time}, SMB_BuildMACTimes(${val.last_write_time},
${val.last_access_time}, ${val.last_access_time},
${val.creation_time}, ${val.creation_time},
${val.change_time}), ${val.change_time}),
smb2_file_attrs_to_bro(${val.file_attrs})); smb2_file_attrs_to_bro(${val.file_attrs}));
} }
if ( ${val.eof} > 0 ) if ( ${val.eof} > 0 )
{ {
//file_mgr->SetSize(${val.eof}, //file_mgr->SetSize(${val.eof},
// bro_analyzer()->GetAnalyzerTag(), // bro_analyzer()->GetAnalyzerTag(),
// bro_analyzer()->Conn(), // bro_analyzer()->Conn(),
// h->is_orig()); // h->is_orig());
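Review bot: The `if ( ${val.eof} > 0 )` branch in this hunk has a body that is entirely commented out (the file_mgr->SetSize call), so the condition is evaluated for nothing; since this commit is a cleanup pass, either drop the block or leave a one-line comment stating why size propagation is disabled, e.g. `// file_mgr->SetSize() intentionally disabled: <reason>`. The same applies to the fully commented-out event generation in proc_smb2_set_info_request further down in this commit. The enclosing function starts before this hunk and the `if` body is cut at the hunk's end, so there may be more after the comment that I can't see.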


@ -20,7 +20,7 @@ refine connection SMB_Conn += {
smb2_ioctl_fids[${val.header.message_id}] = ${val.file_id.persistent} + ${val.file_id._volatile}; smb2_ioctl_fids[${val.header.message_id}] = ${val.file_id.persistent} + ${val.file_id._volatile};
return true; return true;
%} %}
}; };
type SMB2_ioctl_request(header: SMB2_Header) = record { type SMB2_ioctl_request(header: SMB2_Header) = record {
@ -68,4 +68,4 @@ type SMB2_ioctl_response(header: SMB2_Header) = record {
is_pipe : bool = (ctl_code == 0x0011C017); is_pipe : bool = (ctl_code == 0x0011C017);
fid : uint64 = $context.connection.get_ioctl_fid(header.message_id); fid : uint64 = $context.connection.get_ioctl_fid(header.message_id);
pipe_proc : bool = $context.connection.forward_dce_rpc(output_buffer, fid, false) &if(is_pipe); pipe_proc : bool = $context.connection.forward_dce_rpc(output_buffer, fid, false) &if(is_pipe);
}; };
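Review bot: The pipe detection on the is_pipe line compares ctl_code against the bare literal 0x0011C017; a named constant or at least a comment would make the intent readable, e.g. `is_pipe : bool = (ctl_code == 0x0011C017); # FSCTL_PIPE_TRANSCEIVE`. The records in both hunks of this section are only partially visible, so I can't tell whether the file already defines an enum of FSCTL codes that could be used instead.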


@ -1,5 +1,5 @@
refine connection SMB_Conn += { refine connection SMB_Conn += {
}; };
type SMB2_lock = record { type SMB2_lock = record {


@ -1,5 +1,5 @@
refine connection SMB_Conn += { refine connection SMB_Conn += {
function proc_smb2_negotiate_request(h: SMB2_Header, val: SMB2_negotiate_request) : bool function proc_smb2_negotiate_request(h: SMB2_Header, val: SMB2_negotiate_request) : bool
%{ %{
if ( smb2_negotiate_request ) if ( smb2_negotiate_request )
@ -16,13 +16,13 @@ refine connection SMB_Conn += {
return true; return true;
%} %}
function proc_smb2_negotiate_response(h: SMB2_Header, val: SMB2_negotiate_response) : bool function proc_smb2_negotiate_response(h: SMB2_Header, val: SMB2_negotiate_response) : bool
%{ %{
if ( smb2_negotiate_response ) if ( smb2_negotiate_response )
{ {
RecordVal* nr = new RecordVal(BifType::Record::SMB2::NegotiateResponse); RecordVal* nr = new RecordVal(BifType::Record::SMB2::NegotiateResponse);
nr->Assign(0, new Val(${val.dialect_revision}, TYPE_COUNT)); nr->Assign(0, new Val(${val.dialect_revision}, TYPE_COUNT));
nr->Assign(1, new Val(${val.security_mode}, TYPE_COUNT)); nr->Assign(1, new Val(${val.security_mode}, TYPE_COUNT));
nr->Assign(2, BuildSMB2GUID(${val.server_guid})), nr->Assign(2, BuildSMB2GUID(${val.server_guid})),
@ -32,7 +32,7 @@ refine connection SMB_Conn += {
BuildSMB2HeaderVal(h), BuildSMB2HeaderVal(h),
nr); nr);
} }
return true; return true;
%} %}
}; };
@ -70,4 +70,4 @@ type SMB2_negotiate_response(header: SMB2_Header) = record {
proc : bool = $context.connection.proc_smb2_negotiate_response(header, this); proc : bool = $context.connection.proc_smb2_negotiate_response(header, this);
gssapi_proc : bool = $context.connection.forward_gssapi(security_blob, false); gssapi_proc : bool = $context.connection.forward_gssapi(security_blob, false);
}; };


@ -1,7 +1,7 @@
refine connection SMB_Conn += { refine connection SMB_Conn += {
%member{ %member{
// Track read offsets to provide correct // Track read offsets to provide correct
// offsets for file manager. // offsets for file manager.
std::map<uint16,uint64> smb2_read_offsets; std::map<uint16,uint64> smb2_read_offsets;
std::map<uint64,uint64> smb2_read_fids; std::map<uint64,uint64> smb2_read_fids;
@ -30,7 +30,7 @@ refine connection SMB_Conn += {
${val.offset}, ${val.offset},
${val.read_len}); ${val.read_len});
} }
smb2_read_offsets[${h.message_id}] = ${val.offset}; smb2_read_offsets[${h.message_id}] = ${val.offset};
smb2_read_fids[${h.message_id}] = ${val.file_id.persistent} + ${val.file_id._volatile}; smb2_read_fids[${h.message_id}] = ${val.file_id.persistent} + ${val.file_id._volatile};
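Review bot: The two maps declared in the first hunk of this section use different key types for the same index: `std::map<uint16,uint64> smb2_read_offsets;` versus `std::map<uint64,uint64> smb2_read_fids;`, yet both are written with `${h.message_id}` in the second hunk. If message_id is wider than 16 bits (SMB2 headers carry a 64-bit MessageId), the offset map silently truncates its key, so distinct requests whose ids share the low 16 bits overwrite each other's offset and the file manager can be handed a wrong offset. Suggest `std::map<uint64,uint64> smb2_read_offsets;` to match its sibling. The code that erases entries from these maps is outside both hunks, so I can't confirm they are bounded; for an analyzer fed from the wire that is worth checking.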


@ -28,7 +28,7 @@ refine connection SMB_Conn += {
RecordVal* resp = new RecordVal(BifType::Record::SMB2::SessionSetupResponse); RecordVal* resp = new RecordVal(BifType::Record::SMB2::SessionSetupResponse);
resp->Assign(0, flags); resp->Assign(0, flags);
BifEvent::generate_smb2_session_setup_response(bro_analyzer(), BifEvent::generate_smb2_session_setup_response(bro_analyzer(),
bro_analyzer()->Conn(), bro_analyzer()->Conn(),
BuildSMB2HeaderVal(h), BuildSMB2HeaderVal(h),
resp); resp);


@ -9,14 +9,14 @@ refine connection SMB_Conn += {
function proc_smb2_set_info_request(h: SMB2_Header, val: SMB2_set_info_request): bool function proc_smb2_set_info_request(h: SMB2_Header, val: SMB2_set_info_request): bool
%{ %{
//if ( smb2_set_info_request && //if ( smb2_set_info_request &&
// ${val.info_type} == SMB2_0_INFO_FILE && // ${val.info_type} == SMB2_0_INFO_FILE &&
// ${val.file_info_class} == 0x14 ) // ${val.file_info_class} == 0x14 )
// { // {
// RecordVal* req = new RecordVal(BifType::Record::SMB2::SetInfoRequest); // RecordVal* req = new RecordVal(BifType::Record::SMB2::SetInfoRequest);
// //req->Assign(0, new Val(${val.eof}, TYPE_COUNT)); // //req->Assign(0, new Val(${val.eof}, TYPE_COUNT));
// req->Assign(0, new Val(0, TYPE_COUNT)); // req->Assign(0, new Val(0, TYPE_COUNT));
// //
// BifEvent::generate_smb2_set_info_request(bro_analyzer(), // BifEvent::generate_smb2_set_info_request(bro_analyzer(),
// bro_analyzer()->Conn(), // bro_analyzer()->Conn(),
// BuildSMB2HeaderVal(h), // BuildSMB2HeaderVal(h),


@ -7,7 +7,7 @@ refine connection SMB_Conn += {
bro_analyzer()->Conn(), bro_analyzer()->Conn(),
BuildSMB2HeaderVal(header), BuildSMB2HeaderVal(header),
smb2_string2stringval(${val.path})); smb2_string2stringval(${val.path}));
return true; return true;
%} %}


@ -4,7 +4,7 @@ refine connection SMB_Conn += {
%{ %{
if ( smb2_write_request ) if ( smb2_write_request )
{ {
BifEvent::generate_smb2_write_request(bro_analyzer(), BifEvent::generate_smb2_write_request(bro_analyzer(),
bro_analyzer()->Conn(), bro_analyzer()->Conn(),
BuildSMB2HeaderVal(h), BuildSMB2HeaderVal(h),
BuildSMB2GUID(${val.file_id}), BuildSMB2GUID(${val.file_id}),
@ -24,7 +24,6 @@ refine connection SMB_Conn += {
function proc_smb2_write_response(h: SMB2_Header, val: SMB2_write_response) : bool function proc_smb2_write_response(h: SMB2_Header, val: SMB2_write_response) : bool
%{ %{
return true; return true;
%} %}


@ -1,4 +1,4 @@
# Documentation for SMB2 protocol from here: # Documentation for SMB2 protocol from here:
# http://msdn.microsoft.com/en-us/library/cc246497(v=PROT.13).aspx # http://msdn.microsoft.com/en-us/library/cc246497(v=PROT.13).aspx
enum smb2_commands { enum smb2_commands {
@ -32,7 +32,7 @@ enum smb2_share_types {
type SMB2_PDU(is_orig: bool) = record { type SMB2_PDU(is_orig: bool) = record {
header : SMB2_Header(is_orig); header : SMB2_Header(is_orig);
message : case header.status of { message : case header.status of {
# Status 0 indicates success. In the case of a # Status 0 indicates success. In the case of a
# request this should just happen to work out due to # request this should just happen to work out due to
# how the fields are set. # how the fields are set.
0 -> msg : SMB2_Message(header, is_orig); 0 -> msg : SMB2_Message(header, is_orig);
@ -66,7 +66,7 @@ type SMB2_Message_Request(header: SMB2_Header) = case header.command of {
SMB2_QUERY_INFO -> query_info : SMB2_query_info_request(header); SMB2_QUERY_INFO -> query_info : SMB2_query_info_request(header);
SMB2_SET_INFO -> set_info : SMB2_set_info_request(header); SMB2_SET_INFO -> set_info : SMB2_set_info_request(header);
SMB2_OPLOCK_BREAK -> oplock_break : SMB2_oplock_break(header); SMB2_OPLOCK_BREAK -> oplock_break : SMB2_oplock_break(header);
default -> unknown_msg : empty; # TODO: do something different here! default -> unknown_msg : empty; # TODO: do something different here!
} &byteorder = littleendian; } &byteorder = littleendian;
@ -108,7 +108,7 @@ refine connection SMB_Conn += {
r->Assign(7, new Val(${hdr.tree_id}, TYPE_COUNT)); r->Assign(7, new Val(${hdr.tree_id}, TYPE_COUNT));
r->Assign(8, new Val(${hdr.session_id}, TYPE_COUNT)); r->Assign(8, new Val(${hdr.session_id}, TYPE_COUNT));
r->Assign(9, bytestring_to_val(${hdr.signature})); r->Assign(9, bytestring_to_val(${hdr.signature}));
return r; return r;
%} %}


@ -0,0 +1 @@
# Emoty.
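Review bot: The single added line reads `# Emoty.`, which looks like a typo for `# Empty.`; suggest `# Empty.`. If the file is a placeholder for a parser that is still to be written, a short comment naming what it is meant to hold would be more useful than the word alone.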