Minor cleanup.
This commit is contained in:
parent
781fdfa5ba
commit
ad4263a98d
39 changed files with 102 additions and 105 deletions
|
@ -6,7 +6,7 @@ refine connection DCE_RPC_Conn += {
|
|||
%}
|
||||
|
||||
%init{
|
||||
fid=0;
|
||||
fid = 0;
|
||||
%}
|
||||
|
||||
function set_file_id(fid_in: uint64): bool
|
||||
|
|
|
@ -14,10 +14,8 @@ refine connection DCE_RPC_Conn += {
|
|||
%}
|
||||
|
||||
%cleanup{
|
||||
if ( gssapi )
|
||||
delete gssapi;
|
||||
if ( ntlm )
|
||||
delete ntlm;
|
||||
delete gssapi;
|
||||
delete ntlm;
|
||||
%}
|
||||
|
||||
function forward_auth(auth: DCE_RPC_Auth, is_orig: bool): bool
|
||||
|
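Review bot: Dropping the `if ( gssapi )` / `if ( ntlm )` guards in `%cleanup` is only correct because `delete` on a null pointer is a no-op, so the new unconditional `delete gssapi;` / `delete ntlm;` now depends on both members being initialised to 0/nullptr before any path reaches cleanup; the `%init` block of this connection is not in the hunk, and if either member is left indeterminate until first use the cleanup would delete an uninitialised pointer. Worth confirming that `%init` (or the member declarations) null both pointers. A one-line comment above the two deletes, `// delete on a null pointer is a no-op, so no guard is needed`, would make the intent explicit for the next reader. The enclosing `refine connection DCE_RPC_Conn` block continues outside the hunk.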
|
|
@ -0,0 +1 @@
|
|||
# Empty.
|
|
@ -29,7 +29,7 @@ refine connection NTLM_Conn += {
|
|||
RecordVal* result = new RecordVal(BifType::Record::NTLM::AVs);
|
||||
for ( uint i = 0; ${val.pairs[i].id} != 0; i++ )
|
||||
{
|
||||
switch ( ${val.pairs[i].id} )
|
||||
switch ( ${val.pairs[i].id} )
|
||||
{
|
||||
case 1:
|
||||
result->Assign(0, utf16_bytestring_to_utf8_val(${val.pairs[i].nb_computer_name.data}));
|
||||
|
@ -106,7 +106,7 @@ refine connection NTLM_Conn += {
|
|||
if ( ${val.flags.negotiate_version} )
|
||||
result->Assign(3, build_version_record(${val.version}));
|
||||
|
||||
BifEvent::generate_ntlm_negotiate(bro_analyzer(),
|
||||
BifEvent::generate_ntlm_negotiate(bro_analyzer(),
|
||||
bro_analyzer()->Conn(),
|
||||
result);
|
||||
|
||||
|
@ -127,7 +127,7 @@ refine connection NTLM_Conn += {
|
|||
if ( ${val.flags.negotiate_target_info} )
|
||||
result->Assign(3, build_av_record(${val.target_info}));
|
||||
|
||||
BifEvent::generate_ntlm_challenge(bro_analyzer(),
|
||||
BifEvent::generate_ntlm_challenge(bro_analyzer(),
|
||||
bro_analyzer()->Conn(),
|
||||
result);
|
||||
|
||||
|
|
|
@ -168,13 +168,13 @@ type NTLM_Negotiate_Flags = record {
|
|||
negotiate_56 : bool = (flags & 0x80000000) > 0;
|
||||
negotiate_key_exch : bool = (flags & 0x40000000) > 0;
|
||||
negotiate_128 : bool = (flags & 0x20000000) > 0;
|
||||
|
||||
|
||||
negotiate_version : bool = (flags & 0x02000000) > 0;
|
||||
|
||||
|
||||
negotiate_target_info : bool = (flags & 0x00800000) > 0;
|
||||
request_non_nt_session_key : bool = (flags & 0x00400000) > 0;
|
||||
negotiate_identify : bool = (flags & 0x00100000) > 0;
|
||||
|
||||
|
||||
negotiate_extended_sessionsecurity : bool = (flags & 0x00040000) > 0;
|
||||
target_type_server : bool = (flags & 0x00020000) > 0;
|
||||
target_type_domain : bool = (flags & 0x00010000) > 0;
|
||||
|
|
|
@ -5,7 +5,7 @@ include_directories(AFTER ${CMAKE_CURRENT_BINARY_DIR}/../dce-rpc)
|
|||
|
||||
bro_plugin_begin(Bro SMB)
|
||||
bro_plugin_cc(SMB.cc Plugin.cc)
|
||||
bro_plugin_bif(
|
||||
bro_plugin_bif(
|
||||
smb1_com_check_directory.bif
|
||||
smb1_com_close.bif
|
||||
smb1_com_create_directory.bif
|
||||
|
|
|
@ -159,7 +159,7 @@ void Contents_SMB::DeliverStream(int len, const u_char* data, bool orig)
|
|||
{
|
||||
TCP_SupportAnalyzer::DeliverStream(len, data, orig);
|
||||
|
||||
if (!CheckResync(len, data, orig))
|
||||
if ( ! CheckResync(len, data, orig))
|
||||
return; // Not in sync yet. Still resyncing
|
||||
|
||||
while ( len > 0 )
|
||||
|
@ -172,7 +172,7 @@ void Contents_SMB::DeliverStream(int len, const u_char* data, bool orig)
|
|||
msg_type = data[0];
|
||||
for ( int i = 1; i < 4; i++)
|
||||
msg_len = (msg_len << 8) + data[i];
|
||||
msg_len+=4;
|
||||
msg_len += 4;
|
||||
msg_buf.Init(SMB_MAX_LEN+4, msg_len);
|
||||
state = WAIT_FOR_DATA;
|
||||
}
|
||||
|
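Review bot: The NetBIOS header decode `msg_type = data[0]; for ( int i = 1; i < 4; i++) msg_len = (msg_len << 8) + data[i];` consumes four bytes of `data`, but the only length condition visible in this section is `while ( len > 0 )` in the previous hunk, and the branch that precedes `msg_type = data[0]` starts outside the hunk. If that path does not already guarantee `len >= 4` (for example by buffering the header first), a delivery shorter than four bytes reads past the end of `data` and `msg_len`, which is then passed to `msg_buf.Init(SMB_MAX_LEN+4, msg_len)`, is computed from bytes outside the buffer. Worth confirming the guard exists, and a comment such as `// State machine guarantees at least 4 header bytes are available here` at the decode would document the invariant the whitespace cleanup leaves implicit. `Contents_SMB::DeliverStream` continues outside the hunk.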
|
|
@ -61,7 +61,7 @@ enum SMB_Command {
|
|||
SMB_COM_TRANSACTION2_SECONDARY = 0x33,
|
||||
SMB_COM_FIND_CLOSE2 = 0x34,
|
||||
SMB_COM_FIND_NOTIFY_CLOSE = 0x35,
|
||||
|
||||
|
||||
SMB_COM_TREE_CONNECT = 0x70,
|
||||
SMB_COM_TREE_DISCONNECT = 0x71,
|
||||
SMB_COM_NEGOTIATE = 0x72,
|
||||
|
@ -84,7 +84,7 @@ enum SMB_Command {
|
|||
SMB_COM_GET_PRINT_QUEUE = 0xC3,
|
||||
SMB_COM_READ_BULK = 0xD8,
|
||||
SMB_COM_WRITE_BULK = 0xD9,
|
||||
SMB_COM_WRITE_BULK_DATA = 0xDA,
|
||||
SMB_COM_WRITE_BULK_DATA = 0xDA,
|
||||
};
|
||||
|
||||
enum SMB_Status {
|
||||
|
@ -269,12 +269,12 @@ function determine_transaction_type(setup_count: int, name: SMB_string): Transac
|
|||
{
|
||||
return SMB_PIPE;
|
||||
}
|
||||
|
||||
|
||||
//if ( setup_count == 3 ||
|
||||
// bytestring_caseprefix( extract_string(name), "\\MAILSLOT\\" ) )
|
||||
// {
|
||||
// return SMB_MAILSLOT_BROWSE;
|
||||
// }
|
||||
|
||||
|
||||
return SMB_UNKNOWN;
|
||||
%}
|
||||
|
|
|
@ -14,10 +14,10 @@ function filetime2brotime(ts: uint64): Val
|
|||
%{
|
||||
double secs = (ts / 10000000.0);
|
||||
|
||||
// Bro can't support times back to the 1600's
|
||||
// Bro can't support times back to the 1600's
|
||||
// so we subtract a lot of seconds.
|
||||
Val* bro_ts = new Val(secs - 11644473600.0, TYPE_TIME);
|
||||
|
||||
|
||||
return bro_ts;
|
||||
%}
|
||||
|
||||
|
|
|
@ -4,7 +4,7 @@ refine connection SMB_Conn += {
|
|||
%{
|
||||
if ( smb1_check_directory_request )
|
||||
BifEvent::generate_smb1_check_directory_request(bro_analyzer(), bro_analyzer()->Conn(),
|
||||
BuildHeaderVal(header),
|
||||
BuildHeaderVal(header),
|
||||
smb_string2stringval(${val.directory_name}));
|
||||
return true;
|
||||
%}
|
||||
|
@ -13,7 +13,7 @@ refine connection SMB_Conn += {
|
|||
%{
|
||||
if ( smb1_check_directory_response )
|
||||
BifEvent::generate_smb1_check_directory_response(bro_analyzer(), bro_analyzer()->Conn(),
|
||||
BuildHeaderVal(header));
|
||||
BuildHeaderVal(header));
|
||||
return true;
|
||||
%}
|
||||
|
||||
|
|
|
@ -11,7 +11,7 @@ refine connection SMB_Conn += {
|
|||
// This is commented out for the moment because it caused problems
|
||||
// with extraction because the file kept having the same name due
|
||||
// to repeatedly having the same file uid. This results in files
|
||||
// effectively falling of SMB solely by expiration instead of
|
||||
// effectively falling of SMB solely by expiration instead of
|
||||
// manually being closed.
|
||||
|
||||
//file_mgr->EndOfFile(bro_analyzer()->GetAnalyzerTag(),
|
||||
|
@ -27,7 +27,7 @@ type SMB1_close_request(header: SMB_Header) = record {
|
|||
word_count : uint8;
|
||||
file_id : uint16;
|
||||
last_modified_time : SMB_timestamp32;
|
||||
|
||||
|
||||
byte_count : uint16;
|
||||
} &let {
|
||||
proc : bool = $context.connection.proc_smb1_close_request(header, this);
|
||||
|
|
|
@ -4,7 +4,7 @@ refine connection SMB_Conn += {
|
|||
%{
|
||||
if ( smb1_create_directory_request )
|
||||
BifEvent::generate_smb1_create_directory_request(bro_analyzer(), bro_analyzer()->Conn(),
|
||||
BuildHeaderVal(header),
|
||||
BuildHeaderVal(header),
|
||||
smb_string2stringval(${val.directory_name}));
|
||||
return true;
|
||||
%}
|
||||
|
@ -12,7 +12,7 @@ refine connection SMB_Conn += {
|
|||
%{
|
||||
if ( smb1_create_directory_response )
|
||||
BifEvent::generate_smb1_create_directory_response(bro_analyzer(), bro_analyzer()->Conn(),
|
||||
BuildHeaderVal(header));
|
||||
BuildHeaderVal(header));
|
||||
return true;
|
||||
%}
|
||||
|
||||
|
|
|
@ -3,15 +3,15 @@ refine connection SMB_Conn += {
|
|||
function proc_smb1_echo_request(header: SMB_Header, val: SMB1_echo_request): bool
|
||||
%{
|
||||
if ( smb1_echo_request )
|
||||
BifEvent::generate_smb1_echo_request(bro_analyzer(), bro_analyzer()->Conn(),
|
||||
BifEvent::generate_smb1_echo_request(bro_analyzer(), bro_analyzer()->Conn(),
|
||||
${val.echo_count}, bytestring_to_val(${val.data}));
|
||||
return true;
|
||||
%}
|
||||
|
||||
|
||||
function proc_smb1_echo_response(header: SMB_Header, val: SMB1_echo_response): bool
|
||||
%{
|
||||
if ( smb1_echo_response )
|
||||
BifEvent::generate_smb1_echo_response(bro_analyzer(), bro_analyzer()->Conn(),
|
||||
BifEvent::generate_smb1_echo_response(bro_analyzer(), bro_analyzer()->Conn(),
|
||||
${val.seq_num}, bytestring_to_val(${val.data}));
|
||||
return true;
|
||||
%}
|
||||
|
|
|
@ -53,7 +53,7 @@ type SMB1_locking_andx_request(header: SMB_Header) = record {
|
|||
|
||||
# http://msdn.microsoft.com/en-us/library/ee441519.aspx
|
||||
type SMB1_locking_andx_response(header: SMB_Header) = record {
|
||||
|
||||
|
||||
} &let {
|
||||
proc : bool = $context.connection.proc_smb1_locking_andx_response(header, this);
|
||||
};
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
# This is an original Core Protocol command.
|
||||
# This is an original Core Protocol command.
|
||||
#
|
||||
# This command is used to initiate an SMB connection between the
|
||||
# client and the server. An SMB_COM_NEGOTIATE exchange MUST be
|
||||
|
@ -42,12 +42,12 @@ refine connection SMB_Conn += {
|
|||
RecordVal* security;
|
||||
RecordVal* raw;
|
||||
RecordVal* capabilities;
|
||||
switch ( ${val.word_count} )
|
||||
switch ( ${val.word_count} )
|
||||
{
|
||||
case 0x01:
|
||||
core = new RecordVal(BifType::Record::SMB1::NegotiateResponseCore);
|
||||
core->Assign(0, new Val(${val.dialect_index}, TYPE_COUNT));
|
||||
|
||||
|
||||
response->Assign(0, core);
|
||||
break;
|
||||
|
||||
|
@ -66,7 +66,7 @@ refine connection SMB_Conn += {
|
|||
lanman->Assign(2, security);
|
||||
lanman->Assign(3, new Val(${val.lanman.max_buffer_size}, TYPE_COUNT));
|
||||
lanman->Assign(4, new Val(${val.lanman.max_mpx_count}, TYPE_COUNT));
|
||||
|
||||
|
||||
lanman->Assign(5, new Val(${val.lanman.max_number_vcs}, TYPE_COUNT));
|
||||
lanman->Assign(6, raw);
|
||||
lanman->Assign(7, new Val(${val.lanman.session_key}, TYPE_COUNT));
|
||||
|
@ -74,7 +74,7 @@ refine connection SMB_Conn += {
|
|||
lanman->Assign(9, bytestring_to_val(${val.lanman.encryption_key}));
|
||||
|
||||
lanman->Assign(10, smb_string2stringval(${val.lanman.primary_domain}));
|
||||
|
||||
|
||||
response->Assign(1, lanman);
|
||||
break;
|
||||
|
||||
|
@ -114,14 +114,14 @@ refine connection SMB_Conn += {
|
|||
ntlm->Assign(2, security);
|
||||
ntlm->Assign(3, new Val(${val.ntlm.max_buffer_size}, TYPE_COUNT));
|
||||
ntlm->Assign(4, new Val(${val.ntlm.max_mpx_count}, TYPE_COUNT));
|
||||
|
||||
|
||||
ntlm->Assign(5, new Val(${val.ntlm.max_number_vcs}, TYPE_COUNT));
|
||||
ntlm->Assign(6, new Val(${val.ntlm.max_raw_size}, TYPE_COUNT));
|
||||
ntlm->Assign(7, new Val(${val.ntlm.session_key}, TYPE_COUNT));
|
||||
ntlm->Assign(8, capabilities);
|
||||
ntlm->Assign(9, filetime2brotime(${val.ntlm.server_time}));
|
||||
|
||||
if ( ${val.ntlm.capabilities_extended_security} == false )
|
||||
if ( ${val.ntlm.capabilities_extended_security} == false )
|
||||
{
|
||||
ntlm->Assign(10, bytestring_to_val(${val.ntlm.encryption_key}));
|
||||
ntlm->Assign(11, smb_string2stringval(${val.ntlm.domain_name}));
|
||||
|
@ -130,13 +130,13 @@ refine connection SMB_Conn += {
|
|||
{
|
||||
ntlm->Assign(12, bytestring_to_val(${val.ntlm.server_guid}));
|
||||
}
|
||||
|
||||
|
||||
response->Assign(2, ntlm);
|
||||
break;
|
||||
}
|
||||
BifEvent::generate_smb1_negotiate_response(bro_analyzer(), bro_analyzer()->Conn(), BuildHeaderVal(header), response);
|
||||
}
|
||||
|
||||
|
||||
return true;
|
||||
%}
|
||||
};
|
||||
|
@ -155,7 +155,7 @@ type SMB1_negotiate_request(header: SMB_Header) = record {
|
|||
};
|
||||
|
||||
type SMB1_negotiate_response(header: SMB_Header) = record {
|
||||
word_count: uint8;
|
||||
word_count: uint8;
|
||||
dialect_index: uint16;
|
||||
response: case word_count of {
|
||||
0x01 -> core : SMB1_negotiate_core_response;
|
||||
|
|
|
@ -14,7 +14,7 @@ refine connection SMB_Conn += {
|
|||
// create_options : uint32;
|
||||
// impersonation_level : uint32;
|
||||
// security_flags : uint8;
|
||||
//
|
||||
//
|
||||
// byte_count : uint16;
|
||||
// filename : SMB_string(header.unicode, offsetof(filename)) &length=name_length;
|
||||
|
||||
|
@ -43,7 +43,7 @@ refine connection SMB_Conn += {
|
|||
|
||||
if ( ${val.end_of_file} > 0 )
|
||||
{
|
||||
//file_mgr->SetSize(${val.end_of_file},
|
||||
//file_mgr->SetSize(${val.end_of_file},
|
||||
// bro_analyzer()->GetAnalyzerTag(),
|
||||
// bro_analyzer()->Conn(),
|
||||
// header->is_orig());
|
||||
|
@ -59,7 +59,7 @@ type SMB1_nt_create_andx_request(header: SMB_Header) = record {
|
|||
word_count : uint8;
|
||||
andx : SMB_andx;
|
||||
reserved : uint8;
|
||||
|
||||
|
||||
name_length : uint16;
|
||||
flags : uint32;
|
||||
root_dir_file_id : uint32;
|
||||
|
@ -71,10 +71,10 @@ type SMB1_nt_create_andx_request(header: SMB_Header) = record {
|
|||
create_options : uint32;
|
||||
impersonation_level : uint32;
|
||||
security_flags : uint8;
|
||||
|
||||
|
||||
byte_count : uint16;
|
||||
filename : SMB_string(header.unicode, offsetof(filename));
|
||||
|
||||
|
||||
andx_command : SMB_andx_command(header, 1, andx.command);
|
||||
} &let {
|
||||
proc : bool = $context.connection.proc_smb1_nt_create_andx_request(header, this);
|
||||
|
@ -96,7 +96,7 @@ type SMB1_nt_create_andx_response(header: SMB_Header) = record {
|
|||
resource_type : uint16;
|
||||
nm_pipe_status : uint16;
|
||||
directory : uint8;
|
||||
|
||||
|
||||
byte_count : uint16;
|
||||
} &let {
|
||||
proc : bool = $context.connection.proc_smb1_nt_create_andx_response(header, this);
|
||||
|
|
|
@ -1,5 +1,3 @@
|
|||
# Copyright (c) Broala LLC. All Rights Reserved. No use or distribution without permission.
|
||||
|
||||
refine connection SMB_Conn += {
|
||||
|
||||
function proc_smb1_open_andx_request(h: SMB_Header, val: SMB1_open_andx_request): bool
|
||||
|
|
|
@ -20,7 +20,7 @@ refine connection SMB_Conn += {
|
|||
|
||||
type SMB1_query_information_request(header: SMB_Header) = record {
|
||||
word_count : uint8;
|
||||
|
||||
|
||||
byte_count : uint16;
|
||||
buffer_format : uint8;
|
||||
filename : SMB_string(header.unicode, offsetof(filename));
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
refine connection SMB_Conn += {
|
||||
|
||||
%member{
|
||||
// Track read offsets to provide correct
|
||||
// Track read offsets to provide correct
|
||||
// offsets for file manager.
|
||||
std::map<uint16,uint64> read_offsets;
|
||||
%}
|
||||
|
@ -77,7 +77,7 @@ type SMB1_read_andx_response(header: SMB_Header) = record {
|
|||
data_offset : uint16;
|
||||
data_len_high : uint16;
|
||||
reserved2 : uint64;
|
||||
|
||||
|
||||
byte_count : uint16;
|
||||
pad : padding to data_offset - SMB_Header_length;
|
||||
data : bytestring &length=data_len;
|
||||
|
|
|
@ -14,7 +14,7 @@ refine connection SMB_Conn += {
|
|||
{
|
||||
RecordVal* request = new RecordVal(BifType::Record::SMB1::SessionSetupAndXRequest);
|
||||
RecordVal* capabilities;
|
||||
|
||||
|
||||
request->Assign(0, new Val(${val.word_count}, TYPE_COUNT));
|
||||
switch ( ${val.word_count} ) {
|
||||
case 10: // pre NT LM 0.12
|
||||
|
@ -38,7 +38,7 @@ refine connection SMB_Conn += {
|
|||
capabilities->Assign(3, new Val(${val.ntlm_extended_security.capabilities.status32}, TYPE_BOOL));
|
||||
capabilities->Assign(4, new Val(${val.ntlm_extended_security.capabilities.level_2_oplocks}, TYPE_BOOL));
|
||||
capabilities->Assign(5, new Val(${val.ntlm_extended_security.capabilities.nt_find}, TYPE_BOOL));
|
||||
|
||||
|
||||
request->Assign(1, new Val(${val.ntlm_extended_security.max_buffer_size}, TYPE_COUNT));
|
||||
request->Assign(2, new Val(${val.ntlm_extended_security.max_mpx_count}, TYPE_COUNT));
|
||||
request->Assign(3, new Val(${val.ntlm_extended_security.vc_number}, TYPE_COUNT));
|
||||
|
@ -49,7 +49,7 @@ refine connection SMB_Conn += {
|
|||
|
||||
request->Assign(13, capabilities);
|
||||
break;
|
||||
|
||||
|
||||
case 13: // NT LM 0.12 without extended security
|
||||
capabilities = new RecordVal(BifType::Record::SMB1::SessionSetupAndXCapabilities);
|
||||
capabilities->Assign(0, new Val(${val.ntlm_nonextended_security.capabilities.unicode}, TYPE_BOOL));
|
||||
|
@ -58,7 +58,7 @@ refine connection SMB_Conn += {
|
|||
capabilities->Assign(3, new Val(${val.ntlm_nonextended_security.capabilities.status32}, TYPE_BOOL));
|
||||
capabilities->Assign(4, new Val(${val.ntlm_nonextended_security.capabilities.level_2_oplocks}, TYPE_BOOL));
|
||||
capabilities->Assign(5, new Val(${val.ntlm_nonextended_security.capabilities.nt_find}, TYPE_BOOL));
|
||||
|
||||
|
||||
request->Assign(1, new Val(${val.ntlm_nonextended_security.max_buffer_size}, TYPE_COUNT));
|
||||
request->Assign(2, new Val(${val.ntlm_nonextended_security.max_mpx_count}, TYPE_COUNT));
|
||||
request->Assign(3, new Val(${val.ntlm_nonextended_security.vc_number}, TYPE_COUNT));
|
||||
|
@ -79,7 +79,7 @@ refine connection SMB_Conn += {
|
|||
}
|
||||
return true;
|
||||
%}
|
||||
|
||||
|
||||
function proc_smb1_session_setup_andx_response(header: SMB_Header, val: SMB1_session_setup_andx_response): bool
|
||||
%{
|
||||
if ( smb1_session_setup_andx_response )
|
||||
|
@ -105,13 +105,13 @@ refine connection SMB_Conn += {
|
|||
default: // Error!
|
||||
break;
|
||||
}
|
||||
|
||||
|
||||
BifEvent::generate_smb1_session_setup_andx_response(bro_analyzer(),
|
||||
bro_analyzer()->Conn(),
|
||||
BuildHeaderVal(header),
|
||||
response);
|
||||
}
|
||||
|
||||
|
||||
return true;
|
||||
%}
|
||||
|
||||
|
|
|
@ -8,7 +8,7 @@ type SMB1_transaction_secondary_request(header: SMB_Header) = record {
|
|||
data_count : uint16;
|
||||
data_offset : uint16;
|
||||
data_displacement : uint16;
|
||||
|
||||
|
||||
byte_count : uint16;
|
||||
pad1 : padding to param_offset - SMB_Header_length;
|
||||
parameters : bytestring &length = param_count;
|
||||
|
|
|
@ -32,10 +32,10 @@ refine connection SMB_Conn += {
|
|||
function proc_smb1_transaction_request(header: SMB_Header, val: SMB1_transaction_request): bool
|
||||
%{
|
||||
if ( smb1_transaction_request )
|
||||
BifEvent::generate_smb1_transaction_request(bro_analyzer(),
|
||||
BifEvent::generate_smb1_transaction_request(bro_analyzer(),
|
||||
bro_analyzer()->Conn(),
|
||||
BuildHeaderVal(header),
|
||||
smb_string2stringval(${val.name}),
|
||||
smb_string2stringval(${val.name}),
|
||||
${val.sub_cmd});
|
||||
|
||||
return true;
|
||||
|
@ -84,7 +84,7 @@ type SMB1_transaction_request(header: SMB_Header) = record {
|
|||
setup_count : uint8;
|
||||
reserved3 : uint8;
|
||||
setup : SMB1_transaction_setup(header);
|
||||
|
||||
|
||||
byte_count : uint16;
|
||||
name : SMB_string(header.unicode, offsetof(name));
|
||||
pad1 : padding to param_offset - SMB_Header_length;
|
||||
|
@ -114,7 +114,7 @@ type SMB1_transaction_response(header: SMB_Header) = record {
|
|||
setup_count : uint8;
|
||||
reserved2 : uint8;
|
||||
setup : uint16[setup_count];
|
||||
|
||||
|
||||
byte_count : uint16;
|
||||
pad0 : padding to param_offset - SMB_Header_length;
|
||||
parameters : bytestring &length = param_count;
|
||||
|
|
|
@ -24,7 +24,7 @@ refine connection SMB_Conn += {
|
|||
%{
|
||||
if ( smb1_transaction2_request )
|
||||
BifEvent::generate_smb1_transaction2_request(bro_analyzer(), bro_analyzer()->Conn(), BuildHeaderVal(header), ${val.sub_cmd});
|
||||
|
||||
|
||||
return true;
|
||||
%}
|
||||
|
||||
|
@ -54,7 +54,7 @@ type SMB1_transaction2_request(header: SMB_Header) = record {
|
|||
data_offset : uint16;
|
||||
setup_count : uint8;
|
||||
reserved3 : uint8;
|
||||
|
||||
|
||||
# I suspect this needs a word_count check
|
||||
#setup : uint16[setup_count];
|
||||
sub_cmd : uint16;
|
||||
|
@ -120,7 +120,7 @@ refine connection SMB_Conn += {
|
|||
result->Assign(5, smb_string2stringval(${val.file_name}));
|
||||
BifEvent::generate_smb1_trans2_find_first2_request(bro_analyzer(), bro_analyzer()->Conn(), \
|
||||
BuildHeaderVal(header), result);
|
||||
|
||||
|
||||
}
|
||||
return true;
|
||||
%}
|
||||
|
@ -198,7 +198,7 @@ refine connection SMB_Conn += {
|
|||
BifEvent::generate_smb1_trans2_query_path_info_request(bro_analyzer(), bro_analyzer()->Conn(), \
|
||||
BuildHeaderVal(header), \
|
||||
smb_string2stringval(${val.file_name}));
|
||||
|
||||
|
||||
}
|
||||
return true;
|
||||
%}
|
||||
|
|
|
@ -31,7 +31,7 @@ type SMB1_tree_connect_andx_request(header: SMB_Header) = record {
|
|||
andx : SMB_andx;
|
||||
flags : uint16;
|
||||
password_length : uint16;
|
||||
|
||||
|
||||
byte_count : uint16;
|
||||
password : uint8[password_length];
|
||||
path : SMB_string(header.unicode, offsetof(path));
|
||||
|
@ -45,7 +45,7 @@ type SMB1_tree_connect_andx_response(header: SMB_Header) = record {
|
|||
andx : SMB_andx;
|
||||
optional_support : uint16;
|
||||
pad : padding[(word_count-3)*2];
|
||||
|
||||
|
||||
byte_count : uint16;
|
||||
service : SMB_string(0, offsetof(service));
|
||||
native_file_system : SMB_string(header.unicode, offsetof(native_file_system));
|
||||
|
|
|
@ -3,9 +3,9 @@ refine connection SMB_Conn += {
|
|||
function proc_smb1_tree_disconnect(header: SMB_Header, val: SMB1_tree_disconnect): bool
|
||||
%{
|
||||
if ( smb1_tree_disconnect )
|
||||
BifEvent::generate_smb1_tree_disconnect(bro_analyzer(),
|
||||
BifEvent::generate_smb1_tree_disconnect(bro_analyzer(),
|
||||
bro_analyzer()->Conn(),
|
||||
BuildHeaderVal(header),
|
||||
BuildHeaderVal(header),
|
||||
${val.is_orig});
|
||||
return true;
|
||||
%}
|
||||
|
@ -14,7 +14,7 @@ refine connection SMB_Conn += {
|
|||
|
||||
type SMB1_tree_disconnect(header: SMB_Header, is_orig: bool) = record {
|
||||
word_count : uint8;
|
||||
|
||||
|
||||
byte_count : uint16;
|
||||
} &let {
|
||||
proc : bool = $context.connection.proc_smb1_tree_disconnect(header, this);
|
||||
|
|
|
@ -12,7 +12,7 @@ refine connection SMB_Conn += {
|
|||
|
||||
if ( ! ${val.is_pipe} && ${val.data}.length() > 0 )
|
||||
{
|
||||
file_mgr->DataIn(${val.data}.begin(), ${val.data}.length(),
|
||||
file_mgr->DataIn(${val.data}.begin(), ${val.data}.length(),
|
||||
${val.offset},
|
||||
bro_analyzer()->GetAnalyzerTag(),
|
||||
bro_analyzer()->Conn(), h->is_orig());
|
||||
|
@ -49,7 +49,7 @@ type SMB1_write_andx_request(header: SMB_Header) = record {
|
|||
0x0E -> offset_high_tmp : uint32;
|
||||
default -> null : empty;
|
||||
};
|
||||
|
||||
|
||||
byte_count : uint16;
|
||||
pad : padding to data_offset - SMB_Header_length;
|
||||
data : bytestring &length=data_len;
|
||||
|
@ -70,7 +70,7 @@ type SMB1_write_andx_response(header: SMB_Header) = record {
|
|||
remaining : uint16;
|
||||
written_high : uint16;
|
||||
reserved : uint16;
|
||||
|
||||
|
||||
byte_count : uint16;
|
||||
} &let {
|
||||
written_bytes : uint32 = (written_high * 0x10000) + written_low;
|
||||
|
|
|
@ -23,11 +23,11 @@ refine connection SMB_Conn += {
|
|||
resp->Assign(1, new Val(${val.eof}, TYPE_COUNT));
|
||||
resp->Assign(2, SMB_BuildMACTimes(${val.last_write_time},
|
||||
${val.last_access_time},
|
||||
${val.creation_time},
|
||||
${val.creation_time},
|
||||
${val.change_time}));
|
||||
resp->Assign(3, smb2_file_attrs_to_bro(${val.file_attrs}));
|
||||
|
||||
BifEvent::generate_smb2_close_response(bro_analyzer(),
|
||||
BifEvent::generate_smb2_close_response(bro_analyzer(),
|
||||
bro_analyzer()->Conn(),
|
||||
BuildSMB2HeaderVal(h),
|
||||
resp);
|
||||
|
@ -50,7 +50,7 @@ type SMB2_close_response(header: SMB2_Header) = record {
|
|||
structure_size : uint16;
|
||||
flags : uint16;
|
||||
reserved : uint32;
|
||||
|
||||
|
||||
creation_time : SMB_timestamp;
|
||||
last_access_time : SMB_timestamp;
|
||||
last_write_time : SMB_timestamp;
|
||||
|
|
|
@ -17,21 +17,21 @@ refine connection SMB_Conn += {
|
|||
%{
|
||||
if ( smb2_create_response )
|
||||
{
|
||||
BifEvent::generate_smb2_create_response(bro_analyzer(),
|
||||
BifEvent::generate_smb2_create_response(bro_analyzer(),
|
||||
bro_analyzer()->Conn(),
|
||||
BuildSMB2HeaderVal(h),
|
||||
BuildSMB2GUID(${val.file_id}),
|
||||
${val.eof},
|
||||
SMB_BuildMACTimes(${val.last_write_time},
|
||||
${val.last_access_time},
|
||||
${val.creation_time},
|
||||
SMB_BuildMACTimes(${val.last_write_time},
|
||||
${val.last_access_time},
|
||||
${val.creation_time},
|
||||
${val.change_time}),
|
||||
smb2_file_attrs_to_bro(${val.file_attrs}));
|
||||
}
|
||||
|
||||
if ( ${val.eof} > 0 )
|
||||
{
|
||||
//file_mgr->SetSize(${val.eof},
|
||||
//file_mgr->SetSize(${val.eof},
|
||||
// bro_analyzer()->GetAnalyzerTag(),
|
||||
// bro_analyzer()->Conn(),
|
||||
// h->is_orig());
|
||||
|
|
|
@ -20,7 +20,7 @@ refine connection SMB_Conn += {
|
|||
smb2_ioctl_fids[${val.header.message_id}] = ${val.file_id.persistent} + ${val.file_id._volatile};
|
||||
return true;
|
||||
%}
|
||||
|
||||
|
||||
};
|
||||
|
||||
type SMB2_ioctl_request(header: SMB2_Header) = record {
|
||||
|
@ -68,4 +68,4 @@ type SMB2_ioctl_response(header: SMB2_Header) = record {
|
|||
is_pipe : bool = (ctl_code == 0x0011C017);
|
||||
fid : uint64 = $context.connection.get_ioctl_fid(header.message_id);
|
||||
pipe_proc : bool = $context.connection.forward_dce_rpc(output_buffer, fid, false) &if(is_pipe);
|
||||
};
|
||||
};
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
refine connection SMB_Conn += {
|
||||
|
||||
|
||||
};
|
||||
|
||||
type SMB2_lock = record {
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
refine connection SMB_Conn += {
|
||||
|
||||
|
||||
function proc_smb2_negotiate_request(h: SMB2_Header, val: SMB2_negotiate_request) : bool
|
||||
%{
|
||||
if ( smb2_negotiate_request )
|
||||
|
@ -16,13 +16,13 @@ refine connection SMB_Conn += {
|
|||
|
||||
return true;
|
||||
%}
|
||||
|
||||
|
||||
function proc_smb2_negotiate_response(h: SMB2_Header, val: SMB2_negotiate_response) : bool
|
||||
%{
|
||||
if ( smb2_negotiate_response )
|
||||
{
|
||||
RecordVal* nr = new RecordVal(BifType::Record::SMB2::NegotiateResponse);
|
||||
|
||||
|
||||
nr->Assign(0, new Val(${val.dialect_revision}, TYPE_COUNT));
|
||||
nr->Assign(1, new Val(${val.security_mode}, TYPE_COUNT));
|
||||
nr->Assign(2, BuildSMB2GUID(${val.server_guid})),
|
||||
|
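Review bot: `nr->Assign(2, BuildSMB2GUID(${val.server_guid})),` ends with a comma instead of a semicolon, so it is joined to the following statement by the comma operator; it compiles and evaluates in the same order, but it hides the statement boundary and reads as a typo that this cleanup commit reformats around rather than fixes. Change it to `nr->Assign(2, BuildSMB2GUID(${val.server_guid}));`. `proc_smb2_negotiate_response` continues outside the hunk.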
@ -32,7 +32,7 @@ refine connection SMB_Conn += {
|
|||
BuildSMB2HeaderVal(h),
|
||||
nr);
|
||||
}
|
||||
|
||||
|
||||
return true;
|
||||
%}
|
||||
};
|
||||
|
@ -70,4 +70,4 @@ type SMB2_negotiate_response(header: SMB2_Header) = record {
|
|||
proc : bool = $context.connection.proc_smb2_negotiate_response(header, this);
|
||||
gssapi_proc : bool = $context.connection.forward_gssapi(security_blob, false);
|
||||
|
||||
};
|
||||
};
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
refine connection SMB_Conn += {
|
||||
|
||||
|
||||
%member{
|
||||
// Track read offsets to provide correct
|
||||
// Track read offsets to provide correct
|
||||
// offsets for file manager.
|
||||
std::map<uint16,uint64> smb2_read_offsets;
|
||||
std::map<uint64,uint64> smb2_read_fids;
|
||||
|
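Review bot: `std::map<uint16,uint64> smb2_read_offsets;` is keyed by `uint16`, yet the next hunk indexes it with `${h.message_id}`, the same key that `smb2_read_fids` stores under a `uint64`. If `message_id` is the 64-bit SMB2 MessageId, as the `uint64` key of the sibling map suggests, the `uint16` key truncates it and requests whose ids differ by a multiple of 65536 collide, so a later read response can be handed the wrong offset for the file manager. The two maps should agree on the key type: `std::map<uint64,uint64> smb2_read_offsets;`. The SMB1 counterpart touched in this commit (`std::map<uint16,uint64> read_offsets;`) is fine as long as its MID is 16-bit. The enclosing `refine connection SMB_Conn` block continues outside the hunk.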
@ -30,7 +30,7 @@ refine connection SMB_Conn += {
|
|||
${val.offset},
|
||||
${val.read_len});
|
||||
}
|
||||
|
||||
|
||||
smb2_read_offsets[${h.message_id}] = ${val.offset};
|
||||
smb2_read_fids[${h.message_id}] = ${val.file_id.persistent} + ${val.file_id._volatile};
|
||||
|
||||
|
|
|
@ -28,7 +28,7 @@ refine connection SMB_Conn += {
|
|||
RecordVal* resp = new RecordVal(BifType::Record::SMB2::SessionSetupResponse);
|
||||
resp->Assign(0, flags);
|
||||
|
||||
BifEvent::generate_smb2_session_setup_response(bro_analyzer(),
|
||||
BifEvent::generate_smb2_session_setup_response(bro_analyzer(),
|
||||
bro_analyzer()->Conn(),
|
||||
BuildSMB2HeaderVal(h),
|
||||
resp);
|
||||
|
|
|
@ -9,14 +9,14 @@ refine connection SMB_Conn += {
|
|||
|
||||
function proc_smb2_set_info_request(h: SMB2_Header, val: SMB2_set_info_request): bool
|
||||
%{
|
||||
//if ( smb2_set_info_request &&
|
||||
//if ( smb2_set_info_request &&
|
||||
// ${val.info_type} == SMB2_0_INFO_FILE &&
|
||||
// ${val.file_info_class} == 0x14 )
|
||||
// {
|
||||
// RecordVal* req = new RecordVal(BifType::Record::SMB2::SetInfoRequest);
|
||||
// //req->Assign(0, new Val(${val.eof}, TYPE_COUNT));
|
||||
// req->Assign(0, new Val(0, TYPE_COUNT));
|
||||
//
|
||||
//
|
||||
// BifEvent::generate_smb2_set_info_request(bro_analyzer(),
|
||||
// bro_analyzer()->Conn(),
|
||||
// BuildSMB2HeaderVal(h),
|
||||
|
|
|
@ -7,7 +7,7 @@ refine connection SMB_Conn += {
|
|||
bro_analyzer()->Conn(),
|
||||
BuildSMB2HeaderVal(header),
|
||||
smb2_string2stringval(${val.path}));
|
||||
|
||||
|
||||
return true;
|
||||
%}
|
||||
|
||||
|
|
|
@ -4,7 +4,7 @@ refine connection SMB_Conn += {
|
|||
%{
|
||||
if ( smb2_write_request )
|
||||
{
|
||||
BifEvent::generate_smb2_write_request(bro_analyzer(),
|
||||
BifEvent::generate_smb2_write_request(bro_analyzer(),
|
||||
bro_analyzer()->Conn(),
|
||||
BuildSMB2HeaderVal(h),
|
||||
BuildSMB2GUID(${val.file_id}),
|
||||
|
@ -24,7 +24,6 @@ refine connection SMB_Conn += {
|
|||
|
||||
function proc_smb2_write_response(h: SMB2_Header, val: SMB2_write_response) : bool
|
||||
%{
|
||||
|
||||
return true;
|
||||
%}
|
||||
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
# Documentation for SMB2 protocol from here:
|
||||
# Documentation for SMB2 protocol from here:
|
||||
# http://msdn.microsoft.com/en-us/library/cc246497(v=PROT.13).aspx
|
||||
|
||||
enum smb2_commands {
|
||||
|
@ -32,7 +32,7 @@ enum smb2_share_types {
|
|||
type SMB2_PDU(is_orig: bool) = record {
|
||||
header : SMB2_Header(is_orig);
|
||||
message : case header.status of {
|
||||
# Status 0 indicates success. In the case of a
|
||||
# Status 0 indicates success. In the case of a
|
||||
# request this should just happen to work out due to
|
||||
# how the fields are set.
|
||||
0 -> msg : SMB2_Message(header, is_orig);
|
||||
|
@ -66,7 +66,7 @@ type SMB2_Message_Request(header: SMB2_Header) = case header.command of {
|
|||
SMB2_QUERY_INFO -> query_info : SMB2_query_info_request(header);
|
||||
SMB2_SET_INFO -> set_info : SMB2_set_info_request(header);
|
||||
SMB2_OPLOCK_BREAK -> oplock_break : SMB2_oplock_break(header);
|
||||
|
||||
|
||||
default -> unknown_msg : empty; # TODO: do something different here!
|
||||
} &byteorder = littleendian;
|
||||
|
||||
|
@ -108,7 +108,7 @@ refine connection SMB_Conn += {
|
|||
r->Assign(7, new Val(${hdr.tree_id}, TYPE_COUNT));
|
||||
r->Assign(8, new Val(${hdr.session_id}, TYPE_COUNT));
|
||||
r->Assign(9, bytestring_to_val(${hdr.signature}));
|
||||
|
||||
|
||||
return r;
|
||||
%}
|
||||
|
||||
|
|
|
@ -0,0 +1 @@
|
|||
# Emoty.
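Review bot: The placeholder comment added in this new file reads `# Emoty.`, a typo for `# Empty.`, which is what the other placeholder files added in the same commit use. Change it to `# Empty.` so the placeholders stay consistent and searchable.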
|
|
@ -1 +1 @@
|
|||
|
||||
# Empty.
|
||||
|
|