Merge branch 'smb2-updates' of https://github.com/dtrejod/bro

scripts/policy/protocols/smb/main.bro

@@ -18,6 +18,7 @@ export {
 		FILE_CLOSE,
 		FILE_DELETE,
 		FILE_RENAME,
+		FILE_SET_ATTRIBUTE,
 
 		PIPE_READ,
 		PIPE_WRITE,

scripts/policy/protocols/smb/smb2-main.bro

@@ -239,6 +239,26 @@ event smb2_write_request(c: connection, hdr: SMB2::Header, file_id: SMB2::GUID,
 	SMB::write_file_log(c$smb_state);
 	}
 
+event smb2_file_sattr(c: connection, hdr: SMB2::Header, file_id: SMB2::GUID, times: SMB::MACTimes, attrs: SMB2::FileAttrs) &priority=-5
+	{
+	SMB::write_file_log(c$smb_state);
+	}
+
+event smb2_file_sattr(c: connection, hdr: SMB2::Header, file_id: SMB2::GUID, times: SMB::MACTimes, attrs: SMB2::FileAttrs) &priority=5
+	{
+	SMB::set_current_file(c$smb_state, file_id$persistent+file_id$volatile);
+
+	switch ( c$smb_state$current_tree$share_type )
+		{
+		case "DISK":
+			c$smb_state$current_file$action = SMB::FILE_SET_ATTRIBUTE;
+			break;
+		default:
+			c$smb_state$current_file$action = SMB::FILE_SET_ATTRIBUTE;
+			break;
+		}
+	}
+
 event smb2_file_rename(c: connection, hdr: SMB2::Header, file_id: SMB2::GUID, dst_filename: string) &priority=5
 	{
 	SMB::set_current_file(c$smb_state, file_id$persistent+file_id$volatile);

src/analyzer/protocol/smb/smb2-com-set-info.pac

@@ -6,12 +6,29 @@ enum smb2_set_info_type {
 };
 
 enum smb_file_info_type {
+	SMB2_FILE_BASIC_INFO        = 0x04,
 	SMB2_FILE_RENAME_INFO       = 0x0a,
 	SMB2_FILE_DISPOSITION_INFO = 0x0d,
 }
 
 refine connection SMB_Conn += {
 
+	function proc_smb2_set_info_request_file(val: SMB2_file_basic_info): bool
+		%{
+		if ( smb2_file_sattr )
+			BifEvent::generate_smb2_file_sattr(bro_analyzer(),
+			                                      bro_analyzer()->Conn(),
+			                                      BuildSMB2HeaderVal(${val.sir.header}),
+			                                      BuildSMB2GUID(${val.sir.file_id}),
+			                                      SMB_BuildMACTimes(${val.last_write_time},
+			                                                        ${val.last_access_time},
+			                                                        ${val.creation_time},
+			                                                        ${val.change_time}),
+			                                      smb2_file_attrs_to_bro(${val.file_attrs}));
+
+		return true;
+		%}
+
 	function proc_smb2_set_info_request_file_rename(val: SMB2_file_rename_info): bool
 		%{
 		if ( smb2_file_rename )
@@ -38,6 +55,16 @@ refine connection SMB_Conn += {
 
 };
 
+type SMB2_file_basic_info(sir: SMB2_set_info_request) = record {
+	creation_time    : SMB_timestamp;
+	last_access_time : SMB_timestamp;
+	last_write_time  : SMB_timestamp;
+	change_time      : SMB_timestamp;
+	file_attrs       : SMB2_file_attributes;
+} &let {
+	proc: bool = $context.connection.proc_smb2_set_info_request_file(this);
+};
+
 type SMB2_file_rename_info(sir: SMB2_set_info_request) = record {
 	replace_if_exists : uint8;
 	reserved          : uint8[7];
@@ -55,6 +82,7 @@ type SMB2_file_disposition_info(sir: SMB2_set_info_request) = record {
 };
 
 type SMB2_set_info_file_class(sir: SMB2_set_info_request) = case sir.info_level of {
+	SMB2_FILE_BASIC_INFO       -> file_basic          : SMB2_file_basic_info(sir);
 	SMB2_FILE_RENAME_INFO      -> file_rename         : SMB2_file_rename_info(sir);
 	SMB2_FILE_DISPOSITION_INFO -> file_disposition    : SMB2_file_disposition_info(sir);
 	default                    -> info_file_unhandled : empty;

src/analyzer/protocol/smb/smb2_com_set_info.bif

@@ -11,7 +11,7 @@
 ##
 ## dst_filename: The filename to rename the file into.
 ##
-## .. bro:see:: smb2_message smb2_file_delete
+## .. bro:see:: smb2_message smb2_file_delete smb2_file_sattr
 event smb2_file_rename%(c: connection, hdr: SMB2::Header, file_id: SMB2::GUID, dst_filename: string%);
 
 ## Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
@@ -23,12 +23,32 @@ event smb2_file_rename%(c: connection, hdr: SMB2::Header, file_id: SMB2::GUID, d
 ##
 ## hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 2 message.
 ##
+## file_id: The SMB2 GUID for the file.
+##
 ## delete_pending: A boolean value to indicate that a file should be deleted 
 ##                 when it's closed if set to T.
 ##
-## .. bro:see:: smb2_message smb2_file_rename
+## .. bro:see:: smb2_message smb2_file_rename smb2_file_sattr
 event smb2_file_delete%(c: connection, hdr: SMB2::Header, file_id: SMB2::GUID, delete_pending: bool%);
 
+## Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
+## version 2 requests of type *set_info* of the *file* subtype
+##
+## For more infomation, see MS-SMB2:2.2.39
+##
+## c: The connection.
+##
+## hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 2 message.
+##
+## file_id: The SMB2 GUID for the file.
+##
+## times: Timestamps associated with the file in question.
+##
+## attrs: File attributes.
+##
+## .. bro:see:: smb2_message smb2_file_rename smb2_file_delete
+event smb2_file_sattr%(c: connection, hdr: SMB2::Header, file_id: SMB2::GUID, times: SMB::MACTimes, attrs: SMB2::FileAttrs%);
+
 # TODO - Not implemented
 
 # Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`

testing/btest/Baseline/scripts.base.protocols.smb.smb2/.stdout

@@ -5,6 +5,7 @@ smb2_create_response 10.0.0.11 -> 10.0.0.12:445 [file_id=[persistent=73, volatil
 smb2_create_request 10.0.0.11 -> 10.0.0.12:445 [filename=<share_root>, disposition=2, create_options=2097185]
 smb2_create_request 10.0.0.11 -> 10.0.0.12:445 [filename=WP_SMBPlugin.pdf, disposition=2, create_options=68]
 smb2_create_response 10.0.0.11 -> 10.0.0.12:445 [file_id=[persistent=77, volatile=18446744069414584329], size=0, times=[modified=1323202695.427036, accessed=1323202695.427036, created=1323202695.427036, changed=1323202695.427036], attrs=[read_only=F, hidden=F, system=F, directory=F, archive=T, normal=F, temporary=F, sparse_file=F, reparse_point=F, compressed=F, offline=F, not_content_indexed=F, encrypted=F, integrity_stream=F, no_scrub_data=F], create_action=2]
+smb2_file_sattr 10.0.0.11 -> 10.0.0.12:445 [persistent=77, volatile=18446744069414584329] MACTimes:[modified=1319047808.3125, accessed=-1.164447e+10, created=-1.164447e+10, changed=-1.164447e+10] FileAttrs:[read_only=F, hidden=F, system=F, directory=F, archive=F, normal=F, temporary=F, sparse_file=F, reparse_point=F, compressed=F, offline=F, not_content_indexed=F, encrypted=F, integrity_stream=F, no_scrub_data=F]
 smb2_create_request 10.0.0.11 -> 10.0.0.12:445 [filename=<share_root>, disposition=1, create_options=32]
 smb2_create_response 10.0.0.11 -> 10.0.0.12:445 [file_id=[persistent=81, volatile=18446744069414584333], size=8192, times=[modified=1323202695.427036, accessed=1323202695.427036, created=1322343963.945297, changed=1323202695.427036], attrs=[read_only=F, hidden=F, system=F, directory=T, archive=F, normal=F, temporary=F, sparse_file=F, reparse_point=F, compressed=F, offline=F, not_content_indexed=F, encrypted=F, integrity_stream=F, no_scrub_data=F], create_action=1]
 smb2_create_request 10.0.0.11 -> 10.0.0.12:445 [filename=<share_root>, disposition=1, create_options=32]

testing/btest/scripts/base/protocols/smb/smb2.test

@@ -19,3 +19,8 @@ event smb2_create_response(c: connection, hdr: SMB2::Header, response: SMB2::Cre
 	print fmt("smb2_create_response %s -> %s:%d %s", c$id$orig_h, c$id$resp_h, c$id$resp_p, response);
 	}
 
+event smb2_file_sattr(c: connection, hdr: SMB2::Header, file_id:
+                      SMB2::GUID, times: SMB::MACTimes, attrs: SMB2::FileAttrs)
+	{
+	print fmt("smb2_file_sattr %s -> %s:%d %s MACTimes:%s FileAttrs:%s", c$id$orig_h, c$id$resp_h, c$id$resp_p, file_id, times, attrs);
+	}