diff --git a/scripts/base/init-bare.bro b/scripts/base/init-bare.bro
index 600a507d4f..b957ffee26 100644
--- a/scripts/base/init-bare.bro
+++ b/scripts/base/init-bare.bro
@@ -3327,6 +3327,25 @@ export {
 ## The action taken in establishing the open.
 create_action : count;
 };
+
+ ## A series of integers flags used to set quota and content indexing control information for a file system volume in SMB2.
+ ##
+ ## For more information, see MS-SMB2:2.2.39 and MS-FSCC:2.5.2
+ ##
+ type SMB2::Fscontrol: record {
+ ## minimum amount of free disk space required to begin document filtering
+ free_space_start_filtering : int;
+ ## minimum amount of free disk space required to continue document filtering
+ free_space_threshold : int;
+ ## minimum amount of free disk space required to continue document filtering
+ free_space_threshold : int;
+ ## default per-user disk quota
+ delete_quota_threshold : count;
+ ## default per-user disk limit
+ default_quota_limit : count;
+ ## file systems control flags passed as unsigned int
+ fs_control_flags : count;
+ };
 }
 
 module GLOBAL;
diff --git a/src/analyzer/protocol/smb/smb2-com-set-info.pac b/src/analyzer/protocol/smb/smb2-com-set-info.pac
index 6874808da9..7bf174d1a7 100644
--- a/src/analyzer/protocol/smb/smb2-com-set-info.pac
+++ b/src/analyzer/protocol/smb/smb2-com-set-info.pac
@@ -5,10 +5,22 @@ enum smb2_set_info_type {
 SMB2_0_INFO_QUOTA = 0x04,
 };
 
+# taken from MS-FSCC 2.4 and 2.5
 enum smb_file_info_type {
 SMB2_FILE_BASIC_INFO = 0x04,
 SMB2_FILE_RENAME_INFO = 0x0a,
 SMB2_FILE_DISPOSITION_INFO = 0x0d,
+ SMB2_FILE_ALLOCATION_INFO = 0x13,
+ SMB2_FILE_ENDOFFILE_INFO = 0x14,
+ SMB2_FILE_FULLEA_INFO = 0x0f,
+ SMB2_FILE_LINK_INFO = 0x0b,
+ SMB2_FILE_MODE_INFO = 0x10,
+ SMB2_FILE_PIPE_INFO = 0x18,
+ SMB2_FILE_POSITION_INFO = 0x0e,
+ SMB2_FILE_SHORTNAME_INFO = 0x28,
+ SMB2_FILE_VALIDDATALENGTH_INFO = 0x27,
+ SMB2_FILE_FSCONTROL_INFO = 0x06,
+ SMB2_FILE_FSOBJECTID_INFO = 0x08,
 }
 
 refine connection SMB_Conn += {
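Review bot: `SMB2::Fscontrol` declares `free_space_threshold : int;` twice, which will most likely be rejected as a duplicate record field, and the field names no longer line up with the analyzer, which fills the record positionally and takes slot 2 from `free_space_stop_filtering` and slot 3 from `default_quota_threshold` (MS-FSCC 2.5.2 names these FreeSpaceStopFiltering and DefaultQuotaThreshold). Rename the second copy to `free_space_stop_filtering : int;` with the comment `## minimum amount of free disk space required to stop document filtering`, and `delete_quota_threshold : count;` to `default_quota_threshold : count;`. Because the assignment is by index, any later reordering of these fields has to be mirrored in `proc_smb2_set_info_request_file_fscontrol`; a one-line comment on the record saying so would save the next editor a silent mismatch. The header comment's "integers flags" reads better as "integer flags".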
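Review bot: `SMB2_FILE_PIPE_INFO = 0x18` does not appear to match the structure parsed under it: as far as I recall MS-FSCC 2.4, 24 (0x18) is FilePipeLocalInformation, while FILE_PIPE_INFORMATION with the ReadMode/CompletionMode pair that `SMB2_file_pipe_info` reads is class 23 (0x17); please verify against the spec table before merging. Separately, `SMB2_FILE_FSCONTROL_INFO = 0x06` and `SMB2_FILE_FSOBJECTID_INFO = 0x08` are MS-FSCC 2.5 file-system classes, whereas the rest of `smb_file_info_type` are 2.4 file classes carried under a different InfoType; in the file-class space 6 and 8 denote FileInternalInformation and FileAccessInformation, so sharing one enum across both spaces invites misparsing in the `SMB2_set_info_file_class` case type later in this diff. At minimum add `# MS-FSCC 2.5 (file system) classes; only meaningful when the request's InfoType is SMB2_0_INFO_FILESYSTEM` above the two entries so the overlap is explicit.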
@@ -53,7 +65,154 @@ refine connection SMB_Conn += { return true; %} -}; + function proc_smb2_set_info_request_file_allocation(val: SMB2_file_allocation_info): bool + %{ + if ( smb2_file_allocation ) + BifEvent::generate_smb2_file_allocation(bro_analyzer(), + bro_analyzer()->Conn(), + BuildSMB2HeaderVal(${val.sir.header}), + BuildSMB2GUID(${val.sir.file_id}), + (${val.allocation_size})); + + return true; + %} + + function proc_smb2_set_info_request_file_endoffile(val: SMB2_file_endoffile_info): bool + %{ + if ( smb2_file_endoffile ) + BifEvent::generate_smb2_file_endoffile(bro_analyzer(), + bro_analyzer()->Conn(), + BuildSMB2HeaderVal(${val.sir.header}), + BuildSMB2GUID(${val.sir.file_id}), + ${val.endoffile}); + + return true; + %} + + #TODO not sure how to handle multiple full_ea file information + function proc_smb2_set_info_request_file_fullea(val: SMB2_file_fullea_info): bool + %{ + if ( smb2_file_fullea ) + BifEvent::generate_smb2_file_fullea(bro_analyzer(), + bro_analyzer()->Conn(), + BuildSMB2HeaderVal(${val.sir.header}), + BuildSMB2GUID(${val.sir.file_id}), + smb2_string2stringval(${val.ea_name}), + smb2_string2stringval(${val.ea_value})); + + return true; + %} + + function proc_smb2_set_info_request_file_link(val: SMB2_file_link_info): bool + %{ + if ( smb2_file_link ) + BifEvent::generate_smb2_file_link(bro_analyzer(), + bro_analyzer()->Conn(), + BuildSMB2HeaderVal(${val.sir.header}), + BuildSMB2GUID(${val.sir.file_id}), + ${val.root_directory}, + smb2_string2stringval(${val.file_name})); + + return true; + %} + + function proc_smb2_set_info_request_file_mode(val: SMB2_file_mode_info): bool + %{ + if ( smb2_file_mode ) + BifEvent::generate_smb2_file_mode(bro_analyzer(), + bro_analyzer()->Conn(), + BuildSMB2HeaderVal(${val.sir.header}), + BuildSMB2GUID(${val.sir.file_id}), + ${val.mode}); + + return true; + %} + + function proc_smb2_set_info_request_file_pipe(val: SMB2_file_pipe_info): bool + %{ + if ( smb2_file_pipe ) + 
BifEvent::generate_smb2_file_pipe(bro_analyzer(), + bro_analyzer()->Conn(), + BuildSMB2HeaderVal(${val.sir.header}), + BuildSMB2GUID(${val.sir.file_id}), + ${val.read_mode}, + ${val.completion_mode}); + + return true; + %} + + function proc_smb2_set_info_request_file_position(val: SMB2_file_position_info): bool + %{ + if ( smb2_file_position ) + BifEvent::generate_smb2_file_position(bro_analyzer(), + bro_analyzer()->Conn(), + BuildSMB2HeaderVal(${val.sir.header}), + BuildSMB2GUID(${val.sir.file_id}), + ${val.current_byte_offset}); + + return true; + %} + + function proc_smb2_set_info_request_file_shortname(val: SMB2_file_shortname_info): bool + %{ + if ( smb2_file_shortname ) + BifEvent::generate_smb2_file_shortname(bro_analyzer(), + bro_analyzer()->Conn(), + BuildSMB2HeaderVal(${val.sir.header}), + BuildSMB2GUID(${val.sir.file_id}), + smb2_string2stringval(${val.filename})); + + return true; + %} + + function proc_smb2_set_info_request_file_validdatalength(val: SMB2_file_validdatalength_info): bool + %{ + if ( smb2_file_validdatalength ) + BifEvent::generate_smb2_file_validdatalength(bro_analyzer(), + bro_analyzer()->Conn(), + BuildSMB2HeaderVal(${val.sir.header}), + BuildSMB2GUID(${val.sir.file_id}), + ${val.validdatalength}); + + return true; + %} + + function proc_smb2_set_info_request_file_fscontrol(val: SMB2_file_fscontrol_info): bool + %{ + + RecordVal* r = new RecordVal(BifType::Record::SMB2::Fscontrol); + + r->Assign(0, val_mgr->GetInt(${val.free_space_start_filtering})); + r->Assign(1, val_mgr->GetInt(${val.free_space_start_threshold})); + r->Assign(2, val_mgr->GetInt(${val.free_space_stop_filtering})); + r->Assign(3, val_mgr->GetCount(${val.default_quota_threshold})); + r->Assign(4, val_mgr->GetCount(${val.default_quota_limit})); + r->Assign(5, val_mgr->GetCount(${val.file_system_control_flags})); + + if ( smb2_file_fscontrol ) + BifEvent::generate_smb2_file_fscontrol(bro_analyzer(), + bro_analyzer()->Conn(), + BuildSMB2HeaderVal(${val.sir.header}), + 
BuildSMB2GUID(${val.sir.file_id}), + r); + return true; + %} + + function proc_smb2_set_info_request_file_fsobjectid(val: SMB2_file_fsobjectid_info): bool + %{ + if ( smb2_file_fsobjectid ) + BifEvent::generate_smb2_file_fsobjectid(bro_analyzer(), + bro_analyzer()->Conn(), + BuildSMB2HeaderVal(${val.sir.header}), + BuildSMB2GUID(${val.sir.file_id}), + BuildSMB2GUID(${val.object_id}), + smb2_string2stringval(${val.extended_info})); + + return true; + %} + +} + type SMB2_file_basic_info(sir: SMB2_set_info_request) = record { creation_time : SMB_timestamp; 
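Review bot: `proc_smb2_set_info_request_file_fscontrol` allocates `RecordVal* r = new RecordVal(BifType::Record::SMB2::Fscontrol)` and fills it before checking whether `smb2_file_fscontrol` has a handler, and `r` is only handed off inside the `if`; when the event is not handled the record is presumably never released, so every such request leaks a RecordVal. Every other handler in this hunk tests the event first, so the simplest fix is to mirror that with `if ( ! smb2_file_fscontrol ) return true;` ahead of the allocation (or move the allocation and the six `Assign` calls under the existing guard). The `#TODO` on `proc_smb2_set_info_request_file_fullea` should state what is actually dropped: a request may carry several FILE_FULL_EA_INFORMATION entries chained by `next_entry_offset`, and only the first one produces an event. The `refine connection SMB_Conn += {` block this hunk extends opens before the hunk.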
@@ -81,13 +240,109 @@ type SMB2_file_disposition_info(sir: SMB2_set_info_request) = record { proc: bool = $context.connection.proc_smb2_set_info_request_file_delete(this); }; -type SMB2_set_info_file_class(sir: SMB2_set_info_request) = case sir.info_level of { - SMB2_FILE_BASIC_INFO -> file_basic : SMB2_file_basic_info(sir); - SMB2_FILE_RENAME_INFO -> file_rename : SMB2_file_rename_info(sir); - SMB2_FILE_DISPOSITION_INFO -> file_disposition : SMB2_file_disposition_info(sir); - default -> info_file_unhandled : empty; +type SMB2_file_allocation_info(sir: SMB2_set_info_request) = record { + allocation_size : int64; +} &let { + proc: bool = $context.connection.proc_smb2_set_info_request_file_allocation(this); }; +type SMB2_file_endoffile_info(sir: SMB2_set_info_request) = record { + endoffile : int64; +} &let { + proc: bool = $context.connection.proc_smb2_set_info_request_file_endoffile(this); +}; + +type SMB2_file_fullea_info(sir: SMB2_set_info_request) = record { + next_entry_offset : uint32; + flags : uint8; + ea_name_length : uint8; + ea_value_length : uint16; + ea_name : SMB2_string(ea_name_length); + ea_value : SMB2_string(ea_value_length); +} &let { + proc: bool = $context.connection.proc_smb2_set_info_request_file_fullea(this); +}; + +type SMB2_file_link_info(sir: SMB2_set_info_request) = record { + replace_if_exists : uint8; #TODO this is a bool, not sure it is correct here + reserved : uint8[7]; #ignored... 
+ root_directory : uint64; + file_name_length : uint32; + file_name : SMB2_string(file_name_length); +} &let { + proc: bool = $context.connection.proc_smb2_set_info_request_file_link(this); +}; + +type SMB2_file_mode_info(sir: SMB2_set_info_request) = record { + mode : uint32; +} &let { + proc: bool = $context.connection.proc_smb2_set_info_request_file_mode(this); +}; + +type SMB2_file_pipe_info(sir: SMB2_set_info_request) = record { + read_mode : uint32; + completion_mode : uint32; +} &let { + proc: bool = $context.connection.proc_smb2_set_info_request_file_pipe(this); +}; + +type SMB2_file_position_info(sir: SMB2_set_info_request) = record { + current_byte_offset : int64; +} &let { + proc: bool = $context.connection.proc_smb2_set_info_request_file_position(this); +}; + +type SMB2_file_shortname_info(sir: SMB2_set_info_request) = record { + filename_length : uint32; + filename : SMB2_string(filename_length); +} &let { + proc: bool = $context.connection.proc_smb2_set_info_request_file_shortname(this); +}; + +type SMB2_file_validdatalength_info(sir: SMB2_set_info_request) = record { + validdatalength : int64; +} &let { + proc: bool = $context.connection.proc_smb2_set_info_request_file_validdatalength(this); +}; + +type SMB2_file_fscontrol_info(sir: SMB2_set_info_request) = record { + free_space_start_filtering : int64; + free_space_start_threshold : int64; + free_space_stop_filtering : int64; + default_quota_threshold : uint64; + default_quota_limit : uint64; + file_system_control_flags : uint32; + pad : padding[4]; +} &let { + proc: bool = $context.connection.proc_smb2_set_info_request_file_fscontrol(this); +}; + +type SMB2_file_fsobjectid_info(sir: SMB2_set_info_request) = record { + object_id : SMB2_guid; + extended_info : SMB2_string(48); +} &let { + proc: bool = $context.connection.proc_smb2_set_info_request_file_fsobjectid(this); +}; + +type SMB2_set_info_file_class(sir: SMB2_set_info_request) = case sir.info_level of { + SMB2_FILE_BASIC_INFO -> file_basic : 
SMB2_file_basic_info(sir); + SMB2_FILE_RENAME_INFO -> file_rename : SMB2_file_rename_info(sir); + SMB2_FILE_DISPOSITION_INFO -> file_disposition : SMB2_file_disposition_info(sir); + SMB2_FILE_ALLOCATION_INFO -> file_allocation : SMB2_file_allocation_info(sir); + SMB2_FILE_ENDOFFILE_INFO -> file_endoffile : SMB2_file_endoffile_info(sir); + SMB2_FILE_FULLEA_INFO -> file_fullea : SMB2_file_fullea_info(sir); + SMB2_FILE_LINK_INFO -> file_link : SMB2_file_link_info(sir); + SMB2_FILE_MODE_INFO -> file_mode : SMB2_file_mode_info(sir); + SMB2_FILE_PIPE_INFO -> file_pipe : SMB2_file_pipe_info(sir); + SMB2_FILE_POSITION_INFO -> file_position : SMB2_file_position_info(sir); + SMB2_FILE_SHORTNAME_INFO -> file_shortname : SMB2_file_shortname_info(sir); + SMB2_FILE_VALIDDATALENGTH_INFO -> file_validdatalength : SMB2_file_validdatalength_info(sir); + SMB2_FILE_FSCONTROL_INFO -> file_fscontrol : SMB2_file_fscontrol_info(sir); + SMB2_FILE_FSOBJECTID_INFO -> file_fsobjectid : SMB2_file_fsobjectid_info(sir); + default -> info_file_unhandled : empty; +}; + + type SMB2_set_info_request(header: SMB2_Header) = record { structure_size : uint16; info_class : uint8; diff --git a/src/analyzer/protocol/smb/smb2_com_set_info.bif b/src/analyzer/protocol/smb/smb2_com_set_info.bif index 1f6d9386f8..32de91c582 100644 --- a/src/analyzer/protocol/smb/smb2_com_set_info.bif +++ b/src/analyzer/protocol/smb/smb2_com_set_info.bif 
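Review bot: `SMB2_set_info_file_class` still dispatches on `sir.info_level` alone, yet the new `SMB2_FILE_FSCONTROL_INFO` (0x06) and `SMB2_FILE_FSOBJECTID_INFO` (0x08) arms are MS-FSCC 2.5 file-system classes, which a client sends with InfoType 0x02 (SMB2_0_INFO_FILESYSTEM) rather than 0x01 (SMB2_0_INFO_FILE). Unless the caller, which is outside this hunk, already routes only InfoType-FILE requests here, a SET_INFO with file class 6 or 8 (FileInternalInformation / FileAccessInformation) will be parsed as FS_CONTROL or FS_OBJECTID data and emit events with meaningless field values; a second case type keyed on `sir.info_class` for the file-system classes would keep the two spaces apart. `SMB2_file_fullea_info` reads `next_entry_offset` but never follows it, so a multi-entry request yields one event and silently discards the rest — worth `# only the first FILE_FULL_EA_INFORMATION entry is parsed; next_entry_offset is ignored` on the record. MS-FSCC also defines EaName as a null-terminated ASCII string, so if `SMB2_string` (defined elsewhere) assumes UTF-16, `ea_name` will be decoded incorrectly.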
@@ -11,7 +11,7 @@
 ##
 ## dst_filename: The filename to rename the file into.
 ##
-## .. bro:see:: smb2_message smb2_file_delete smb2_file_sattr
+## .. bro:see:: smb2_message smb2_file_delete smb2_file_sattr, smb2_file_allocation, smb2_file_endoffile, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_shortname, smb2_file_validdatalength, smb2_file_fullea, smb2_file_link, smb2_file_fsobjectid, smb2_file_fsobjectid
 event smb2_file_rename%(c: connection, hdr: SMB2::Header, file_id: SMB2::GUID, dst_filename: string%);
 
 ## Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
@@ -28,7 +28,7 @@ event smb2_file_rename%(c: connection, hdr: SMB2::Header, file_id: SMB2::GUID, d
 ## delete_pending: A boolean value to indicate that a file should be deleted
 ## when it's closed if set to T.
 ##
-## .. bro:see:: smb2_message smb2_file_rename smb2_file_sattr
+## .. bro:see:: smb2_message smb2_file_delete smb2_file_sattr, smb2_file_allocation, smb2_file_endoffile, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_shortname, smb2_file_validdatalength, smb2_file_fullea, smb2_file_link, smb2_file_fsobjectid, smb2_file_fsobjectid
 event smb2_file_delete%(c: connection, hdr: SMB2::Header, file_id: SMB2::GUID, delete_pending: bool%);
 
 ## Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
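Review bot: The rewritten `.. bro:see::` line on `smb2_file_delete` now lists smb2_file_delete itself and drops smb2_file_rename, which the old line had, and both new lists name `smb2_file_fsobjectid` twice while omitting `smb2_file_fscontrol`. The existing lines separate names with whitespace only; the new ones mix commas in, which the directive may carry into the cross-reference names, so I would expect `## .. bro:see:: smb2_message smb2_file_rename smb2_file_sattr smb2_file_allocation smb2_file_endoffile smb2_file_mode smb2_file_pipe smb2_file_position smb2_file_shortname smb2_file_validdatalength smb2_file_fullea smb2_file_link smb2_file_fscontrol smb2_file_fsobjectid` on the delete event (and the matching list, minus itself, on rename). The same pasted list appears on every new event in the following hunk (@@ -46,9 +46,174 @@) and carries the same duplicates and commas.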
@@ -46,9 +46,174 @@ event smb2_file_delete%(c: connection, hdr: SMB2::Header, file_id: SMB2::GUID, d ## ## attrs: File attributes. ## -## .. bro:see:: smb2_message smb2_file_rename smb2_file_delete +## .. bro:see:: smb2_message smb2_file_delete smb2_file_sattr, smb2_file_allocation, smb2_file_endoffile, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_shortname, smb2_file_validdatalength, smb2_file_fullea, smb2_file_link, smb2_file_fsobjectid, smb2_file_fsobjectid event smb2_file_sattr%(c: connection, hdr: SMB2::Header, file_id: SMB2::GUID, times: SMB::MACTimes, attrs: SMB2::FileAttrs%); +## Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)` +## version 2 requests of type *set_info* of the *allocation* subtype +## +## For more infomation, see MS-SMB2:2.2.39 +## +## c: The connection. +## +## hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 2 message. +## +## alloc_size: desired allocation size. +## +## .. bro:see:: smb2_message smb2_file_delete smb2_file_sattr, smb2_file_allocation, smb2_file_endoffile, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_shortname, smb2_file_validdatalength, smb2_file_fullea, smb2_file_link, smb2_file_fsobjectid, smb2_file_fsobjectid +event smb2_file_allocation%(c: connection, hdr: SMB2::Header, file_id: SMB2::GUID, alloc_size: int%); + +## Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)` +## version 2 requests of type *set_info* of the *end_of_file* subtype +## +## For more infomation, see MS-SMB2:2.2.39 +## +## c: The connection. +## +## hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 2 message. +## +## end_of_file: the absolute new end of file position as a byte offset from the start of the file +## +## .. 
bro:see:: smb2_message smb2_file_delete smb2_file_sattr, smb2_file_allocation, smb2_file_endoffile, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_shortname, smb2_file_validdatalength, smb2_file_fullea, smb2_file_link, smb2_file_fsobjectid, smb2_file_fsobjectid +event smb2_file_endoffile%(c: connection, hdr: SMB2::Header, file_id: SMB2::GUID, end_of_file: int%); + + +## Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)` +## version 2 requests of type *set_info* of the *mode* subtype +## +## For more infomation, see MS-SMB2:2.2.39 +## +## c: The connection. +## +## hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 2 message. +## +## mode: specifies how the file will subsequently be accessed. +## +## .. bro:see:: smb2_message smb2_file_delete smb2_file_sattr, smb2_file_allocation, smb2_file_endoffile, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_shortname, smb2_file_validdatalength, smb2_file_fullea, smb2_file_link, smb2_file_fsobjectid, smb2_file_fsobjectid +event smb2_file_mode%(c: connection, hdr: SMB2::Header, file_id: SMB2::GUID, mode: count%); + + +## Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)` +## version 2 requests of type *set_info* of the *pipe* subtype +## +## For more infomation, see MS-SMB2:2.2.39 +## +## c: The connection. +## +## hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 2 message. +## +## read_mode: specifies if data must be read as a stream of bytes or messages +## +## completion_mode: specifies if blocking mode must be enabled or not +## +## .. 
bro:see:: smb2_message smb2_file_delete smb2_file_sattr, smb2_file_allocation, smb2_file_endoffile, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_shortname, smb2_file_validdatalength, smb2_file_fullea, smb2_file_link, smb2_file_fsobjectid, smb2_file_fsobjectid +event smb2_file_pipe%(c: connection, hdr: SMB2::Header, file_id: SMB2::GUID, read_mode: count, completion_mode: count%); + + +## Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)` +## version 2 requests of type *set_info* of the *position* subtype +## +## For more infomation, see MS-SMB2:2.2.39 +## +## c: The connection. +## +## hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 2 message. +## +## current_byte_offset: specifies the offset, in bytes, of the file pointer from the beginning of the file +## +## .. bro:see:: smb2_message smb2_file_delete smb2_file_sattr, smb2_file_allocation, smb2_file_endoffile, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_shortname, smb2_file_validdatalength, smb2_file_fullea, smb2_file_link, smb2_file_fsobjectid, smb2_file_fsobjectid +event smb2_file_position%(c: connection, hdr: SMB2::Header, file_id: SMB2::GUID, current_byte_offset: int%); + +## Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)` +## version 2 requests of type *set_info* of the *short_name* subtype +## +## For more infomation, see MS-SMB2:2.2.39 +## +## c: The connection. +## +## hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 2 message. +## +## file_name: specifies the name of the file to be changed +## +## .. 
bro:see:: smb2_message smb2_file_delete smb2_file_sattr, smb2_file_allocation, smb2_file_endoffile, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_shortname, smb2_file_validdatalength, smb2_file_fullea, smb2_file_link, smb2_file_fsobjectid, smb2_file_fsobjectid +event smb2_file_shortname%(c: connection, hdr: SMB2::Header, file_id: SMB2::GUID, file_name: string %); + +## Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)` +## version 2 requests of type *set_info* of the *valid_data_length* subtype +## +## For more infomation, see MS-SMB2:2.2.39 +## +## c: The connection. +## +## hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 2 message. +## +## valid_data_length: specifies the new valid data length +## +## .. bro:see:: smb2_message smb2_file_delete smb2_file_sattr, smb2_file_allocation, smb2_file_endoffile, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_shortname, smb2_file_validdatalength, smb2_file_fullea, smb2_file_link, smb2_file_fsobjectid, smb2_file_fsobjectid +event smb2_file_validdatalength%(c: connection, hdr: SMB2::Header, file_id: SMB2::GUID, valid_data_length: int %); + +## Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)` +## version 2 requests of type *set_info* of the *full_EA* subtype +## +## For more infomation, see MS-SMB2:2.2.39 +## +## c: The connection. +## +## hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 2 message. +## +## ea_name: contains the extended attribute name +## +## ea_value: contains the extended attribute value +## +## .. 
bro:see:: smb2_message smb2_file_delete smb2_file_sattr, smb2_file_allocation, smb2_file_endoffile, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_shortname, smb2_file_validdatalength, smb2_file_fullea, smb2_file_link, smb2_file_fsobjectid, smb2_file_fsobjectid +event smb2_file_fullea%(c: connection, hdr: SMB2::Header, file_id: SMB2::GUID, ea_name: string, ea_value: string %); + +## Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)` +## version 2 requests of type *set_info* of the *link* subtype +## +## For more infomation, see MS-SMB2:2.2.39 +## +## c: The connection. +## +## hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 2 message. +## +## root_directory: contains the file handle for the directory where the link is to be created +## +## file_name: contains the name to be assigned to the newly created link +## +## .. bro:see:: smb2_message smb2_file_delete smb2_file_sattr, smb2_file_allocation, smb2_file_endoffile, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_shortname, smb2_file_validdatalength, smb2_file_fullea, smb2_file_link, smb2_file_fsobjectid, smb2_file_fsobjectid +event smb2_file_link%(c: connection, hdr: SMB2::Header, file_id: SMB2::GUID, root_directory: count, file_name: string %); + +## Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)` +## version 2 requests of type *set_info* of the *fs_control* subtype +## +## For more infomation, see MS-SMB2:2.2.39 +## +## c: The connection. +## +## hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 2 message. +## +## fs_control: contains fs_control info (see MS-FCC 2.5.2) +## +## .. 
bro:see:: smb2_message smb2_file_delete smb2_file_sattr, smb2_file_allocation, smb2_file_endoffile, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_shortname, smb2_file_validdatalength, smb2_file_fullea, smb2_file_link, smb2_file_fsobjectid, smb2_file_fsobjectid +event smb2_file_fscontrol%(c: connection, hdr: SMB2::Header, file_id: SMB2::GUID, fs_control: SMB2::Fscontrol %); + +## Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)` +## version 2 requests of type *set_info* of the *fs_object_id* subtype +## +## For more infomation, see MS-SMB2:2.2.39 +## +## c: The connection. +## +## hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 2 message. +## +## object_id: contains a 16-bytes GUID that identifies the file system volume (see MS-FCC 2.5.6) +## +## extended_info: contains extended information on the file system volume +## +## .. bro:see:: smb2_message smb2_file_delete smb2_file_sattr, smb2_file_allocation, smb2_file_endoffile, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_shortname, smb2_file_validdatalength, smb2_file_fullea, smb2_file_link, smb2_file_fsobjectid, smb2_file_fsobjectid +event smb2_file_fsobjectid%(c: connection, hdr: SMB2::Header, file_id: SMB2::GUID, object_id: SMB2::GUID, extended_info: string %); + # TODO - Not implemented # Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)` diff --git a/src/analyzer/protocol/smb/types.bif b/src/analyzer/protocol/smb/types.bif index 4714046a62..33f1a5c5a2 100644 --- a/src/analyzer/protocol/smb/types.bif +++ b/src/analyzer/protocol/smb/types.bif @@ -4,4 +4,5 @@ type SMB1::Header: record; type SMB2::Header: record; type SMB2::GUID: record; -type SMB2::FileAttrs: record; \ No newline at end of file +type SMB2::FileAttrs: record; +type SMB2::Fscontrol: record;
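Review bot: None of the eleven new event docstrings document the `file_id` parameter, although every signature takes `file_id: SMB2::GUID`; add a line such as `## file_id: The SMB2 GUID of the file the request applies to.` under `hdr` in each block so the generated docs stay complete. The copied boilerplate also repeats "For more infomation" (typo) in every block and cites "MS-FCC" rather than MS-FSCC on `smb2_file_fscontrol` and `smb2_file_fsobjectid`. The `.. bro:see::` lists carry the duplicated and self-referencing names already raised on the earlier hunk. As a point of style, the new signatures are inconsistent about `string %)` versus `string%)`; the existing events use no space before `%)`.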