Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-17 05:58:20 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 2

Fix SMB tree connect handling.

Browse source 
It was misidentifying share mappings as FILE shares
sometimes when they were actually PIPE shares.
This commit is contained in:
Seth Hall 2016-11-01 03:14:15 -04:00
parent 19a4376a9a
commit bb5c2c94ec
5 changed files with 11 additions and 6 deletions
Download patch file Download diff file Expand all files Collapse all files

4
src/analyzer/protocol/smb/smb-pipe.pac
View file

@ -25,9 +25,9 @@ refine connection SMB_Conn += {
return ( tree_is_pipe_map.count(tree_id) > 0 );
%}
function set_tree_is_pipe(tree_id: uint16, is_pipe: bool): bool
function set_tree_is_pipe(tree_id: uint16): bool
%{
tree_is_pipe_map[tree_id] = is_pipe;
tree_is_pipe_map[tree_id] = true;
return true;
%}

2
src/analyzer/protocol/smb/smb1-com-nt-create-andx.pac
View file

@ -5,7 +5,7 @@ refine connection SMB_Conn += {
if ( ! ${header.is_pipe} &&
BifConst::SMB::pipe_filenames->AsTable()->Lookup(filename->CheckString()) )
{
set_tree_is_pipe(${header.tid}, true);
set_tree_is_pipe(${header.tid});
BifEvent::generate_smb_pipe_connect_heuristic(bro_analyzer(),
bro_analyzer()->Conn());
}

6
src/analyzer/protocol/smb/smb1-com-tree-connect-andx.pac
View file

@ -13,7 +13,11 @@ refine connection SMB_Conn += {
function proc_smb1_tree_connect_andx_response(header: SMB_Header, val: SMB1_tree_connect_andx_response): bool
%{
set_tree_is_pipe(${header.tid}, strncmp((const char*) smb_string2stringval(${val.service})->Bytes(), "IPC", 3) == 0);
if ( strncmp((const char*) smb_string2stringval(${val.service})->Bytes(),
"IPC", 3) == 0 )
{
set_tree_is_pipe(${header.tid});
}
if ( smb1_tree_connect_andx_response )
{

2
src/analyzer/protocol/smb/smb2-com-create.pac
View file

@ -6,7 +6,7 @@ refine connection SMB_Conn += {
if ( ! ${h.is_pipe} &&
BifConst::SMB::pipe_filenames->AsTable()->Lookup(filename->CheckString()) )
{
set_tree_is_pipe(${h.tree_id}, true);
set_tree_is_pipe(${h.tree_id});
BifEvent::generate_smb_pipe_connect_heuristic(bro_analyzer(),
bro_analyzer()->Conn());
}

3
src/analyzer/protocol/smb/smb2-com-tree-connect.pac
View file

@ -13,7 +13,8 @@ refine connection SMB_Conn += {
function proc_smb2_tree_connect_response(header: SMB2_Header, val: SMB2_tree_connect_response): bool
%{
set_tree_is_pipe(${header.tree_id}, ${val.share_type} == SMB2_SHARE_TYPE_PIPE);
if ( ${val.share_type} == SMB2_SHARE_TYPE_PIPE )
set_tree_is_pipe(${header.tree_id});
if ( smb2_tree_connect_response )
{