From bbe89a79a47e6508a00c11d77d5ea5441723ee37 Mon Sep 17 00:00:00 2001
From: Jeffrey Bencteux
Date: Fri, 2 Jun 2017 17:27:11 +0200
Subject: [PATCH] add smb1_transaction2_secondary_request event parse and expose SMB_COM_TRANSACTION2_SECONDARY (0x33) message to script level. See MS-CIFS section 2.2.4.47.1.
---
 scripts/base/init-bare.bro | 21 +++++++
 src/analyzer/protocol/smb/CMakeLists.txt | 2 +
 src/analyzer/protocol/smb/smb.pac | 2 +
 .../smb/smb1-com-transaction2-secondary.pac | 62 +++++++++++++++++++
 src/analyzer/protocol/smb/smb1-protocol.pac | 2 +-
 .../smb/smb1_com_transaction2_secondary.bif | 19 ++++++
 6 files changed, 107 insertions(+), 1 deletion(-)
 create mode 100644 src/analyzer/protocol/smb/smb1-com-transaction2-secondary.pac
 create mode 100644 src/analyzer/protocol/smb/smb1_com_transaction2_secondary.bif

diff --git a/scripts/base/init-bare.bro b/scripts/base/init-bare.bro
index b92ac9a5e4..592c89116e 100644
--- a/scripts/base/init-bare.bro
+++ b/scripts/base/init-bare.bro
@@ -2880,6 +2880,27 @@ export {
 data_displacement: count;
 };
 
+ type SMB1::Trans2_Sec_Args: record {
+ ## Total parameter count
+ total_param_count: count;
+ ## Total data count
+ total_data_count: count;
+ ## Parameter count
+ param_count: count;
+ ## Parameter offset
+ param_offset: count;
+ ## Parameter displacement
+ param_displacement: count;
+ ## Data count
+ data_count: count;
+ ## Data offset
+ data_offset: count;
+ ## Data displacement
+ data_displacement: count;
+ ## File ID
+ FID: count;
+ };
+
 type SMB1::Find_First2_Request_Args: record {
 ## File attributes to apply as a constraint to the search
 search_attrs : count;
diff --git a/src/analyzer/protocol/smb/CMakeLists.txt b/src/analyzer/protocol/smb/CMakeLists.txt
index 6b594d5367..cc5d690dfd 100644
--- a/src/analyzer/protocol/smb/CMakeLists.txt
+++ b/src/analyzer/protocol/smb/CMakeLists.txt
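Review bot: The field comments on `SMB1::Trans2_Sec_Args` only restate the field names, and the two displacement fields are meaningless to a script author without knowing they are relative to the primary TRANSACTION2 message rather than to this one. Per MS-CIFS 2.2.4.47.1 I would write `## Byte offset of this fragment within the full transaction parameter block` for `param_displacement`, `## Byte offset of this fragment within the full transaction data block` for `data_displacement`, and note on `total_param_count`/`total_data_count` that they describe the whole transaction, not this message. As far as this patch shows, nothing reassembles the fragments, so this record is the only place a consumer learns how to do it.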
@@ -20,6 +20,7 @@ bro_plugin_bif(
 smb1_com_transaction.bif
 smb1_com_transaction_secondary.bif
 smb1_com_transaction2.bif
+ smb1_com_transaction2_secondary.bif
 smb1_com_tree_connect_andx.bif
 smb1_com_tree_disconnect.bif
 smb1_com_write_andx.bif
@@ -66,6 +67,7 @@ bro_plugin_pac(
 smb1-com-transaction-secondary.pac
 smb1-com-transaction.pac
 smb1-com-transaction2.pac
+ smb1-com-transaction2-secondary.pac
 smb1-com-tree-connect-andx.pac
 smb1-com-tree-disconnect.pac
 smb1-com-write-andx.pac
diff --git a/src/analyzer/protocol/smb/smb.pac b/src/analyzer/protocol/smb/smb.pac
index c747d87e92..a21101faaa 100644
--- a/src/analyzer/protocol/smb/smb.pac
+++ b/src/analyzer/protocol/smb/smb.pac
@@ -26,6 +26,7 @@
 #include "smb1_com_transaction.bif.h"
 #include "smb1_com_transaction_secondary.bif.h"
 #include "smb1_com_transaction2.bif.h"
+#include "smb1_com_transaction2_secondary.bif.h"
 #include "smb1_com_tree_connect_andx.bif.h"
 #include "smb1_com_tree_disconnect.bif.h"
 #include "smb1_com_write_andx.bif.h"
@@ -75,6 +76,7 @@ connection SMB_Conn(bro_analyzer: BroAnalyzer) {
 %include smb1-com-transaction-secondary.pac
 %include smb1-com-transaction.pac
 %include smb1-com-transaction2.pac
+%include smb1-com-transaction2-secondary.pac
 %include smb1-com-tree-connect-andx.pac
 %include smb1-com-tree-disconnect.pac
 %include smb1-com-write-andx.pac
diff --git a/src/analyzer/protocol/smb/smb1-com-transaction2-secondary.pac b/src/analyzer/protocol/smb/smb1-com-transaction2-secondary.pac
new file mode 100644
index 0000000000..f2ae2e8e99
--- /dev/null
+++ b/src/analyzer/protocol/smb/smb1-com-transaction2-secondary.pac
@@ -0,0 +1,62 @@
+refine connection SMB_Conn += {
+
+ function proc_smb1_transaction2_secondary_request(header: SMB_Header, val: SMB1_transaction2_secondary_request): bool
+ %{
+ RecordVal *args = new RecordVal(BifType::Record::SMB1::Trans2_Sec_Args);
+ args->Assign(0, new Val(${val.total_param_count}, TYPE_COUNT));
+ args->Assign(1, new Val(${val.total_data_count}, TYPE_COUNT));
+ args->Assign(2, new Val(${val.param_count}, TYPE_COUNT));
+ args->Assign(3, new Val(${val.param_offset}, TYPE_COUNT));
+ args->Assign(4, new Val(${val.param_displacement}, TYPE_COUNT));
+ args->Assign(5, new Val(${val.data_count}, TYPE_COUNT));
+ args->Assign(6, new Val(${val.data_offset}, TYPE_COUNT));
+ args->Assign(7, new Val(${val.data_displacement}, TYPE_COUNT));
+ args->Assign(8, new Val(${val.FID}, TYPE_COUNT));
+
+ StringVal *parameters = new StringVal(${val.param_count}, (const char*)${val.parameters}.data());
+ StringVal *payload = new StringVal(${val.data_count}, (const char*)${val.data}.data());
+
+ if ( !parameters )
+ {
+ parameters = new StringVal("");
+ }
+
+ if ( !payload )
+ {
+ payload = new StringVal("");
+ }
+
+ if ( smb1_transaction2_secondary_request )
+ {
+ BifEvent::generate_smb1_transaction2_secondary_request(bro_analyzer(),
+ bro_analyzer()->Conn(),
+ BuildHeaderVal(header),
+ args,
+ parameters,
+ payload);
+ }
+
+ return true;
+ %}
+};
+
+type SMB1_transaction2_secondary_request(header: SMB_Header) = record {
+ word_count : uint8;
+ total_param_count : uint16;
+ total_data_count : uint16;
+ param_count : uint16;
+ param_offset : uint16;
+ param_displacement : uint16;
+ data_count : uint16;
+ data_offset : uint16;
+ data_displacement : uint16;
+ FID : uint16;
+
+ byte_count : uint16;
+ pad1 : padding to (param_offset - SMB_Header_length);
+ parameters : bytestring &length = param_count;
+ pad2 : padding to (data_offset - SMB_Header_length);
+ data : bytestring &length=data_count;
+} &let {
+ proc : bool = 
$context.connection.proc_smb1_transaction2_secondary_request(header, this);
+};
diff --git a/src/analyzer/protocol/smb/smb1-protocol.pac b/src/analyzer/protocol/smb/smb1-protocol.pac
index 92a448ea8e..75db898f73 100644
--- a/src/analyzer/protocol/smb/smb1-protocol.pac
+++ b/src/analyzer/protocol/smb/smb1-protocol.pac
@@ -179,7 +179,7 @@ type SMB_Message_Request(header: SMB_Header, offset: uint16, command: uint8, is_
 # #SMB_COM_WRITE_AND_CLOSE -> write_and_close : SMB_write_and_close_request(header);
 # #SMB_COM_NEW_FILE_SIZE -> new_file_size : SMB_new_file_size_request(header);
 # #SMB_COM_CLOSE_AND_TREE_DISC -> close_and_tree_disc : SMB_close_and_tree_disc_request(header);
-# #SMB_COM_TRANSACTION2_SECONDARY -> transaction2_secondary : SMB1_transaction2_secondary_request(header);
+ SMB_COM_TRANSACTION2_SECONDARY -> transaction2_secondary : SMB1_transaction2_secondary_request(header);
 # #SMB_COM_FIND_CLOSE2 -> find_close2 : SMB_find_close2_request(header);
 # #SMB_COM_FIND_NOTIFY_CLOSE -> find_notify_close : SMB_find_notify_close_request(header);
 # #SMB_COM_TREE_CONNECT -> tree_connect : SMB_tree_connect_request(header);
diff --git a/src/analyzer/protocol/smb/smb1_com_transaction2_secondary.bif b/src/analyzer/protocol/smb/smb1_com_transaction2_secondary.bif
new file mode 100644
index 0000000000..81aef809aa
--- /dev/null
+++ b/src/analyzer/protocol/smb/smb1_com_transaction2_secondary.bif
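Review bot: `args`, `parameters` and `payload` are allocated unconditionally at the top of `proc_smb1_transaction2_secondary_request`, but are only handed to `BifEvent::generate_smb1_transaction2_secondary_request` inside `if ( smb1_transaction2_secondary_request )`, so when no script handles the event every SMB_COM_TRANSACTION2_SECONDARY message leaks a RecordVal plus two StringVals of up to 64 KiB each of client-supplied bytes — a leak a remote peer can drive at will, assuming the generated event takes ownership of its Val arguments as the other SMB bif events do. Make `if ( ! smb1_transaction2_secondary_request ) return true;` the first statement of the body and call the generator unconditionally afterwards. The `if ( !parameters )` and `if ( !payload )` blocks are dead code, since `new` never yields a null pointer, and should go. `param_offset` and `data_offset` are wire-supplied uint16 values, so the `padding to (... - SMB_Header_length)` fields presumably rely on binpac rejecting a target offset behind the current position (as the existing transaction parsers do); a one-line comment such as `# offsets are client-controlled; binpac throws on an offset before the current position` would make that reliance explicit.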
@@ -0,0 +1,19 @@
+## Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
+## version 1 requests of type *transaction2 secondary*.
+##
+## For more information, see MS-CIFS:2.2.4.47.1
+##
+## c: The connection.
+##
+## hdr: The parsed header of the :abbr:`SMB (Server Message Block)`
+## version 1 message.
+##
+## args: arguments of the message (SMB_Parameters.Words)
+##
+## parameters: content of the SMB_Data.Trans_Parameters field
+##
+## data: content of the SMB_Data.Trans_Data field
+event smb1_transaction2_secondary_request%(c: connection, hdr: SMB1::Header, args: SMB1::Trans2_Sec_Args, parameters: string, data: string%);
+
+## Types
+type SMB1::Trans2_Sec_Args: record;
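Review bot: The event documentation does not say that `parameters` and `data` carry a single fragment whose length is whatever the client put in `param_count`/`data_count`, not the reassembled transaction; as far as this patch shows nothing reassembles fragments, so a script that treats `data` as a complete Trans2 payload will mis-parse it. I would add after the `## data:` line: `## Both strings hold one fragment only; use args$param_displacement, args$data_displacement` and `## and the total counts in args to reassemble the full transaction at script level.` It is also worth stating in the first paragraph that the event fires once per secondary message, so a large transaction produces several of them.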