add smb1_transaction2_secondary_request event

parse and expose the SMB_COM_TRANSACTION2_SECONDARY (0x33) message to
the script level. See MS-CIFS section 2.2.4.47.1.
Jeffrey Bencteux 2017-06-02 17:27:11 +02:00
parent 046c7bc481
commit bbe89a79a4
6 changed files with 107 additions and 1 deletions


@ -2880,6 +2880,27 @@ export {
data_displacement: count; data_displacement: count;
}; };
type SMB1::Trans2_Sec_Args: record {
## Total parameter count
total_param_count: count;
## Total data count
total_data_count: count;
## Parameter count
param_count: count;
## Parameter offset
param_offset: count;
## Parameter displacement
param_displacement: count;
## Data count
data_count: count;
## Data offset
data_offset: count;
## Data displacement
data_displacement: count;
## File ID
FID: count;
};
type SMB1::Find_First2_Request_Args: record { type SMB1::Find_First2_Request_Args: record {
## File attributes to apply as a constraint to the search ## File attributes to apply as a constraint to the search
search_attrs : count; search_attrs : count;
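Review bot: The per-field doc comments on `SMB1::Trans2_Sec_Args` only restate the field names, so a script author cannot tell from the record what the offsets and displacements are relative to. Following MS-CIFS 2.2.4.47.1, which the commit cites and which the parser's `param_offset - SMB_Header_length` arithmetic also reflects, `param_offset`/`data_offset` are byte offsets from the start of the SMB header, and `param_displacement`/`data_displacement` give where this fragment's bytes sit within the complete parameter/data blocks of `total_param_count`/`total_data_count` bytes. Spelling that out, e.g. `## Offset in bytes of this fragment's parameters within the full parameter block (see total_param_count)`, would make the event usable for reassembly without re-reading the spec. The enclosing `export` block starts before this section.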


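--- a/PATH-NOT-SHOWN-ON-PAGE
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -20,6 +20,7 @@ bro_plugin_bif(
 smb1_com_transaction.bif
 smb1_com_transaction_secondary.bif
 smb1_com_transaction2.bif
+smb1_com_transaction2_secondary.bif
 smb1_com_tree_connect_andx.bif
 smb1_com_tree_disconnect.bif
 smb1_com_write_andx.bif
@@ -66,6 +67,7 @@ bro_plugin_pac(
 smb1-com-transaction-secondary.pac
 smb1-com-transaction.pac
 smb1-com-transaction2.pac
+smb1-com-transaction2-secondary.pac
 smb1-com-tree-connect-andx.pac
 smb1-com-tree-disconnect.pac
 smb1-com-write-andx.pac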


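--- a/PATH-NOT-SHOWN-ON-PAGE
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -26,6 +26,7 @@
 #include "smb1_com_transaction.bif.h"
 #include "smb1_com_transaction_secondary.bif.h"
 #include "smb1_com_transaction2.bif.h"
+#include "smb1_com_transaction2_secondary.bif.h"
 #include "smb1_com_tree_connect_andx.bif.h"
 #include "smb1_com_tree_disconnect.bif.h"
 #include "smb1_com_write_andx.bif.h"
@@ -75,6 +76,7 @@ connection SMB_Conn(bro_analyzer: BroAnalyzer) {
 %include smb1-com-transaction-secondary.pac
 %include smb1-com-transaction.pac
 %include smb1-com-transaction2.pac
+%include smb1-com-transaction2-secondary.pac
 %include smb1-com-tree-connect-andx.pac
 %include smb1-com-tree-disconnect.pac
 %include smb1-com-write-andx.pac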


@ -0,0 +1,62 @@
refine connection SMB_Conn += {
function proc_smb1_transaction2_secondary_request(header: SMB_Header, val: SMB1_transaction2_secondary_request): bool
%{
RecordVal *args = new RecordVal(BifType::Record::SMB1::Trans2_Sec_Args);
args->Assign(0, new Val(${val.total_param_count}, TYPE_COUNT));
args->Assign(1, new Val(${val.total_data_count}, TYPE_COUNT));
args->Assign(2, new Val(${val.param_count}, TYPE_COUNT));
args->Assign(3, new Val(${val.param_offset}, TYPE_COUNT));
args->Assign(4, new Val(${val.param_displacement}, TYPE_COUNT));
args->Assign(5, new Val(${val.data_count}, TYPE_COUNT));
args->Assign(6, new Val(${val.data_offset}, TYPE_COUNT));
args->Assign(7, new Val(${val.data_displacement}, TYPE_COUNT));
args->Assign(8, new Val(${val.FID}, TYPE_COUNT));
StringVal *parameters = new StringVal(${val.param_count}, (const char*)${val.parameters}.data());
StringVal *payload = new StringVal(${val.data_count}, (const char*)${val.data}.data());
if ( !parameters )
{
parameters = new StringVal("");
}
if ( !payload )
{
payload = new StringVal("");
}
if ( smb1_transaction2_secondary_request )
{
BifEvent::generate_smb1_transaction2_secondary_request(bro_analyzer(),
bro_analyzer()->Conn(),
BuildHeaderVal(header),
args,
parameters,
payload);
}
return true;
%}
};
type SMB1_transaction2_secondary_request(header: SMB_Header) = record {
word_count : uint8;
total_param_count : uint16;
total_data_count : uint16;
param_count : uint16;
param_offset : uint16;
param_displacement : uint16;
data_count : uint16;
data_offset : uint16;
data_displacement : uint16;
FID : uint16;
byte_count : uint16;
pad1 : padding to (param_offset - SMB_Header_length);
parameters : bytestring &length = param_count;
pad2 : padding to (data_offset - SMB_Header_length);
data : bytestring &length=data_count;
} &let {
proc : bool = $context.connection.proc_smb1_transaction2_secondary_request(header, this);
};
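Review bot: `args`, `parameters` and `payload` are allocated at the top of `proc_smb1_transaction2_secondary_request`, but ownership is handed over only inside the `if ( smb1_transaction2_secondary_request )` branch, so on any deployment that does not handle the event every secondary request leaks a RecordVal and two StringVals. Start the body with `if ( ! smb1_transaction2_secondary_request ) return true;` and drop the `if ( !parameters )` / `if ( !payload )` blocks, which can never fire because `new` does not return null. The `padding to (param_offset - SMB_Header_length)` and `padding to (data_offset - SMB_Header_length)` fields trust client-supplied offsets; if an offset is smaller than the header length the expression goes negative, and it is worth confirming that binpac's padding check rejects that case rather than relying on the connection-level exception handler. Building the StringVals from `${val.parameters}.length()` and `${val.data}.length()` instead of the `param_count`/`data_count` words would also keep the copied length tied to what was actually parsed.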


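--- a/PATH-NOT-SHOWN-ON-PAGE
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -179,7 +179,7 @@ type SMB_Message_Request(header: SMB_Header, offset: uint16, command: uint8, is_
 # #SMB_COM_WRITE_AND_CLOSE -> write_and_close : SMB_write_and_close_request(header);
 # #SMB_COM_NEW_FILE_SIZE -> new_file_size : SMB_new_file_size_request(header);
 # #SMB_COM_CLOSE_AND_TREE_DISC -> close_and_tree_disc : SMB_close_and_tree_disc_request(header);
-# #SMB_COM_TRANSACTION2_SECONDARY -> transaction2_secondary : SMB1_transaction2_secondary_request(header);
+SMB_COM_TRANSACTION2_SECONDARY -> transaction2_secondary : SMB1_transaction2_secondary_request(header);
 # #SMB_COM_FIND_CLOSE2 -> find_close2 : SMB_find_close2_request(header);
 # #SMB_COM_FIND_NOTIFY_CLOSE -> find_notify_close : SMB_find_notify_close_request(header);
 # #SMB_COM_TREE_CONNECT -> tree_connect : SMB_tree_connect_request(header);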
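Review bot: Enabling the `SMB_COM_TRANSACTION2_SECONDARY` case in `SMB_Message_Request` routes client-controlled bytes into a new parser, yet the six files in this commit are all source and build wiring with no regression trace or baseline exercising the path; a small pcap with a multi-fragment TRANSACTION2 exchange under the SMB test suite would pin both the dispatch and the event's argument values. The response-side dispatch is not in this hunk; presumably it is left alone because the server answers the fragmented transaction with an ordinary TRANSACTION2 response rather than a dedicated one, and a one-line comment saying so next to this case would save the next reader the spec lookup. `SMB_Message_Request` begins and ends outside the hunk.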


@ -0,0 +1,19 @@
## Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
## version 1 requests of type *transaction2 secondary*.
##
## For more information, see MS-CIFS:2.2.4.47.1
##
## c: The connection.
##
## hdr: The parsed header of the :abbr:`SMB (Server Message Block)`
## version 1 message.
##
## args: arguments of the message (SMB_Parameters.Words)
##
## parameters: content of the SMB_Data.Trans_Parameters field
##
## data: content of the SMB_Data.Trans_Data field
event smb1_transaction2_secondary_request%(c: connection, hdr: SMB1::Header, args: SMB1::Trans2_Sec_Args, parameters: string, data: string%);
## Types
type SMB1::Trans2_Sec_Args: record;
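Review bot: The event documentation does not say that this event is raised once per continuation fragment rather than once per transaction, so a reader may assume `parameters` and `data` hold the complete blocks; in fact they carry only this fragment's bytes and the displacement and total counts in `args` are what place them. A sentence after the first paragraph such as `## This event is raised for each secondary (continuation) fragment of a TRANSACTION2 request; use the displacement and total counts in *args* to reassemble the full parameter and data blocks.` would close that gap, and a `.. bro:see::` pointer to the event for the primary transaction2 request would tie the two together. The `args` line could also name the record type it refers to, `SMB1::Trans2_Sec_Args`, so the reader can jump to the field docs.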