diff --git a/scripts/policy/protocols/smb/smb1-main.bro b/scripts/policy/protocols/smb/smb1-main.bro
index db817ca4a3..6b23fe91db 100644
--- a/scripts/policy/protocols/smb/smb1-main.bro
+++ b/scripts/policy/protocols/smb/smb1-main.bro
@@ -263,7 +263,7 @@ event smb1_session_setup_andx_response(c: connection, hdr: SMB1::Header, respons
 # No behavior yet.
 }
 
-event smb1_transaction_request(c: connection, hdr: SMB1::Header, name: string, sub_cmd: count)
+event smb1_transaction_request(c: connection, hdr: SMB1::Header, name: string, sub_cmd: count, parameters: string, data: string)
 {
 c$smb_state$current_cmd$sub_command = SMB1::trans_sub_commands[sub_cmd];
 }
diff --git a/src/analyzer/protocol/smb/smb1-com-transaction.pac b/src/analyzer/protocol/smb/smb1-com-transaction.pac
index d199b9062c..725399b1bb 100644
--- a/src/analyzer/protocol/smb/smb1-com-transaction.pac
+++ b/src/analyzer/protocol/smb/smb1-com-transaction.pac
@@ -31,18 +31,96 @@ refine connection SMB_Conn += {
 function proc_smb1_transaction_request(header: SMB_Header, val: SMB1_transaction_request): bool
 %{
+ StringVal *parameters = new StringVal(${val.param_count}, (const char*)${val.parameters}.data());
+ StringVal *payload_str = nullptr;
+ SMB1_transaction_data *payload = nullptr;
+
+ if ( !parameters )
+ {
+ parameters = new StringVal("");
+ }
+
+ if ( ${val.data_count > 0} )
+ {
+ payload = ${val.data};
+ }
+
+ if ( payload )
+ {
+ switch ( payload->trans_type() )
+ {
+ case SMB_PIPE:
+ payload_str = new StringVal(${val.data_count}, (const char*)${val.data.pipe_data}.data());
+ break;
+ case SMB_UNKNOWN:
+ payload_str = new StringVal(${val.data_count}, (const char*)${val.data.unknown}.data());
+ break;
+ default:
+ payload_str = new StringVal(${val.data_count}, (const char*)${val.data.data}.data());
+ break;
+ }
+ }
+
+ if ( !payload_str )
+ {
+ payload_str = new StringVal("");
+ }
+
 if ( smb1_transaction_request )
 BifEvent::generate_smb1_transaction_request(bro_analyzer(),
 bro_analyzer()->Conn(),
 BuildHeaderVal(header),
 smb_string2stringval(${val.name}),
- ${val.sub_cmd});
+ ${val.sub_cmd},
+ parameters,
+ payload_str);
 
 return true;
 %}
 
 function proc_smb1_transaction_response(header: SMB_Header, val: SMB1_transaction_response): bool
 %{
+ StringVal *parameters = new StringVal(${val.param_count}, (const char*)${val.parameters}.data());
+ StringVal *payload_str = nullptr;
+ SMB1_transaction_data *payload = nullptr;
+
+ if ( !parameters )
+ {
+ parameters = new StringVal("");
+ }
+
+ if ( ${val.data_count > 0} )
+ {
+ payload = ${val.data[0]};
+ }
+
+ if ( payload )
+ {
+ switch ( payload->trans_type() )
+ {
+ case SMB_PIPE:
+ payload_str = new StringVal(${val.data_count}, (const char*)${val.data[0].pipe_data}.data());
+ break;
+ case SMB_UNKNOWN:
+ payload_str = new StringVal(${val.data_count}, (const char*)${val.data[0].unknown}.data());
+ break;
+ default:
+ payload_str = new StringVal(${val.data_count}, (const char*)${val.data[0].data}.data());
+ break;
+ }
+ }
+
+ if ( !payload_str )
+ {
+ payload_str = new StringVal("");
+ }
+
+ if ( smb1_transaction_response )
+ BifEvent::generate_smb1_transaction_response(bro_analyzer(),
+ bro_analyzer()->Conn(),
+ BuildHeaderVal(header),
+ parameters,
+ payload_str);
 
 return true;
 %}
 };
@@ -54,8 +132,8 @@ type SMB1_transaction_data(header: SMB_Header, is_orig: bool, count: uint16, sub
 # SMB_MAILSLOT_LANMAN -> lanman : SMB_MailSlot_message(header.unicode, count);
 # SMB_RAP -> rap : SMB_Pipe_message(header.unicode, count);
 SMB_PIPE -> pipe_data : bytestring &restofdata;
-SMB_UNKNOWN -> unknown : bytestring &restofdata &transient;
-default -> data : bytestring &restofdata &transient;
+SMB_UNKNOWN -> unknown : bytestring &restofdata;
+default -> data : bytestring &restofdata;
 } &let {
 pipe_proc : bool = $context.connection.forward_dce_rpc(pipe_data, 0, is_orig) &if(trans_type == SMB_PIPE);
 };
diff --git a/src/analyzer/protocol/smb/smb1_com_transaction.bif b/src/analyzer/protocol/smb/smb1_com_transaction.bif
index 8811cc3e92..0c411b55c3 100644
--- a/src/analyzer/protocol/smb/smb1_com_transaction.bif
+++ b/src/analyzer/protocol/smb/smb1_com_transaction.bif
@@ -3,7 +3,7 @@
 ## Transaction Subprotocol Commands. These commands operate on mailslots and named pipes,
 ## which are interprocess communication endpoints within the CIFS file system.
 ##
-## For more information, see MS-CIFS:2.2.4.33
+## For more information, see MS-CIFS:2.2.4.33.1
 ##
 ## c: The connection.
 ##
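Review bot: Every StringVal built in proc_smb1_transaction_request and proc_smb1_transaction_response is sized from a count taken off the wire (`${val.param_count}`, `${val.data_count}`) rather than from the bytestring it copies out of; unless the record definitions tie those counts to the parsed lengths (they are not visible in this hunk), a count larger than the bytes actually parsed makes the StringVal constructor read past the end of the input buffer on peer-controlled traffic. Taking the length from the parsed field instead, e.g. `new StringVal(${val.parameters}.length(), (const char*)${val.parameters}.data())` and `${val.data.pipe_data}.length()` (and the `unknown`/`data` equivalents) for the payload cases, removes that dependency entirely. Both functions also allocate `parameters` and `payload_str` before the `if ( smb1_transaction_request )` / `if ( smb1_transaction_response )` guard, and the generate call is the only thing in the hunk that takes ownership of them, so every transaction message seen while no handler for the event is loaded leaks both values; allocating under the guard (shown below for the request side, the response side is the same) avoids that. The `if ( !parameters )` branches are dead, since `new` never yields a null pointer.
```cpp
	function proc_smb1_transaction_request(header: SMB_Header, val: SMB1_transaction_request): bool
		%{
		if ( smb1_transaction_request )
			{
			// Length comes from the parsed bytestring, not from the wire-supplied count.
			StringVal* parameters = new StringVal(${val.parameters}.length(), (const char*)${val.parameters}.data());
			StringVal* payload_str = nullptr;

			if ( ${val.data_count > 0} )
				{
				SMB1_transaction_data* payload = ${val.data};
				switch ( payload->trans_type() )
					{
					case SMB_PIPE:
						payload_str = new StringVal(${val.data.pipe_data}.length(), (const char*)${val.data.pipe_data}.data());
						break;
					case SMB_UNKNOWN:
						payload_str = new StringVal(${val.data.unknown}.length(), (const char*)${val.data.unknown}.data());
						break;
					default:
						payload_str = new StringVal(${val.data.data}.length(), (const char*)${val.data.data}.data());
						break;
					}
				}

			if ( ! payload_str )
				payload_str = new StringVal("");

			// … unchanged: BifEvent::generate_smb1_transaction_request(...) call, now passing parameters and payload_str …
			}

		return true;
		%}
```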
@@ -14,5 +14,25 @@
 ##
 ## sub_cmd: The sub command, some may be parsed and have their own events.
 ##
+## parameters: content of the SMB_Data.Trans_Parameters field
+##
+## data: content of the SMB_Data.Trans_Data field
+##
 ## .. bro:see:: smb1_message smb1_transaction2_request
-event smb1_transaction_request%(c: connection, hdr: SMB1::Header, name: string, sub_cmd: count%);
+event smb1_transaction_request%(c: connection, hdr: SMB1::Header, name: string, sub_cmd: count, parameters: string, data: string%);
+
+## Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
+## version 1 requests of type *transaction*. This command serves as the transport for the
+## Transaction Subprotocol Commands. These commands operate on mailslots and named pipes,
+## which are interprocess communication endpoints within the CIFS file system.
+##
+## For more information, see MS-CIFS:2.2.4.33.2
+##
+## c: The connection.
+##
+## hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 1 message.
+##
+## parameters: content of the SMB_Data.Trans_Parameters field
+##
+## data: content of the SMB_Data.Trans_Data field
+event smb1_transaction_response%(c: connection, hdr: SMB1::Header, parameters: string, data: string%);
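Review bot: The docstring added for smb1_transaction_response was copied from the request event and still says it is generated for *requests* (`## version 1 requests of type *transaction*.`); it should read `## version 1 responses of type *transaction*.`. The two new parameter lines on both events also break the file's convention of a capitalised sentence ending in a period, e.g. `## parameters: Content of the SMB_Data.Trans_Parameters field.`, and the response event lacks the `## .. bro:see::` cross-reference that the request event carries. Since both values are copied verbatim from the payload, a clause noting that they hold raw bytes of peer-chosen length would help script authors who go on to log or index them.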