Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-02 06:38:20 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

add parameters and data to smb1_transaction_request/response messages

Browse source 
expose SMB_Data.Trans_Parameters and SMB_Data.Trans_Data fields of
SMB_COM_TRANSACTION (0x25) message type. See MS-CIFS section
2.2.4.33.1.

These fields are exposed to the script level as Bro strings. Note that
this commit also expose a new event smb1_transaction_response.
This commit is contained in:
Jeffrey Bencteux 2017-05-26 15:18:59 +02:00
parent f2c3a9495d
commit bd72710e3b
3 changed files with 104 additions and 6 deletions
Download patch file Download diff file Expand all files Collapse all files

84
src/analyzer/protocol/smb/smb1-com-transaction.pac
View file

@ -31,18 +31,96 @@ refine connection SMB_Conn += {
function proc_smb1_transaction_request(header: SMB_Header, val: SMB1_transaction_request): bool
%{
StringVal *parameters = new StringVal(${val.param_count}, (const char*)${val.parameters}.data());
StringVal *payload_str = nullptr;
SMB1_transaction_data *payload = nullptr;
if ( !parameters )
{
parameters = new StringVal("");
}
if ( ${val.data_count > 0} )
{
payload = ${val.data};
}
if ( payload )
{
switch ( payload->trans_type() )
{
case SMB_PIPE:
payload_str = new StringVal(${val.data_count}, (const char*)${val.data.pipe_data}.data());
break;
case SMB_UNKNOWN:
payload_str = new StringVal(${val.data_count}, (const char*)${val.data.unknown}.data());
break;
default:
payload_str = new StringVal(${val.data_count}, (const char*)${val.data.data}.data());
break;
}
}
if ( !payload_str )
{
payload_str = new StringVal("");
}
if ( smb1_transaction_request )
BifEvent::generate_smb1_transaction_request(bro_analyzer(),
bro_analyzer()->Conn(),
BuildHeaderVal(header),
smb_string2stringval(${val.name}),
${val.sub_cmd});
${val.sub_cmd},
parameters,
payload_str);
return true;
%}
function proc_smb1_transaction_response(header: SMB_Header, val: SMB1_transaction_response): bool
%{
StringVal *parameters = new StringVal(${val.param_count}, (const char*)${val.parameters}.data());
StringVal *payload_str = nullptr;
SMB1_transaction_data *payload = nullptr;
if ( !parameters )
{
parameters = new StringVal("");
}
if ( ${val.data_count > 0} )
{
payload = ${val.data[0]};
}
if ( payload )
{
switch ( payload->trans_type() )
{
case SMB_PIPE:
payload_str = new StringVal(${val.data_count}, (const char*)${val.data[0].pipe_data}.data());
break;
case SMB_UNKNOWN:
payload_str = new StringVal(${val.data_count}, (const char*)${val.data[0].unknown}.data());
break;
default:
payload_str = new StringVal(${val.data_count}, (const char*)${val.data[0].data}.data());
break;
}
}
if ( !payload_str )
{
payload_str = new StringVal("");
}
if ( smb1_transaction_response )
BifEvent::generate_smb1_transaction_response(bro_analyzer(),
bro_analyzer()->Conn(),
BuildHeaderVal(header),
parameters,
payload_str);
return true;
%}
};
@ -54,8 +132,8 @@ type SMB1_transaction_data(header: SMB_Header, is_orig: bool, count: uint16, sub
# SMB_MAILSLOT_LANMAN -> lanman : SMB_MailSlot_message(header.unicode, count);
# SMB_RAP -> rap : SMB_Pipe_message(header.unicode, count);
SMB_PIPE -> pipe_data : bytestring &restofdata;
SMB_UNKNOWN -> unknown : bytestring &restofdata &transient;
default -> data : bytestring &restofdata &transient;
SMB_UNKNOWN -> unknown : bytestring &restofdata;
default -> data : bytestring &restofdata;
} &let {
pipe_proc : bool = $context.connection.forward_dce_rpc(pipe_data, 0, is_orig) &if(trans_type == SMB_PIPE);
};