Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-02 06:38:20 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

performance speed-up for SMB base scripts

Browse source
This commit is contained in:
Vern Paxson 2024-04-08 17:29:16 -04:00 committed by Tim Wojtulewicz
parent 39c3a0ec0b
commit c11c2830b1
5 changed files with 8 additions and 8 deletions
Download patch file Download diff file Expand all files Collapse all files

4
scripts/base/protocols/smb/files.zeek
View file

@ -27,10 +27,10 @@ function get_file_handle(c: connection, is_orig: bool): string
# should be considered a new file. We use the raw version here to avoid # should be considered a new file. We use the raw version here to avoid
# getting differences when double precision varies by architecture. # getting differences when double precision varies by architecture.
local last_mod = cat(current_file?$times ? current_file$times$modified_raw : 0); local last_mod = cat(current_file?$times ? current_file$times$modified_raw : 0);
# TODO: This is doing hexdump to avoid problems due to file analysis handling # TODO: This is doing clean to avoid problems due to file analysis handling
# using CheckString which is not immune to encapsulated null bytes. # using CheckString which is not immune to encapsulated null bytes.
# This needs to be fixed lower in the file analysis code later. # This needs to be fixed lower in the file analysis code later.
return hexdump(cat(Analyzer::ANALYZER_SMB, c$id$orig_h, c$id$resp_h, path_name, file_name, last_mod)); return clean(cat(Analyzer::ANALYZER_SMB, c$id$orig_h, c$id$resp_h, path_name, file_name, last_mod));
} }
function describe_file(f: fa_file): string function describe_file(f: fa_file): string

4
testing/btest/Baseline/scripts.base.protocols.smb.smb2-read-write/files.log
View file

@ -7,6 +7,6 @@
#open XXXX-XX-XX-XX-XX-XX #open XXXX-XX-XX-XX-XX-XX
#fields ts fuid uid id.orig_h id.orig_p id.resp_h id.resp_p source depth analyzers mime_type filename duration local_orig is_orig seen_bytes total_bytes missing_bytes overflow_bytes timedout parent_fuid md5 sha1 sha256 extracted extracted_cutoff extracted_size #fields ts fuid uid id.orig_h id.orig_p id.resp_h id.resp_p source depth analyzers mime_type filename duration local_orig is_orig seen_bytes total_bytes missing_bytes overflow_bytes timedout parent_fuid md5 sha1 sha256 extracted extracted_cutoff extracted_size
#types time string string addr port addr port string count set[string] string string interval bool bool count count count count bool string string string string string bool count #types time string string addr port addr port string count set[string] string string interval bool bool count count count count bool string string string string string bool count
XXXXXXXXXX.XXXXXX FVTHwlRSH2WI8fFw2 CHhAvVGS1DHFjwGM9 169.254.128.18 49155 169.254.128.15 445 SMB 0 (empty) text/plain pythonfile 0.000000 T F 16 16 0 0 F - - - - - - - XXXXXXXXXX.XXXXXX FH8ukp35vOgBQD0yi CHhAvVGS1DHFjwGM9 169.254.128.18 49155 169.254.128.15 445 SMB 0 (empty) text/plain pythonfile 0.000000 T F 16 16 0 0 F - - - - - - -
XXXXXXXXXX.XXXXXX FAI5Dc4cLr5RAw3j0e CHhAvVGS1DHFjwGM9 169.254.128.18 49155 169.254.128.15 445 SMB 0 (empty) text/plain pythonfile2 0.000000 T T 7000 - 0 0 F - - - - - - - XXXXXXXXXX.XXXXXX FZwWEMkEEYbonVSe2 CHhAvVGS1DHFjwGM9 169.254.128.18 49155 169.254.128.15 445 SMB 0 (empty) text/plain pythonfile2 0.000000 T T 7000 - 0 0 F - - - - - - -
#close XXXX-XX-XX-XX-XX-XX #close XXXX-XX-XX-XX-XX-XX

4
testing/btest/Baseline/scripts.base.protocols.smb.smb2-read-write/smb_files.log
View file

@ -9,9 +9,9 @@
#types time string addr port addr port string enum string string count string time time time time #types time string addr port addr port string enum string string count string time time time time
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 169.254.128.18 49155 169.254.128.15 445 - SMB::FILE_OPEN - pythonfile 16 - XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 169.254.128.18 49155 169.254.128.15 445 - SMB::FILE_OPEN - pythonfile 16 - XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 169.254.128.18 49155 169.254.128.15 445 - SMB::FILE_READ - pythonfile 16 - XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 169.254.128.18 49155 169.254.128.15 445 - SMB::FILE_READ - pythonfile 16 - XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 169.254.128.18 49155 169.254.128.15 445 FVTHwlRSH2WI8fFw2 SMB::FILE_READ - pythonfile 16 - XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 169.254.128.18 49155 169.254.128.15 445 FH8ukp35vOgBQD0yi SMB::FILE_READ - pythonfile 16 - XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 169.254.128.18 49155 169.254.128.15 445 - SMB::FILE_OPEN - pythonfile2 0 - XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 169.254.128.18 49155 169.254.128.15 445 - SMB::FILE_OPEN - pythonfile2 0 - XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 169.254.128.18 49155 169.254.128.15 445 - SMB::FILE_WRITE - pythonfile2 0 - XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 169.254.128.18 49155 169.254.128.15 445 - SMB::FILE_WRITE - pythonfile2 0 - XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 169.254.128.18 49155 169.254.128.15 445 FAI5Dc4cLr5RAw3j0e SMB::FILE_WRITE - pythonfile2 0 - XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 169.254.128.18 49155 169.254.128.15 445 FZwWEMkEEYbonVSe2 SMB::FILE_WRITE - pythonfile2 0 - XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 169.254.128.18 49155 169.254.128.15 445 - SMB::FILE_OPEN - <share_root> 0 - XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 169.254.128.18 49155 169.254.128.15 445 - SMB::FILE_OPEN - <share_root> 0 - XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX
#close XXXX-XX-XX-XX-XX-XX #close XXXX-XX-XX-XX-XX-XX

2
testing/btest/Baseline/scripts.base.protocols.smb.smb2/files.log
View file

@ -7,5 +7,5 @@
#open XXXX-XX-XX-XX-XX-XX #open XXXX-XX-XX-XX-XX-XX
#fields ts fuid uid id.orig_h id.orig_p id.resp_h id.resp_p source depth analyzers mime_type filename duration local_orig is_orig seen_bytes total_bytes missing_bytes overflow_bytes timedout parent_fuid md5 sha1 sha256 extracted extracted_cutoff extracted_size #fields ts fuid uid id.orig_h id.orig_p id.resp_h id.resp_p source depth analyzers mime_type filename duration local_orig is_orig seen_bytes total_bytes missing_bytes overflow_bytes timedout parent_fuid md5 sha1 sha256 extracted extracted_cutoff extracted_size
#types time string string addr port addr port string count set[string] string string interval bool bool count count count count bool string string string string string bool count #types time string string addr port addr port string count set[string] string string interval bool bool count count count count bool string string string string string bool count
XXXXXXXXXX.XXXXXX FwL5Z01az5ZsFYcHh5 CHhAvVGS1DHFjwGM9 10.0.0.11 49208 10.0.0.12 445 SMB 0 (empty) application/pdf WP_SMBPlugin.pdf 0.073970 T T 1508939 - 0 0 F - - - - - - - XXXXXXXXXX.XXXXXX FB7E9n1ZwSgkhBhU27 CHhAvVGS1DHFjwGM9 10.0.0.11 49208 10.0.0.12 445 SMB 0 (empty) application/pdf WP_SMBPlugin.pdf 0.073970 T T 1508939 - 0 0 F - - - - - - -
#close XXXX-XX-XX-XX-XX-XX #close XXXX-XX-XX-XX-XX-XX

2
testing/btest/Baseline/scripts.policy.frameworks.intel.seen.smb/intel.log
View file

@ -7,5 +7,5 @@
#open XXXX-XX-XX-XX-XX-XX #open XXXX-XX-XX-XX-XX-XX
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p seen.indicator seen.indicator_type seen.where seen.node matched sources fuid file_mime_type file_desc #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p seen.indicator seen.indicator_type seen.where seen.node matched sources fuid file_mime_type file_desc
#types time string addr port addr port string enum enum string set[enum] set[string] string string string #types time string addr port addr port string enum enum string set[enum] set[string] string string string
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 169.254.128.18 49155 169.254.128.15 445 pythonfile Intel::FILE_NAME SMB::IN_FILE_NAME zeek Intel::FILE_NAME source1 FVTHwlRSH2WI8fFw2 - pythonfile XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 169.254.128.18 49155 169.254.128.15 445 pythonfile Intel::FILE_NAME SMB::IN_FILE_NAME zeek Intel::FILE_NAME source1 FH8ukp35vOgBQD0yi - pythonfile
#close XXXX-XX-XX-XX-XX-XX #close XXXX-XX-XX-XX-XX-XX