Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-10 02:28:21 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 3

Add support for TRANSACTION subcommands.

Browse source
This commit is contained in:
Vlad Grigorescu 2014-10-08 18:01:55 -04:00
parent 466a1e55e8
commit c4eb7e2377
6 changed files with 25 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

14
scripts/base/protocols/smb/consts.bro
View file

@ -125,6 +125,20 @@ export {
[0x10] = "GET_DFS_REFERRAL", [0x10] = "GET_DFS_REFERRAL",
[0x11] = "REPORT_DFS_INCONSISTENCY", [0x11] = "REPORT_DFS_INCONSISTENCY",
} &default=function(i: count):string { return fmt("unknown-trans2-sub-cmd-%d", i); }; } &default=function(i: count):string { return fmt("unknown-trans2-sub-cmd-%d", i); };
const trans_sub_commands: table[count] of string = {
[0x01] = "SET_NMPIPE_STATE",
[0x11] = "RAW_READ_NMPIPE",
[0x21] = "QUERY_NMPIPE_STATE",
[0x22] = "QUERY_NMPIPE_INFO",
[0x23] = "PEEK_NMPIPE",
[0x26] = "TRANSACT_NMPIPE",
[0x31] = "RAW_WRITE_NMPIPE",
[0x36] = "READ_NMPIPE",
[0x37] = "WRITE_NMPIPE",
[0x53] = "WAIT_NMPIPE",
[0x54] = "CALL_NMPIPE",
} &default=function(i: count):string { return fmt("unknown-trans-sub-cmd-%d", i); };
} }
module SMB2; module SMB2;

5
scripts/base/protocols/smb/smb1-main.bro
View file

@ -307,4 +307,9 @@ event smb_ntlm_authenticate(c: connection, hdr: SMB1::Header, request: SMB::NTLM
{ {
c$smb_state$uid_map[hdr$uid] = user; c$smb_state$uid_map[hdr$uid] = user;
} }
}
event smb1_transaction_request(c: connection, hdr: SMB1::Header, name: string, sub_cmd: count)
{
c$smb_state$current_cmd$sub_command = SMB1::trans_sub_commands[sub_cmd];
} }

1
src/analyzer/protocol/smb/CMakeLists.txt
View file

@ -20,6 +20,7 @@ bro_plugin_bif(
smb1_com_query_information.bif smb1_com_query_information.bif
smb1_com_read_andx.bif smb1_com_read_andx.bif
smb1_com_session_setup_andx.bif smb1_com_session_setup_andx.bif
smb1_com_transaction.bif
smb1_com_transaction2.bif smb1_com_transaction2.bif
smb1_com_tree_connect_andx.bif smb1_com_tree_connect_andx.bif
smb1_com_tree_disconnect.bif smb1_com_tree_disconnect.bif

1
src/analyzer/protocol/smb/smb.pac
View file

@ -21,6 +21,7 @@
#include "smb1_com_query_information.bif.h" #include "smb1_com_query_information.bif.h"
#include "smb1_com_read_andx.bif.h" #include "smb1_com_read_andx.bif.h"
#include "smb1_com_session_setup_andx.bif.h" #include "smb1_com_session_setup_andx.bif.h"
#include "smb1_com_transaction.bif.h"
#include "smb1_com_transaction2.bif.h" #include "smb1_com_transaction2.bif.h"
#include "smb1_com_tree_connect_andx.bif.h" #include "smb1_com_tree_connect_andx.bif.h"
#include "smb1_com_tree_disconnect.bif.h" #include "smb1_com_tree_disconnect.bif.h"

4
src/analyzer/protocol/smb/smb1-com-transaction.pac
View file

@ -9,7 +9,9 @@ refine connection SMB_Conn += {
function proc_smb1_transaction_request(header: SMB_Header, val: SMB1_transaction_request): bool function proc_smb1_transaction_request(header: SMB_Header, val: SMB1_transaction_request): bool
%{ %{
//printf("transaction_request\n"); if ( smb1_transaction_request )
BifEvent::generate_smb1_transaction_request(bro_analyzer(), bro_analyzer()->Conn(), BuildHeaderVal(header), \
smb_string2stringval(${val.name}), ${val.sub_cmd});
return true; return true;
%} %}
function proc_smb1_transaction_response(header: SMB_Header, val: SMB1_transaction_response): bool function proc_smb1_transaction_response(header: SMB_Header, val: SMB1_transaction_response): bool

1
src/analyzer/protocol/smb/smb1_com_transaction.bif Normal file
View file

@ -0,0 +1 @@
event smb1_transaction_request%(c: connection, hdr: SMB1::Header, name: string, sub_cmd: count%);