Add support for TRANSACTION subcommands.

Vlad Grigorescu 2014-10-08 18:01:55 -04:00
parent 466a1e55e8
commit c4eb7e2377
6 changed files with 25 additions and 1 deletions


@ -125,6 +125,20 @@ export {
[0x10] = "GET_DFS_REFERRAL",
[0x11] = "REPORT_DFS_INCONSISTENCY",
} &default=function(i: count):string { return fmt("unknown-trans2-sub-cmd-%d", i); };
const trans_sub_commands: table[count] of string = {
[0x01] = "SET_NMPIPE_STATE",
[0x11] = "RAW_READ_NMPIPE",
[0x21] = "QUERY_NMPIPE_STATE",
[0x22] = "QUERY_NMPIPE_INFO",
[0x23] = "PEEK_NMPIPE",
[0x26] = "TRANSACT_NMPIPE",
[0x31] = "RAW_WRITE_NMPIPE",
[0x36] = "READ_NMPIPE",
[0x37] = "WRITE_NMPIPE",
[0x53] = "WAIT_NMPIPE",
[0x54] = "CALL_NMPIPE",
} &default=function(i: count):string { return fmt("unknown-trans-sub-cmd-%d", i); };
}
module SMB2;
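Review bot: The new `trans_sub_commands` table carries no comment saying where its codes come from or when they apply, and that matters here because the SMB_COM_TRANSACTION subcommand space is shared: in [MS-CIFS] 2.2.5 the named-pipe codes listed in this table coexist with mailslot codes, and `TRANS_MAILSLOT_WRITE` is also 0x01, the value this table labels `SET_NMPIPE_STATE`. A reader of the log therefore needs to know the table is only meaningful for `\PIPE\` transactions. I would add above `const trans_sub_commands` a comment such as `## Named-pipe subcommands from Setup[0] of SMB_COM_TRANSACTION ([MS-CIFS] 2.2.5).` and `## Only meaningful for \PIPE\ transactions; mailslot requests reuse 0x01 for TRANS_MAILSLOT_WRITE.` The `&default` string format (`%d`) matches the trans2 table above it, which is fine for consistency.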


@ -307,4 +307,9 @@ event smb_ntlm_authenticate(c: connection, hdr: SMB1::Header, request: SMB::NTLM
{
c$smb_state$uid_map[hdr$uid] = user;
}
}
event smb1_transaction_request(c: connection, hdr: SMB1::Header, name: string, sub_cmd: count)
{
c$smb_state$current_cmd$sub_command = SMB1::trans_sub_commands[sub_cmd];
}
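Review bot: The new `smb1_transaction_request` handler resolves every request's subcommand through the named-pipe table and ignores `name`, so a mailslot transaction (`\MAILSLOT\...`, whose Setup[0] of 0x01 is TRANS_MAILSLOT_WRITE in [MS-CIFS]) would be recorded as `SET_NMPIPE_STATE`. Since the event already delivers `name`, gate the lookup on it: `if ( /^\\[Pp][Ii][Pp][Ee]\\/ in name )` followed by `c$smb_state$current_cmd$sub_command = SMB1::trans_sub_commands[sub_cmd];`, leaving non-pipe transactions to a separate label (presumably a mailslot table, or at least `fmt("unknown-trans-sub-cmd-%d", sub_cmd)`) — whether the analyzer ever emits mailslot requests is not visible from this hunk, so confirm before relying on the default. The direct `c$smb_state$current_cmd` access assumes both fields are already set; that matches the `smb_ntlm_authenticate` handler above, but the guarantee itself lives outside this hunk.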


@ -20,6 +20,7 @@ bro_plugin_bif(
smb1_com_query_information.bif
smb1_com_read_andx.bif
smb1_com_session_setup_andx.bif
smb1_com_transaction.bif
smb1_com_transaction2.bif
smb1_com_tree_connect_andx.bif
smb1_com_tree_disconnect.bif


@ -21,6 +21,7 @@
#include "smb1_com_query_information.bif.h"
#include "smb1_com_read_andx.bif.h"
#include "smb1_com_session_setup_andx.bif.h"
#include "smb1_com_transaction.bif.h"
#include "smb1_com_transaction2.bif.h"
#include "smb1_com_tree_connect_andx.bif.h"
#include "smb1_com_tree_disconnect.bif.h"


@ -9,7 +9,9 @@ refine connection SMB_Conn += {
function proc_smb1_transaction_request(header: SMB_Header, val: SMB1_transaction_request): bool
%{
//printf("transaction_request\n");
if ( smb1_transaction_request )
BifEvent::generate_smb1_transaction_request(bro_analyzer(), bro_analyzer()->Conn(), BuildHeaderVal(header), \
smb_string2stringval(${val.name}), ${val.sub_cmd});
return true;
%}
function proc_smb1_transaction_response(header: SMB_Header, val: SMB1_transaction_response): bool
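Review bot: The leftover `//printf("transaction_request\n");` at the top of `proc_smb1_transaction_request` should be removed rather than committed commented out, since it is dead debug output and not something the other handlers appear to carry. Separately, `${val.sub_cmd}` is forwarded to the event without any visible check; if `sub_cmd` is taken from the transaction's Setup[] array (the `SMB1_transaction_request` record is defined outside this hunk), confirm the record parser copes with SetupCount == 0, which is legal for SMB_COM_TRANSACTION, so the event is never generated from an absent field. The enclosing `refine connection SMB_Conn` block begins before this hunk.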


@ -0,0 +1 @@
event smb1_transaction_request%(c: connection, hdr: SMB1::Header, name: string, sub_cmd: count%);
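Review bot: The new `smb1_transaction_request` declaration has no `##` doc comment, whereas Bro's `.bif` event declarations conventionally document the event and each parameter so the generated script reference is complete. Add a comment block above it stating that the event is generated for each SMB_COM_TRANSACTION request, with `c` the connection, `hdr` the parsed SMB1 header, `name` the transaction name (e.g. a `\PIPE\...` path), and `sub_cmd` the subcommand code handed over by the parser; note explicitly that `sub_cmd` is only a named-pipe code when `name` designates a pipe.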