Improve creation of SMB transaction data strings
This commit is contained in:
parent
270702cacb
commit
c75519ca88
1 changed files with 23 additions and 46 deletions
|
@ -4,10 +4,29 @@ enum Trans_subcommands {
|
|||
NT_TRANSACT_CREATE2 = 0x0009,
|
||||
};
|
||||
|
||||
%code{
|
||||
StringVal* SMB_Conn::transaction_data_to_val(SMB1_transaction_data* payload)
|
||||
{
|
||||
switch ( payload->trans_type() ) {
|
||||
case SMB_PIPE:
|
||||
return bytestring_to_val(payload->pipe_data());
|
||||
case SMB_UNKNOWN:
|
||||
return bytestring_to_val(payload->unknown());
|
||||
default:
|
||||
return bytestring_to_val(payload->data());
|
||||
}
|
||||
|
||||
assert(false);
|
||||
return val_mgr->GetEmptyString();
|
||||
}
|
||||
%}
|
||||
|
||||
refine connection SMB_Conn += {
|
||||
|
||||
%member{
|
||||
map<uint16, bool> is_file_a_pipe;
|
||||
|
||||
static StringVal* transaction_data_to_val(SMB1_transaction_data* payload);
|
||||
%}
|
||||
|
||||
function get_is_file_a_pipe(id: uint16): bool
|
||||
|
@ -37,32 +56,11 @@ refine connection SMB_Conn += {
|
|||
StringVal* parameters = new StringVal(${val.parameters}.length(),
|
||||
(const char*)${val.parameters}.data());
|
||||
StringVal* payload_str = nullptr;
|
||||
SMB1_transaction_data* payload = nullptr;
|
||||
|
||||
if ( ${val.data_count} > 0 )
|
||||
{
|
||||
payload = ${val.data};
|
||||
}
|
||||
|
||||
if ( payload )
|
||||
{
|
||||
switch ( payload->trans_type() ) {
|
||||
case SMB_PIPE:
|
||||
payload_str = new StringVal(${val.data_count}, (const char*)${val.data.pipe_data}.data());
|
||||
break;
|
||||
case SMB_UNKNOWN:
|
||||
payload_str = new StringVal(${val.data_count}, (const char*)${val.data.unknown}.data());
|
||||
break;
|
||||
default:
|
||||
payload_str = new StringVal(${val.data_count}, (const char*)${val.data.data}.data());
|
||||
break;
|
||||
}
|
||||
}
|
||||
|
||||
if ( ! payload_str )
|
||||
{
|
||||
payload_str = transaction_data_to_val(${val.data});
|
||||
else
|
||||
payload_str = val_mgr->GetEmptyString();
|
||||
}
|
||||
|
||||
BifEvent::generate_smb1_transaction_request(bro_analyzer(),
|
||||
bro_analyzer()->Conn(),
|
||||
|
@ -83,32 +81,11 @@ refine connection SMB_Conn += {
|
|||
StringVal* parameters = new StringVal(${val.parameters}.length(),
|
||||
(const char*)${val.parameters}.data());
|
||||
StringVal* payload_str = nullptr;
|
||||
SMB1_transaction_data* payload = nullptr;
|
||||
|
||||
if ( ${val.data_count} > 0 )
|
||||
{
|
||||
payload = ${val.data[0]};
|
||||
}
|
||||
|
||||
if ( payload )
|
||||
{
|
||||
switch ( payload->trans_type() ) {
|
||||
case SMB_PIPE:
|
||||
payload_str = new StringVal(${val.data_count}, (const char*)${val.data[0].pipe_data}.data());
|
||||
break;
|
||||
case SMB_UNKNOWN:
|
||||
payload_str = new StringVal(${val.data_count}, (const char*)${val.data[0].unknown}.data());
|
||||
break;
|
||||
default:
|
||||
payload_str = new StringVal(${val.data_count}, (const char*)${val.data[0].data}.data());
|
||||
break;
|
||||
}
|
||||
}
|
||||
|
||||
if ( ! payload_str )
|
||||
{
|
||||
payload_str = transaction_data_to_val(${val.data[0]});
|
||||
else
|
||||
payload_str = val_mgr->GetEmptyString();
|
||||
}
|
||||
|
||||
BifEvent::generate_smb1_transaction_response(bro_analyzer(),
|
||||
bro_analyzer()->Conn(),
|
||||
|
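Review bot: In the first hunk, `transaction_data_to_val` dereferences `payload` unconditionally at `payload->trans_type()`, so it depends on every caller having checked `${val.data_count} > 0` before handing it `${val.data}` or `${val.data[0]}`; if the generated field can be null when the count is zero (that depends on the binpac declaration, which is outside this diff), a guard at the top of the helper keeps it safe on its own: `if ( ! payload ) return val_mgr->GetEmptyString();`. With that guard in place the `assert(false);` and the `return val_mgr->GetEmptyString();` after the switch are unreachable, because the `default:` case already returns for any `trans_type()` value the enum does not name, so either drop those two lines or keep only the return. A short header comment above the `%code{` definition saying who owns the returned `StringVal*` and that the `default:` branch maps any unrecognised transaction type to the raw `data()` field would help the next reader, since that fallback now decides what is attached to the `smb1_transaction_request` and `smb1_transaction_response` events in the second and third hunks.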
|