Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-05 08:08:19 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

Improve creation of SMB transaction data strings

Browse source
This commit is contained in:
Jon Siwek 2020-01-22 15:41:50 -08:00
parent 270702cacb
commit c75519ca88
1 changed files with 23 additions and 46 deletions
Download patch file Download diff file Expand all files Collapse all files

69
src/analyzer/protocol/smb/smb1-com-transaction.pac
View file

@ -4,10 +4,29 @@ enum Trans_subcommands {
NT_TRANSACT_CREATE2 = 0x0009, NT_TRANSACT_CREATE2 = 0x0009,
}; };
%code{
StringVal* SMB_Conn::transaction_data_to_val(SMB1_transaction_data* payload)
{
switch ( payload->trans_type() ) {
case SMB_PIPE:
return bytestring_to_val(payload->pipe_data());
case SMB_UNKNOWN:
return bytestring_to_val(payload->unknown());
default:
return bytestring_to_val(payload->data());
}
assert(false);
return val_mgr->GetEmptyString();
}
%}
refine connection SMB_Conn += { refine connection SMB_Conn += {
%member{ %member{
map<uint16, bool> is_file_a_pipe; map<uint16, bool> is_file_a_pipe;
static StringVal* transaction_data_to_val(SMB1_transaction_data* payload);
%} %}
function get_is_file_a_pipe(id: uint16): bool function get_is_file_a_pipe(id: uint16): bool
@ -37,32 +56,11 @@ refine connection SMB_Conn += {
StringVal* parameters = new StringVal(${val.parameters}.length(), StringVal* parameters = new StringVal(${val.parameters}.length(),
(const char*)${val.parameters}.data()); (const char*)${val.parameters}.data());
StringVal* payload_str = nullptr; StringVal* payload_str = nullptr;
SMB1_transaction_data* payload = nullptr;
if ( ${val.data_count} > 0 ) if ( ${val.data_count} > 0 )
{ payload_str = transaction_data_to_val(${val.data});
payload = ${val.data}; else
}
if ( payload )
{
switch ( payload->trans_type() ) {
case SMB_PIPE:
payload_str = new StringVal(${val.data_count}, (const char*)${val.data.pipe_data}.data());
break;
case SMB_UNKNOWN:
payload_str = new StringVal(${val.data_count}, (const char*)${val.data.unknown}.data());
break;
default:
payload_str = new StringVal(${val.data_count}, (const char*)${val.data.data}.data());
break;
}
}
if ( ! payload_str )
{
payload_str = val_mgr->GetEmptyString(); payload_str = val_mgr->GetEmptyString();
}
BifEvent::generate_smb1_transaction_request(bro_analyzer(), BifEvent::generate_smb1_transaction_request(bro_analyzer(),
bro_analyzer()->Conn(), bro_analyzer()->Conn(),
@ -83,32 +81,11 @@ refine connection SMB_Conn += {
StringVal* parameters = new StringVal(${val.parameters}.length(), StringVal* parameters = new StringVal(${val.parameters}.length(),
(const char*)${val.parameters}.data()); (const char*)${val.parameters}.data());
StringVal* payload_str = nullptr; StringVal* payload_str = nullptr;
SMB1_transaction_data* payload = nullptr;
if ( ${val.data_count} > 0 ) if ( ${val.data_count} > 0 )
{ payload_str = transaction_data_to_val(${val.data[0]});
payload = ${val.data[0]}; else
}
if ( payload )
{
switch ( payload->trans_type() ) {
case SMB_PIPE:
payload_str = new StringVal(${val.data_count}, (const char*)${val.data[0].pipe_data}.data());
break;
case SMB_UNKNOWN:
payload_str = new StringVal(${val.data_count}, (const char*)${val.data[0].unknown}.data());
break;
default:
payload_str = new StringVal(${val.data_count}, (const char*)${val.data[0].data}.data());
break;
}
}
if ( ! payload_str )
{
payload_str = val_mgr->GetEmptyString(); payload_str = val_mgr->GetEmptyString();
}
BifEvent::generate_smb1_transaction_response(bro_analyzer(), BifEvent::generate_smb1_transaction_response(bro_analyzer(),
bro_analyzer()->Conn(), bro_analyzer()->Conn(),