Merge remote-tracking branch 'origin/topic/seth/smb-auth-fixes'
* origin/topic/seth/smb-auth-fixes: Disable SMB2 error data parsing. Removed some files that aren't being used. Fix SMB tree connect handling. Fix a small issue where DCE_RPC commands were improperly being logged. SMB fixes and cleanup. Including a test for raw NTLM in SMB. Updates for SMB auth handling from Martin van Hensbergen. BIT-1721 #merged
commit
c92060a8ca
44 changed files with 327 additions and 308 deletions
|
@ -158,13 +158,14 @@ event dce_rpc_response(c: connection, fid: count, opnum: count, stub_len: count)
|
|||
{
|
||||
if ( c?$dce_rpc )
|
||||
{
|
||||
# If there is not an endpoint, there isn't much reason to log.
|
||||
# If there is noendpoint, there isn't much reason to log.
|
||||
# This can happen if the request isn't seen.
|
||||
if ( (c$dce_rpc?$endpoint && c$dce_rpc$endpoint !in ignored_operations)
|
||||
||
|
||||
(c$dce_rpc?$endpoint && c$dce_rpc?$operation &&
|
||||
c$dce_rpc$operation !in ignored_operations[c$dce_rpc$endpoint] &&
|
||||
"*" !in ignored_operations[c$dce_rpc$endpoint]) )
|
||||
if ( ( c$dce_rpc?$endpoint && c$dce_rpc?$operation ) &&
|
||||
( c$dce_rpc$endpoint !in ignored_operations
|
||||
||
|
||||
( c$dce_rpc?$endpoint && c$dce_rpc?$operation &&
|
||||
c$dce_rpc$operation !in ignored_operations[c$dce_rpc$endpoint] &&
|
||||
"*" !in ignored_operations[c$dce_rpc$endpoint] ) ) )
|
||||
{
|
||||
Log::write(LOG, c$dce_rpc);
|
||||
}
|
||||
|
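Review bot: The six-line guard (the `if ( ( c$dce_rpc?$endpoint && c$dce_rpc?$operation ) &&` form, which the hunk counts indicate is the new side) re-tests `c$dce_rpc?$endpoint && c$dce_rpc?$operation` inside the second alternative even though the outer conjunction already requires both fields, so it can be written as `if ( c$dce_rpc?$endpoint && c$dce_rpc?$operation &&` / `     ( c$dce_rpc$endpoint !in ignored_operations ||` / `       ( c$dce_rpc$operation !in ignored_operations[c$dce_rpc$endpoint] && "*" !in ignored_operations[c$dce_rpc$endpoint] ) ) )`. Note the visibility consequence: the old form logged a response whose endpoint was known but whose operation was never resolved, while the new form drops it from dce_rpc.log entirely; if that is the intended fix for "commands improperly being logged", a one-line comment saying so (`# Only log once both endpoint and operation are resolved.`) would stop the next reader from "fixing" it back, and if it is not intended the outer check should require only `c$dce_rpc?$endpoint` and test `?$operation` before indexing. The same guard is duplicated in the connection_state_remove hunk below, so the two should be kept identical or factored into one helper function. Whichever of the two comment lines survives, the one reading `noendpoint` needs a space. dce_rpc_response's body starts outside this hunk.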
@ -195,11 +196,12 @@ event connection_state_remove(c: connection)
|
|||
}
|
||||
}
|
||||
|
||||
if ( (c$dce_rpc?$endpoint && c$dce_rpc$endpoint !in ignored_operations)
|
||||
||
|
||||
(c$dce_rpc?$endpoint && c$dce_rpc?$operation &&
|
||||
c$dce_rpc$operation !in ignored_operations[c$dce_rpc$endpoint] &&
|
||||
"*" !in ignored_operations[c$dce_rpc$endpoint]) )
|
||||
if ( ( c$dce_rpc?$endpoint && c$dce_rpc?$operation ) &&
|
||||
( c$dce_rpc$endpoint !in ignored_operations
|
||||
||
|
||||
( c$dce_rpc?$endpoint && c$dce_rpc?$operation &&
|
||||
c$dce_rpc$operation !in ignored_operations[c$dce_rpc$endpoint] &&
|
||||
"*" !in ignored_operations[c$dce_rpc$endpoint] ) ) )
|
||||
{
|
||||
Log::write(LOG, c$dce_rpc);
|
||||
}
|
||||
|
|
|
@ -10,20 +10,18 @@ export {
|
|||
[0x00000000] = [$id="SUCCESS", $desc="The operation completed successfully."],
|
||||
} &redef &default=function(i: count):StatusCode { local unknown=fmt("unknown-%d", i); return [$id=unknown, $desc=unknown]; };
|
||||
|
||||
## These are files names that are used for special
|
||||
## cases by the file system and would not be
|
||||
## considered "normal" files.
|
||||
const pipe_names: set[string] = {
|
||||
"\\netdfs",
|
||||
"\\spoolss",
|
||||
"\\NETLOGON",
|
||||
"\\winreg",
|
||||
"\\lsarpc",
|
||||
"\\samr",
|
||||
"\\srvsvc",
|
||||
## Heuristic detection of named pipes when the pipe
|
||||
## mapping isn't seen. This variable is defined in
|
||||
## init-bare.bro.
|
||||
redef SMB::pipe_filenames = {
|
||||
"spoolss",
|
||||
"winreg",
|
||||
"samr",
|
||||
"srvsvc",
|
||||
"netdfs",
|
||||
"lsarpc",
|
||||
"wkssvc",
|
||||
"MsFteWds",
|
||||
"\\wkssvc",
|
||||
};
|
||||
|
||||
## The UUIDs used by the various RPC endpoints
|
||||
|
|
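Review bot: The `redef SMB::pipe_filenames` list (assuming it is the new side replacing the `pipe_names` set) has no netlogon entry even though the old set listed `"\\NETLOGON"`; if the heuristic is meant to recover pipe traffic when the tree/pipe mapping is missed, `"netlogon"` should be included, and since membership in a `set[string]` is presumably an exact byte match (verify), the spelling must match what clients actually send. Because the entries are now bare basenames rather than `\\`-prefixed paths, any ordinary file on any share that happens to be named like one of these will also be parsed as a pipe, so the doc comment should state that this trade-off is deliberate: `## Matched on the bare file name, so a regular file with one of these names is also treated as a pipe (false positives accepted).` The enclosing export block starts outside this hunk.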