track offset for read_andx and write_andx commands

Gregor Maier 2011-06-22 13:54:56 -07:00
parent b002160f02
commit cb9623d3e1
4 changed files with 44 additions and 19 deletions


@ -22,8 +22,9 @@ type smb_cmd_info: record {
# this is 16 bit, so we use 0x10000 to indicate that the fid is not
# valid
fid: count;
# for read/writes: number of bytes read/written
# for read/writes: number of bytes read/written and offset
file_payload: count;
file_offset: count;
req_first_time: time;
req_last_time: time;
@ -81,6 +82,7 @@ function smb_new_cmd_info(hdr: smb_hdr, body_len: count): smb_cmd_info
info$fid = 0x10000;
info$file_payload = 0;
info$file_offset = 0;
info$req_first_time = hdr$first_time;
info$req_last_time = hdr$last_time;
@ -127,11 +129,12 @@ function fmt_msg_prefix(cid: conn_id, is_orig: bool, hdr: smb_hdr): string
function smb_log_cmd(c: connection, info: smb_cmd_info)
{
local msg = "";
msg = fmt("COMMAND %s (%d) %d:%d %.6f %.6f %d %.6f %.6f %d %s %d %s %s %d",
msg = fmt("COMMAND %s (%d) %d:%d %.6f %.6f %d %.6f %.6f %d %s %d %d %s %s %d",
info$cmdstr, info$cmd, info$pid, info$mid,
info$req_first_time, info$req_last_time, info$req_body_len,
info$rep_first_time, info$rep_last_time, info$rep_body_len,
get_fid(c$id, info$fid), info$file_payload, c$id$orig_h, c$id$resp_h, c$id$resp_p);
get_fid(c$id, info$fid), info$file_offset, info$file_payload,
c$id$orig_h, c$id$resp_h, c$id$resp_p);
print smb_log, msg;
}
@ -157,12 +160,10 @@ function mismatch_fmt_info(info: smb_cmd_info): string
return fmt("%s %d:%d", info$cmdstr, info$pid, info$mid);
}
function smb_set_fid(cid: conn_id, hdr: smb_hdr, fid: count)
function smb_set_fid_offset(cid: conn_id, hdr: smb_hdr, fid: count, offset: count)
{
# smb_messge takes care of error / mismatch handling, so we can
# just punt here
if (hdr$command == 0x2f)
print fmt("in set_fid: %d", fid);
if (cid !in smb_sessions)
return;
local cur_session = smb_sessions[cid];
@ -171,8 +172,7 @@ function smb_set_fid(cid: conn_id, hdr: smb_hdr, fid: count)
local info = cur_session[hdr$pid, hdr$mid];
info$fid = fid;
if (hdr$command == 0x2f)
print fmt("end of set_fid: %d %d", info$fid, fid);
info$file_offset = offset;
}
function smb_set_file_payload(cid: conn_id, hdr: smb_hdr, payload_len: count)
@ -253,9 +253,9 @@ event smb_message(c: connection, hdr: smb_hdr, is_orig: bool, cmd: string, body_
}
}
event smb_com_read_andx(c: connection, hdr: smb_hdr, fid: count)
event smb_com_read_andx(c: connection, hdr: smb_hdr, fid: count, offset: count)
{
smb_set_fid(c$id, hdr, fid);
smb_set_fid_offset(c$id, hdr, fid, offset);
}
event smb_com_read_andx_response(c: connection, hdr: smb_hdr, len: count)
@ -264,9 +264,9 @@ event smb_com_read_andx_response(c: connection, hdr: smb_hdr, len: count)
smb_log_cmd2(c, hdr);
}
event smb_com_write_andx(c: connection, hdr: smb_hdr, fid: count, len: count)
event smb_com_write_andx(c: connection, hdr: smb_hdr, fid: count, offset: count, len: count)
{
smb_set_fid(c$id, hdr, fid);
smb_set_fid_offset(c$id, hdr, fid, offset);
smb_set_file_payload(c$id, hdr, len);
}
@ -276,6 +276,11 @@ event smb_com_write_andx_response(c: connection, hdr: smb_hdr)
}
event smb_com_nt_create_andx(c: connection, hdr: smb_hdr, name: string)
{
print fmt("CREATE_ANDX %s %s %s", c$id$orig_h, c$id$resp_h, name);
}
event smb_error(c: connection, hdr: smb_hdr, cmd: count, cmd_str: string, errtype: count, error: count)
{
print smb_log, fmt("ERROR: %s %s (0x%2x): %d %08x", id_string(c$id), cmd_str, cmd, errtype, error);
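Review bot: The new `smb_com_nt_create_andx` handler writes to stdout with a bare `print fmt(...)`, while every other record this script emits goes to `smb_log`. The same commit deletes the `in set_fid` debug prints, so this looks like leftover debugging. `name` is taken from the client's request, so it belongs in the log file with the other records: `print smb_log, fmt("CREATE_ANDX %s %s %s", c$id$orig_h, c$id$resp_h, name);`. Separately, `smb_log_cmd` now inserts `file_offset` before `file_payload` in the middle of the COMMAND line, which shifts every later column for anything that parses the log by position; a comment above the `fmt` call listing the field order would help. The `smb_error` body continues outside the last hunk.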


@ -157,9 +157,11 @@ void SMB_Session::Deliver(int is_orig, int len, const u_char* data,
int next_command = hdr.command();
/*
fprintf(stderr, "SMB command: 0x%02x %s (%d) len %-7d dur %.6lf\n", next_command,
SMB_command_name[next_command], is_orig, len,
last_time-first_time);
*/
int ncmds = 0;
while ( data < data_end )
@ -183,7 +185,7 @@ void SMB_Session::Deliver(int is_orig, int len, const u_char* data,
data = data_start + next;
}
fprintf(stderr, "ncmds %d\n", ncmds);
//fprintf(stderr, "ncmds %d\n", ncmds);
}
catch ( const binpac::Exception& e )
{
@ -567,15 +569,21 @@ int SMB_Session::ParseReadAndx(binpac::SMB::SMB_header const& hdr,
SMB_Body const& body)
{
binpac::SMB::SMB_read_andx req;
uint64_t offset = 0;
req.Parse(body.data(), body.data() + body.length());
set_andx(1, req.andx());
offset = req.offset_high();
offset = offset << 32;
offset += req.offset();
if ( smb_com_read_andx )
{
val_list* vl = new val_list;
vl->append(analyzer->BuildConnVal());
vl->append(BuildHeaderVal(hdr));
vl->append(new Val(req.fid(), TYPE_COUNT));
vl->append(new Val(offset, TYPE_COUNT));
//vl->append(new StringVal(""));
analyzer->ConnectionEvent(smb_com_read_andx, vl);
@ -620,6 +628,12 @@ int SMB_Session::ParseWriteAndx(binpac::SMB::SMB_header const& hdr,
uint32_t data_len = req.data_len_high();
data_len = (data_len<<16) + req.data_len();
uint64_t offset;
offset = req.offset_high();
offset = offset << 32;
offset += req.offset();
const u_char* data = req.data().begin();
if ( smb_com_write_andx )
@ -628,6 +642,7 @@ int SMB_Session::ParseWriteAndx(binpac::SMB::SMB_header const& hdr,
vl->append(analyzer->BuildConnVal());
vl->append(BuildHeaderVal(hdr));
vl->append(new Val(req.fid(), TYPE_COUNT));
vl->append(new Val(offset, TYPE_COUNT));
vl->append(new Val(data_len, TYPE_COUNT));
//vl->append(new StringVal(data_count, (const char*) data));
@ -1230,7 +1245,6 @@ bool Contents_SMB::CheckResync(int& len, const u_char*& data, bool orig)
hdr_buf.Init(4,4);
msg_len = 0;
msg_type = 0;
fprintf(stderr, "Resync successful\n");
return true;
}
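Review bot: ParseReadAndx and ParseWriteAndx each assemble the 64-bit offset with the same three statements, and the write path declares `uint64_t offset;` without an initialiser while the read path uses `= 0`. One expression in both places keeps the widening explicit and removes the inconsistency: `uint64_t offset = (uint64_t(req.offset_high()) << 32) | req.offset();`. The debug `fprintf` calls in Deliver are commented out while the one in CheckResync is deleted; deleting all of them would be consistent. Both parser bodies continue outside their hunks.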


@ -221,9 +221,9 @@ event smb_com_transaction2%(c: connection, hdr: smb_hdr, trans: smb_trans, data:
event smb_com_trans_mailslot%(c: connection, hdr: smb_hdr, trans: smb_trans, data: smb_trans_data, is_orig: bool%);
event smb_com_trans_rap%(c: connection, hdr: smb_hdr, trans: smb_trans, data: smb_trans_data, is_orig: bool%);
event smb_com_trans_pipe%(c: connection, hdr: smb_hdr, trans: smb_trans, data: smb_trans_data, is_orig: bool%);
event smb_com_read_andx%(c: connection, hdr: smb_hdr, fid: count%);
event smb_com_read_andx%(c: connection, hdr: smb_hdr, fid: count, offset: count%);
event smb_com_read_andx_response%(c: connection, hdr: smb_hdr, len: count%);
event smb_com_write_andx%(c: connection, hdr: smb_hdr, fid: count, len: count%);
event smb_com_write_andx%(c: connection, hdr: smb_hdr, fid: count, offset: count, len: count%);
event smb_com_write_andx_response%(c: connection, hdr: smb_hdr%);
event smb_get_dfs_referral%(c: connection, hdr: smb_hdr, max_referral_level: count, file_name: string%);
event smb_com_negotiate%(c: connection, hdr: smb_hdr%);


@ -319,13 +319,15 @@ type SMB_read_andx = record {
offset : uint32;
max_count : uint16;
min_count : uint16;
max_count_high : uint16;
max_count_high_or_timeout : uint32;
remaining : uint16;
offset_high_u : case word_count of {
12-> offset_high : uint32;
12-> offset_high_tmp : uint32;
10-> null : empty;
};
byte_count : uint16;
} &let {
offset_high : uint32 = (word_count==12) ? offset_high_tmp : 0;
} &byteorder = littleendian;
type SMB_read_andx_response = record {
@ -362,13 +364,17 @@ type SMB_write_andx = record {
data_len_high : uint16;
data_len : uint16;
data_offset : uint16;
rest_words : uint8[word_count * 2 - offsetof(rest_words) + 1];
offset_high_u : case word_count of {
14-> offset_high_tmp : uint32;
12-> null : empty;
};
byte_count : uint16;
pad : padding to data_offset - smb_header_length;
#data : bytestring &length = data_length;
data : bytestring &restofdata;
} &let {
data_length = data_len_high * 0x10000 + data_len;
offset_high : uint32 = (word_count==12) ? offset_high_tmp : 0;
} &byteorder = littleendian;
type SMB_write_andx_response = record {
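Review bot: In `SMB_write_andx` the new `&let` tests the wrong word count. The case selects `offset_high_tmp` for `word_count` 14 and `null` for 12, but `offset_high` is defined as `(word_count==12) ? offset_high_tmp : 0`, which looks copied from `SMB_read_andx`, where 12 is the long form. As written, a 14-word request always reports a high offset of 0 and a 12-word request evaluates a field that was never parsed, so ParseWriteAndx hands a wrong 64-bit offset to `smb_com_write_andx`. The line should read `offset_high : uint32 = (word_count==14) ? offset_high_tmp : 0;`. Neither `offset_high_u` case has a default branch, so it is worth confirming that any other word count from the wire ends in the existing `binpac::Exception` handler.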