Fixing SMB tests again.

This commit is contained in:
Seth Hall 2016-06-28 11:03:16 -04:00
parent 7936cdd958
commit cfe3bddd75
12 changed files with 27 additions and 85 deletions


@ -1,4 +1,2 @@
@load ./consts
@load ./main
@load ./endpoint-atsvc


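--- a/scripts/base/protocols/dce-rpc/endpoint-atsvc.bro
+++ /dev/null
@@ -1,52 +0,0 @@
-module DCE_RPC;
-export {
-redef enum Log::ID += {
-ATSVC_LOG,
-};
-type ATSvcInfo: record {
-ts : time &log; ##< Time of the request
-uid : string &log; ##< UID of the connection
-id : conn_id &log; ##< Connection info
-command : string &log; ##< Command (add, enum, delete, etc.)
-arg : string &log; ##< Argument
-server : string &log; ##< Server the command was issued to
-result : string &log &optional; ##< Result of the command
-};
-}
-redef record DCE_RPC::State += {
-endpoint_atsvc: ATSvcInfo &optional;
-};
-event bro_init() &priority=5
-{
-Log::create_stream(ATSVC_LOG, [$columns=ATSvcInfo, $path="dce_rpc_atsvc"]);
-}
-event atsvc_job_add(c: connection, server: string, job: string) &priority=5
-{
-local info = ATSvcInfo($ts=network_time(),
-$uid = c$uid,
-$id = c$id,
-$command = "Add job",
-$arg = job,
-$server = server);
-c$dce_rpc_state$endpoint_atsvc = info;
-}
-event atsvc_job_id(c: connection, id: count, status: count) &priority=5
-{
-if ( c$dce_rpc_state?$endpoint_atsvc )
-c$dce_rpc_state$endpoint_atsvc$result = (status==0) ? "success" : "failed";
-}
-event atsvc_job_id(c: connection, id: count, status: count) &priority=-5
-{
-if ( c$dce_rpc_state?$endpoint_atsvc )
-{
-Log::write(ATSVC_LOG, c$dce_rpc_state$endpoint_atsvc);
-delete c$dce_rpc_state$endpoint_atsvc;
-}
-}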


@ -1,4 +1,5 @@
# DOS error codes.
@load ./consts
module SMB;


@ -1,4 +1,5 @@
# NT status codes.
@load ./consts
module SMB;


@ -1,4 +1,5 @@
@load base/frameworks/files
@load ./main
module SMB;


@ -1,3 +1,4 @@
@load base/protocols/smb
module SMB;
@ -200,9 +201,9 @@ redef likely_server_ports += { ports };
event bro_init() &priority=5
{
Log::create_stream(CMD_LOG, [$columns=SMB::CmdInfo]);
Log::create_stream(FILES_LOG, [$columns=SMB::FileInfo]);
Log::create_stream(MAPPING_LOG, [$columns=SMB::TreeInfo]);
Log::create_stream(SMB::CMD_LOG, [$columns=SMB::CmdInfo]);
Log::create_stream(SMB::FILES_LOG, [$columns=SMB::FileInfo]);
Log::create_stream(SMB::MAPPING_LOG, [$columns=SMB::TreeInfo]);
Analyzer::register_for_ports(Analyzer::ANALYZER_SMB, ports);
}
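Review bot: The three `Log::create_stream` calls in `bro_init` pass no `$path`, so the on-disk log name is derived from the now-qualified stream ID (`SMB::CMD_LOG` becomes `smb_cmd`, matching the `smb_cmd`/`smb_files`/`smb_mapping` entries this commit adds to the logs baseline). The same derivation appears to be what turns `DCE_RPC::LOG` into the `dce__r_pc` entry that baseline now also accepts, which reads like a mangled name rather than an intended one. Spelling the path out, e.g. `Log::create_stream(SMB::CMD_LOG, [$columns=SMB::CmdInfo, $path="smb_cmd"]);` (and likewise for `FILES_LOG` and `MAPPING_LOG`), keeps the file name independent of how the ID is written; the DCE_RPC stream lives outside this commit but would want the same treatment before `dce__r_pc` is locked into the baseline.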


@ -1,3 +1,5 @@
@load ./main
module SMB1;
redef record SMB::CmdInfo += {
@ -257,7 +259,7 @@ event smb1_close_request(c: connection, hdr: SMB1::Header, file_id: count) &prio
}
}
event smb1_trans2_get_dfs_referral_request(c: connection, hdr: SMB1::Header, file_name: string, max_referral_level: count)
event smb1_trans2_get_dfs_referral_request(c: connection, hdr: SMB1::Header, file_name: string)
{
c$smb_state$current_cmd$argument = file_name;
}
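Review bot: The `smb1_trans2_get_dfs_referral_request` handler assigns `c$smb_state$current_cmd$argument` without checking that `c$smb_state` and its `current_cmd` field are set; if this event can fire before an earlier-priority handler has populated them, the access is a run-time error and the handler aborts. If that ordering is guaranteed elsewhere in the file, a one-line comment would make the dependency visible, e.g. `# assumes an earlier-priority handler has already set c$smb_state$current_cmd for this message`; otherwise wrap the assignment in `if ( c?$smb_state && c$smb_state?$current_cmd )`. The point applies whichever of the two printed signatures is the new one, since the body is the same. Neighbouring handlers in this file start and end outside the hunk.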


@ -1,3 +1,5 @@
@load ./main
module SMB2;
redef record SMB::CmdInfo += {


@ -3,7 +3,7 @@
#empty_field (empty)
#unset_field -
#path loaded_scripts
#open 2016-06-24-17-42-28
#open 2016-06-28-15-02-03
#fields name
#types string
scripts/base/init-bare.bro
@ -123,17 +123,13 @@ scripts/base/init-bare.bro
build/scripts/base/bif/plugins/Bro_SMB.smb1_events.bif.bro
build/scripts/base/bif/plugins/Bro_SMB.smb2_com_close.bif.bro
build/scripts/base/bif/plugins/Bro_SMB.smb2_com_create.bif.bro
build/scripts/base/bif/plugins/Bro_SMB.smb2_com_ioctl.bif.bro
build/scripts/base/bif/plugins/Bro_SMB.smb2_com_lock.bif.bro
build/scripts/base/bif/plugins/Bro_SMB.smb2_com_negotiate.bif.bro
build/scripts/base/bif/plugins/Bro_SMB.smb2_com_read.bif.bro
build/scripts/base/bif/plugins/Bro_SMB.smb2_com_session_setup.bif.bro
build/scripts/base/bif/plugins/Bro_SMB.smb2_com_set_info.bif.bro
build/scripts/base/bif/plugins/Bro_SMB.smb2_com_tree_connect.bif.bro
build/scripts/base/bif/plugins/Bro_SMB.smb2_com_tree_disconnect.bif.bro
build/scripts/base/bif/plugins/Bro_SMB.smb2_com_write.bif.bro
build/scripts/base/bif/plugins/Bro_SMB.smb2_events.bif.bro
build/scripts/base/bif/plugins/Bro_SMB.smb_pipe.bif.bro
build/scripts/base/bif/plugins/Bro_SMB.types.bif.bro
build/scripts/base/bif/plugins/Bro_SMTP.events.bif.bro
build/scripts/base/bif/plugins/Bro_SMTP.functions.bif.bro
@ -169,4 +165,4 @@ scripts/base/init-bare.bro
build/scripts/base/bif/plugins/Bro_SQLiteWriter.sqlite.bif.bro
scripts/policy/misc/loaded-scripts.bro
scripts/base/utils/paths.bro
#close 2016-06-24-17-42-28
#close 2016-06-28-15-02-03


@ -3,7 +3,7 @@
#empty_field (empty)
#unset_field -
#path loaded_scripts
#open 2016-06-24-17-59-13
#open 2016-06-28-15-01-50
#fields name
#types string
scripts/base/init-bare.bro
@ -123,17 +123,13 @@ scripts/base/init-bare.bro
build/scripts/base/bif/plugins/Bro_SMB.smb1_events.bif.bro
build/scripts/base/bif/plugins/Bro_SMB.smb2_com_close.bif.bro
build/scripts/base/bif/plugins/Bro_SMB.smb2_com_create.bif.bro
build/scripts/base/bif/plugins/Bro_SMB.smb2_com_ioctl.bif.bro
build/scripts/base/bif/plugins/Bro_SMB.smb2_com_lock.bif.bro
build/scripts/base/bif/plugins/Bro_SMB.smb2_com_negotiate.bif.bro
build/scripts/base/bif/plugins/Bro_SMB.smb2_com_read.bif.bro
build/scripts/base/bif/plugins/Bro_SMB.smb2_com_session_setup.bif.bro
build/scripts/base/bif/plugins/Bro_SMB.smb2_com_set_info.bif.bro
build/scripts/base/bif/plugins/Bro_SMB.smb2_com_tree_connect.bif.bro
build/scripts/base/bif/plugins/Bro_SMB.smb2_com_tree_disconnect.bif.bro
build/scripts/base/bif/plugins/Bro_SMB.smb2_com_write.bif.bro
build/scripts/base/bif/plugins/Bro_SMB.smb2_events.bif.bro
build/scripts/base/bif/plugins/Bro_SMB.smb_pipe.bif.bro
build/scripts/base/bif/plugins/Bro_SMB.types.bif.bro
build/scripts/base/bif/plugins/Bro_SMTP.events.bif.bro
build/scripts/base/bif/plugins/Bro_SMTP.functions.bif.bro
@ -263,7 +259,6 @@ scripts/base/init-default.bro
scripts/base/protocols/dce-rpc/__load__.bro
scripts/base/protocols/dce-rpc/consts.bro
scripts/base/protocols/dce-rpc/main.bro
scripts/base/protocols/dce-rpc/endpoint-atsvc.bro
scripts/base/protocols/dhcp/__load__.bro
scripts/base/protocols/dhcp/consts.bro
scripts/base/protocols/dhcp/main.bro
@ -355,4 +350,4 @@ scripts/base/init-default.bro
scripts/base/misc/find-checksum-offloading.bro
scripts/base/misc/find-filtered-trace.bro
scripts/policy/misc/loaded-scripts.bro
#close 2016-06-24-17-59-13
#close 2016-06-28-15-01-50


@ -4,6 +4,7 @@ capture_loss
cluster
communication
conn
dce__r_pc
dhcp
dnp3
dns
@ -28,6 +29,7 @@ netcontrol_drop
netcontrol_shunt
notice
notice_alarm
ntlm
open_flow
packet_filter
pe
@ -37,6 +39,9 @@ reporter
rfb
signatures
sip
smb_cmd
smb_files
smb_mapping
smtp
snmp
socks


@ -247,7 +247,7 @@
0.000000 MetaHookPost CallFunction(Log::__create_stream, <frame>, (Weird::LOG, [columns=<no value description>, ev=Weird::log_weird, path=weird])) -> <no result>
0.000000 MetaHookPost CallFunction(Log::__create_stream, <frame>, (X509::LOG, [columns=<no value description>, ev=X509::log_x509, path=x509])) -> <no result>
0.000000 MetaHookPost CallFunction(Log::__create_stream, <frame>, (mysql::LOG, [columns=<no value description>, ev=MySQL::log_mysql, path=mysql])) -> <no result>
0.000000 MetaHookPost CallFunction(Log::__write, <frame>, (PacketFilter::LOG, [ts=1467055470.330961, node=bro, filter=ip or not ip, init=T, success=T])) -> <no result>
0.000000 MetaHookPost CallFunction(Log::__write, <frame>, (PacketFilter::LOG, [ts=1467124664.5544, node=bro, filter=ip or not ip, init=T, success=T])) -> <no result>
0.000000 MetaHookPost CallFunction(Log::add_default_filter, <frame>, (Cluster::LOG)) -> <no result>
0.000000 MetaHookPost CallFunction(Log::add_default_filter, <frame>, (Communication::LOG)) -> <no result>
0.000000 MetaHookPost CallFunction(Log::add_default_filter, <frame>, (Conn::LOG)) -> <no result>
@ -377,7 +377,7 @@
0.000000 MetaHookPost CallFunction(Log::create_stream, <frame>, (Weird::LOG, [columns=<no value description>, ev=Weird::log_weird, path=weird])) -> <no result>
0.000000 MetaHookPost CallFunction(Log::create_stream, <frame>, (X509::LOG, [columns=<no value description>, ev=X509::log_x509, path=x509])) -> <no result>
0.000000 MetaHookPost CallFunction(Log::create_stream, <frame>, (mysql::LOG, [columns=<no value description>, ev=MySQL::log_mysql, path=mysql])) -> <no result>
0.000000 MetaHookPost CallFunction(Log::write, <frame>, (PacketFilter::LOG, [ts=1467055470.330961, node=bro, filter=ip or not ip, init=T, success=T])) -> <no result>
0.000000 MetaHookPost CallFunction(Log::write, <frame>, (PacketFilter::LOG, [ts=1467124664.5544, node=bro, filter=ip or not ip, init=T, success=T])) -> <no result>
0.000000 MetaHookPost CallFunction(NetControl::check_plugins, <frame>, ()) -> <no result>
0.000000 MetaHookPost CallFunction(NetControl::init, <null>, ()) -> <no result>
0.000000 MetaHookPost CallFunction(Notice::want_pp, <frame>, ()) -> <no result>
@ -492,17 +492,13 @@
0.000000 MetaHookPost LoadFile(./Bro_SMB.smb1_events.bif.bro) -> -1
0.000000 MetaHookPost LoadFile(./Bro_SMB.smb2_com_close.bif.bro) -> -1
0.000000 MetaHookPost LoadFile(./Bro_SMB.smb2_com_create.bif.bro) -> -1
0.000000 MetaHookPost LoadFile(./Bro_SMB.smb2_com_ioctl.bif.bro) -> -1
0.000000 MetaHookPost LoadFile(./Bro_SMB.smb2_com_lock.bif.bro) -> -1
0.000000 MetaHookPost LoadFile(./Bro_SMB.smb2_com_negotiate.bif.bro) -> -1
0.000000 MetaHookPost LoadFile(./Bro_SMB.smb2_com_read.bif.bro) -> -1
0.000000 MetaHookPost LoadFile(./Bro_SMB.smb2_com_session_setup.bif.bro) -> -1
0.000000 MetaHookPost LoadFile(./Bro_SMB.smb2_com_set_info.bif.bro) -> -1
0.000000 MetaHookPost LoadFile(./Bro_SMB.smb2_com_tree_connect.bif.bro) -> -1
0.000000 MetaHookPost LoadFile(./Bro_SMB.smb2_com_tree_disconnect.bif.bro) -> -1
0.000000 MetaHookPost LoadFile(./Bro_SMB.smb2_com_write.bif.bro) -> -1
0.000000 MetaHookPost LoadFile(./Bro_SMB.smb2_events.bif.bro) -> -1
0.000000 MetaHookPost LoadFile(./Bro_SMB.smb_pipe.bif.bro) -> -1
0.000000 MetaHookPost LoadFile(./Bro_SMB.types.bif.bro) -> -1
0.000000 MetaHookPost LoadFile(./Bro_SMTP.events.bif.bro) -> -1
0.000000 MetaHookPost LoadFile(./Bro_SMTP.functions.bif.bro) -> -1
@ -964,7 +960,7 @@
0.000000 MetaHookPre CallFunction(Log::__create_stream, <frame>, (Weird::LOG, [columns=<no value description>, ev=Weird::log_weird, path=weird]))
0.000000 MetaHookPre CallFunction(Log::__create_stream, <frame>, (X509::LOG, [columns=<no value description>, ev=X509::log_x509, path=x509]))
0.000000 MetaHookPre CallFunction(Log::__create_stream, <frame>, (mysql::LOG, [columns=<no value description>, ev=MySQL::log_mysql, path=mysql]))
0.000000 MetaHookPre CallFunction(Log::__write, <frame>, (PacketFilter::LOG, [ts=1467055470.330961, node=bro, filter=ip or not ip, init=T, success=T]))
0.000000 MetaHookPre CallFunction(Log::__write, <frame>, (PacketFilter::LOG, [ts=1467124664.5544, node=bro, filter=ip or not ip, init=T, success=T]))
0.000000 MetaHookPre CallFunction(Log::add_default_filter, <frame>, (Cluster::LOG))
0.000000 MetaHookPre CallFunction(Log::add_default_filter, <frame>, (Communication::LOG))
0.000000 MetaHookPre CallFunction(Log::add_default_filter, <frame>, (Conn::LOG))
@ -1094,7 +1090,7 @@
0.000000 MetaHookPre CallFunction(Log::create_stream, <frame>, (Weird::LOG, [columns=<no value description>, ev=Weird::log_weird, path=weird]))
0.000000 MetaHookPre CallFunction(Log::create_stream, <frame>, (X509::LOG, [columns=<no value description>, ev=X509::log_x509, path=x509]))
0.000000 MetaHookPre CallFunction(Log::create_stream, <frame>, (mysql::LOG, [columns=<no value description>, ev=MySQL::log_mysql, path=mysql]))
0.000000 MetaHookPre CallFunction(Log::write, <frame>, (PacketFilter::LOG, [ts=1467055470.330961, node=bro, filter=ip or not ip, init=T, success=T]))
0.000000 MetaHookPre CallFunction(Log::write, <frame>, (PacketFilter::LOG, [ts=1467124664.5544, node=bro, filter=ip or not ip, init=T, success=T]))
0.000000 MetaHookPre CallFunction(NetControl::check_plugins, <frame>, ())
0.000000 MetaHookPre CallFunction(NetControl::init, <null>, ())
0.000000 MetaHookPre CallFunction(Notice::want_pp, <frame>, ())
@ -1209,17 +1205,13 @@
0.000000 MetaHookPre LoadFile(./Bro_SMB.smb1_events.bif.bro)
0.000000 MetaHookPre LoadFile(./Bro_SMB.smb2_com_close.bif.bro)
0.000000 MetaHookPre LoadFile(./Bro_SMB.smb2_com_create.bif.bro)
0.000000 MetaHookPre LoadFile(./Bro_SMB.smb2_com_ioctl.bif.bro)
0.000000 MetaHookPre LoadFile(./Bro_SMB.smb2_com_lock.bif.bro)
0.000000 MetaHookPre LoadFile(./Bro_SMB.smb2_com_negotiate.bif.bro)
0.000000 MetaHookPre LoadFile(./Bro_SMB.smb2_com_read.bif.bro)
0.000000 MetaHookPre LoadFile(./Bro_SMB.smb2_com_session_setup.bif.bro)
0.000000 MetaHookPre LoadFile(./Bro_SMB.smb2_com_set_info.bif.bro)
0.000000 MetaHookPre LoadFile(./Bro_SMB.smb2_com_tree_connect.bif.bro)
0.000000 MetaHookPre LoadFile(./Bro_SMB.smb2_com_tree_disconnect.bif.bro)
0.000000 MetaHookPre LoadFile(./Bro_SMB.smb2_com_write.bif.bro)
0.000000 MetaHookPre LoadFile(./Bro_SMB.smb2_events.bif.bro)
0.000000 MetaHookPre LoadFile(./Bro_SMB.smb_pipe.bif.bro)
0.000000 MetaHookPre LoadFile(./Bro_SMB.types.bif.bro)
0.000000 MetaHookPre LoadFile(./Bro_SMTP.events.bif.bro)
0.000000 MetaHookPre LoadFile(./Bro_SMTP.functions.bif.bro)
@ -1680,7 +1672,7 @@
0.000000 | HookCallFunction Log::__create_stream(Weird::LOG, [columns=<no value description>, ev=Weird::log_weird, path=weird])
0.000000 | HookCallFunction Log::__create_stream(X509::LOG, [columns=<no value description>, ev=X509::log_x509, path=x509])
0.000000 | HookCallFunction Log::__create_stream(mysql::LOG, [columns=<no value description>, ev=MySQL::log_mysql, path=mysql])
0.000000 | HookCallFunction Log::__write(PacketFilter::LOG, [ts=1467055470.330961, node=bro, filter=ip or not ip, init=T, success=T])
0.000000 | HookCallFunction Log::__write(PacketFilter::LOG, [ts=1467124664.5544, node=bro, filter=ip or not ip, init=T, success=T])
0.000000 | HookCallFunction Log::add_default_filter(Cluster::LOG)
0.000000 | HookCallFunction Log::add_default_filter(Communication::LOG)
0.000000 | HookCallFunction Log::add_default_filter(Conn::LOG)
@ -1810,7 +1802,7 @@
0.000000 | HookCallFunction Log::create_stream(Weird::LOG, [columns=<no value description>, ev=Weird::log_weird, path=weird])
0.000000 | HookCallFunction Log::create_stream(X509::LOG, [columns=<no value description>, ev=X509::log_x509, path=x509])
0.000000 | HookCallFunction Log::create_stream(mysql::LOG, [columns=<no value description>, ev=MySQL::log_mysql, path=mysql])
0.000000 | HookCallFunction Log::write(PacketFilter::LOG, [ts=1467055470.330961, node=bro, filter=ip or not ip, init=T, success=T])
0.000000 | HookCallFunction Log::write(PacketFilter::LOG, [ts=1467124664.5544, node=bro, filter=ip or not ip, init=T, success=T])
0.000000 | HookCallFunction NetControl::check_plugins()
0.000000 | HookCallFunction NetControl::init()
0.000000 | HookCallFunction Notice::want_pp()