diff --git a/scripts/base/protocols/smb/files.bro b/scripts/base/protocols/smb/files.bro index ba11629daa..2e20641547 100644 --- a/scripts/base/protocols/smb/files.bro +++ b/scripts/base/protocols/smb/files.bro @@ -12,14 +12,15 @@ export { function get_file_handle(c: connection, is_orig: bool): string { + print "getting a file handle"; +print c$smb_state$current_cmd$referenced_file; if ( ! (c$smb_state?$current_file && - ((c$smb_state$current_file?$name && c$smb_state$current_file$name !in pipe_names) || + (c$smb_state$current_file?$name || c$smb_state$current_file?$path)) ) { # TODO - figure out what are the cases where this happens. return ""; } - local current_file = c$smb_state$current_file; local path_name = current_file?$path ? current_file$path : ""; local file_name = current_file?$name ? current_file$name : ""; diff --git a/scripts/base/protocols/smb/main.bro b/scripts/base/protocols/smb/main.bro index 8d52a2347a..66cca136c1 100644 --- a/scripts/base/protocols/smb/main.bro +++ b/scripts/base/protocols/smb/main.bro @@ -16,7 +16,8 @@ export { FILE_WRITE, FILE_OPEN, FILE_CLOSE, - FILE_UNKNOWN, + FILE_DELETE, + FILE_RENAME, PIPE_READ, PIPE_WRITE, @@ -91,7 +92,8 @@ export { service : string &log &optional; ## File system of the tree. native_file_system : string &log &optional; - ## If this is SMB2, a share type will be included. + ## If this is SMB2, a share type will be included. For SMB1, + ## the type of share will be deduced and included as well. share_type : string &log &default="UNKNOWN"; }; @@ -137,7 +139,7 @@ export { tree_service : string &log &optional; ## If the command referenced a file, store it here. - referenced_file : FileInfo &optional; + referenced_file : FileInfo &log &optional; ## If the command referenced a tree, store it here. referenced_tree : TreeInfo &optional; }; @@ -226,7 +228,8 @@ function set_current_file(smb_state: State, file_id: count) smb_state$fid_map[file_id]$fid = file_id; } - smb_state$current_file = smb_state$fid_map[file_id]; + smb_state$current_cmd$referenced_file = smb_state$fid_map[file_id]; + smb_state$current_file = smb_state$current_cmd$referenced_file; } function write_file_log(state: State) diff --git a/scripts/base/protocols/smb/smb1-main.bro b/scripts/base/protocols/smb/smb1-main.bro index 6c9fcf5b34..a6deeee812 100644 --- a/scripts/base/protocols/smb/smb1-main.bro +++ b/scripts/base/protocols/smb/smb1-main.bro @@ -31,8 +31,7 @@ event smb1_message(c: connection, hdr: SMB1::Header, is_orig: bool) &priority=5 if ( tid !in smb_state$tid_map ) { - local tmp_tree: SMB::TreeInfo = [$uid=c$uid, $id=c$id]; - smb_state$tid_map[tid] = tmp_tree; + smb_state$tid_map[tid] = SMB::TreeInfo($uid=c$uid, $id=c$id); } smb_state$current_tree = smb_state$tid_map[tid]; if ( smb_state$current_tree?$path ) @@ -47,9 +46,9 @@ event smb1_message(c: connection, hdr: SMB1::Header, is_orig: bool) &priority=5 if ( mid !in smb_state$pending_cmds ) { - local tmp_cmd: SMB::CmdInfo = [$ts=network_time(), $uid=c$uid, $id=c$id, $version="SMB1", $command = SMB1::commands[hdr$command]]; + local tmp_cmd = SMB::CmdInfo($ts=network_time(), $uid=c$uid, $id=c$id, $version="SMB1", $command = SMB1::commands[hdr$command]); - local tmp_file: SMB::FileInfo = [$ts=network_time(), $uid=c$uid, $id=c$id]; + local tmp_file = SMB::FileInfo($ts=network_time(), $uid=c$uid, $id=c$id); tmp_cmd$referenced_file = tmp_file; tmp_cmd$referenced_tree = smb_state$current_tree; @@ -63,7 +62,7 @@ event smb1_message(c: connection, hdr: SMB1::Header, is_orig: bool) &priority=5 smb_state$current_cmd$rtt = network_time() - smb_state$current_cmd$ts; smb_state$current_cmd$status = SMB::statuses[hdr$status]$id; } -} + } event smb1_message(c: connection, hdr: SMB1::Header, is_orig: bool) &priority=-5 { @@ -116,7 +115,7 @@ event smb1_negotiate_response(c: connection, hdr: SMB1::Header, response: SMB1:: event smb1_tree_connect_andx_request(c: connection, hdr: SMB1::Header, path: string, service: string) &priority=5 { - local tmp_tree: SMB::TreeInfo = [$ts=network_time(), $uid=c$uid, $id=c$id, $path=path, $service=service]; + local tmp_tree = SMB::TreeInfo($ts=network_time(), $uid=c$uid, $id=c$id, $path=path, $service=service); c$smb_state$current_cmd$referenced_tree = tmp_tree; c$smb_state$current_cmd$argument = path; @@ -125,9 +124,13 @@ event smb1_tree_connect_andx_request(c: connection, hdr: SMB1::Header, path: str event smb1_tree_connect_andx_response(c: connection, hdr: SMB1::Header, service: string, native_file_system: string) &priority=5 { c$smb_state$current_cmd$referenced_tree$service = service; + if ( service == "IPC" ) + c$smb_state$current_cmd$referenced_tree$share_type = "PIPE"; + c$smb_state$current_cmd$tree_service = service; - c$smb_state$current_cmd$referenced_tree$native_file_system = native_file_system; + if ( native_file_system != "" ) + c$smb_state$current_cmd$referenced_tree$native_file_system = native_file_system; c$smb_state$current_tree = c$smb_state$current_cmd$referenced_tree; c$smb_state$tid_map[hdr$tid] = c$smb_state$current_tree; @@ -146,7 +149,7 @@ event smb1_tree_connect_andx_response(c: connection, hdr: SMB1::Header, service: event smb1_nt_create_andx_request(c: connection, hdr: SMB1::Header, name: string) &priority=5 { - local tmp_file: SMB::FileInfo = [$ts=network_time(), $uid=c$uid, $id=c$id]; + local tmp_file = SMB::FileInfo($ts=network_time(), $uid=c$uid, $id=c$id); c$smb_state$current_cmd$referenced_file = tmp_file; c$smb_state$current_cmd$referenced_file$name = name; diff --git a/scripts/base/protocols/smb/smb2-main.bro b/scripts/base/protocols/smb/smb2-main.bro index acc654ae58..1d0c60e117 100644 --- a/scripts/base/protocols/smb/smb2-main.bro +++ b/scripts/base/protocols/smb/smb2-main.bro @@ -21,30 +21,37 @@ event smb2_message(c: connection, hdr: SMB2::Header, is_orig: bool) &priority=5 local pid = hdr$process_id; local mid = hdr$message_id; local sid = hdr$session_id; - - if ( tid !in smb_state$tid_map ) - { - local tmp_tree: SMB::TreeInfo = [$uid=c$uid, $id=c$id]; - smb_state$tid_map[tid] = tmp_tree; - } - smb_state$current_tree = smb_state$tid_map[tid]; if ( mid !in smb_state$pending_cmds ) { - local tmp_cmd = SMB::CmdInfo($ts=network_time(), $uid=c$uid, $id=c$id, $version="SMB2", $command = SMB2::commands[hdr$command]); - local tmp_file = SMB::FileInfo($ts=network_time(), $uid=c$uid, $id=c$id); - if ( smb_state$current_tree?$path ) - tmp_file$path = smb_state$current_tree$path; - + local tmp_cmd = SMB::CmdInfo($ts=network_time(), $uid=c$uid, $id=c$id, $version="SMB2", $command = SMB2::commands[hdr$command]); tmp_cmd$referenced_file = tmp_file; - tmp_cmd$referenced_tree = smb_state$current_tree; - smb_state$pending_cmds[mid] = tmp_cmd; } - smb_state$current_cmd = smb_state$pending_cmds[mid]; + if ( tid > 0 ) + { + if ( smb_state$current_cmd?$referenced_tree ) + { + smb_state$tid_map[tid] = smb_state$current_cmd$referenced_tree; + } + else if ( tid !in smb_state$tid_map ) + { + local tmp_tree = SMB::TreeInfo($ts=network_time(), $uid=c$uid, $id=c$id); + smb_state$tid_map[tid] = tmp_tree; + } + smb_state$current_cmd$referenced_tree = smb_state$tid_map[tid]; + } + else + { + smb_state$current_cmd$referenced_tree = SMB::TreeInfo($ts=network_time(), $uid=c$uid, $id=c$id); + } + + smb_state$current_file = smb_state$current_cmd$referenced_file; + smb_state$current_tree = smb_state$current_cmd$referenced_tree; + if ( !is_orig ) { smb_state$current_cmd$rtt = network_time() - smb_state$current_cmd$ts; @@ -99,16 +106,12 @@ event smb2_negotiate_response(c: connection, hdr: SMB2::Header, response: SMB2:: event smb2_tree_connect_request(c: connection, hdr: SMB2::Header, path: string) &priority=5 { - local tmp_tree = SMB::TreeInfo($ts=network_time(), $uid=c$uid, $id=c$id, $path=path); - - c$smb_state$current_cmd$referenced_tree = tmp_tree; + c$smb_state$current_tree$path = path; } event smb2_tree_connect_response(c: connection, hdr: SMB2::Header, response: SMB2::TreeConnectResponse) &priority=5 { - c$smb_state$current_cmd$referenced_tree$share_type = SMB2::share_types[response$share_type]; - c$smb_state$current_tree = c$smb_state$current_cmd$referenced_tree; - c$smb_state$tid_map[hdr$tree_id] = c$smb_state$current_tree; + c$smb_state$current_tree$share_type = SMB2::share_types[response$share_type]; } event smb2_tree_connect_response(c: connection, hdr: SMB2::Header, response: SMB2::TreeConnectResponse) &priority=-5 @@ -121,42 +124,43 @@ event smb2_create_request(c: connection, hdr: SMB2::Header, name: string) &prior if ( name == "") name = ""; - local tmp_file = SMB::FileInfo($ts=network_time(), $uid=c$uid, $id=c$id, $name=name); + c$smb_state$current_file$name = name; - switch ( c$smb_state$current_cmd$referenced_tree$share_type ) + switch ( c$smb_state$current_tree$share_type ) { case "DISK": - tmp_file$action = SMB::FILE_OPEN; + c$smb_state$current_file$action = SMB::FILE_OPEN; break; case "PIPE": - tmp_file$action = SMB::PIPE_OPEN; + c$smb_state$current_file$action = SMB::PIPE_OPEN; break; case "PRINT": - tmp_file$action = SMB::PRINT_OPEN; + c$smb_state$current_file$action = SMB::PRINT_OPEN; break; default: - tmp_file$action = SMB::UNKNOWN_OPEN; + #c$smb_state$current_file$action = SMB::UNKNOWN_OPEN; + c$smb_state$current_file$action = SMB::FILE_OPEN; break; } - c$smb_state$current_cmd$referenced_file = tmp_file; - c$smb_state$current_file = c$smb_state$current_cmd$referenced_file; } event smb2_create_response(c: connection, hdr: SMB2::Header, file_id: SMB2::GUID, file_size: count, times: SMB::MACTimes, attrs: SMB2::FileAttrs) &priority=5 { - c$smb_state$current_cmd$referenced_file$fid = file_id$persistent+file_id$volatile; - c$smb_state$current_cmd$referenced_file$size = file_size; + c$smb_state$current_file$fid = file_id$persistent+file_id$volatile; + c$smb_state$current_file$size = file_size; + + if ( c$smb_state$current_tree?$path ) + c$smb_state$current_file$path = c$smb_state$current_tree$path; # I'm seeing negative data from IPC tree transfers if ( time_to_double(times$modified) > 0.0 ) - c$smb_state$current_cmd$referenced_file$times = times; + c$smb_state$current_file$times = times; # We can identify the file by its file id now so let's stick it # in the file map. - c$smb_state$fid_map[file_id$persistent+file_id$volatile] = c$smb_state$current_cmd$referenced_file; + c$smb_state$fid_map[file_id$persistent+file_id$volatile] = c$smb_state$current_file; c$smb_state$current_file = c$smb_state$fid_map[file_id$persistent+file_id$volatile]; - SMB::write_file_log(c$smb_state); } @@ -171,7 +175,7 @@ event smb2_read_request(c: connection, hdr: SMB2::Header, file_id: SMB2::GUID, o { SMB::set_current_file(c$smb_state, file_id$persistent+file_id$volatile); - switch ( c$smb_state$current_cmd$referenced_tree$share_type ) + switch ( c$smb_state$current_tree$share_type ) { case "DISK": c$smb_state$current_file$action = SMB::FILE_READ; @@ -183,25 +187,21 @@ event smb2_read_request(c: connection, hdr: SMB2::Header, file_id: SMB2::GUID, o c$smb_state$current_file$action = SMB::PRINT_READ; break; default: - c$smb_state$current_file$action = SMB::UNKNOWN_OPEN; + #c$smb_state$current_file$action = SMB::UNKNOWN_OPEN; + c$smb_state$current_file$action = SMB::FILE_OPEN; break; } } event smb2_read_request(c: connection, hdr: SMB2::Header, file_id: SMB2::GUID, offset: count, length: count) &priority=-5 { - if ( c$smb_state$current_tree?$path && !c$smb_state$current_file?$path ) - c$smb_state$current_file$path = c$smb_state$current_tree$path; - - # TODO - Why is this commented out? - #write_file_log(c$smb_state); } event smb2_write_request(c: connection, hdr: SMB2::Header, file_id: SMB2::GUID, offset: count, length: count) &priority=5 { SMB::set_current_file(c$smb_state, file_id$persistent+file_id$volatile); - switch ( c$smb_state$current_cmd$referenced_tree$share_type ) + switch ( c$smb_state$current_tree$share_type ) { case "DISK": c$smb_state$current_file$action = SMB::FILE_WRITE; @@ -213,25 +213,21 @@ event smb2_write_request(c: connection, hdr: SMB2::Header, file_id: SMB2::GUID, c$smb_state$current_file$action = SMB::PRINT_WRITE; break; default: - c$smb_state$current_file$action = SMB::UNKNOWN_WRITE; + #c$smb_state$current_file$action = SMB::UNKNOWN_WRITE; + c$smb_state$current_file$action = SMB::FILE_WRITE; break; } } event smb2_write_request(c: connection, hdr: SMB2::Header, file_id: SMB2::GUID, offset: count, length: count) &priority=-5 { - if ( c$smb_state$current_tree?$path && ! c$smb_state$current_file?$path ) - c$smb_state$current_file$path = c$smb_state$current_tree$path; - - # TODO - Why is this commented out? - #write_file_log(c$smb_state); } event smb2_close_request(c: connection, hdr: SMB2::Header, file_id: SMB2::GUID) &priority=5 { SMB::set_current_file(c$smb_state, file_id$persistent+file_id$volatile); - switch ( c$smb_state$current_cmd$referenced_tree$share_type ) + switch ( c$smb_state$current_tree$share_type ) { case "DISK": c$smb_state$current_file$action = SMB::FILE_CLOSE; @@ -243,7 +239,8 @@ event smb2_close_request(c: connection, hdr: SMB2::Header, file_id: SMB2::GUID) c$smb_state$current_file$action = SMB::PRINT_CLOSE; break; default: - c$smb_state$current_file$action = SMB::UNKNOWN_CLOSE; + #c$smb_state$current_file$action = SMB::UNKNOWN_CLOSE; + c$smb_state$current_file$action = SMB::FILE_CLOSE; break; } } diff --git a/src/analyzer/protocol/smb/SMB.cc b/src/analyzer/protocol/smb/SMB.cc index 19e7dec13f..cb35afcf07 100644 --- a/src/analyzer/protocol/smb/SMB.cc +++ b/src/analyzer/protocol/smb/SMB.cc @@ -13,7 +13,7 @@ SMB_Analyzer::SMB_Analyzer(Connection *conn) interp = new binpac::SMB::SMB_Conn(this); AddSupportAnalyzer(new Contents_SMB(conn, true)); AddSupportAnalyzer(new Contents_SMB(conn, false)); -} + } SMB_Analyzer::~SMB_Analyzer() { diff --git a/testing/btest/Baseline/scripts.base.protocols.smb.smb1/smb_files.log b/testing/btest/Baseline/scripts.base.protocols.smb.smb1/smb_files.log index ca5e9e9cc8..46781576ac 100644 --- a/testing/btest/Baseline/scripts.base.protocols.smb.smb1/smb_files.log +++ b/testing/btest/Baseline/scripts.base.protocols.smb.smb1/smb_files.log @@ -3,11 +3,12 @@ #empty_field (empty) #unset_field - #path smb_files -#open 2016-03-09-09-45-49 +#open 2016-04-01-13-33-43 #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p fuid action path name size times.modified times.accessed times.created times.changed #types time string addr port addr port string enum string string count time time time time -1403194573.483536 CXWv6p3arKYeMETxOg 192.168.1.78 55770 192.168.1.53 445 - SMB::UNKNOWN_OPEN - 0 1403193605.830790 1403193605.830790 1403193211.405449 1403193605.830790 -1403194573.484701 CXWv6p3arKYeMETxOg 192.168.1.78 55770 192.168.1.53 445 - SMB::UNKNOWN_OPEN - Test 0 1403193632.973276 1403193632.973276 1403193604.628965 1403193632.973276 -1403194574.150293 CXWv6p3arKYeMETxOg 192.168.1.78 55770 192.168.1.53 445 - SMB::UNKNOWN_OPEN - Test\\2009-12 Payroll.xlsx 25940 1403148950.000000 1403193623.046524 1403148950.000000 1403193632.973276 -1403194574.232191 CXWv6p3arKYeMETxOg 192.168.1.78 55770 192.168.1.53 445 FyxE5A19VJyangfN54 SMB::UNKNOWN_OPEN - Test\\2009-12 Payroll.xlsx 25940 1403148950.000000 1403193623.046524 1403148950.000000 1403193632.973276 -#close 2016-03-09-09-45-49 +1403194573.483536 CXWv6p3arKYeMETxOg 192.168.1.78 55770 192.168.1.53 445 - SMB::FILE_OPEN - 0 1403193605.830790 1403193605.830790 1403193211.405449 1403193605.830790 +1403194573.484701 CXWv6p3arKYeMETxOg 192.168.1.78 55770 192.168.1.53 445 - SMB::FILE_OPEN - Test 0 1403193632.973276 1403193632.973276 1403193604.628965 1403193632.973276 +1403194574.150293 CXWv6p3arKYeMETxOg 192.168.1.78 55770 192.168.1.53 445 - SMB::FILE_OPEN - Test\\2009-12 Payroll.xlsx 25940 1403148950.000000 1403193623.046524 1403148950.000000 1403193632.973276 +1403194574.232191 CXWv6p3arKYeMETxOg 192.168.1.78 55770 192.168.1.53 445 FyxE5A19VJyangfN54 SMB::FILE_OPEN - Test\\2009-12 Payroll.xlsx 25940 1403148950.000000 1403193623.046524 1403148950.000000 1403193632.973276 +1403194574.232191 CXWv6p3arKYeMETxOg 192.168.1.78 55770 192.168.1.53 445 FyxE5A19VJyangfN54 SMB::FILE_CLOSE - Test\\2009-12 Payroll.xlsx 25940 1403148950.000000 1403193623.046524 1403148950.000000 1403193632.973276 +#close 2016-04-01-13-33-43 diff --git a/testing/btest/Baseline/scripts.base.protocols.smb.smb2/smb_files.log b/testing/btest/Baseline/scripts.base.protocols.smb.smb2/smb_files.log index 2898285056..8b7349718b 100644 --- a/testing/btest/Baseline/scripts.base.protocols.smb.smb2/smb_files.log +++ b/testing/btest/Baseline/scripts.base.protocols.smb.smb2/smb_files.log @@ -3,12 +3,12 @@ #empty_field (empty) #unset_field - #path smb_files -#open 2016-03-09-09-45-59 +#open 2016-04-01-08-31-01 #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p fuid action path name size times.modified times.accessed times.created times.changed #types time string addr port addr port string enum string string count time time time time -1323202695.377459 CXWv6p3arKYeMETxOg 10.0.0.11 49208 10.0.0.12 445 - SMB::FILE_OPEN - 8192 1323202604.512058 1323202604.512058 1322343963.945297 1323202604.512058 -1323202695.432192 CXWv6p3arKYeMETxOg 10.0.0.11 49208 10.0.0.12 445 - SMB::FILE_OPEN - WP_SMBPlugin.pdf 0 1323202695.427034 1323202695.427034 1323202695.427034 1323202695.427034 +1323202695.377459 CXWv6p3arKYeMETxOg 10.0.0.11 49208 10.0.0.12 445 - SMB::FILE_OPEN \\\\10.0.0.12\\smb2 8192 1323202604.512058 1323202604.512058 1322343963.945297 1323202604.512058 +1323202695.432192 CXWv6p3arKYeMETxOg 10.0.0.11 49208 10.0.0.12 445 - SMB::FILE_OPEN \\\\10.0.0.12\\smb2 WP_SMBPlugin.pdf 0 1323202695.427034 1323202695.427034 1323202695.427034 1323202695.427034 1323202695.432192 CXWv6p3arKYeMETxOg 10.0.0.11 49208 10.0.0.12 445 FUU9mc3Ub5uZdcqg1d SMB::FILE_CLOSE \\\\10.0.0.12\\smb2 WP_SMBPlugin.pdf 0 1323202695.427034 1323202695.427034 1323202695.427034 1323202695.427034 -1323202695.599914 CXWv6p3arKYeMETxOg 10.0.0.11 49208 10.0.0.12 445 - SMB::FILE_OPEN - 8192 1323202695.427034 1323202695.427034 1322343963.945297 1323202695.427034 +1323202695.599914 CXWv6p3arKYeMETxOg 10.0.0.11 49208 10.0.0.12 445 - SMB::FILE_OPEN \\\\10.0.0.12\\smb2 8192 1323202695.427034 1323202695.427034 1322343963.945297 1323202695.427034 1323202695.599914 CXWv6p3arKYeMETxOg 10.0.0.11 49208 10.0.0.12 445 - SMB::FILE_CLOSE \\\\10.0.0.12\\smb2 8192 1323202695.427034 1323202695.427034 1322343963.945297 1323202695.427034 -#close 2016-03-09-09-45-59 +#close 2016-04-01-08-31-01 diff --git a/testing/btest/scripts/base/protocols/smb/smb2.test b/testing/btest/scripts/base/protocols/smb/smb2.test index b935175204..5684d7ddf8 100644 --- a/testing/btest/scripts/base/protocols/smb/smb2.test +++ b/testing/btest/scripts/base/protocols/smb/smb2.test @@ -6,3 +6,4 @@ # @TEST-EXEC: test ! -f weird.log @load base/protocols/smb +