Does the initial effort to add the SMB2 SetInfo command and better handle file lengths.

2025-10-05 08:08:19 +00:00 · 2014-09-27 03:11:01 -04:00 · 2014-09-27 03:11:01 -04:00 · e4ca588127
commit e4ca588127
parent 6ee2ec666f
11 changed files with 83 additions and 28 deletions
--- a/scripts/base/init-bare.bro
+++ b/scripts/base/init-bare.bro
@ -2706,6 +2706,10 @@ export {
 		flags: SMB2::SessionSetupFlags;
 	};

+	type SMB2::SetInfoRequest: record {
+		eof: count;
+	};
+
 	type SMB2::TreeConnectResponse: record {
 		share_type: count;
 	};
--- a/scripts/base/protocols/smb/files.bro
+++ b/scripts/base/protocols/smb/files.bro
@ -57,6 +57,9 @@ event file_over_new_connection(f: fa_file, c: connection, is_orig: bool) &priori
 		{
 		c$smb$current_file$fuid = f$id;

+		if ( c$smb$current_file$size > 0 )
+			f$total_bytes = c$smb$current_file$size;
+
 		if ( c$smb$current_file?$name )
 			f$info$filename = c$smb$current_file$name;
 		}
--- a/scripts/base/protocols/smb/smb1-main.bro
+++ b/scripts/base/protocols/smb/smb1-main.bro
@ -127,7 +127,10 @@ event smb1_nt_create_andx_response(c: connection, hdr: SMB1::Header, file_id: co
 	# We can identify the file by its file id now so let's stick it 
 	# in the file map.
 	c$smb$fid_map[file_id] = c$smb$current_file;
+	}
 	
+event smb1_nt_create_andx_response(c: connection, hdr: SMB1::Header, file_id: count, file_size: count, times: SMB::MACTimes) &priority=-5
+	{
 	SMB::write_file_log(c$smb$current_file);
 	}

--- a/scripts/base/protocols/smb/smb2-main.bro
+++ b/scripts/base/protocols/smb/smb2-main.bro
@ -131,10 +131,18 @@ event smb2_create_response(c: connection, hdr: SMB2::Header, file_id: SMB2::GUID
 	# We can identify the file by its file id now so let's stick it 
 	# in the file map.
 	c$smb$fid_map[file_id$persistent+file_id$volatile] = c$smb$current_file;
+	}

+event smb2_create_response(c: connection, hdr: SMB2::Header, file_id: SMB2::GUID, file_size: count, times: SMB::MACTimes, attrs: SMB2::FileAttrs) &priority=-5
+	{
 	SMB::write_file_log(c$smb$current_file);
 	}

+event smb2_set_info_request(c: connection, hdr: SMB2::Header, request: SMB2::SetInfoRequest) &priority=5
+	{
+	c$smb$current_file$size = request$eof;
+	}
+
 event smb2_read_request(c: connection, hdr: SMB2::Header, file_id: SMB2::GUID, offset: count, length: count) &priority=5
 	{
 	SMB::set_current_file(c$smb, file_id$persistent+file_id$volatile);
--- a/src/analyzer/protocol/smb/CMakeLists.txt
+++ b/src/analyzer/protocol/smb/CMakeLists.txt
@ -30,6 +30,7 @@ bro_plugin_bif(
 	smb2_com_negotiate.bif
 	smb2_com_read.bif
 	smb2_com_session_setup.bif
+	smb2_com_set_info.bif
 	smb2_com_tree_connect.bif
 	smb2_com_tree_disconnect.bif
 	smb2_com_write.bif
@ -72,6 +73,7 @@ bro_plugin_pac(
 	smb2-com-negotiate.pac
 	smb2-com-read.pac
 	smb2-com-session-setup.pac
+	smb2-com-set-info.pac
 	smb2-com-tree-connect.pac
 	smb2-com-tree-disconnect.pac
 	smb2-com-write.pac
--- a/src/analyzer/protocol/smb/smb.pac
+++ b/src/analyzer/protocol/smb/smb.pac
@ -30,6 +30,7 @@
 #include "smb2_com_negotiate.bif.h"
 #include "smb2_com_read.bif.h"
 #include "smb2_com_session_setup.bif.h"
+#include "smb2_com_set_info.bif.h"
 #include "smb2_com_tree_connect.bif.h"
 #include "smb2_com_tree_disconnect.bif.h"
 #include "smb2_com_write.bif.h"
@ -81,6 +82,7 @@ connection SMB_Conn(bro_analyzer: BroAnalyzer) {
 %include smb2-com-negotiate.pac
 %include smb2-com-read.pac
 %include smb2-com-session-setup.pac
+%include smb2-com-set-info.pac
 %include smb2-com-tree-connect.pac
 %include smb2-com-tree-disconnect.pac
 %include smb2-com-write.pac
--- a/src/analyzer/protocol/smb/smb1-com-nt-create-andx.pac
+++ b/src/analyzer/protocol/smb/smb1-com-nt-create-andx.pac
@ -60,10 +60,10 @@ refine connection SMB_Conn += {

 		if ( ${val.end_of_file} > 0 )
 			{
-			file_mgr->SetSize(${val.end_of_file}, 
-			                  bro_analyzer()->GetAnalyzerTag(),
-			                  bro_analyzer()->Conn(),
-			                  header->is_orig());
+			//file_mgr->SetSize(${val.end_of_file}, 
+			//                  bro_analyzer()->GetAnalyzerTag(),
+			//                  bro_analyzer()->Conn(),
+			//                  header->is_orig());
 			}

 		return true;
--- a/src/analyzer/protocol/smb/smb2-com-create.pac
+++ b/src/analyzer/protocol/smb/smb2-com-create.pac
@ -31,10 +31,10 @@ refine connection SMB_Conn += {

 		if ( ${val.eof} > 0 )
 			{
-			file_mgr->SetSize(${val.eof}, 
-			                  bro_analyzer()->GetAnalyzerTag(),
-			                  bro_analyzer()->Conn(),
-			                  h->is_orig());
+			//file_mgr->SetSize(${val.eof}, 
+			//                  bro_analyzer()->GetAnalyzerTag(),
+			//                  bro_analyzer()->Conn(),
+			//                  h->is_orig());
 			}

 		return true;
--- a/src/analyzer/protocol/smb/smb2-com-set-info.pac
+++ b/src/analyzer/protocol/smb/smb2-com-set-info.pac
@ -0,0 +1,48 @@
+enum smb2_set_info_type {
+	SMB2_0_INFO_FILE       = 0x01,
+	SMB2_0_INFO_FILESYSTEM = 0x02,
+	SMB2_0_INFO_SECURITY   = 0x03,
+	SMB2_0_INFO_QUOTA      = 0x04
+};
+
+refine connection SMB_Conn += {
+
+	function proc_smb2_set_info_request(h: SMB2_Header, val: SMB2_set_info_request): bool
+		%{
+		if ( smb2_set_info_request && 
+		     ${val.info_type} == SMB2_0_INFO_FILE &&
+		     ${val.file_info_class} == 0x14 )
+			{
+			RecordVal* req = new RecordVal(BifType::Record::SMB2::SetInfoRequest);
+			req->Assign(0, new Val(${val.eof}, TYPE_COUNT));
+
+			BifEvent::generate_smb2_set_info_request(bro_analyzer(),
+			                                         bro_analyzer()->Conn(),
+			                                         BuildSMB2HeaderVal(h),
+			                                         req);
+			}
+
+		return true;
+		%}
+};
+
+type SMB2_set_info_request(header: SMB2_Header) = record {
+	structure_size      : uint16;
+	info_type           : uint8;
+	file_info_class     : uint8; # this needs a switch below
+	buffer_len          : uint32;
+	buffer_offset       : uint16;
+	reserved            : uint16;
+	additional_info     : uint32;
+	file_id             : SMB2_guid;
+	pad                 : padding to buffer_offset - header.head_length;
+
+	# TODO: a new structure needs to be created for this.
+	eof                 : uint64;
+} &let {
+	proc: bool = $context.connection.proc_smb2_set_info_request(header, this);
+};
+
+type SMB2_set_info_response(header: SMB2_Header) = record {
+	structure_size      : uint16;
+};
--- a/src/analyzer/protocol/smb/smb2-protocol.pac
+++ b/src/analyzer/protocol/smb/smb2-protocol.pac
@ -399,24 +399,6 @@ type SMB2_query_info_response(header: SMB2_Header) = record {
 	buffer              : bytestring &length = buffer_len;
 };

-type SMB2_set_info_request(header: SMB2_Header) = record {
-	structure_size      : uint16;
-	info_type           : uint8;
-	file_info_class     : uint8;
-	buffer_len          : uint32;
-	buffer_offset       : uint16;
-	reserved            : uint16;
-	additional_info     : uint32;
-	file_id             : SMB2_guid;
-	pad                 : padding to buffer_offset - header.head_length;
-	# TODO: a new structure needs to be created for this.
-	buffer              : bytestring &length = buffer_len;
-};
-
-type SMB2_set_info_response(header: SMB2_Header) = record {
-	structure_size      : uint16;
-};
-
 type SMB2_oplock_break(header: SMB2_Header) = record {
 	structure_size      : uint16;
 	oplock_level        : uint8;
--- a/src/analyzer/protocol/smb/smb2_com_set_info.bif
+++ b/src/analyzer/protocol/smb/smb2_com_set_info.bif
@ -0,0 +1,3 @@
+event smb2_set_info_request%(c: connection, hdr: SMB2::Header, request: SMB2::SetInfoRequest%);
+
+type SMB2::SetInfoRequest: record;