From f041c97cdcf23449039fbe6c402ca4a062b2f2eb Mon Sep 17 00:00:00 2001
From: Julien Wallior
Date: Thu, 11 Jan 2018 14:23:10 -0500
Subject: [PATCH] Change smb2_create_request event arguments to single request struct.
Added disposition and create_option fields.
---
 scripts/base/init-bare.bro | 14 ++++++++++++++
 scripts/policy/protocols/smb/smb2-main.bro | 8 ++++----
 src/analyzer/protocol/smb/smb2-com-create.pac | 6 +++++-
 src/analyzer/protocol/smb/smb2_com_create.bif | 8 ++++++--
 4 files changed, 29 insertions(+), 7 deletions(-)
diff --git a/scripts/base/init-bare.bro b/scripts/base/init-bare.bro
index f2ea2ed29a..4cd061e737 100644
--- a/scripts/base/init-bare.bro
+++ b/scripts/base/init-bare.bro
@@ -3054,6 +3054,20 @@ export {
 ## The type of share being accessed. Physical disk, named pipe, or printer.
 share_type: count;
 };
+
+ ## The request sent by the client to request either creation of or access to a file.
+ ##
+ ## For more information, see MS-SMB2:2.2.13
+ ##
+ ## .. bro:see:: smb2_create_request
+ type SMB2::CreateRequest: record {
+ ## Name of the file
+ filename : string;
+ ## Defines the action the server MUST take if the file that is specified already exists.
+ disposition : count;
+ ## Specifies the options to be applied when creating or opening the file.
+ create_options : count;
+ };
 }
 module GLOBAL;
diff --git a/scripts/policy/protocols/smb/smb2-main.bro b/scripts/policy/protocols/smb/smb2-main.bro
index 1dc3a10654..55b6da5534 100644
--- a/scripts/policy/protocols/smb/smb2-main.bro
+++ b/scripts/policy/protocols/smb/smb2-main.bro
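Review bot: The new `disposition` and `create_options` fields of `SMB2::CreateRequest` are exposed as bare `count`s with no named constants and no statement of how to read them, so a policy script can only interpret them with magic numbers. In MS-SMB2 2.2.13 CreateDisposition is an enumeration and CreateOptions is a flag bitmask, and the field comments should say which, e.g. `## Raw CreateDisposition value from MS-SMB2 2.2.13 (e.g. FILE_OPEN, FILE_CREATE, FILE_OVERWRITE_IF).` and `## Raw CreateOptions flag bitmask from MS-SMB2 2.2.13; test individual flags with the bit-and operator.`. If detection use cases later need to distinguish read-only opens from writes, the request's DesiredAccess mask from the same section would be the natural next field, but that is outside this change.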
@@ -129,12 +129,12 @@ event smb2_tree_disconnect_request(c: connection, hdr: SMB2::Header) &priority=5
 }
 }
-event smb2_create_request(c: connection, hdr: SMB2::Header, name: string) &priority=5
+event smb2_create_request(c: connection, hdr: SMB2::Header, request: SMB2::CreateRequest) &priority=5
 {
- if ( name == "")
- name = "";
+ if ( request$filename == "")
+ request$filename = "";
- c$smb_state$current_file$name = name;
+ c$smb_state$current_file$name = request$filename;
 switch ( c$smb_state$current_tree$share_type )
 {
diff --git a/src/analyzer/protocol/smb/smb2-com-create.pac b/src/analyzer/protocol/smb/smb2-com-create.pac
index 4d7c70bbe7..afa6dbcfec 100644
--- a/src/analyzer/protocol/smb/smb2-com-create.pac
+++ b/src/analyzer/protocol/smb/smb2-com-create.pac
@@ -13,10 +13,14 @@ refine connection SMB_Conn += {
 if ( smb2_create_request )
 {
+ RecordVal* requestinfo = new RecordVal(BifType::Record::SMB2::CreateRequest);
+ requestinfo->Assign(0, filename);
+ requestinfo->Assign(1, new Val(${val.disposition}, TYPE_COUNT));
+ requestinfo->Assign(2, new Val(${val.create_options}, TYPE_COUNT));
 BifEvent::generate_smb2_create_request(bro_analyzer(),
 bro_analyzer()->Conn(),
 BuildSMB2HeaderVal(h),
- filename);
+ requestinfo);
 }
 else
 {
diff --git a/src/analyzer/protocol/smb/smb2_com_create.bif b/src/analyzer/protocol/smb/smb2_com_create.bif
index dea5b118ca..ef7d8d93ff 100644
--- a/src/analyzer/protocol/smb/smb2_com_create.bif
+++ b/src/analyzer/protocol/smb/smb2_com_create.bif
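Review bot: The rewritten guard `if ( request$filename == "")` / `request$filename = "";` is a no-op — it stores an empty string into a field that is already empty — and was carried over verbatim from the old `name` form rather than reconsidered. Either drop both lines, or if the intent was to give anonymous opens a placeholder name before it is copied into `c$smb_state$current_file$name`, assign that placeholder instead. Since record values are shared by reference, any real assignment to `request$filename` here would also be visible to every other handler of `smb2_create_request`, which argues for applying the substitution to `c$smb_state$current_file$name` rather than to the event argument. The handler body continues past the end of the hunk.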
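Review bot: The three `requestinfo->Assign(N, ...)` calls depend on positional field indices that must stay in step with the `SMB2::CreateRequest` declaration in `scripts/base/init-bare.bro`, and nothing in the .pac records that coupling, so a later field insertion in the script-land record would silently shift `disposition` into `create_options`. Add a comment above the `new RecordVal(...)` line such as `// Field order must match SMB2::CreateRequest in scripts/base/init-bare.bro (0: filename, 1: disposition, 2: create_options).`. Ownership of `filename` appears to move into the record through `Assign(0, filename)` just as it previously moved into the event's argument list, so this path looks balanced, but the `else` branch and the enclosing function lie outside the hunk and should be checked for the same.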
@@ -8,10 +8,10 @@
 ##
 ## hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 2 message.
 ##
-## file_name: The name of the file being requested.
+## request: A record with more information related to the request.
 ##
 ## .. bro:see:: smb2_message smb2_create_response
-event smb2_create_request%(c: connection, hdr: SMB2::Header, file_name: string%);
+event smb2_create_request%(c: connection, hdr: SMB2::Header, request: SMB2::CreateRequest%);
 ## Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
 ## version 2 responses of type *create*. This is sent by the server to notify the client of
@@ -33,3 +33,7 @@ event smb2_create_request%(c: connection, hdr: SMB2::Header, file_name: string%)
 ##
 ## .. bro:see:: smb2_message smb2_create_request
 event smb2_create_response%(c: connection, hdr: SMB2::Header, file_id: SMB2::GUID, size: count, times: SMB::MACTimes, attrs: SMB2::FileAttrs%);
+
+ #### Types
+
+ type SMB2::CreateRequest: record;
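Review bot: The replacement parameter doc `## request: A record with more information related to the request.` says nothing about what the record carries, and this .bif comment is what is rendered in the event reference. Name the contents and the type, e.g. `## request: The parsed create request as an SMB2::CreateRequest record: the file name, the CreateDisposition value and the CreateOptions flags.`, and consider adding `SMB2::CreateRequest` to the `.. bro:see::` line so the record type is linked from the event page.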