added smb2-com-transform-header for smb3.x

2025-10-02 06:38:20 +00:00 · 2019-02-06 10:19:05 +01:00 · 2019-02-06 10:19:05 +01:00 · f1cdae2829
commit f1cdae2829
parent 1ee96516e8
10 changed files with 90 additions and 4 deletions
--- a/aux/broker
+++ b/aux/broker
@ -1 +1 @@
-Subproject commit bf734622dceaafaf7a481185efd22bd7cc805f9b
+Subproject commit c7b1dfd38ec6c42729f8c462eef6457a8dd948b6
--- a/2
+++ b/2
@ -1 +1 @@
-Subproject commit 5acafa0d340a6f4096dccbe69b8fb62d7c9ce87f
+Subproject commit c0092fab7b28c029eddb6b9b654f6096d8e4456a
--- a/scripts/base/init-bare.bro
+++ b/scripts/base/init-bare.bro
@ -3327,6 +3327,30 @@ export {
 		## The action taken in establishing the open.
 		create_action : count;
 	};
+
+	## An SMB2 transform header (for SMB 3.x dialects with encryption enabled).
+	##
+	## For more information, see MS-SMB2:2.2.41
+	##
+	## .. bro:see:: smb2_header smb2_message smb2_close_request smb2_close_response
+	##    smb2_create_request smb2_create_response smb2_negotiate_request
+	##    smb2_negotiate_response smb2_read_request
+	##    smb2_session_setup_request smb2_session_setup_response
+	##    smb2_file_rename smb2_file_delete
+	##    smb2_tree_connect_request smb2_tree_connect_response
+	##    smb2_write_request
+	type SMB2::Transform_header: record {
+		## The 16-byte signature of the encrypted message, generated by using Session.EncryptionKey.
+		signature     : string;
+		## An implementation specific value assigned for every encrypted message.
+		nonce         : string;
+		## The size, in bytes, of the SMB2 message.
+		orig_msg_size : count;
+		## A flags field, interpreted in different ways depending of the SMB2 dialect.
+		flags         : count;
+		## A value that uniquely identifies the established session for the command.
+		session_id    : count;
+	};
 }

 module GLOBAL;
--- a/src/3rdparty
+++ b/src/3rdparty
@ -1 +1 @@
-Subproject commit 6e93c5546a4770d513fb57213d7b29e39e12bf4d
+Subproject commit b822eeed58c4a1ee3781f1f8c8a19fd590dc4a04
--- a/src/analyzer/protocol/smb/CMakeLists.txt
+++ b/src/analyzer/protocol/smb/CMakeLists.txt
@ -35,6 +35,7 @@ bro_plugin_bif(
 	smb2_com_tree_connect.bif
 	smb2_com_tree_disconnect.bif
 	smb2_com_write.bif
+	smb2_com_transform_header.bif
 	smb2_events.bif

 	events.bif
@ -84,5 +85,6 @@ bro_plugin_pac(
 	smb2-com-tree-connect.pac
 	smb2-com-tree-disconnect.pac
 	smb2-com-write.pac
+	smb2-com-transform-header.pac
 )
 bro_plugin_end()
--- a/src/analyzer/protocol/smb/smb-common.pac
+++ b/src/analyzer/protocol/smb/smb-common.pac
@ -1,6 +1,7 @@
 enum SMBVersion {
 	SMB1 = 0xff534d42, # \xffSMB
 	SMB2 = 0xfe534d42, # \xfeSMB
+	SMB3 = 0xfd534d42, # \xfdSMB
 };

 enum TransactionType {
--- a/src/analyzer/protocol/smb/smb.pac
+++ b/src/analyzer/protocol/smb/smb.pac
@ -40,6 +40,7 @@
 #include "smb2_com_tree_connect.bif.h"
 #include "smb2_com_tree_disconnect.bif.h"
 #include "smb2_com_write.bif.h"
+#include "smb2_com_transform_header.bif.h"
 %}

 analyzer SMB withcontext {
@ -93,6 +94,7 @@ connection SMB_Conn(bro_analyzer: BroAnalyzer) {
 %include smb2-com-tree-connect.pac
 %include smb2-com-tree-disconnect.pac
 %include smb2-com-write.pac
+%include smb2-com-transform-header.pac

 type uint24 = record {
 	byte1 : uint8;
@ -128,6 +130,7 @@ type SMB_Protocol_Identifier(is_orig: bool, msg_len: uint32) = record {
 	smb_1_or_2        : case protocol of {
 		SMB1    -> smb1    : SMB_PDU(is_orig, msg_len);
 		SMB2    -> smb2    : SMB2_PDU(is_orig);
+		SMB3    -> smb3    : SMB2_transform_header;	# if smb 3.x with encryption enabled, a different smb header (SMB2_transform_header) is used
 		default -> unknown : empty;
 	};
 };
--- a/src/analyzer/protocol/smb/smb2-com-transform-header.pac
+++ b/src/analyzer/protocol/smb/smb2-com-transform-header.pac
@ -0,0 +1,41 @@
+refine connection SMB_Conn += {
+
+	function BuildSMB2TransformHeaderVal(hdr: SMB2_transform_header): BroVal
+		%{
+		RecordVal* r = new RecordVal(BifType::Record::SMB2::Transform_header);
+
+		//r->Assign(0, uint8s_to_stringval(${hdr.signature}));
+		//r->Assign(1, uint8s_to_stringval(${hdr.nonce}));
+		r->Assign(0, bytestring_to_val(${hdr.signature}));
+		r->Assign(1, bytestring_to_val(${hdr.nonce}));	
+		r->Assign(2, val_mgr->GetCount(${hdr.orig_msg_size}));
+		r->Assign(3, val_mgr->GetCount(${hdr.flags}));
+		r->Assign(4, val_mgr->GetCount(${hdr.session_id}));
+
+		return r;
+		%}
+
+	function proc_smb2_transform_header(hdr: SMB2_transform_header) : bool
+		%{
+		if ( smb2_transform_header )
+			BifEvent::generate_smb2_transform_header(bro_analyzer(),
+			                                      bro_analyzer()->Conn(),
+							      BuildSMB2TransformHeaderVal(hdr));
+
+		return true;
+		%}
+
+};
+
+type SMB2_transform_header = record {
+	signature         : bytestring &length = 16;
+	nonce             : bytestring &length = 16;
+	#signature         : uint8[16];
+	#nonce             : uint8[16];
+	orig_msg_size     : uint32;
+	reserved          : uint16;
+	flags             : uint16;
+	session_id	  : uint64;
+} &let {
+	proc: bool = $context.connection.proc_smb2_transform_header(this);
+} &byteorder = littleendian;
--- a/src/analyzer/protocol/smb/smb2_com_transform_header.bif
+++ b/src/analyzer/protocol/smb/smb2_com_transform_header.bif
@ -0,0 +1,15 @@
+## Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
+## version 3.x *transform_header*. This is used by the client or server when sending 
+## encrypted messages.
+##
+## For more information, see MS-SMB2:2.2.41
+##
+## c: The connection.
+##
+## hdr: The parsed transformed header message, which is starting with \xfd534d42 and different from SMB1 and SMB2 headers.
+##
+## .. bro:see:: smb2_message
+event smb2_transform_header%(c: connection, hdr: SMB2::Transform_header%);
+
+type SMB2::Transform_header: record;
+