BIT-1815: move SMB::write_cmd_log functionality into policy/ script
The option is removed, but the same functionality is now enabled simply by loading policy/protocols/smb/log-cmds.bro
This commit is contained in:
parent
fc7d3cd981
commit
fcabd72b92
9 changed files with 115 additions and 90 deletions
|
@ -6,7 +6,6 @@ module SMB;
|
|||
|
||||
export {
|
||||
redef enum Log::ID += {
|
||||
CMD_LOG,
|
||||
AUTH_LOG,
|
||||
MAPPING_LOG,
|
||||
FILES_LOG
|
||||
|
@ -43,11 +42,6 @@ export {
|
|||
PRINT_CLOSE,
|
||||
} &redef;
|
||||
|
||||
## The server response statuses which are *not* logged.
|
||||
const ignored_command_statuses: set[string] = {
|
||||
"MORE_PROCESSING_REQUIRED",
|
||||
} &redef;
|
||||
|
||||
## This record is for the smb_files.log
|
||||
type FileInfo: record {
|
||||
## Time when the file was first discovered.
|
||||
|
@ -159,25 +153,12 @@ export {
|
|||
recent_files : set[string] &default=string_set() &read_expire=3min;
|
||||
};
|
||||
|
||||
## Optionally write out the SMB commands log. This is
|
||||
## primarily useful for debugging so is disabled by default.
|
||||
const write_cmd_log = F &redef;
|
||||
|
||||
## Everything below here is used internally in the SMB scripts.
|
||||
|
||||
redef record connection += {
|
||||
smb_state : State &optional;
|
||||
};
|
||||
|
||||
## Internal use only.
|
||||
## Some commands shouldn't be logged by the smb1_message event.
|
||||
const deferred_logging_cmds: set[string] = {
|
||||
"NEGOTIATE",
|
||||
"READ_ANDX",
|
||||
"SESSION_SETUP_ANDX",
|
||||
"TREE_CONNECT_ANDX",
|
||||
};
|
||||
|
||||
## This is an internally used function.
|
||||
const set_current_file: function(smb_state: State, file_id: count) &redef;
|
||||
|
||||
|
@ -198,7 +179,6 @@ redef likely_server_ports += { ports };
|
|||
|
||||
event bro_init() &priority=5
|
||||
{
|
||||
Log::create_stream(SMB::CMD_LOG, [$columns=SMB::CmdInfo, $path="smb_cmd"]);
|
||||
Log::create_stream(SMB::FILES_LOG, [$columns=SMB::FileInfo, $path="smb_files"]);
|
||||
Log::create_stream(SMB::MAPPING_LOG, [$columns=SMB::TreeInfo, $path="smb_mapping"]);
|
||||
|
||||
|
|
|
@ -68,17 +68,10 @@ event smb1_message(c: connection, hdr: SMB1::Header, is_orig: bool) &priority=5
|
|||
|
||||
event smb1_message(c: connection, hdr: SMB1::Header, is_orig: bool) &priority=-5
|
||||
{
|
||||
# Is this a response?
|
||||
if ( !is_orig )
|
||||
{
|
||||
if ( SMB::write_cmd_log &&
|
||||
c$smb_state$current_cmd$status !in SMB::ignored_command_statuses &&
|
||||
c$smb_state$current_cmd$command !in SMB::deferred_logging_cmds )
|
||||
{
|
||||
Log::write(SMB::CMD_LOG, c$smb_state$current_cmd);
|
||||
}
|
||||
delete c$smb_state$pending_cmds[hdr$mid];
|
||||
}
|
||||
if ( is_orig )
|
||||
return;
|
||||
|
||||
delete c$smb_state$pending_cmds[hdr$mid];
|
||||
}
|
||||
|
||||
|
||||
|
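Review bot: The `&priority=-5` on the smb1_message handler at the top of this hunk is left without a comment, yet the ordering is now a cross-script contract: the `delete c$smb_state$pending_cmds[hdr$mid]` that remains on the new side runs after every default-priority handler, which presumably includes the policy/ script this commit moves CMD_LOG writing into. If that script (or any other handler) needs to inspect the pending command, it is only the -5 that keeps the entry alive for it, and nothing in the file says so now that the logging code that motivated the structure is gone. I would add above the `delete`: `# Run last (priority -5) so other handlers, including policy/ logging scripts, still see the pending command before it is cleared.` The same note applies to the smb2_message handler in the hunk at -65,25, where the `delete` of `pending_cmds[hdr$message_id]` likewise sits at priority -5.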
@ -325,18 +318,3 @@ event smb_pipe_request(c: connection, hdr: SMB1::Header, op_num: count)
|
|||
|
||||
c$smb_state$current_cmd$argument = arg;
|
||||
}
|
||||
|
||||
event smb1_error(c: connection, hdr: SMB1::Header, is_orig: bool)
|
||||
{
|
||||
if ( ! is_orig )
|
||||
{
|
||||
# This is for deferred commands only.
|
||||
# The more specific messages won't fire for errors
|
||||
if ( SMB::write_cmd_log &&
|
||||
c$smb_state$current_cmd$status !in SMB::ignored_command_statuses &&
|
||||
c$smb_state$current_cmd$command in SMB::deferred_logging_cmds )
|
||||
{
|
||||
Log::write(SMB::CMD_LOG, c$smb_state$current_cmd);
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
|
@ -65,25 +65,16 @@ event smb2_message(c: connection, hdr: SMB2::Header, is_orig: bool) &priority=5
|
|||
|
||||
event smb2_message(c: connection, hdr: SMB2::Header, is_orig: bool) &priority=-5
|
||||
{
|
||||
# Is this a response?
|
||||
if ( !is_orig )
|
||||
{
|
||||
# If the command that is being looked at right now was
|
||||
# marked as PENDING, then we'll skip all of this and wait
|
||||
# for a reply that isn't marked pending.
|
||||
if ( c$smb_state$current_cmd$status == "PENDING" )
|
||||
{
|
||||
return;
|
||||
}
|
||||
if ( is_orig )
|
||||
return;
|
||||
|
||||
if ( SMB::write_cmd_log &&
|
||||
c$smb_state$current_cmd$status !in SMB::ignored_command_statuses &&
|
||||
c$smb_state$current_cmd$command !in SMB::deferred_logging_cmds )
|
||||
{
|
||||
Log::write(SMB::CMD_LOG, c$smb_state$current_cmd);
|
||||
}
|
||||
delete c$smb_state$pending_cmds[hdr$message_id];
|
||||
}
|
||||
# If the command that is being looked at right now was
|
||||
# marked as PENDING, then we'll skip all of this and wait
|
||||
# for a reply that isn't marked pending.
|
||||
if ( c$smb_state$current_cmd$status == "PENDING" )
|
||||
return;
|
||||
|
||||
delete c$smb_state$pending_cmds[hdr$message_id];
|
||||
}
|
||||
|
||||
event smb2_negotiate_request(c: connection, hdr: SMB2::Header, dialects: index_vec) &priority=5
|
||||
|
|
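Review bot: The three-line comment kept above `if ( c$smb_state$current_cmd$status == "PENDING" )` still says "we'll skip all of this", but on the new side the only thing skipped is the `delete c$smb_state$pending_cmds[hdr$message_id]`, so the comment no longer says why the early return matters. I would replace it with `# A PENDING status means the real reply is still to come; keep the command in pending_cmds until it arrives.`, which states the invariant the return protects rather than describing removed code. The switch from nesting under `if ( !is_orig )` to `if ( is_orig ) return;` matches the smb1_message handler in the hunk at -68,17, which is a welcome consistency.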