SMB cleanup.

This commit is contained in:
Seth Hall 2016-07-30 01:33:40 -04:00
parent 44496922f1
commit fee3af419b
8 changed files with 17 additions and 301 deletions


@ -3,9 +3,6 @@
#ifndef ANALYZER_PROTOCOL_DCE_RPC_DCE_RPC_H #ifndef ANALYZER_PROTOCOL_DCE_RPC_DCE_RPC_H
#define ANALYZER_PROTOCOL_DCE_RPC_DCE_RPC_H #define ANALYZER_PROTOCOL_DCE_RPC_DCE_RPC_H
// NOTE: This is a somewhat crude analyzer for DCE/RPC (used on Microsoft
// Windows systems) and shouldn't be considered as stable.
#include "NetVar.h" #include "NetVar.h"
#include "analyzer/protocol/tcp/TCP.h" #include "analyzer/protocol/tcp/TCP.h"
#include "analyzer/protocol/dce-rpc/events.bif.h" #include "analyzer/protocol/dce-rpc/events.bif.h"
@ -13,168 +10,8 @@
#include "dce_rpc_pac.h" #include "dce_rpc_pac.h"
namespace analyzer { namespace dce_rpc { namespace analyzer { namespace dce_rpc {
/* class UUID {
public:
UUID();
UUID(const u_char data[16]);
UUID(const binpac::bytestring &uuid);
UUID(const char* s);
const char* to_string() const { return s.c_str(); }
const string& str() const { return s; }
bool operator==(const UUID& u) const
{ return s == u.str(); }
bool operator<(const UUID& u) const
{ return s < u.str(); }
protected:
u_char data[16];
string s;
};
//const char* uuid_to_string(const u_char* uuid_data);
struct dce_rpc_endpoint_addr {
// All fields are in host byteorder.
IPAddr addr;
u_short port;
TransportProto proto;
dce_rpc_endpoint_addr()
{
addr = IPAddr();
port = 0;
proto = TRANSPORT_UNKNOWN;
}
bool is_valid_addr() const
{ return addr != IPAddr() && port != 0 && proto != TRANSPORT_UNKNOWN; }
bool operator<(dce_rpc_endpoint_addr const &e) const
{
if ( addr != e.addr )
return addr < e.addr;
if ( proto != e.proto )
return proto < e.proto;
if ( port != e.port )
return port < e.port;
return false;
}
string to_string() const
{
static char buf[128];
snprintf(buf, sizeof(buf), "%s/%d/%s",
addr.AsString().c_str(), port,
proto == TRANSPORT_TCP ? "tcp" :
(proto == TRANSPORT_UDP ? "udp" : "?"));
return string(buf);
}
}; */
/*
enum DCE_RPC_PTYPE {
DCE_RPC_REQUEST, DCE_RPC_PING, DCE_RPC_RESPONSE, DCE_RPC_FAULT,
DCE_RPC_WORKING, DCE_RPC_NOCALL, DCE_RPC_REJECT, DCE_RPC_ACK,
DCE_RPC_CL_CANCEL, DCE_RPC_FACK, DCE_RPC_CANCEL_ACK, DCE_RPC_BIND,
DCE_RPC_BIND_ACK, DCE_RPC_BIND_NAK, DCE_RPC_ALTER_CONTEXT,
DCE_RPC_ALTER_CONTEXT_RESP, DCE_RPC_SHUTDOWN, DCE_RPC_CO_CANCEL,
DCE_RPC_ORPHANED,
};
*/
/*
#define DCE_RPC_HEADER_LENGTH 16
class DCE_RPC_Header {
public:
DCE_RPC_Header(analyzer::Analyzer* a, const u_char* bytes);
BifEnum::dce_rpc_ptype PTYPE() const { return ptype; }
int FragLen() const { return frag_len; }
int LittleEndian() const { return bytes[4] >> 4; }
bool Fragmented() const { return fragmented; }
void Weird(const char* msg) { analyzer->Weird(msg); }
void SetBytes(const u_char* b) { bytes = b; }
protected:
analyzer::Analyzer* analyzer;
const u_char* bytes;
BifEnum::dce_rpc_ptype ptype;
int frag_len;
bool fragmented;
};
// Create a general DCE_RPC_Session class so that it can be used in
// case the RPC conversation is tunneled through other connections,
// e.g. through an SMB session.
class DCE_RPC_Session {
public:
DCE_RPC_Session(analyzer::Analyzer* a);
virtual ~DCE_RPC_Session() {}
virtual void DeliverPDU(int is_orig, int len, const u_char* data);
static bool LooksLikeRPC(int len, const u_char* msg);
static bool any_dce_rpc_event()
{ return dce_rpc_message || dce_rpc_bind || dce_rpc_request; }
protected:
void DeliverBind(const binpac::DCE_RPC::DCE_RPC_PDU* pdu);
void DeliverRequest(const binpac::DCE_RPC::DCE_RPC_PDU* pdu);
void DeliverResponse(const binpac::DCE_RPC::DCE_RPC_PDU* pdu);
void DeliverEpmapperRequest(
const binpac::DCE_RPC::DCE_RPC_PDU* pdu,
const binpac::DCE_RPC::DCE_RPC_Request* req);
void DeliverEpmapperResponse(
const binpac::DCE_RPC::DCE_RPC_PDU* pdu,
const binpac::DCE_RPC::DCE_RPC_Response* resp);
void DeliverEpmapperMapResponse(
const binpac::DCE_RPC::DCE_RPC_PDU* pdu,
const binpac::DCE_RPC::DCE_RPC_Response* resp);
analyzer::Analyzer* analyzer;
UUID uuid;
BifEnum::dce_rpc_if_id if_id;
int opnum;
struct {
dce_rpc_endpoint_addr addr;
UUID uuid;
} mapped;
};
class Contents_DCE_RPC_Analyzer : public tcp::TCP_SupportAnalyzer {
public:
Contents_DCE_RPC_Analyzer(Connection* conn, bool orig, DCE_RPC_Session* session,
bool speculative);
~Contents_DCE_RPC_Analyzer();
protected:
virtual void DeliverStream(int len, const u_char* data, bool orig);
virtual void DeliverPDU(int len, const u_char* data);
void InitState();
int speculation;
u_char* msg_buf;
int msg_len;
int buf_n; // number of bytes in msg_buf
int buf_len; // size off msg_buf
DCE_RPC_Header* hdr;
bool ParseHeader();
DCE_RPC_Session* session;
};
*/
class DCE_RPC_Analyzer : public tcp::TCP_ApplicationAnalyzer { class DCE_RPC_Analyzer : public tcp::TCP_ApplicationAnalyzer {
public: public:
DCE_RPC_Analyzer(Connection* conn); DCE_RPC_Analyzer(Connection* conn);


@ -1,77 +0,0 @@
SMB_COMMAND(SMB_COM_CREATE_DIRECTORY, 0x00)
SMB_COMMAND(SMB_COM_DELETE_DIRECTORY, 0x01)
SMB_COMMAND(SMB_COM_OPEN, 0x02)
SMB_COMMAND(SMB_COM_CREATE, 0x03)
SMB_COMMAND(SMB_COM_CLOSE, 0x04)
SMB_COMMAND(SMB_COM_FLUSH, 0x05)
SMB_COMMAND(SMB_COM_DELETE, 0x06)
SMB_COMMAND(SMB_COM_RENAME, 0x07)
SMB_COMMAND(SMB_COM_QUERY_INFORMATION, 0x08)
SMB_COMMAND(SMB_COM_SET_INFORMATION, 0x09)
SMB_COMMAND(SMB_COM_READ, 0x0A)
SMB_COMMAND(SMB_COM_WRITE, 0x0B)
SMB_COMMAND(SMB_COM_LOCK_BYTE_RANGE, 0x0C)
SMB_COMMAND(SMB_COM_UNLOCK_BYTE_RANGE, 0x0D)
SMB_COMMAND(SMB_COM_CREATE_TEMPORARY, 0x0E)
SMB_COMMAND(SMB_COM_CREATE_NEW, 0x0F)
SMB_COMMAND(SMB_COM_CHECK_DIRECTORY, 0x10)
SMB_COMMAND(SMB_COM_PROCESS_EXIT, 0x11)
SMB_COMMAND(SMB_COM_SEEK, 0x12)
SMB_COMMAND(SMB_COM_LOCK_AND_READ, 0x13)
SMB_COMMAND(SMB_COM_WRITE_AND_UNLOCK, 0x14)
SMB_COMMAND(SMB_COM_READ_RAW, 0x1A)
SMB_COMMAND(SMB_COM_READ_MPX, 0x1B)
SMB_COMMAND(SMB_COM_READ_MPX_SECONDARY, 0x1C)
SMB_COMMAND(SMB_COM_WRITE_RAW, 0x1D)
SMB_COMMAND(SMB_COM_WRITE_MPX, 0x1E)
SMB_COMMAND(SMB_COM_WRITE_MPX_SECONDARY, 0x1F)
SMB_COMMAND(SMB_COM_WRITE_COMPLETE, 0x20)
SMB_COMMAND(SMB_COM_QUERY_SERVER, 0x21)
SMB_COMMAND(SMB_COM_SET_INFORMATION2, 0x22)
SMB_COMMAND(SMB_COM_QUERY_INFORMATION2, 0x23)
SMB_COMMAND(SMB_COM_LOCKING_ANDX, 0x24)
SMB_COMMAND(SMB_COM_TRANSACTION, 0x25)
SMB_COMMAND(SMB_COM_TRANSACTION_SECONDARY, 0x26)
SMB_COMMAND(SMB_COM_IOCTL, 0x27)
SMB_COMMAND(SMB_COM_IOCTL_SECONDARY, 0x28)
SMB_COMMAND(SMB_COM_COPY, 0x29)
SMB_COMMAND(SMB_COM_MOVE, 0x2A)
SMB_COMMAND(SMB_COM_ECHO, 0x2B)
SMB_COMMAND(SMB_COM_WRITE_AND_CLOSE, 0x2C)
SMB_COMMAND(SMB_COM_OPEN_ANDX, 0x2D)
SMB_COMMAND(SMB_COM_READ_ANDX, 0x2E)
SMB_COMMAND(SMB_COM_WRITE_ANDX, 0x2F)
SMB_COMMAND(SMB_COM_NEW_FILE_SIZE, 0x30)
SMB_COMMAND(SMB_COM_CLOSE_AND_TREE_DISC, 0x31)
SMB_COMMAND(SMB_COM_TRANSACTION2, 0x32)
SMB_COMMAND(SMB_COM_TRANSACTION2_SECONDARY, 0x33)
SMB_COMMAND(SMB_COM_FIND_CLOSE2, 0x34)
SMB_COMMAND(SMB_COM_FIND_NOTIFY_CLOSE, 0x35)
// Used by Xenix/Unix 0x60 - 0x6E.
SMB_COMMAND(SMB_COM_TREE_CONNECT, 0x70)
SMB_COMMAND(SMB_COM_TREE_DISCONNECT, 0x71)
SMB_COMMAND(SMB_COM_NEGOTIATE, 0x72)
SMB_COMMAND(SMB_COM_SESSION_SETUP_ANDX, 0x73)
SMB_COMMAND(SMB_COM_LOGOFF_ANDX, 0x74)
SMB_COMMAND(SMB_COM_TREE_CONNECT_ANDX, 0x75)
SMB_COMMAND(SMB_COM_QUERY_INFORMATION_DISK, 0x80)
SMB_COMMAND(SMB_COM_SEARCH, 0x81)
SMB_COMMAND(SMB_COM_FIND, 0x82)
SMB_COMMAND(SMB_COM_FIND_UNIQUE, 0x83)
SMB_COMMAND(SMB_COM_FIND_CLOSE, 0x84)
SMB_COMMAND(SMB_COM_NT_TRANSACT, 0xA0)
SMB_COMMAND(SMB_COM_NT_TRANSACT_SECONDARY, 0xA1)
SMB_COMMAND(SMB_COM_NT_CREATE_ANDX, 0xA2)
SMB_COMMAND(SMB_COM_NT_CANCEL, 0xA4)
SMB_COMMAND(SMB_COM_NT_RENAME, 0xA5)
SMB_COMMAND(SMB_COM_OPEN_PRINT_FILE, 0xC0)
SMB_COMMAND(SMB_COM_WRITE_PRINT_FILE, 0xC1)
SMB_COMMAND(SMB_COM_CLOSE_PRINT_FILE, 0xC2)
SMB_COMMAND(SMB_COM_GET_PRINT_QUEUE, 0xC3)
SMB_COMMAND(SMB_COM_READ_BULK, 0xD8)
SMB_COMMAND(SMB_COM_WRITE_BULK, 0xD9)
SMB_COMMAND(SMB_COM_WRITE_BULK_DATA, 0xDA)
SMB_COMMAND(SMB_COM_INVALID, 0xFE)
SMB_COMMAND(SMB_COM_NO_ANDX_COMMAND, 0xFF)


@ -238,43 +238,15 @@ enum SMB_Status {
function determine_transaction_type(setup_count: int, name: SMB_string): TransactionType function determine_transaction_type(setup_count: int, name: SMB_string): TransactionType
%{ %{
// This logic needs to be verified! the relationship between
// setup_count and type is very unclear.
if ( name == NULL ) if ( name == NULL )
{ {
return SMB_UNKNOWN; return SMB_UNKNOWN;
} }
//if ( bytestring_caseprefix( extract_string(name),
// "\\PIPE\\LANMAN" ) )
// {
// return SMB_RAP;
// }
//
//if ( bytestring_caseprefix( extract_string(name), "\\MAILSLOT\\LANMAN" ) )
// {
// return SMB_MAILSLOT_LANMAN;
// //return SMB_MAILSLOT_BROWSE;
// }
//
//if ( bytestring_caseprefix( extract_string(name), "\\MAILSLOT\\NET\\NETLOGON" ) )
// {
// /* Don't really know what to do here, its got a Mailslot
// * type but its a deprecated packet format that handles
// * old windows logon
// */
// return SMB_UNKNOWN;
// }
//
if ( ${name.u.s}->size() == 14 && ${name.u.s[0]} == '\\' && ${name.u.s[2]} == 'P' && ${name.u.s[4]} == 'I' && ${name.u.s[6]} == 'P' && ${name.u.s[8]} == 'E' && ${name.u.s[10]} == '\\') if ( ${name.u.s}->size() == 14 && ${name.u.s[0]} == '\\' && ${name.u.s[2]} == 'P' && ${name.u.s[4]} == 'I' && ${name.u.s[6]} == 'P' && ${name.u.s[8]} == 'E' && ${name.u.s[10]} == '\\')
{ {
return SMB_PIPE; return SMB_PIPE;
} }
//if ( setup_count == 3 ||
// bytestring_caseprefix( extract_string(name), "\\MAILSLOT\\" ) )
// {
// return SMB_MAILSLOT_BROWSE;
// }
return SMB_UNKNOWN; return SMB_UNKNOWN;
%} %}
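Review bot: The deleted line `This logic needs to be verified!` was the only documentation of the `\PIPE\` test on the `if ( ${name.u.s}->size() == 14 ...` line, and that test is unchanged, so the caveat should be carried over rather than silently dropped. The check compares only bytes 0,2,4,6,8,10 against `\PIPE\` and requires a total size of 14, which looks like a UTF-16LE `\PIPE\` plus NUL and nothing else: the interleaved bytes are never inspected, a lower-case or non-Unicode (ASCII) name falls through to `SMB_UNKNOWN`, and with the commented block gone the `setup_count` parameter is now unused. Suggest putting a comment in place of the removed text, e.g. `// Matches only the upper-case UTF-16LE "\PIPE\" transaction name (6 chars + NUL = 14 bytes); ASCII and mixed-case names are not recognised — TODO verify/widen.`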


@ -29,6 +29,7 @@
#include "smb2_com_close.bif.h" #include "smb2_com_close.bif.h"
#include "smb2_com_create.bif.h" #include "smb2_com_create.bif.h"
//#include "smb2_com_ioctl.bif.h"
//#include "smb2_com_lock.bif.h" //#include "smb2_com_lock.bif.h"
#include "smb2_com_negotiate.bif.h" #include "smb2_com_negotiate.bif.h"
#include "smb2_com_read.bif.h" #include "smb2_com_read.bif.h"
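Review bot: The added `//#include "smb2_com_ioctl.bif.h"` is commented-out code with no explanation, alongside the already commented `//#include "smb2_com_lock.bif.h"`; a cleanup commit should either not add it or say why it is disabled. If the header is planned (presumably pending an SMB2 IOCTL analyzer), mark it `// TODO: enable once the smb2_com_ioctl analyzer is wired in` so the next reader knows the line is intentional rather than an accidental comment-out.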


@ -3,21 +3,6 @@ refine connection SMB_Conn += {
%{ %{
if ( smb1_nt_create_andx_request ) if ( smb1_nt_create_andx_request )
{ {
// name_length : uint16;
// flags : uint32;
// root_dir_file_id : uint32;
// desired_access : uint32;
// alloc_size : uint64;
// ext_file_attrs : uint32;
// share_access : uint32;
// create_disposition : uint32;
// create_options : uint32;
// impersonation_level : uint32;
// security_flags : uint8;
//
// byte_count : uint16;
// filename : SMB_string(header.unicode, offsetof(filename)) &length=name_length;
BifEvent::generate_smb1_nt_create_andx_request(bro_analyzer(), BifEvent::generate_smb1_nt_create_andx_request(bro_analyzer(),
bro_analyzer()->Conn(), bro_analyzer()->Conn(),
BuildHeaderVal(header), BuildHeaderVal(header),


@ -0,0 +1 @@
# Empty.


@ -3,11 +3,10 @@
#empty_field (empty) #empty_field (empty)
#unset_field - #unset_field -
#path smb_files #path smb_files
#open 2016-04-03-19-43-52 #open 2016-07-28-07-50-04
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p fuid action path name size times.modified times.accessed times.created times.changed #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p fuid action path name size prev_name times.modified times.accessed times.created times.changed
#types time string addr port addr port string enum string string count time time time time #types time string addr port addr port string enum string string count string time time time time
1403194573.483536 CXWv6p3arKYeMETxOg 192.168.1.78 55770 192.168.1.53 445 - SMB::FILE_OPEN - <share_root> 0 1403193605.830790 1403193605.830790 1403193211.405449 1403193605.830790 1403194573.483536 CXWv6p3arKYeMETxOg 192.168.1.78 55770 192.168.1.53 445 - SMB::FILE_OPEN - <share_root> 0 - 1403193605.830790 1403193605.830790 1403193211.405449 1403193605.830790
1403194573.484701 CXWv6p3arKYeMETxOg 192.168.1.78 55770 192.168.1.53 445 - SMB::FILE_OPEN - Test 0 1403193632.973276 1403193632.973276 1403193604.628965 1403193632.973276 1403194573.484701 CXWv6p3arKYeMETxOg 192.168.1.78 55770 192.168.1.53 445 - SMB::FILE_OPEN - Test 0 - 1403193632.973276 1403193632.973276 1403193604.628965 1403193632.973276
1403194574.150293 CXWv6p3arKYeMETxOg 192.168.1.78 55770 192.168.1.53 445 - SMB::FILE_OPEN - Test\\2009-12 Payroll.xlsx 25940 1403148950.000000 1403193623.046524 1403148950.000000 1403193632.973276 1403194574.150293 CXWv6p3arKYeMETxOg 192.168.1.78 55770 192.168.1.53 445 - SMB::FILE_OPEN - Test\\2009-12 Payroll.xlsx 25940 - 1403148950.000000 1403193623.046524 1403148950.000000 1403193632.973276
1403194574.232191 CXWv6p3arKYeMETxOg 192.168.1.78 55770 192.168.1.53 445 FyxE5A19VJyangfN54 SMB::FILE_CLOSE - Test\\2009-12 Payroll.xlsx 25940 1403148950.000000 1403193623.046524 1403148950.000000 1403193632.973276 #close 2016-07-28-07-50-04
#close 2016-04-03-19-43-52
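Review bot: The regenerated baseline drops the `SMB::FILE_CLOSE` row for `Test\\2009-12 Payroll.xlsx`, which was the only row carrying a `fuid` (`FyxE5A19VJyangfN54`), so after this change nothing in the expected smb_files.log links an SMB file to its files.log entry. No script or analyzer change that explains the missing row (or the new `prev_name` column) is visible in this commit, so it is unclear whether the baseline is catching up with an earlier change or masking a regression in close handling. Suggest stating which in the commit message, and keeping a FILE_CLOSE row with a fuid in the expected output if closes are still meant to be logged.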


@ -3,12 +3,10 @@
#empty_field (empty) #empty_field (empty)
#unset_field - #unset_field -
#path smb_files #path smb_files
#open 2016-04-01-08-31-01 #open 2016-07-28-07-50-22
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p fuid action path name size times.modified times.accessed times.created times.changed #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p fuid action path name size prev_name times.modified times.accessed times.created times.changed
#types time string addr port addr port string enum string string count time time time time #types time string addr port addr port string enum string string count string time time time time
1323202695.377459 CXWv6p3arKYeMETxOg 10.0.0.11 49208 10.0.0.12 445 - SMB::FILE_OPEN \\\\10.0.0.12\\smb2 <share_root> 8192 1323202604.512058 1323202604.512058 1322343963.945297 1323202604.512058 1323202695.377459 CXWv6p3arKYeMETxOg 10.0.0.11 49208 10.0.0.12 445 - SMB::FILE_OPEN \\\\10.0.0.12\\smb2 <share_root> 8192 - 1323202604.512058 1323202604.512058 1322343963.945297 1323202604.512058
1323202695.432192 CXWv6p3arKYeMETxOg 10.0.0.11 49208 10.0.0.12 445 - SMB::FILE_OPEN \\\\10.0.0.12\\smb2 WP_SMBPlugin.pdf 0 1323202695.427034 1323202695.427034 1323202695.427034 1323202695.427034 1323202695.432192 CXWv6p3arKYeMETxOg 10.0.0.11 49208 10.0.0.12 445 - SMB::FILE_OPEN \\\\10.0.0.12\\smb2 WP_SMBPlugin.pdf 0 - 1323202695.427034 1323202695.427034 1323202695.427034 1323202695.427034
1323202695.432192 CXWv6p3arKYeMETxOg 10.0.0.11 49208 10.0.0.12 445 FUU9mc3Ub5uZdcqg1d SMB::FILE_CLOSE \\\\10.0.0.12\\smb2 WP_SMBPlugin.pdf 0 1323202695.427034 1323202695.427034 1323202695.427034 1323202695.427034 1323202695.599914 CXWv6p3arKYeMETxOg 10.0.0.11 49208 10.0.0.12 445 - SMB::FILE_OPEN \\\\10.0.0.12\\smb2 <share_root> 8192 - 1323202695.427034 1323202695.427034 1322343963.945297 1323202695.427034
1323202695.599914 CXWv6p3arKYeMETxOg 10.0.0.11 49208 10.0.0.12 445 - SMB::FILE_OPEN \\\\10.0.0.12\\smb2 <share_root> 8192 1323202695.427034 1323202695.427034 1322343963.945297 1323202695.427034 #close 2016-07-28-07-50-22
1323202695.599914 CXWv6p3arKYeMETxOg 10.0.0.11 49208 10.0.0.12 445 - SMB::FILE_CLOSE \\\\10.0.0.12\\smb2 <share_root> 8192 1323202695.427034 1323202695.427034 1322343963.945297 1323202695.427034
#close 2016-04-01-08-31-01
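Review bot: Both `SMB::FILE_CLOSE` rows are gone from the new baseline, the `WP_SMBPlugin.pdf` one that carried the only `fuid` (`FUU9mc3Ub5uZdcqg1d`) and the `<share_root>` one, while every `FILE_OPEN` row survives, so the expected log now records no close and no file id at all. Since this hunk shows only the baseline and no change to the code that emits these rows, please confirm the loss is intended rather than a dropped close handler; if it is intended, the commit message should say that smb_files.log no longer contains FILE_CLOSE or fuid values, because downstream correlation with files.log depends on them.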