Clean up and move a few SMB2 commands out into their own files.

I assume that the upcoming SMB lock thing might be something
related to the SMB2 LOCK command...
This commit is contained in:
Seth Hall 2016-04-01 22:45:07 -04:00
parent dbb4404b7d
commit ff3437d157
11 changed files with 120 additions and 63 deletions


@ -55,9 +55,7 @@ export {
["423ec01e-2e35-11d2-b604-00104b703efd"] = "IWbemWCOSmartEnum interface", ["423ec01e-2e35-11d2-b604-00104b703efd"] = "IWbemWCOSmartEnum interface",
["1c1c45ee-4395-11d2-b60b-00104b703efd"] = "IWbemFetchSmartEnum interface", ["1c1c45ee-4395-11d2-b60b-00104b703efd"] = "IWbemFetchSmartEnum interface",
["541679AB-2E5F-11d3-B34E-00104BCC4B4A"] = "IWbemLoginHelper interface", ["541679AB-2E5F-11d3-B34E-00104BCC4B4A"] = "IWbemLoginHelper interface",
# KMS?
["51c82175-844e-4750-b0d8-ec255555bc06"] = "KMS", ["51c82175-844e-4750-b0d8-ec255555bc06"] = "KMS",
["50abc2a4-574d-40b3-9d66-ee4fd5fba076"] = "dnsserver", ["50abc2a4-574d-40b3-9d66-ee4fd5fba076"] = "dnsserver",
["3faf4738-3a21-4307-b46c-fdda9bb8c0d5"] = "AudioSrv", ["3faf4738-3a21-4307-b46c-fdda9bb8c0d5"] = "AudioSrv",
["c386ca3e-9061-4a72-821e-498d83be188f"] = "AudioRpc", ["c386ca3e-9061-4a72-821e-498d83be188f"] = "AudioRpc",
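Review bot: The key on the third context line, `541679AB-2E5F-11d3-B34E-00104BCC4B4A`, is the only uppercase-hex UUID in this part of the table, and Bro string-table lookups are case-sensitive; if the analyzer renders wire UUIDs in lowercase, as every other entry here suggests, this entry can never match and the IWbemLoginHelper interface would go unnamed in logs. Normalising it to `["541679ab-2e5f-11d3-b34e-00104bcc4b4a"] = "IWbemLoginHelper interface",` keeps the table consistent. The enclosing `export` block starts and ends outside the hunk.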


@ -6,6 +6,11 @@ include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DI
bro_plugin_begin(Bro DCE_RPC) bro_plugin_begin(Bro DCE_RPC)
bro_plugin_cc(DCE_RPC.cc Plugin.cc) bro_plugin_cc(DCE_RPC.cc Plugin.cc)
bro_plugin_bif(types.bif events.bif) bro_plugin_bif(types.bif events.bif)
bro_plugin_pac(dce_rpc.pac dce_rpc-protocol.pac dce_rpc-analyzer.pac epmapper.pac) bro_plugin_pac(
dce_rpc.pac
dce_rpc-protocol.pac
dce_rpc-analyzer.pac
endpoint-epmapper.pac
endpoint-atsvc.pac)
bro_plugin_end() bro_plugin_end()


@ -0,0 +1,38 @@
type ATSVC_Request(unicode: bool, opnum: uint8) = record {
empty: padding[1];
op: case opnum of {
0 -> add : ATSVC_NetrJobAdd(unicode);
default -> unknown : bytestring &restofdata;
};
};
type ATSVC_String_Pointer(unicode: bool) = record {
referent_id : uint32;
max_count : uint32;
offset : uint32;
actual_count : uint32;
string : SMB_string(unicode, offsetof(string));
};
type ATSVC_NetrJobAdd(unicode: bool) = record {
server : ATSVC_String_Pointer(unicode);
unknown : padding[2];
job_time : uint32;
days_of_month : uint32;
days_of_week : uint8;
flags : uint8;
unknown2 : padding[2];
command : ATSVC_String_Pointer(unicode);
};
type ATSVC_Reply(unicode: bool, opnum: uint16) = record {
op: case opnum of {
0 -> add: ATSVC_JobID(unicode);
default -> unknown: bytestring &restofdata;
};
};
type ATSVC_JobID(unicode: bool) = record {
id : uint32;
status : uint32;
};
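Review bot: `ATSVC_Request` declares `opnum: uint8` while `ATSVC_Reply` declares `opnum: uint16`; the DCE/RPC request header carries a 16-bit opnum, so the two should agree (`type ATSVC_Request(unicode: bool, opnum: uint16) = record {`), and the `empty: padding[1]` that precedes the case may be compensating for that mismatch, which is worth confirming against a capture. `ATSVC_String_Pointer` reads `max_count`/`offset`/`actual_count` and the string unconditionally, but for an NDR unique pointer with `referent_id == 0` no length triple or data follows, so a null server name would desynchronise the parser unless those fields are guarded with something like `&if(referent_id != 0)`. `ATSVC_JobID(unicode: bool)` never uses `unicode`. A header comment naming this as the NetrJobAdd (remote scheduled-task creation) parser would help readers, and the parsed `command` is the value defenders will want surfaced to script-land in a follow-up.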


@ -29,6 +29,8 @@ bro_plugin_bif(
smb2_com_close.bif smb2_com_close.bif
smb2_com_create.bif smb2_com_create.bif
smb2_com_ioctl.bif
smb2_com_lock.bif
smb2_com_negotiate.bif smb2_com_negotiate.bif
smb2_com_read.bif smb2_com_read.bif
smb2_com_session_setup.bif smb2_com_session_setup.bif
@ -72,6 +74,8 @@ bro_plugin_pac(
smb2-protocol.pac smb2-protocol.pac
smb2-com-close.pac smb2-com-close.pac
smb2-com-create.pac smb2-com-create.pac
smb2-com-ioctl.pac
smb2-com-lock.pac
smb2-com-negotiate.pac smb2-com-negotiate.pac
smb2-com-read.pac smb2-com-read.pac
smb2-com-session-setup.pac smb2-com-session-setup.pac


@ -33,6 +33,8 @@
#include "smb2_com_close.bif.h" #include "smb2_com_close.bif.h"
#include "smb2_com_create.bif.h" #include "smb2_com_create.bif.h"
#include "smb2_com_ioctl.bif.h"
#include "smb2_com_lock.bif.h"
#include "smb2_com_negotiate.bif.h" #include "smb2_com_negotiate.bif.h"
#include "smb2_com_read.bif.h" #include "smb2_com_read.bif.h"
#include "smb2_com_session_setup.bif.h" #include "smb2_com_session_setup.bif.h"
@ -86,6 +88,8 @@ connection SMB_Conn(bro_analyzer: BroAnalyzer) {
# SMB2 Commands # SMB2 Commands
%include smb2-com-close.pac %include smb2-com-close.pac
%include smb2-com-create.pac %include smb2-com-create.pac
%include smb2-com-ioctl.pac
%include smb2-com-lock.pac
%include smb2-com-negotiate.pac %include smb2-com-negotiate.pac
%include smb2-com-read.pac %include smb2-com-read.pac
%include smb2-com-session-setup.pac %include smb2-com-session-setup.pac


@ -0,0 +1,45 @@
refine connection SMB_Conn += {
};
type SMB2_ioctl_request(header: SMB2_Header) = record {
structure_size : uint16;
reserved : uint16;
ctl_code : uint32;
file_id : SMB2_guid;
input_offset : uint32;
input_count : uint32;
max_input_resp : uint32;
output_offset : uint32;
output_count : uint32;
max_output_resp : uint32;
flags : uint32;
reserved2 : uint32;
pad1 : bytestring &transient &length=((input_offset == 0) ? 0 : (offsetof(pad1) + header.head_length - input_offset));
input_buffer : bytestring &length=input_count;
pad2 : bytestring &transient &length=((output_offset == 0 || output_offset == input_offset) ? 0 : (offsetof(pad2) + header.head_length - output_offset));
output_buffer : bytestring &length=output_count;
} &let {
is_pipe: bool = ((ctl_code >> 16) == 0x11);
pipe_proc : bool = $context.connection.forward_dce_rpc(input_buffer, true) &if(is_pipe);
};
type SMB2_ioctl_response(header: SMB2_Header) = record {
structure_size : uint16;
reserved : uint16;
ctl_code : uint32;
file_id : SMB2_guid;
input_offset : uint32;
input_count : uint32;
output_offset : uint32;
output_count : uint32;
flags : uint32;
reserved2 : uint32;
pad1 : bytestring &transient &length=((input_offset == 0) ? 0 : (offsetof(pad1) + header.head_length - input_offset));
input_buffer : bytestring &length=input_count;
pad2 : bytestring &transient &length=((output_offset == 0 || output_offset == input_offset) ? 0 : (offsetof(pad2) + header.head_length - output_offset));
output_buffer : bytestring &length=output_count;
} &let {
is_pipe: bool = ((ctl_code >> 16) == 0x11);
pipe_proc : bool = $context.connection.forward_dce_rpc(output_buffer, false) &if(is_pipe);
};
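Review bot: The `is_pipe` test on `(ctl_code >> 16) == 0x11` in both `&let` blocks deserves a comment, since the constant is the device-type field of the FSCTL code: `# Upper 16 bits of ctl_code are the device type; 0x11 is FILE_DEVICE_NAMED_PIPE, so the buffers carry named-pipe (DCE/RPC) traffic.` The `pad1`/`pad2` lengths are derived from the wire-supplied `input_offset`/`output_offset` with no lower bound, so an offset smaller than `offsetof(pad1) + header.head_length` makes the length expression negative; whether this binpac version rejects that or wraps it to a large unsigned length should be confirmed, and a guard such as `&check(input_offset == 0 || input_offset >= offsetof(pad1) + header.head_length)` is cheap where `&check` is implemented. The `refine connection SMB_Conn += { };` at the top of this file, and the identical one at the top of smb2-com-lock.pac, is empty and can be dropped until something is added. These types are moved verbatim from smb2-protocol.pac, so the points apply equally to the copy this commit deletes.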


@ -0,0 +1,23 @@
refine connection SMB_Conn += {
};
type SMB2_lock = record {
offset : uint64;
len : uint64;
flags : uint32;
};
type SMB2_lock_request(header: SMB2_Header) = record {
structure_size : uint16;
lock_count : uint16;
lock_seq : uint32;
file_id : SMB2_guid;
locks : SMB2_lock[lock_count];
};
type SMB2_lock_response(header: SMB2_Header) = record {
structure_size : uint16;
reserved : uint16; # ignore
};
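Review bot: `SMB2_lock_request` and `SMB2_lock_response` take `header: SMB2_Header` but never read it, so the parameter is unused in this file; either drop it or note with a one-line comment that a follow-up event handler will need it. The `flags` field of `SMB2_lock` would read better with `# SMB2_LOCKFLAG_* bit field, see MS-SMB2 2.2.26.1`, and the bare `# ignore` on `reserved` is clearer as `# Reserved; the receiver must ignore it per MS-SMB2`.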


@ -216,11 +216,6 @@ type SMB2_guid = record {
_volatile : uint64; _volatile : uint64;
}; };
type SMB2_lock = record {
offset : uint64;
len : uint64;
flags : uint32;
};
type SMB2_File_Notify_Information = record { type SMB2_File_Notify_Information = record {
next_entry_offset : uint32; next_entry_offset : uint32;
@ -280,61 +275,6 @@ type SMB2_flush_response(header: SMB2_Header) = record {
reserved1 : uint16; reserved1 : uint16;
}; };
type SMB2_lock_request(header: SMB2_Header) = record {
structure_size : uint16;
lock_count : uint16;
lock_seq : uint32;
file_id : SMB2_guid;
locks : SMB2_lock[lock_count];
};
type SMB2_lock_response(header: SMB2_Header) = record {
structure_size : uint16;
reserved : uint16; # ignore
};
type SMB2_ioctl_request(header: SMB2_Header) = record {
structure_size : uint16;
reserved : uint16;
ctl_code : uint32;
file_id : SMB2_guid;
input_offset : uint32;
input_count : uint32;
max_input_resp : uint32;
output_offset : uint32;
output_count : uint32;
max_output_resp : uint32;
flags : uint32;
reserved2 : uint32;
pad1 : bytestring &transient &length=((input_offset == 0) ? 0 : (offsetof(pad1) + header.head_length - input_offset));
input_buffer : bytestring &length=input_count;
pad2 : bytestring &transient &length=((output_offset == 0 || output_offset == input_offset) ? 0 : (offsetof(pad2) + header.head_length - output_offset));
output_buffer : bytestring &length=output_count;
} &let {
is_pipe: bool = ((ctl_code >> 16) == 0x11);
pipe_proc : bool = $context.connection.forward_dce_rpc(input_buffer, true) &if(is_pipe);
};
type SMB2_ioctl_response(header: SMB2_Header) = record {
structure_size : uint16;
reserved : uint16;
ctl_code : uint32;
file_id : SMB2_guid;
input_offset : uint32;
input_count : uint32;
output_offset : uint32;
output_count : uint32;
flags : uint32;
reserved2 : uint32;
pad1 : bytestring &transient &length=((input_offset == 0) ? 0 : (offsetof(pad1) + header.head_length - input_offset));
input_buffer : bytestring &length=input_count;
pad2 : bytestring &transient &length=((output_offset == 0 || output_offset == input_offset) ? 0 : (offsetof(pad2) + header.head_length - output_offset));
output_buffer : bytestring &length=output_count;
} &let {
is_pipe: bool = ((ctl_code >> 16) == 0x11);
pipe_proc : bool = $context.connection.forward_dce_rpc(output_buffer, false) &if(is_pipe);
};
type SMB2_cancel_request(header: SMB2_Header) = record { type SMB2_cancel_request(header: SMB2_Header) = record {
structure_size : uint16; structure_size : uint16;
reserved : uint16; reserved : uint16;