Commit graph

9 commits

Author SHA1 Message Date
Arne Welzel
3ac877e20d scripts/smb2-main: Reset script-level state upon smb2_discarded_messages_state()
This is similar to what the external corelight/zeek-smb-clear-state script
does, but leverages the smb2_discarded_messages_state() event instead of
regularly checking on the state of SMB connections.

The pcap was created using the dperson/samba container image and mounting
a share with Linux's CIFS filesystem, then copying the content of a
directory with 100 files. The test uses a BPF filter to imitate mostly
"half-duplex" traffic.
2023-05-03 11:22:01 +02:00
Arne Welzel
8698a00f03 smb: Drop references to uid_map in state.
This isn't ever written to and probably was meant to be removed during
the following commit: 5b5589e167
2022-11-23 18:19:53 +01:00
Josh Soref
21e0d777b3 Spelling fixes: scripts
* accessing
* across
* adding
* additional
* addresses
* afterwards
* analyzer
* ancillary
* answer
* associated
* attempts
* because
* belonging
* buffer
* cleanup
* committed
* connects
* database
* destination
* destroy
* distinguished
* encoded
* entries
* entry
* hopefully
* image
* include
* incorrect
* information
* initial
* initiate
* interval
* into
* java
* negotiation
* nodes
* nonexistent
* ntlm
* occasional
* omitted
* otherwise
* ourselves
* paragraphs
* particular
* perform
* received
* receiver
* referring
* release
* repetitions
* request
* responded
* retrieval
* running
* search
* separate
* separator
* should
* synchronization
* target
* that
* the
* threshold
* timeout
* transaction
* transferred
* transmission
* triggered
* vetoes
* virtual

Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>
2022-11-02 17:36:39 -04:00
Arne Welzel
3dae8ab086 smb2: Raise smb2_file_delete for CREATE with FILE_DELETE_ON_CLOSE
When a CREATE request contains the FILE_DELETE_ON_CLOSE option and
the subsequent CREATE response indicates success, we now raise the
smb2_file_delete event to log a delete action in smb_files.log and
also give users a way to handle this scenario.

The provided pcap was generated locally by recording a smbtorture run
of the smb2.delete-on-close-perms test case.

Placed the create_options into the CmdInfo record for potential
exposure in smb_cmd.log (wasn't sure how that would look so left it
for the future).

Fixes #2276.
2022-07-16 17:14:13 +02:00
Tim Wojtulewicz
a6378531db Remove trailing whitespace from script files 2021-10-20 09:57:09 -07:00
Seth Hall
db7aba0835 ts fields in SMB logs now default to network_time()
This avoids a problem identified by amanbansal2709 in pull
request #1288. I fixed it in a different way than that pull request
by making sure the ts field is always set so that this isssue doesn't
return in the future.
2021-03-10 13:52:44 +00:00
Vern Paxson
4f2b138e72 removing unused assignments from base scripts 2021-02-06 10:59:37 -08:00
M.Shirk
9cd914b5cf Duplicate smb2_negotiate_response events defined. 2020-03-16 11:47:39 -04:00
Daniel Thayer
18bd74454b Rename all scripts to have ".zeek" file extension 2019-04-11 21:12:40 -05:00
Renamed from scripts/base/protocols/smb/smb2-main.bro (Browse further)