Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-06 16:48:19 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 2
6872 commits 387 branches 195 tags 259 MiB
Commit graph

32 commits

Author SHA1 Message Date
Seth Hall
520ac8d92c Merge remote-tracking branch 'origin/master' into topic/seth/smb 
# Conflicts:
#	scripts/base/protocols/dce-rpc/main.bro
#	scripts/base/protocols/ntlm/main.bro
#	scripts/policy/protocols/smb/smb1-main.bro
#	src/analyzer/protocol/smb/smb-common.pac
#	src/analyzer/protocol/smb/smb-strings.pac
#	src/analyzer/protocol/smb/smb1-com-locking-andx.pac
#	src/analyzer/protocol/smb/smb1-com-logoff-andx.pac
#	src/analyzer/protocol/smb/smb1-com-nt-create-andx.pac
#	src/analyzer/protocol/smb/smb1-com-open-andx.pac
#	src/analyzer/protocol/smb/smb1-com-read-andx.pac
#	src/analyzer/protocol/smb/smb1-com-session-setup-andx.pac
#	src/analyzer/protocol/smb/smb1-com-transaction-secondary.pac
#	src/analyzer/protocol/smb/smb1-com-transaction.pac
#	src/analyzer/protocol/smb/smb1-com-tree-connect-andx.pac
#	src/analyzer/protocol/smb/smb1-com-write-andx.pac
#	src/analyzer/protocol/smb/smb1-protocol.pac
 2016-08-08 15:46:49 -04:00
Robin Sommer
2a854acd2b Revert "Merge branch 'topic/seth/smb'" 
This reverts commit 9d9c7bafd3, reversing
changes made to eeb8c0cbb0.

The SMB analyzer wasn't ready yet.
 2016-08-05 15:04:49 -07:00
Seth Hall
cfe3bddd75 Fixing SMB tests again. 2016-06-28 11:03:16 -04:00
Seth Hall
91161f790c SMB test clean up and docs 2016-06-28 10:30:41 -04:00
Seth Hall
134d0922d5 Move the SMB analyzer out of the default load. 
This also adds a note in the local.bro script about enabling
the SMB analyzer.
 2016-06-14 15:34:00 -04:00
Seth Hall
68d0f697eb Move some of the last DCE_RPC scripts out of SMB scripts. 2016-04-03 15:48:47 -04:00
Seth Hall
143eee5d8d Removed SMB Auth stuff and changed "DISK" to be the default share type. 
- SMB auth information is now present in the ntlm.log.
 - Still need a heuristic to switch this to PIPE or other
   for non-DISK mounts.
 2016-04-03 15:46:02 -04:00
Seth Hall
5b5589e167 Complete breakout of SMB, GSSAPI, and NTLM 
- Looser coupling between these analyzers.
 - New ntlm.log (still pretty early)
 - Improved string handling for NTLM (convert UTF16 to UTF8)
 - SMB2 analyzer now supports GSSAPI.
 - Improved abstraction of DCE_RPC operations (still not finished)
 - Lots of whitespace cleanup.
 2016-04-03 04:17:20 -04:00
Seth Hall
e70a528ad6 Removing some left over debugging prints. 2016-04-01 09:48:46 -04:00
Seth Hall
e2dfaf8a5b Fixes to SMB file handling and logging. 
There were some cases where the log would be missing a field
or data wouldn't get sent to file analysis.  At least some of
this is fixed now and I get confused a bit less when I look
at the logs now.

Also, I made the default handling "FILE" so that things like
FILE_UNKNOWN wouldn't show up in the logs so regularly.  It's
technically correct that way, but it doesn't look good and it's
correct as FILE often enough that it make sense to make it the
default I think.
 2016-04-01 09:43:13 -04:00
Seth Hall
d249b76390 Added uid and conn_id to smb_auth log. 
Thanks for Mike Reeves and Aaron Eppert for noticing.
 2016-03-26 22:15:23 -04:00
Seth Hall
9c6402bd91 More smb_files.log improvements. 
- Actually get the path into the smb_files.log now.
 - When a share root is having the "create" message used on it,
   instead of giving a null file name, now give a special
   indicator of "<share_root>".
 - Update test baselines.
 2016-03-09 04:49:48 -05:00
Seth Hall
90559a3372 Disabled the attempt at support for the SMB2 SetInfo message. 
It was causing reporter warnings and was so wildly incomplete
that it provided no benefit.
 2016-03-08 11:28:32 -05:00
Seth Hall
c63ad1cdcf Add a signature for SMB 2016-03-07 16:03:31 -05:00
Seth Hall
c8818da09a Fix a bug that resulted in recursion in the type system. 
- There is a bit of other minor reorganization cleanup here too.
 2016-03-07 13:50:12 -05:00
Seth Hall
ca58dc84d5 Create an smb_auth.log. 
- Brings the SMB NTLM support all the way to a log.
 - Only support SMB1 right now.
 - A bit more clean up of logged file actions and code organization.
 2016-03-07 11:17:51 -05:00
Seth Hall
462316acdf Prevent some extra smb logging of cmd messages. 2016-03-03 16:33:29 -05:00
Seth Hall
b9afc01d91 Fixed a problem with file names and path names containing nulls. 
This would come up when a string is UTF-16 containing characters
outside of straight ASCII.  The file analysis framework uses
CheckString to create file IDs which can't cope with the NULL bytes.
 2016-03-03 15:52:34 -05:00
Seth Hall
e02c612742 Fix some SMB1 "field missing" expression errors. 2016-03-03 15:31:26 -05:00
Seth Hall
d453dc149c A lot of changes to SMB analyzer. 
- Add beginning of infrastructure for pipe support in SMB2.
 - Improve identification of non-file tree mappings.
 - Stop passing pipe data to the file analysis framework.
 - Reduce log volume in smb_files.log by watching for repeated
   files being seen so that you don't end up with nearly
   the exact same log line over and over and over.
 - Lots of little whitespace and indentation changes.
 2016-03-03 14:27:15 -05:00
Seth Hall
41e2eaa02d Source clean up and some fixes for SMB. 
- Remove the separate string handling for NTLM.
 - Fixed a crash in RPC Bind handling when no context
   elements are included.
 2016-03-01 14:16:45 -05:00
Seth Hall
2e2fb6831f Merge remote-tracking branch 'origin/topic/vladg/smb' into topic/seth/smb 
# Conflicts:
#	scripts/base/protocols/smb/files.bro
#	scripts/base/protocols/smb/main.bro
#	scripts/base/protocols/smb/smb1-main.bro
#	scripts/base/protocols/smb/smb2-main.bro
 2016-03-01 11:11:50 -05:00
Seth Hall
dbb5992f43 Disable the smb_cmd.log by default. 2016-02-19 00:23:05 -05:00
Vlad Grigorescu
9a73033b19 Redo DCE/RPC code. 2014-10-09 21:06:38 -04:00
Vlad Grigorescu
c4eb7e2377 Add support for TRANSACTION subcommands. 2014-10-08 18:01:55 -04:00
Vlad Grigorescu
10db1b552d Add username tracking 2014-10-08 17:23:20 -04:00
Vlad Grigorescu
f38a580c8c Add support for transaction2 Find_First2. 2014-10-08 16:29:51 -04:00
Vlad Grigorescu
261f6e8c45 Fix a segfault, and add script-level support for some more commands. 2014-10-08 12:06:33 -04:00
Vlad Grigorescu
0d615b0319 Add more SMB subcommands and arguments. Log SMB1 error messages too. 2014-10-07 17:32:01 -04:00
Vlad Grigorescu
a6de23aaa3 Refine transaction2 support, rewrite SMB scripts. 2014-10-07 16:31:02 -04:00
Seth Hall
e4ca588127 Does the initial effort to add the SMB2 SetInfo command and better handle file lengths. 2014-09-27 03:11:01 -04:00
Vlad Grigorescu
6a34de5dd8 SMB & NTLM analyzers. 2014-07-24 21:46:38 -04:00