mirror of
https://github.com/zeek/zeek.git
synced 2025-10-02 06:38:20 +00:00
4f3fe047f4
SMB error handling improved. The analyzer isn't destroyed when a problem is encoutered anymore. The flowbuffer in the parser is now flushed and the analyzer is set to resync against an SMB command. This was needed because there is some state about open files that is kept within the parser itself which was being destroyed and that was causing analysis after content gaps or parse errors to be faulty. The new mechanism doesn't detroy the parser so parsing after gaps is improved. DCE_RPC handling in SMB is improved in the edge case where a drive mapping isn't seen. There is a new const named SMB::pipe_filenames which is used as a heuristic for identifying "files" opened on named pipe shares. If the share mapping type isn't known and a filename in this set is found, the share type will change to "PIPE" by generating an event named "smb_pipe_connect_heuristic". Reads and writes to that file will be sent to the DCE_RPC analyzer instead of to the files framework. The concept of "unknown" share types has been removed due to the new heuristic detection of share types. Some general clean up of how the SMB cmd log is written and when. |
||
|---|---|---|
| .. | ||
| conn | ||
| dce-rpc | ||
| dhcp | ||
| dnp3 | ||
| dns | ||
| ftp | ||
| http | ||
| imap | ||
| irc | ||
| krb | ||
| modbus | ||
| mysql | ||
| ntlm | ||
| pop3 | ||
| radius | ||
| rdp | ||
| rfb | ||
| sip | ||
| smb | ||
| smtp | ||
| snmp | ||
| socks | ||
| ssh | ||
| ssl | ||
| syslog | ||
| tunnels | ||
| xmpp | ||