(formerly Bro) is a flexible network analysis framework focusing on network security monitoring. Feature release.
| smb2-protocol.pac (zeek-3.2.2) | : | smb2-protocol.pac (zeek-3.2.4) |
|---|
| | |
| skipping to change at line 165 | | skipping to change at line 165 |
|---|
| }; | | }; |
| | |
| enum smb2_share_types { | | enum smb2_share_types { |
| SMB2_SHARE_TYPE_DISK = 0x01, | | SMB2_SHARE_TYPE_DISK = 0x01, |
| SMB2_SHARE_TYPE_PIPE = 0x02, | | SMB2_SHARE_TYPE_PIPE = 0x02, |
| SMB2_SHARE_TYPE_PRINT = 0x03, | | SMB2_SHARE_TYPE_PRINT = 0x03, |
| }; | | }; |
| | |
| type SMB2_PDU(is_orig: bool) = record { | | type SMB2_PDU(is_orig: bool) = record { |
| header : SMB2_Header(is_orig); | | header : SMB2_Header(is_orig); |
|
| message : case header.status of { | | message : case $context.connection.is_error_response(header, is_orig) |
| # Status 0 indicates success. In the case of a | | of { |
| # request this should just happen to work out due to | | true -> err : SMB2_error_response(header); |
| # how the fields are set. | | false -> msg : SMB2_Message(header, is_orig); |
| 0 -> msg : SMB | | |
| 2_Message(header, is_orig); | | |
| STATUS_BUFFER_OVERFLOW -> buffer_overflow : SMB | | |
| 2_Message(header, is_orig); | | |
| STATUS_MORE_PROCESSING_REQUIRED -> more_processing_required : SMB | | |
| 2_Message(header, is_orig); | | |
| default -> err : SMB | | |
| 2_error_response(header); | | |
| }; | | }; |
| }; | | }; |
| | |
| type SMB2_Message(header: SMB2_Header, is_orig: bool) = case is_orig of { | | type SMB2_Message(header: SMB2_Header, is_orig: bool) = case is_orig of { |
| true -> request : SMB2_Message_Request(header); | | true -> request : SMB2_Message_Request(header); |
| false -> response : SMB2_Message_Response(header); | | false -> response : SMB2_Message_Response(header); |
| } &byteorder = littleendian; | | } &byteorder = littleendian; |
| | |
| type SMB2_Message_Request(header: SMB2_Header) = case header.command of { | | type SMB2_Message_Request(header: SMB2_Header) = case header.command of { |
| SMB2_NEGOTIATE_PROTOCOL -> negotiate_protocol : SMB2_negotiate_request(h
eader); | | SMB2_NEGOTIATE_PROTOCOL -> negotiate_protocol : SMB2_negotiate_request(h
eader); |
| | |
| skipping to change at line 269 | | skipping to change at line 264 |
|---|
| function get_request_tree_id(message_id: uint64): uint64 | | function get_request_tree_id(message_id: uint64): uint64 |
| %{ | | %{ |
| // This is stored at the request and used at the reply. | | // This is stored at the request and used at the reply. |
| auto it = smb2_request_tree_id.find(message_id); | | auto it = smb2_request_tree_id.find(message_id); |
| | |
| if ( it == smb2_request_tree_id.end() ) | | if ( it == smb2_request_tree_id.end() ) |
| return 0; | | return 0; |
| | |
| return it->second; | | return it->second; |
| %} | | %} |
|
| | |
| | function is_error_response(header: SMB2_Header, is_orig: bool): bool |
| | %{ |
| | // In an request, we ignore this field. Relevant documentation is |
| | // at [MS-SMB2] 2.2.1.1 SMB2 Packet Header |
| | |
| | // For SMB 3.x, it's the ChannelSequence field, followed by |
| | // the reserved field. In older dialects, the client MUST set |
| | // it to 0, and the server MUST ignore it. |
| | |
| | // I don't believe that we care about the ChannelSequence, |
| | // since that seems inconsequential to our parsing. |
| | |
| | if ( is_orig ) |
| | return false; |
| | |
| | // In a response, this is parsed as the status of the request. |
| | |
| | // Non-zero USUALLY means an error, except for the specific cases |
| | detailed in |
| | // [MS-SMB2] 3.3.4.4 Sending an Error Response |
| | |
| | auto status = static_cast<SMB_Status>(${header.status}); |
| | |
| | switch (status ) { |
| | case 0: |
| | // No error. |
| | return false; |
| | case STATUS_BUFFER_OVERFLOW: |
| | // SMB2_IOCTL is a bit loose, as it's only acceptable if |
| | the IOCTL |
| | // CtlCode is {FSCTL_PIPE_TRANSCEIVE, FSCTL_PIPE_PEEK, or |
| | // FSCTL_DFS_GETREFERRALS}, but we haven't parsed that ye |
| | t. |
| | return ( ${header.command} != SMB2_IOCTL && |
| | ${header.command} != SMB2_QUERY_INFO && |
| | ${header.command} != SMB2_READ ); |
| | case STATUS_INVALID_PARAMETER: |
| | // This is a bit loose, as it's only acceptable if the IO |
| | CTL |
| | // CtlCode is {FSCTL_SRV_COPYCHUNK or |
| | // FSCTL_SRV_COPYCHUNK_WRITE}, but we haven't parsed that |
| | yet. |
| | return ${header.command} != SMB2_IOCTL; |
| | case STATUS_MORE_PROCESSING_REQUIRED: |
| | // Return true (is_error) if it does NOT match this comma |
| | nd |
| | return ${header.command} != SMB2_SESSION_SETUP; |
| | case STATUS_NOTIFY_ENUM_DIR: |
| | return ${header.command} != SMB2_CHANGE_NOTIFY; |
| | default: |
| | return true; |
| | } |
| | %} |
| }; | | }; |
| | |
| type SMB2_file_attributes = record { | | type SMB2_file_attributes = record { |
| flags : uint32; | | flags : uint32; |
| } &let { | | } &let { |
| read_only : bool = ( flags & 0x00000001 ) > 0; | | read_only : bool = ( flags & 0x00000001 ) > 0; |
| hidden : bool = ( flags & 0x00000002 ) > 0; | | hidden : bool = ( flags & 0x00000002 ) > 0; |
| system : bool = ( flags & 0x00000004 ) > 0; | | system : bool = ( flags & 0x00000004 ) > 0; |
| directory : bool = ( flags & 0x00000010 ) > 0; | | directory : bool = ( flags & 0x00000010 ) > 0; |
| archive : bool = ( flags & 0x00000020 ) > 0; | | archive : bool = ( flags & 0x00000020 ) > 0; |
| | | |
| End of changes. 2 change blocks. |
|---|
| 12 lines changed or deleted | | 58 lines changed or added |
|---|
"Fossies" - the Fresh Open Source Software Archive 