policy/protocols/smb/main.bro

SMB
Namespace:SMB
Imports:base/protocols/smb
Source File:/scripts/policy/protocols/smb/main.bro

Summary

Options

SMB::ignored_command_statuses: set &redef The server response statuses which are not logged.
SMB::logged_file_actions: set &redef The file actions which are logged.
SMB::write_cmd_log: bool &redef Optionally write out the SMB commands log.

Constants

SMB::deferred_logging_cmds: set Internal use only.

Types

SMB::Action: enum Abstracted actions for SMB file actions.
SMB::CmdInfo: record This record is for the smb_cmd.log.
SMB::FileInfo: record This record is for the smb_files.log.
SMB::State: record This record stores the SMB state of in-flight commands and the file and tree maps of the connection.
SMB::TreeInfo: record This record is for the smb_mapping.log.

Redefinitions

Log::ID: enum
SMB::FileInfo: record
connection: record Everything below here is used internally in the SMB scripts.
likely_server_ports: set &redef

Functions

SMB::set_current_file: function &redef This is an internally used function.
SMB::write_file_log: function &redef This is an internally used function.

Detailed Interface

Options

SMB::ignored_command_statuses
Type: set[string]
Attributes: &redef
Default:
{
   "MORE_PROCESSING_REQUIRED"
}

The server response statuses which are not logged.

SMB::logged_file_actions
Type: set[SMB::Action]
Attributes: &redef
Default:
{
   SMB::PRINT_CLOSE,
   SMB::FILE_DELETE,
   SMB::PRINT_OPEN,
   SMB::FILE_RENAME,
   SMB::FILE_OPEN
}

The file actions which are logged.

SMB::write_cmd_log
Type: bool
Attributes: &redef
Default: F

Optionally write out the SMB commands log. This is primarily useful for debugging, so it is disabled by default.

Constants

SMB::deferred_logging_cmds
Type: set[string]
Default:
{
   "READ_ANDX",
   "SESSION_SETUP_ANDX",
   "TREE_CONNECT_ANDX",
   "NEGOTIATE"
}

Internal use only. Some commands shouldn’t be logged by the smb1_message event.

Types

SMB::Action
Type:

enum

SMB::FILE_READ
SMB::FILE_WRITE
SMB::FILE_OPEN
SMB::FILE_CLOSE
SMB::FILE_DELETE
SMB::FILE_RENAME
SMB::PIPE_READ
SMB::PIPE_WRITE
SMB::PIPE_OPEN
SMB::PIPE_CLOSE
SMB::PRINT_READ
SMB::PRINT_WRITE
SMB::PRINT_OPEN
SMB::PRINT_CLOSE

Abstracted actions for SMB file actions.

SMB::CmdInfo
Type:

record

ts: time &log

Timestamp of the command request.

uid: string &log

Unique ID of the connection the request was sent over.

id: conn_id &log

ID of the connection the request was sent over.

command: string &log

The command sent by the client.

sub_command: string &log &optional

The subcommand sent by the client, if present.

argument: string &log &optional

Command argument sent by the client, if any.

status: string &log &optional

Server reply to the client’s command.

rtt: interval &log &optional

Round trip time from the request to the response.

version: string &log

Version of SMB for the command.

username: string &log &optional

Authenticated username, if available.

tree: string &log &optional

If this is related to a tree, this is the tree that was used for the current command.

tree_service: string &log &optional

The type of tree (disk share, printer share, named pipe, etc.).

referenced_file: SMB::FileInfo &log &optional

If the command referenced a file, store it here.

referenced_tree: SMB::TreeInfo &optional

If the command referenced a tree, store it here.

smb1_offered_dialects: string_vec &optional

(present if policy/protocols/smb/smb1-main.bro is loaded)

Dialects offered by the client.

smb2_offered_dialects: index_vec &optional

(present if policy/protocols/smb/smb2-main.bro is loaded)

Dialects offered by the client.

This record is for the smb_cmd.log.

SMB::FileInfo
Type:

record

ts: time &log

Time when the file was first discovered.

uid: string &log

Unique ID of the connection the file was sent over.

id: conn_id &log

ID of the connection the file was sent over.

fuid: string &log &optional

Unique ID of the file.

action: SMB::Action &log &optional

Action this log record represents.

path: string &log &optional

Path pulled from the tree this file was transferred to or from.

name: string &log &optional

Filename if one was seen.

size: count &log &default = 0 &optional

Total size of the file.

prev_name: string &log &optional

If the rename action was seen, this will be the file’s previous name.

times: SMB::MACTimes &log &optional

Last time this file was modified.

fid: count &optional

ID referencing this file.

uuid: string &optional

UUID referencing this file if DCE/RPC.

This record is for the smb_files.log.
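Putting the options above and the FileInfo fields to use: an added example (not code from the Bro project) of a local.bro fragment that turns on read/write file logging, enables smb_cmd.log, and adds a log filter that routes executable writes to shares into their own log. SMB::FILES_LOG is assumed to be the Log::ID value this script registers for smb_files.log; that name is not listed on this page.

```bro
# Added example, not part of the Bro distribution. Assumes SMB::FILES_LOG is the
# Log::ID for smb_files.log; all other names come from the reference above.
@load policy/protocols/smb

# By default only open, delete, rename and print actions reach smb_files.log.
# Add reads and writes so bulk copies to and from shares become visible.
redef SMB::logged_file_actions += { SMB::FILE_READ, SMB::FILE_WRITE };

# smb_cmd.log is off by default; enable it while investigating. The default
# SMB::ignored_command_statuses keeps MORE_PROCESSING_REQUIRED suppressed, so
# multi-round SESSION_SETUP exchanges do not flood the log.
redef SMB::write_cmd_log = T;

# Extra filter: writes of executable content get their own smb_files_exec log.
# The stock smb_files.log is still written by the default filter.
event bro_init()
	{
	local exec_writes: Log::Filter = [
		$name="smb-exec-writes",
		$path="smb_files_exec",
		$pred(rec: SMB::FileInfo) =
			{
			# action and name are &optional, so test presence before use.
			if ( ! rec?$action || rec$action != SMB::FILE_WRITE )
				return F;
			if ( ! rec?$name )
				return F;
			return /\.(exe|dll|ps1|bat|scr)$/ in to_lower(rec$name);
			}
		];
	Log::add_filter(SMB::FILES_LOG, exec_writes);
	}
```

Without the first redef the filter never fires, since FILE_WRITE records are not generated for smb_files.log by default.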

SMB::State
Type:

record

current_cmd: SMB::CmdInfo &optional

A reference to the current command.

current_file: SMB::FileInfo &optional

A reference to the current file.

current_tree: SMB::TreeInfo &optional

A reference to the current tree.

pending_cmds: table [count] of SMB::CmdInfo &optional

Indexed on MID to map responses to requests.

fid_map: table [count] of SMB::FileInfo &optional

File map to retrieve file information based on the file ID.

tid_map: table [count] of SMB::TreeInfo &optional

Tree map to retrieve tree information based on the tree ID.

uid_map: table [count] of string &optional

User map to retrieve user name based on the user ID.

pipe_map: table [count] of string &optional

Pipe map to retrieve UUID based on the file ID of a pipe.

recent_files: set [string] &default = {  } &optional &read_expire = 3.0 mins

A set of recent files to avoid logging the same files over and over in the smb files log. This only applies to files seen in a single connection.

This record stores the SMB state of in-flight commands and the file and tree maps of the connection.

SMB::TreeInfo
Type:

record

ts: time &log &optional

Time when the tree was mapped.

uid: string &log

Unique ID of the connection the tree was mapped over.

id: conn_id &log

ID of the connection the tree was mapped over.

path: string &log &optional

Name of the tree path.

service: string &log &optional

The type of resource of the tree (disk share, printer share, named pipe, etc.).

native_file_system: string &log &optional

File system of the tree.

share_type: string &log &default = "DISK" &optional

If this is SMB2, a share type will be included. For SMB1, the type of share will be deduced and included as well.

This record is for the smb_mapping.log.

Functions

SMB::set_current_file
Type: function(smb_state: SMB::State, file_id: count): void
Attributes: &redef

This is an internally used function.

SMB::write_file_log
Type: function(state: SMB::State): void
Attributes: &redef

This is an internally used function.

Copyright 2016, The Bro Project. Last updated on December 08, 2017. Created using Sphinx 1.5.2.