base/protocols/smb/main.zeek

SMB
Namespace

SMB

Imports

base/protocols/smb/const-dos-error.zeek, base/protocols/smb/const-nt-status.zeek, base/protocols/smb/consts.zeek

Summary

Runtime Options

SMB::enable_clear_script_state: bool &redef

Whether to reset a connection’s SMB script state whenever a smb2_discarded_messages_state event is raised.

SMB::logged_file_actions: set &redef

The file actions which are logged.

Types

SMB::Action: enum

Abstracted actions that summarize SMB file, pipe and print operations.

SMB::CmdInfo: record

This record is for the smb_cmd.log.

SMB::FileInfo: record

This record is for the smb_files.log.

SMB::State: record

This record stores the SMB state of in-flight commands and the file and tree maps of the connection.

SMB::TreeInfo: record

This record is for the smb_mapping.log.

Redefinitions

Log::ID: enum

SMB::FileInfo: record

New Fields

SMB::FileInfo

fid: count &optional

ID referencing this file.

uuid: string &optional

UUID referencing this file if DCE/RPC.

connection: record

Everything below here is used internally in the SMB scripts.

New Fields

connection

smb_state: SMB::State &optional

likely_server_ports: set &redef

Hooks

SMB::log_policy_files: Log::PolicyHook

SMB::log_policy_mapping: Log::PolicyHook

Functions

SMB::set_current_file: function &redef

This is an internally used function.

SMB::write_file_log: function &redef

This is an internally used function.

Detailed Interface

Runtime Options

SMB::enable_clear_script_state
Type

bool

Attributes

&redef

Default

T

Whether to reset a connection’s SMB script state whenever a smb2_discarded_messages_state event is raised.

This setting protects from unbounded script state growth in environments with high capture loss or traffic anomalies.

SMB::logged_file_actions
Type

set [SMB::Action]

Attributes

&redef

Default
{
   SMB::PRINT_CLOSE,
   SMB::FILE_DELETE,
   SMB::FILE_OPEN,
   SMB::FILE_RENAME,
   SMB::PRINT_OPEN
}

The file actions which are logged.

Types

SMB::Action
Type

enum

SMB::FILE_READ
SMB::FILE_WRITE
SMB::FILE_OPEN
SMB::FILE_CLOSE
SMB::FILE_DELETE
SMB::FILE_RENAME
SMB::FILE_SET_ATTRIBUTE
SMB::PIPE_READ
SMB::PIPE_WRITE
SMB::PIPE_OPEN
SMB::PIPE_CLOSE
SMB::PRINT_READ
SMB::PRINT_WRITE
SMB::PRINT_OPEN
SMB::PRINT_CLOSE

Abstracted actions that summarize SMB file, pipe and print operations.

SMB::CmdInfo
Type

record

ts: time &log &default = 0.0 &optional

Timestamp of the command request.

uid: string &log

Unique ID of the connection the request was sent over.

id: conn_id &log

ID of the connection the request was sent over.

command: string &log

The command sent by the client.

sub_command: string &log &optional

The subcommand sent by the client, if present.

argument: string &log &optional

Command argument sent by the client, if any.

status: string &log &optional

Server reply to the client’s command.

rtt: interval &log &optional

Round trip time from the request to the response.

version: string &log

Version of SMB for the command.

username: string &log &optional

Authenticated username, if available.

tree: string &log &optional

If this is related to a tree, this is the tree that was used for the current command.

tree_service: string &log &optional

The type of tree (disk share, printer share, named pipe, etc.).

referenced_file: SMB::FileInfo &log &optional

If the command referenced a file, store it here.

referenced_tree: SMB::TreeInfo &optional

If the command referenced a tree, store it here.

smb1_offered_dialects: string_vec &optional

(present if base/protocols/smb/smb1-main.zeek is loaded)

Dialects offered by the client.

smb2_offered_dialects: index_vec &optional

(present if base/protocols/smb/smb2-main.zeek is loaded)

Dialects offered by the client.

smb2_create_options: count &default = 0 &optional

(present if base/protocols/smb/smb2-main.zeek is loaded)

Keep the create_options in the command for referencing later.

This record is for the smb_cmd.log.

SMB::FileInfo
Type

record

ts: time &log &default = 0.0 &optional

Time when the file was first discovered.

uid: string &log

Unique ID of the connection the file was sent over.

id: conn_id &log

ID of the connection the file was sent over.

fuid: string &log &optional

Unique ID of the file.

action: SMB::Action &log &optional

Action this log record represents.

path: string &log &optional

Path pulled from the tree this file was transferred to or from.

name: string &log &optional

Filename if one was seen.

size: count &log &default = 0 &optional

Total size of the file.

prev_name: string &log &optional

If the rename action was seen, this will be the file’s previous name.

times: SMB::MACTimes &log &optional

Last time this file was modified.

fid: count &optional

ID referencing this file.

uuid: string &optional

UUID referencing this file if DCE/RPC.

This record is for the smb_files.log.

SMB::State
Type

record

current_cmd: SMB::CmdInfo &optional

A reference to the current command.

current_file: SMB::FileInfo &optional

A reference to the current file.

current_tree: SMB::TreeInfo &optional

A reference to the current tree.

pending_cmds: table [count] of SMB::CmdInfo &optional

Indexed on MID to map responses to requests.

fid_map: table [count] of SMB::FileInfo &optional

File map to retrieve file information based on the file ID.

tid_map: table [count] of SMB::TreeInfo &optional

Tree map to retrieve tree information based on the tree ID.

pipe_map: table [count] of string &optional

Pipe map to retrieve UUID based on the file ID of a pipe.

recent_files: set [string] &default = {  } &optional

A set of recent files to avoid logging the same files over and over in the smb files log. This only applies to files seen in a single connection.

This record stores the SMB state of in-flight commands and the file and tree maps of the connection.

SMB::TreeInfo
Type

record

ts: time &log &default = 0.0 &optional

Time when the tree was mapped.

uid: string &log

Unique ID of the connection the tree was mapped over.

id: conn_id &log

ID of the connection the tree was mapped over.

path: string &log &optional

Name of the tree path.

service: string &log &optional

The type of resource of the tree (disk share, printer share, named pipe, etc.).

native_file_system: string &log &optional

File system of the tree.

share_type: string &log &default = "DISK" &optional

If this is SMB2, a share type will be included. For SMB1, the type of share will be deduced and included as well.

This record is for the smb_mapping.log.

Hooks

SMB::log_policy_files
Type

Log::PolicyHook

SMB::log_policy_mapping
Type

Log::PolicyHook
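The following is an added example (not part of the Zeek distribution) showing how a site script uses the `SMB::logged_file_actions` option documented above together with the `SMB::log_policy_files` hook: it adds `SMB::FILE_WRITE` to the logged actions and then uses the policy hook to keep the resulting log volume bounded. The share name in `watched_share_paths` is a constructed placeholder.

```zeek
# Added example: extend smb_files.log with write actions and shape it
# through the Log::PolicyHook exported by base/protocols/smb/main.zeek.
@load base/protocols/smb

# By default only FILE_OPEN, FILE_DELETE, FILE_RENAME, PRINT_OPEN and
# PRINT_CLOSE reach smb_files.log. Add writes so that files written to
# shares are recorded as well.
redef SMB::logged_file_actions += { SMB::FILE_WRITE };

# Shares whose writes we always want to keep. The value below is a
# constructed placeholder; set it to the site's own share paths.
const watched_share_paths: set[string] = { "\\\\fileserver\\finance" } &redef;

# A Log::PolicyHook receives the record, the log stream ID and the filter.
# Calling "break" in the hook body vetoes writing that record.
hook SMB::log_policy_files(rec: SMB::FileInfo, id: Log::ID, filter: Log::Filter)
	{
	# Only writes are subject to the extra filtering below.
	if ( ! rec?$action || rec$action != SMB::FILE_WRITE )
		return;

	# Writes are frequent; keep every write on a watched share, but drop
	# writes elsewhere that carry no filename, since they add little value.
	if ( rec?$path && rec$path in watched_share_paths )
		return;

	if ( ! rec?$name )
		break;
	}
```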

Functions

SMB::set_current_file
Type

function (smb_state: SMB::State, file_id: count) : void

Attributes

&redef

This is an internally used function.

SMB::write_file_log
Type

function (state: SMB::State) : void

Attributes

&redef

This is an internally used function.