base/protocols/smb/main.zeek

- Namespace: SMB
- Imports: base/protocols/smb/const-dos-error.zeek, base/protocols/smb/const-nt-status.zeek, base/protocols/smb/consts.zeek
Summary

Runtime Options
- SMB::enable_clear_script_state: Whether to reset a connection’s SMB script state whenever a smb2_discarded_messages_state event is raised.
- SMB::logged_file_actions: The file actions which are logged.

Types
- SMB::Action: Abstracted actions for SMB file actions.
- SMB::CmdInfo: This record is for the smb_cmd.log.
- SMB::FileInfo: This record is for the smb_files.log.
- SMB::State: This record stores the SMB state of in-flight commands and the file and tree maps of the connection.
- SMB::TreeInfo: This record is for the smb_mapping.log.

Redefinitions
- Everything below here is used internally in the SMB scripts.

Hooks

Functions
- SMB::set_current_file: This is an internally used function.
- SMB::write_file_log: This is an internally used function.
Detailed Interface

Runtime Options
- SMB::enable_clear_script_state
  Whether to reset a connection’s SMB script state whenever a smb2_discarded_messages_state event is raised. This setting protects from unbounded script state growth in environments with high capture loss or traffic anomalies.
- SMB::logged_file_actions
  - Type
  - Attributes
  - Default: { SMB::PRINT_CLOSE, SMB::FILE_DELETE, SMB::FILE_OPEN, SMB::FILE_RENAME, SMB::PRINT_OPEN }
  The file actions which are logged.
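As an added example (not code from the Zeek distribution or from this page), a site policy script that uses the two options documented above: it widens the set of logged file actions, leaves the state-reset protection enabled, and counts how often the analyzer raises smb2_discarded_messages_state so operators can separate capture loss from noisy SMB2 sessions. The module name SiteSMB and the discards table are constructed for this example; the event is assumed to carry (c: connection, state: string).

```zeek
# Added example: site policy built on the SMB options documented above.
# Load it after base/protocols/smb, e.g. from local.zeek.
@load base/protocols/smb

module SiteSMB;

export {
	# Per-connection count of SMB2 state discards (constructed for this
	# example; not part of the SMB scripts). Entries expire so the table
	# itself cannot grow without bound.
	global discards: table[string] of count &default=0 &create_expire=1hr;
}

# Add reads and writes to the default set so they appear in smb_files.log.
# Expect higher log volume on busy file servers.
redef SMB::logged_file_actions += { SMB::FILE_READ, SMB::FILE_WRITE };

# Keep the default: drop a connection's SMB script state whenever the
# analyzer discards SMB2 messages, so capture loss cannot inflate state.
redef SMB::enable_clear_script_state = T;

# Assumed signature: (c: connection, state: string). Record each discard
# and report it; a steady stream from one host usually means capture loss
# on that path rather than an SMB protocol problem.
event smb2_discarded_messages_state(c: connection, state: string)
	{
	++discards[c$uid];
	Reporter::info(fmt("SMB2 script state discarded: uid=%s %s -> %s state=%s count=%d",
	                   c$uid, c$id$orig_h, c$id$resp_h, state, discards[c$uid]));
	}
```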
Types
- SMB::Action
  - Type: enum
    - SMB::FILE_READ
    - SMB::FILE_WRITE
    - SMB::FILE_OPEN
    - SMB::FILE_CLOSE
    - SMB::FILE_DELETE
    - SMB::FILE_RENAME
    - SMB::FILE_SET_ATTRIBUTE
    - SMB::PIPE_READ
    - SMB::PIPE_WRITE
    - SMB::PIPE_OPEN
    - SMB::PIPE_CLOSE
    - SMB::PRINT_READ
    - SMB::PRINT_WRITE
    - SMB::PRINT_OPEN
    - SMB::PRINT_CLOSE
  Abstracted actions for SMB file actions.
- SMB::CmdInfo
  - Type: record
    - ts: time &log &default=0.0 &optional
      Timestamp of the command request.
    - uid: string &log
      Unique ID of the connection the request was sent over.
    - id: conn_id &log
      ID of the connection the request was sent over.
    - command: string &log
      The command sent by the client.
    - sub_command: string &log &optional
      The subcommand sent by the client, if present.
    - argument: string &log &optional
      Command argument sent by the client, if any.
    - status: string &log &optional
      Server reply to the client’s command.
    - rtt: interval &log &optional
      Round trip time from the request to the response.
    - version: string &log
      Version of SMB for the command.
    - username: string &log &optional
      Authenticated username, if available.
    - tree: string &log &optional
      If this is related to a tree, this is the tree that was used for the current command.
    - tree_service: string &log &optional
      The type of tree (disk share, printer share, named pipe, etc.).
    - referenced_file: SMB::FileInfo &log &optional
      If the command referenced a file, store it here.
    - referenced_tree: SMB::TreeInfo &optional
      If the command referenced a tree, store it here.
    - smb1_offered_dialects: string_vec &optional
      (present if base/protocols/smb/smb1-main.zeek is loaded)
      Dialects offered by the client.
    - smb2_offered_dialects: index_vec &optional
      (present if base/protocols/smb/smb2-main.zeek is loaded)
      Dialects offered by the client.
    - smb2_create_options: count &default=0 &optional
      (present if base/protocols/smb/smb2-main.zeek is loaded)
      Keep the create_options in the command for referencing later.
  This record is for the smb_cmd.log.
- SMB::FileInfo
  - Type: record
    - ts: time &log &default=0.0 &optional
      Time when the file was first discovered.
    - uid: string &log
      Unique ID of the connection the file was sent over.
    - id: conn_id &log
      ID of the connection the file was sent over.
    - fuid: string &log &optional
      Unique ID of the file.
    - action: SMB::Action &log &optional
      Action this log record represents.
    - path: string &log &optional
      Path pulled from the tree this file was transferred to or from.
    - name: string &log &optional
      Filename if one was seen.
    - size: count &log &default=0 &optional
      Total size of the file.
    - prev_name: string &log &optional
      If the rename action was seen, this will be the file’s previous name.
    - times: SMB::MACTimes &log &optional
      Last time this file was modified.
    - fid: count &optional
      ID referencing this file.
    - uuid: string &optional
      UUID referencing this file if DCE/RPC.
  This record is for the smb_files.log.
- SMB::State
  - Type: record
    - current_cmd: SMB::CmdInfo &optional
      A reference to the current command.
    - current_file: SMB::FileInfo &optional
      A reference to the current file.
    - current_tree: SMB::TreeInfo &optional
      A reference to the current tree.
    - pending_cmds: table[count] of SMB::CmdInfo &optional
      Indexed on MID to map responses to requests.
    - fid_map: table[count] of SMB::FileInfo &optional
      File map to retrieve file information based on the file ID.
    - tid_map: table[count] of SMB::TreeInfo &optional
      Tree map to retrieve tree information based on the tree ID.
    - pipe_map: table[count] of string &optional
      Pipe map to retrieve the UUID based on the file ID of a pipe.
    - recent_files: set[string] &default={ } &optional
      A set of recent files to avoid logging the same files over and over in the smb_files.log. This only applies to files seen in a single connection.
  This record stores the SMB state of in-flight commands and the file and tree maps of the connection.
- SMB::TreeInfo
  - Type: record
    - ts: time &log &default=0.0 &optional
      Time when the tree was mapped.
    - uid: string &log
      Unique ID of the connection the tree was mapped over.
    - id: conn_id &log
      ID of the connection the tree was mapped over.
    - path: string &log &optional
      Name of the tree path.
    - service: string &log &optional
      The type of resource of the tree (disk share, printer share, named pipe, etc.).
    - native_file_system: string &log &optional
      File system of the tree.
    - share_type: string &log &default="DISK" &optional
      If this is SMB2, a share type will be included. For SMB1, the type of share will be deduced and included as well.
  This record is for the smb_mapping.log.
Hooks

Functions
- SMB::set_current_file
  - Type: function (smb_state: SMB::State, file_id: count) : void
  - Attributes
  This is an internally used function.
- SMB::write_file_log
  - Type: function (state: SMB::State) : void
  - Attributes
  This is an internally used function.