main.zeek¶

SMB¶

Namespace:	SMB
Imports:	base/protocols/smb/const-dos-error.zeek, base/protocols/smb/const-nt-status.zeek, base/protocols/smb/consts.zeek

Summary¶

Runtime Options¶

SMB::logged_file_actions: set &redef The file actions which are logged.

Types¶

`SMB::Action`: `enum`	Abstracted actions for SMB file actions.
`SMB::CmdInfo`: `record`	This record is for the smb_cmd.log
`SMB::FileInfo`: `record`	This record is for the smb_files.log
`SMB::State`: `record`	This record stores the SMB state of in-flight commands, the file and tree map of the connection.
`SMB::TreeInfo`: `record`	This record is for the smb_mapping.log

Redefinitions¶

`Log::ID`: `enum`
`SMB::FileInfo`: `record`
`connection`: `record`	Everything below here is used internally in the SMB scripts.
`likely_server_ports`: `set` `&redef`

Functions¶

`SMB::set_current_file`: `function` `&redef`	This is an internally used function.
`SMB::write_file_log`: `function` `&redef`	This is an internally used function.

Detailed Interface¶

Runtime Options¶

SMB::logged_file_actions¶

Type:	`set` [`SMB::Action`]
Attributes:	`&redef`
Default:	{ SMB::PRINT_CLOSE, SMB::FILE_DELETE, SMB::FILE_OPEN, SMB::FILE_RENAME, SMB::PRINT_OPEN }

The file actions which are logged.

Types¶

SMB::Action¶

Type:

enum

SMB::FILE_READ¶

SMB::FILE_WRITE¶

SMB::FILE_OPEN¶

SMB::FILE_CLOSE¶

SMB::FILE_DELETE¶

SMB::FILE_RENAME¶

SMB::FILE_SET_ATTRIBUTE¶

SMB::PIPE_READ¶

SMB::PIPE_WRITE¶

SMB::PIPE_OPEN¶

SMB::PIPE_CLOSE¶

SMB::PRINT_READ¶

SMB::PRINT_WRITE¶

SMB::PRINT_OPEN¶

SMB::PRINT_CLOSE¶

Abstracted actions for SMB file actions.

SMB::CmdInfo¶

Type:

record

ts: time &log

Timestamp of the command request.

uid: string &log

Unique ID of the connection the request was sent over.

id: conn_id &log

ID of the connection the request was sent over.

command: string &log

The command sent by the client.

sub_command: string &log &optional

The subcommand sent by the client, if present.

argument: string &log &optional

Command argument sent by the client, if any.

status: string &log &optional

Server reply to the client’s command.

rtt: interval &log &optional

Round trip time from the request to the response.

version: string &log

Version of SMB for the command.

username: string &log &optional

Authenticated username, if available.

tree: string &log &optional

If this is related to a tree, this is the tree that was used for the current command.

tree_service: string &log &optional

The type of tree (disk share, printer share, named pipe, etc.).

referenced_file: SMB::FileInfo &log &optional

If the command referenced a file, store it here.

referenced_tree: SMB::TreeInfo &optional

If the command referenced a tree, store it here.

smb1_offered_dialects: string_vec &optional

(present if base/protocols/smb/smb1-main.zeek is loaded)

Dialects offered by the client.

smb2_offered_dialects: index_vec &optional

(present if base/protocols/smb/smb2-main.zeek is loaded)

Dialects offered by the client.

This record is for the smb_cmd.log

SMB::FileInfo¶

Type:

record

ts: time &log: Time when the file was first discovered.
uid: string &log: Unique ID of the connection the file was sent over.
id: conn_id &log: ID of the connection the file was sent over.
fuid: string &log &optional: Unique ID of the file.
action: SMB::Action &log &optional: Action this log record represents.
path: string &log &optional: Path pulled from the tree this file was transferred to or from.
name: string &log &optional: Filename if one was seen.
size: count &log &default = 0 &optional: Total size of the file.
prev_name: string &log &optional: If the rename action was seen, this will be the file’s previous name.
times: SMB::MACTimes &log &optional: Last time this file was modified.
fid: count &optional: ID referencing this file.
uuid: string &optional: UUID referencing this file if DCE/RPC.

This record is for the smb_files.log

SMB::State¶

Type:

record

current_cmd: SMB::CmdInfo &optional: A reference to the current command.
current_file: SMB::FileInfo &optional: A reference to the current file.
current_tree: SMB::TreeInfo &optional: A reference to the current tree.
pending_cmds: table [count] of SMB::CmdInfo &optional: Indexed on MID to map responses to requests.
fid_map: table [count] of SMB::FileInfo &optional: File map to retrieve file information based on the file ID.
tid_map: table [count] of SMB::TreeInfo &optional: Tree map to retrieve tree information based on the tree ID.
uid_map: table [count] of string &optional: User map to retrieve user name based on the user ID.
pipe_map: table [count] of string &optional: Pipe map to retrieve UUID based on the file ID of a pipe.
recent_files: set [string] &default = { } &optional &read_expire = 3.0 mins: A set of recent files to avoid logging the same files over and over in the smb files log. This only applies to files seen in a single connection.

This record stores the SMB state of in-flight commands, the file and tree map of the connection.

SMB::TreeInfo¶

Type:

record

ts: time &log &optional: Time when the tree was mapped.
uid: string &log: Unique ID of the connection the tree was mapped over.
id: conn_id &log: ID of the connection the tree was mapped over.
path: string &log &optional: Name of the tree path.
service: string &log &optional: The type of resource of the tree (disk share, printer share, named pipe, etc.).
native_file_system: string &log &optional: File system of the tree.
share_type: string &log &default = "DISK" &optional: If this is SMB2, a share type will be included. For SMB1, the type of share will be deduced and included as well.

This record is for the smb_mapping.log

Functions¶

SMB::set_current_file¶

Type:	`function` (smb_state: `SMB::State`, file_id: `count`) : `void`
Attributes:	`&redef`

This is an internally used function.

SMB::write_file_log¶

Type:	`function` (state: `SMB::State`) : `void`
Attributes:	`&redef`

This is an internally used function.