base/protocols/smb/main.zeek¶
- SMB¶
- Namespace
SMB
- Imports
base/protocols/smb/const-dos-error.zeek, base/protocols/smb/const-nt-status.zeek, base/protocols/smb/consts.zeek
Summary¶
Runtime Options¶
The file actions which are logged. |
Types¶
Abstracted actions for SMB file actions. |
|
This record is for the smb_cmd.log |
|
This record is for the smb_files.log |
|
This record stores the SMB state of in-flight commands, the file and tree map of the connection. |
|
This record is for the smb_mapping.log |
Redefinitions¶
|
|
Everything below here is used internally in the SMB scripts.
|
|
Hooks¶
Functions¶
This is an internally used function. |
|
This is an internally used function. |
Detailed Interface¶
Runtime Options¶
- SMB::logged_file_actions¶
- Type
- Attributes
- Default
{ SMB::PRINT_CLOSE, SMB::FILE_DELETE, SMB::FILE_OPEN, SMB::FILE_RENAME, SMB::PRINT_OPEN }
The file actions which are logged.
Types¶
- SMB::Action¶
- Type
-
- SMB::FILE_READ¶
- SMB::FILE_WRITE¶
- SMB::FILE_OPEN¶
- SMB::FILE_CLOSE¶
- SMB::FILE_DELETE¶
- SMB::FILE_RENAME¶
- SMB::FILE_SET_ATTRIBUTE¶
- SMB::PIPE_READ¶
- SMB::PIPE_WRITE¶
- SMB::PIPE_OPEN¶
- SMB::PIPE_CLOSE¶
- SMB::PRINT_READ¶
- SMB::PRINT_WRITE¶
- SMB::PRINT_OPEN¶
- SMB::PRINT_CLOSE¶
Abstracted actions for SMB file actions.
- SMB::CmdInfo¶
- Type
-
- ts:
time&log&default=0.0&optional Timestamp of the command request.
- uid:
string&log Unique ID of the connection the request was sent over.
- id:
conn_id&log ID of the connection the request was sent over.
- command:
string&log The command sent by the client.
- sub_command:
string&log&optional The subcommand sent by the client, if present.
- argument:
string&log&optional Command argument sent by the client, if any.
- status:
string&log&optional Server reply to the client’s command.
- rtt:
interval&log&optional Round trip time from the request to the response.
- version:
string&log Version of SMB for the command.
- username:
string&log&optional Authenticated username, if available.
- tree:
string&log&optional If this is related to a tree, this is the tree that was used for the current command.
- tree_service:
string&log&optional The type of tree (disk share, printer share, named pipe, etc.).
- referenced_file:
SMB::FileInfo&log&optional If the command referenced a file, store it here.
- referenced_tree:
SMB::TreeInfo&optional If the command referenced a tree, store it here.
- smb1_offered_dialects:
string_vec&optional (present if base/protocols/smb/smb1-main.zeek is loaded)
Dialects offered by the client.
- smb2_offered_dialects:
index_vec&optional (present if base/protocols/smb/smb2-main.zeek is loaded)
Dialects offered by the client.
- smb2_create_options:
count&default=0&optional (present if base/protocols/smb/smb2-main.zeek is loaded)
Keep the create_options in the command for referencing later.
- ts:
This record is for the smb_cmd.log
- SMB::FileInfo¶
- Type
-
- ts:
time&log&default=0.0&optional Time when the file was first discovered.
- uid:
string&log Unique ID of the connection the file was sent over.
- id:
conn_id&log ID of the connection the file was sent over.
- fuid:
string&log&optional Unique ID of the file.
- action:
SMB::Action&log&optional Action this log record represents.
- path:
string&log&optional Path pulled from the tree this file was transferred to or from.
- name:
string&log&optional Filename if one was seen.
- size:
count&log&default=0&optional Total size of the file.
- prev_name:
string&log&optional If the rename action was seen, this will be the file’s previous name.
- times:
SMB::MACTimes&log&optional Last time this file was modified.
- fid:
count&optional ID referencing this file.
- uuid:
string&optional UUID referencing this file if DCE/RPC.
- ts:
This record is for the smb_files.log
- SMB::State¶
- Type
-
- current_cmd:
SMB::CmdInfo&optional A reference to the current command.
- current_file:
SMB::FileInfo&optional A reference to the current file.
- current_tree:
SMB::TreeInfo&optional A reference to the current tree.
- pending_cmds:
table[count] ofSMB::CmdInfo&optional Indexed on MID to map responses to requests.
- fid_map:
table[count] ofSMB::FileInfo&optional File map to retrieve file information based on the file ID.
- tid_map:
table[count] ofSMB::TreeInfo&optional Tree map to retrieve tree information based on the tree ID.
- pipe_map:
table[count] ofstring&optional Pipe map to retrieve UUID based on the file ID of a pipe.
- recent_files:
set[string]&default={ }&optional&read_expire=3.0 mins A set of recent files to avoid logging the same files over and over in the smb files log. This only applies to files seen in a single connection.
- current_cmd:
This record stores the SMB state of in-flight commands, the file and tree map of the connection.
- SMB::TreeInfo¶
- Type
-
- ts:
time&log&default=0.0&optional Time when the tree was mapped.
- uid:
string&log Unique ID of the connection the tree was mapped over.
- id:
conn_id&log ID of the connection the tree was mapped over.
- path:
string&log&optional Name of the tree path.
- service:
string&log&optional The type of resource of the tree (disk share, printer share, named pipe, etc.).
- native_file_system:
string&log&optional File system of the tree.
- share_type:
string&log&default="DISK"&optional If this is SMB2, a share type will be included. For SMB1, the type of share will be deduced and included as well.
- ts:
This record is for the smb_mapping.log
Hooks¶
Functions¶
- SMB::set_current_file¶
- Type
function(smb_state:SMB::State, file_id:count) :void- Attributes
This is an internally used function.
- SMB::write_file_log¶
- Type
function(state:SMB::State) :void- Attributes
This is an internally used function.