base/protocols/smb/main.zeek¶
-
SMB¶
| Namespace: | SMB |
|---|---|
| Imports: | base/protocols/smb/const-dos-error.zeek, base/protocols/smb/const-nt-status.zeek, base/protocols/smb/consts.zeek |
Summary¶
Runtime Options¶
SMB::logged_file_actions: set &redef |
The file actions which are logged. |
Types¶
SMB::Action: enum |
Abstracted actions for SMB file actions. |
SMB::CmdInfo: record |
This record is for the smb_cmd.log |
SMB::FileInfo: record |
This record is for the smb_files.log |
SMB::State: record |
This record stores the SMB state of in-flight commands, the file and tree map of the connection. |
SMB::TreeInfo: record |
This record is for the smb_mapping.log |
Redefinitions¶
Log::ID: enum |
|||
SMB::FileInfo: record |
|
||
connection: record |
Everything below here is used internally in the SMB scripts.
|
||
likely_server_ports: set &redef |
Functions¶
SMB::set_current_file: function &redef |
This is an internally used function. |
SMB::write_file_log: function &redef |
This is an internally used function. |
Detailed Interface¶
Runtime Options¶
-
SMB::logged_file_actions¶ Type: Attributes: Default: { SMB::PRINT_CLOSE, SMB::FILE_DELETE, SMB::FILE_OPEN, SMB::FILE_RENAME, SMB::PRINT_OPEN }The file actions which are logged.
Types¶
-
SMB::Action¶ Type: -
SMB::FILE_READ¶
-
SMB::FILE_WRITE¶
-
SMB::FILE_OPEN¶
-
SMB::FILE_CLOSE¶
-
SMB::FILE_DELETE¶
-
SMB::FILE_RENAME¶
-
SMB::FILE_SET_ATTRIBUTE¶
-
SMB::PIPE_READ¶
-
SMB::PIPE_WRITE¶
-
SMB::PIPE_OPEN¶
-
SMB::PIPE_CLOSE¶
-
SMB::PRINT_READ¶
-
SMB::PRINT_WRITE¶
-
SMB::PRINT_OPEN¶
-
SMB::PRINT_CLOSE¶
Abstracted actions for SMB file actions.
-
-
SMB::CmdInfo¶ Type: - ts:
time&log Timestamp of the command request.
- uid:
string&log Unique ID of the connection the request was sent over.
- id:
conn_id&log ID of the connection the request was sent over.
- command:
string&log The command sent by the client.
- sub_command:
string&log&optional The subcommand sent by the client, if present.
- argument:
string&log&optional Command argument sent by the client, if any.
- status:
string&log&optional Server reply to the client’s command.
- rtt:
interval&log&optional Round trip time from the request to the response.
- version:
string&log Version of SMB for the command.
- username:
string&log&optional Authenticated username, if available.
- tree:
string&log&optional If this is related to a tree, this is the tree that was used for the current command.
- tree_service:
string&log&optional The type of tree (disk share, printer share, named pipe, etc.).
- referenced_file:
SMB::FileInfo&log&optional If the command referenced a file, store it here.
- referenced_tree:
SMB::TreeInfo&optional If the command referenced a tree, store it here.
- smb1_offered_dialects:
string_vec&optional (present if base/protocols/smb/smb1-main.zeek is loaded)
Dialects offered by the client.
- smb2_offered_dialects:
index_vec&optional (present if base/protocols/smb/smb2-main.zeek is loaded)
Dialects offered by the client.
This record is for the smb_cmd.log
- ts:
-
SMB::FileInfo¶ Type: - ts:
time&log Time when the file was first discovered.
- uid:
string&log Unique ID of the connection the file was sent over.
- id:
conn_id&log ID of the connection the file was sent over.
- fuid:
string&log&optional Unique ID of the file.
- action:
SMB::Action&log&optional Action this log record represents.
- path:
string&log&optional Path pulled from the tree this file was transferred to or from.
- name:
string&log&optional Filename if one was seen.
- size:
count&log&default=0&optional Total size of the file.
- prev_name:
string&log&optional If the rename action was seen, this will be the file’s previous name.
- times:
SMB::MACTimes&log&optional Last time this file was modified.
- fid:
count&optional ID referencing this file.
- uuid:
string&optional UUID referencing this file if DCE/RPC.
This record is for the smb_files.log
- ts:
-
SMB::State¶ Type: - current_cmd:
SMB::CmdInfo&optional A reference to the current command.
- current_file:
SMB::FileInfo&optional A reference to the current file.
- current_tree:
SMB::TreeInfo&optional A reference to the current tree.
- pending_cmds:
table[count] ofSMB::CmdInfo&optional Indexed on MID to map responses to requests.
- fid_map:
table[count] ofSMB::FileInfo&optional File map to retrieve file information based on the file ID.
- tid_map:
table[count] ofSMB::TreeInfo&optional Tree map to retrieve tree information based on the tree ID.
- uid_map:
table[count] ofstring&optional User map to retrieve user name based on the user ID.
- pipe_map:
table[count] ofstring&optional Pipe map to retrieve UUID based on the file ID of a pipe.
- recent_files:
set[string]&default={ }&optional&read_expire=3.0 mins A set of recent files to avoid logging the same files over and over in the smb files log. This only applies to files seen in a single connection.
This record stores the SMB state of in-flight commands, the file and tree map of the connection.
- current_cmd:
-
SMB::TreeInfo¶ Type: - ts:
time&log&optional Time when the tree was mapped.
- uid:
string&log Unique ID of the connection the tree was mapped over.
- id:
conn_id&log ID of the connection the tree was mapped over.
- path:
string&log&optional Name of the tree path.
- service:
string&log&optional The type of resource of the tree (disk share, printer share, named pipe, etc.).
- native_file_system:
string&log&optional File system of the tree.
- share_type:
string&log&default="DISK"&optional If this is SMB2, a share type will be included. For SMB1, the type of share will be deduced and included as well.
This record is for the smb_mapping.log
- ts: