main.zeek

SMB

Namespace:: SMB
Imports:: base/protocols/smb/const-dos-error.zeek, base/protocols/smb/const-nt-status.zeek, base/protocols/smb/consts.zeek

Summary

Runtime Options

`SMB::enable_clear_script_state`: `bool` `&redef`	Whether to reset a connection’s SMB script state whenever a `smb2_discarded_messages_state` event is raised.
`SMB::logged_file_actions`: `set` `&redef`	The file actions which are logged.

Types

`SMB::Action`: `enum`	Abstracted actions for SMB file actions.
`SMB::CmdInfo`: `record`	This record is for the smb_cmd.log
`SMB::FileInfo`: `record`	This record is for the smb_files.log
`SMB::State`: `record`	This record stores the SMB state of in-flight commands, the file and tree map of the connection.
`SMB::TreeInfo`: `record`	This record is for the smb_mapping.log

Redefinitions

`Log::ID`: `enum`	`SMB::FILES_LOG` `SMB::MAPPING_LOG`
`SMB::FileInfo`: `record`	New Fields: `SMB::FileInfo` fid: `count` `&optional` ID referencing this file. uuid: `string` `&optional` UUID referencing this file if DCE/RPC.
`connection`: `record`	Everything below here is used internally in the SMB scripts. New Fields: `connection` smb_state: `SMB::State` `&optional`
`likely_server_ports`: `set` `&redef`

Hooks

`SMB::log_policy_files`: `Log::PolicyHook`
`SMB::log_policy_mapping`: `Log::PolicyHook`

Functions

`SMB::set_current_file`: `function` `&redef`	This is an internally used function.
`SMB::write_file_log`: `function` `&redef`	This is an internally used function.

Detailed Interface

Runtime Options

SMB::enable_clear_script_state 

Type:: bool
Attributes:: &redef
Default:: T

Whether to reset a connection’s SMB script state whenever a smb2_discarded_messages_state event is raised.

This setting protects from unbounded script state growth in environments with high capture loss or traffic anomalies.

SMB::logged_file_actions 

Type:

set [SMB::Action]

Attributes:

&redef

Default:

{
   SMB::PRINT_CLOSE,
   SMB::FILE_DELETE,
   SMB::FILE_OPEN,
   SMB::FILE_RENAME,
   SMB::PRINT_OPEN
}

The file actions which are logged.

Types

SMB::Action 

Type:

enum

SMB::FILE_READ

SMB::FILE_WRITE

SMB::FILE_OPEN

SMB::FILE_CLOSE

SMB::FILE_DELETE

SMB::FILE_RENAME

SMB::FILE_SET_ATTRIBUTE

SMB::PIPE_READ

SMB::PIPE_WRITE

SMB::PIPE_OPEN

SMB::PIPE_CLOSE

SMB::PRINT_READ

SMB::PRINT_WRITE

SMB::PRINT_OPEN

SMB::PRINT_CLOSE

Abstracted actions for SMB file actions.

SMB::CmdInfo 

Type:

record

Fields:

ts: time &log &default = 0.0 &optional: Timestamp of the command request.

uid: string &log: Unique ID of the connection the request was sent over.

id: conn_id &log: ID of the connection the request was sent over.

command: string &log: The command sent by the client.

sub_command: string &log &optional: The subcommand sent by the client, if present.

argument: string &log &optional: Command argument sent by the client, if any.

status: string &log &optional: Server reply to the client’s command.

rtt: interval &log &optional: Round trip time from the request to the response.

version: string &log: Version of SMB for the command.

username: string &log &optional: Authenticated username, if available.

tree: string &log &optional: If this is related to a tree, this is the tree that was used for the current command.

tree_service: string &log &optional: The type of tree (disk share, printer share, named pipe, etc.).

referenced_file: SMB::FileInfo &log &optional: If the command referenced a file, store it here.

referenced_tree: SMB::TreeInfo &optional: If the command referenced a tree, store it here.

smb1_offered_dialects: string_vec &optional

(present if base/protocols/smb/smb1-main.zeek is loaded)

Dialects offered by the client.

smb2_offered_dialects: index_vec &optional

(present if base/protocols/smb/smb2-main.zeek is loaded)

Dialects offered by the client.

smb2_create_options: count &default = 0 &optional

(present if base/protocols/smb/smb2-main.zeek is loaded)

Keep the create_options in the command for referencing later.

This record is for the smb_cmd.log

SMB::FileInfo 

Type:

record

Fields:

ts: time &log &default = 0.0 &optional: Time when the file was first discovered.

uid: string &log: Unique ID of the connection the file was sent over.

id: conn_id &log: ID of the connection the file was sent over.

fuid: string &log &optional: Unique ID of the file.

action: SMB::Action &log &optional: Action this log record represents.

path: string &log &optional: Path pulled from the tree this file was transferred to or from.

name: string &log &optional: Filename if one was seen.

size: count &log &default = 0 &optional: Total size of the file.

prev_name: string &log &optional: If the rename action was seen, this will be the file’s previous name.

times: SMB::MACTimes &log &optional: Last time this file was modified.

fid: count &optional: ID referencing this file.

uuid: string &optional: UUID referencing this file if DCE/RPC.

This record is for the smb_files.log

SMB::State 

Type:

record

Fields:

current_cmd: SMB::CmdInfo &optional: A reference to the current command.

current_file: SMB::FileInfo &optional: A reference to the current file.

current_tree: SMB::TreeInfo &optional: A reference to the current tree.

pending_cmds: table [count] of SMB::CmdInfo &optional: Indexed on MID to map responses to requests.

fid_map: table [count] of SMB::FileInfo &optional: File map to retrieve file information based on the file ID.

tid_map: table [count] of SMB::TreeInfo &optional: Tree map to retrieve tree information based on the tree ID.

pipe_map: table [count] of string &optional: Pipe map to retrieve UUID based on the file ID of a pipe.

recent_files: set [string] &default = { } &optional: A set of recent files to avoid logging the same files over and over in the smb files log. This only applies to files seen in a single connection.

This record stores the SMB state of in-flight commands, the file and tree map of the connection.

SMB::TreeInfo 

Type:

record

Fields:

ts: time &log &default = 0.0 &optional: Time when the tree was mapped.

uid: string &log: Unique ID of the connection the tree was mapped over.

id: conn_id &log: ID of the connection the tree was mapped over.

path: string &log &optional: Name of the tree path.

service: string &log &optional: The type of resource of the tree (disk share, printer share, named pipe, etc.).

native_file_system: string &log &optional: File system of the tree.

share_type: string &log &default = "DISK" &optional: If this is SMB2, a share type will be included. For SMB1, the type of share will be deduced and included as well.

This record is for the smb_mapping.log

Hooks

SMB::log_policy_files 

Type:: Log::PolicyHook

SMB::log_policy_mapping 

Type:: Log::PolicyHook

Functions

SMB::set_current_file 

Type:: function (smb_state: SMB::State, file_id: count) : void
Attributes:: &redef

This is an internally used function.

SMB::write_file_log 

Type:: function (state: SMB::State) : void
Attributes:: &redef

This is an internally used function.