Project

General

Profile

Actions

Feature #4213

open

smb: higher level logging

Added by Odin Jenseg about 4 years ago. Updated 6 months ago.

Status:
New
Priority:
Normal
Assignee:
Target version:
Effort:
Difficulty:
Label:

Description

Similar to https://redmine.openinfosecfoundation.org/issues/4175 , and maybe some ideas can be taken from this issue for how this also can be achieved with dcerpc.

As a POC to add share and named_pipe field to other logs the only Tree connect:

diff --git a/rust/src/smb/log.rs b/rust/src/smb/log.rs
index 162dbe3..bc5611f 100644
--- a/rust/src/smb/log.rs
+++ b/rust/src/smb/log.rs
@@ -191,6 +191,18 @@ fn smb_common_header(jsb: &mut JsonBuilder, state: &SMBState, tx: &SMBTransactio
 Some(SMBTransactionTypeData::CREATE(ref x)) => {
   let mut name_raw = x.filename.to_vec();
   name_raw.retain(|&i|i != 0x00);
+  let tree_key = SMBCommonHdr::new(SMBHDR_TYPE_SHARE,
+    tx.hdr.ssn_id as u64, tx.hdr.tree_id as u32, 0);
+  let (tmp_share_name, is_pipe) = match state.ssn2tree_map.get(&tree_key) {
+    Some(n) => (n.name.to_vec(), n.is_pipe),
+    _ => { (Vec::new(), false) },
+   };
+  let share_name = String::from_utf8_lossy(&tmp_share_name);
+  if is_pipe {
+   jsb.set_string("named_pipe", &share_name)?;
+  } else {
+   jsb.set_string("share", &share_name)?;
+  }
   if name_raw.len() > 0 {
    let name = String::from_utf8_lossy(&name_raw);
   if x.directory {

This is one way of doing this, and helps a lot for post analysis in SIEM tools, as we now if the CREATE request is related to an IPC event or on which share the filename is related to.


Related issues 1 (1 open0 closed)

Related to Suricata - Feature #4175: dcerpc: higher level loggingNewCommunity TicketActions
Actions

Also available in: Atom PDF