[Bro-Dev] SMB analyzer
nicolas.retrain at cea.fr
Fri May 24 02:04:35 PDT 2013
Hi, sorry to bother you again.
Today I am looking at the SMB Analyzer, and I have few questions.
- Why did you choose to analyse the SNIA CIFS version, and not the others
(http://www.cifs.org/wiki/SMB/CIFS_References)? Some of them have new
dialects and don't match anymore :s . (I know, the SMB documentation is
a real mess.. ).
- Some events are not well written into the event.bif:
For instance, the smb_com_negotiate event is built with 3 arguments
    vl->append(analyzer->BuildConnVal());
    vl->append(BuildHeaderVal(hdr));
    vl->append(t); // which are the possible dialects

    analyzer->ConnectionEvent(smb_com_negotiate, vl);
But in the event.bif the event is declared as follows, without the last
argument:
    event smb_com_negotiate%(c: connection, hdr: smb_hdr%);
- If I were to add some parts of another dialect, how should I implement
it? Add a dialect field in the SMB_session, and duplicate the binpac if the
protocols are different?
Nicolas
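The third argument discussed above, the table of dialects offered in an SMB_COM_NEGOTIATE request, comes from the message's Data block: one entry per dialect, each a BufferFormat byte 0x02 followed by a NUL-terminated ASCII string. The following is an added, stand-alone Python example (not Bro's binpac analyzer, and not code from the thread) that builds a negotiate request from a constructed dialect list and parses it back, so the shape of the data behind that missing event argument can be checked on real captures. Field names in the returned dict and the sample dialect list are the example's own assumptions.

```python
import struct

# 32-byte SMB1 header: magic, command, status, flags, flags2, pid_high,
# signature, reserved, tid, pid_low, uid, mid (little-endian, no padding).
SMB_MAGIC = b"\xffSMB"
SMB_HEADER_FMT = "<4sBIBHH8sHHHHH"
SMB_COM_NEGOTIATE = 0x72
DIALECT_BUFFER_FORMAT = 0x02  # each dialect entry starts with this byte


def build_negotiate_request(dialects, mid=1):
    """Serialize an SMB_COM_NEGOTIATE request offering the given dialects.

    Constructed for the example: the header uses fixed flags/flags2 values
    and zeroed tid/pid/uid, which a real client would fill in.
    """
    data = b"".join(
        bytes([DIALECT_BUFFER_FORMAT]) + d.encode("ascii") + b"\x00"
        for d in dialects
    )
    header = struct.pack(
        SMB_HEADER_FMT, SMB_MAGIC, SMB_COM_NEGOTIATE, 0,
        0x18, 0xC853, 0, b"\x00" * 8, 0, 0, 0, 0, mid,
    )
    # WordCount is 0 for a negotiate request, then ByteCount and the entries.
    return header + bytes([0]) + struct.pack("<H", len(data)) + data


def parse_negotiate_request(msg):
    """Parse an SMB_COM_NEGOTIATE request into header fields and dialects.

    Raises ValueError on anything malformed rather than guessing, since a
    truncated or mis-framed dialect table is exactly what an analyzer
    should flag instead of silently accepting.
    """
    if len(msg) < 32 or msg[:4] != SMB_MAGIC:
        raise ValueError("not an SMB1 message")
    fields = struct.unpack(SMB_HEADER_FMT, msg[:32])
    hdr = {
        "command": fields[1], "status": fields[2], "flags": fields[3],
        "flags2": fields[4], "tid": fields[8], "pid": fields[9],
        "uid": fields[10], "mid": fields[11],
    }
    if hdr["command"] != SMB_COM_NEGOTIATE:
        raise ValueError("not an SMB_COM_NEGOTIATE request")
    if len(msg) < 35:
        raise ValueError("truncated parameter/data block")
    word_count = msg[32]
    if word_count != 0:
        raise ValueError("negotiate request must have WordCount 0")
    (byte_count,) = struct.unpack_from("<H", msg, 33)
    data = msg[35:35 + byte_count]
    if len(data) != byte_count:
        raise ValueError("ByteCount exceeds available data")

    dialects = []
    pos = 0
    while pos < len(data):
        if data[pos] != DIALECT_BUFFER_FORMAT:
            raise ValueError("bad BufferFormat at offset %d" % pos)
        end = data.find(b"\x00", pos + 1)
        if end == -1:
            raise ValueError("unterminated dialect string")
        dialects.append(data[pos + 1:end].decode("ascii", errors="replace"))
        pos = end + 1
    return {"hdr": hdr, "dialects": dialects}


if __name__ == "__main__":
    # Constructed sample: three dialect strings a client might advertise.
    req = build_negotiate_request(["PC NETWORK PROGRAM 1.0", "NT LM 0.12", "SMB 2.002"])
    print(parse_negotiate_request(req))
```

The parser deliberately rejects a ByteCount that runs past the buffer and an entry missing its terminating NUL; both are the cases an event handler receiving the dialect table would otherwise see as a truncated or garbage list.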