SMB Extension Proposal
Sam Cornwell edited this page Feb 15, 2018 · 2 revisions
There are several analytics in CAR, for example, which query SMB2 information extracted from network captures. We propose that STIX add a standard SMB2 extension object for network traffic objects. The following is an example of a use case using the CAR data model and pseudocode:
```
flow = search Flow:Message
smb_write = filter flow where (dest_port == "445" and protocol == "smb.write_pipe")
smb_write.pipe_name = smb_write.proto_info.pipe_name
output smb_write
```
The equivalent STIX pattern may look something like the following:

```
[ network-traffic:dst_port = 445 AND network-traffic:protocols[*] = 'microsoft-ds'
  AND network-traffic:extensions.smb2-ext.command = 'write'
  AND network-traffic:extensions.smb2-ext.path MATCHES '^\\\\\.\\pipe\\' ]
```
The syntax for extensions is well-defined, so only the properties need to be established. The following is a table of the relevant properties from an SMB2 message.
| Field | Description | Values (SMB2) |
|---|---|---|
| command | The opcode for the command being issued | NEGOTIATE, SESSION_SETUP, LOGOFF, TREE_CONNECT, TREE_DISCONNECT, CREATE, CLOSE, FLUSH, READ, WRITE, LOCK, IOCTL, CANCEL, ECHO, QUERY_DIRECTORY, CHANGE_NOTIFY, QUERY_INFO, SET_INFO, OPLOCK_BREAK |
| response | Determines whether the packet is a response or a request (based on the SMB2 response flag SMB2_FLAGS_SERVER_TO_REDIR) | boolean |
| path | The file/pipe read, written, etc. This is actually a constructed field. During a connection, the filename is given, and then a negotiated file_id is used for the rest of the session. | string |
| length | The length of object being written or read | integer |
| offset | The offset within the object being written or read | integer |
| status | The status code for the packet (Windows NTSTATUS type) | There are many, some examples include: STATUS_SUCCESS, STATUS_NO_SUCH_FILE, STATUS_ACCESS_DENIED, STATUS_LOGON_FAILURE, STATUS_NOT_SUPPORTED, STATUS_CANCELLED, etc |
| file_id | Negotiated id for a file or pipe. May be necessary if file_id is not connected to its path during data collection. | integer |
| tree_id | Negotiated id for a share. May be necessary if tree_id is not connected to its path during data collection. | integer |
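As an added example (not code from the CAR or STIX projects, nor from the proposal's author), the following Python builds the proposed `smb2-ext` extension from a raw SMB2 header and then evaluates the page's pattern against the resulting network-traffic object. The header layout, opcode numbering, the SMB2_FLAGS_SERVER_TO_REDIR bit and the NTSTATUS values follow [MS-SMB2]; the extension key names are those in the table above. The sample header bytes, `file_id` and pipe name are constructed. Because `path` is a constructed field, the example assumes the CREATE request/response pair has already been decoded elsewhere and receives the resulting `file_id`-to-name mapping as input rather than parsing CREATE bodies itself. Note that the page's pattern writes `'write'` while the table lists `WRITE`; the matcher below compares case-insensitively so both forms are honoured.

```python
"""Build the proposed smb2-ext extension from an SMB2 header and evaluate
the page's STIX pattern on it.  Added example; constants from [MS-SMB2]."""
import json
import re
import struct

# SMB2 opcodes, in the order the table lists them (Command field, [MS-SMB2] 2.2.1).
SMB2_COMMANDS = [
    "NEGOTIATE", "SESSION_SETUP", "LOGOFF", "TREE_CONNECT", "TREE_DISCONNECT",
    "CREATE", "CLOSE", "FLUSH", "READ", "WRITE", "LOCK", "IOCTL", "CANCEL",
    "ECHO", "QUERY_DIRECTORY", "CHANGE_NOTIFY", "QUERY_INFO", "SET_INFO",
    "OPLOCK_BREAK",
]
SMB2_FLAGS_SERVER_TO_REDIR = 0x00000001  # Flags bit set on every response
SMB2_MAGIC = b"\xfeSMB"
NTSTATUS_NAMES = {  # a few of the codes the table mentions
    0x00000000: "STATUS_SUCCESS", 0xC000000F: "STATUS_NO_SUCH_FILE",
    0xC0000022: "STATUS_ACCESS_DENIED", 0xC000006D: "STATUS_LOGON_FAILURE",
    0xC00000BB: "STATUS_NOT_SUPPORTED", 0xC0000120: "STATUS_CANCELLED",
}
# 64-byte SMB2 header, little-endian: ProtocolId, StructureSize, CreditCharge,
# Status, Command, Credit, Flags, NextCommand, MessageId, Reserved, TreeId,
# SessionId, Signature.  (In an ASYNC header Reserved+TreeId form AsyncId.)
SMB2_HEADER = struct.Struct("<4sHHIHHIIQIIQ16s")

# The regex from the page's pattern, unchanged: a path starting with \\.\pipe\
PIPE_PATH = re.compile(r"^\\\\\.\\pipe\\")


def parse_smb2_header(data: bytes) -> dict:
    """Decode the SMB2 header into the table's command/response/status/tree_id."""
    if len(data) < SMB2_HEADER.size or data[:4] != SMB2_MAGIC:
        raise ValueError("not an SMB2 message")
    (_, size, _, status, command, _, flags, _, _, _, tree_id, _, _) = \
        SMB2_HEADER.unpack_from(data)
    if size != SMB2_HEADER.size or command >= len(SMB2_COMMANDS):
        raise ValueError("malformed SMB2 header")
    return {
        "command": SMB2_COMMANDS[command],
        "response": bool(flags & SMB2_FLAGS_SERVER_TO_REDIR),
        "status": NTSTATUS_NAMES.get(status, "0x%08X" % status),
        "tree_id": tree_id,
    }


def build_network_traffic(header: bytes, file_id: int, length: int,
                          offset: int, open_files: dict) -> dict:
    """Assemble a STIX network-traffic object carrying the proposed extension.

    open_files maps a negotiated file_id to the name seen in the CREATE that
    opened it; joining the two is how the constructed `path` field is derived.
    file_id is typed as an integer here because the table types it so."""
    ext = parse_smb2_header(header)
    ext.update({
        "file_id": file_id,
        "path": open_files.get(file_id),  # None if the CREATE was not captured
        "length": length,
        "offset": offset,
    })
    return {
        "type": "network-traffic",
        "dst_port": 445,
        "protocols": ["tcp", "microsoft-ds"],
        "extensions": {"smb2-ext": ext},
    }


def matches_smb_write_pipe(obj: dict) -> bool:
    """Evaluate the page's pattern: the four ANDed comparisons on one object."""
    ext = obj.get("extensions", {}).get("smb2-ext", {})
    return (obj.get("dst_port") == 445
            and "microsoft-ds" in obj.get("protocols", [])
            and str(ext.get("command", "")).lower() == "write"
            and PIPE_PATH.search(ext.get("path") or "") is not None)


def make_header(command: int, flags: int = 0, status: int = 0,
                tree_id: int = 1, message_id: int = 0) -> bytes:
    """Constructed test input: a minimal SMB2 header with the given fields."""
    return SMB2_HEADER.pack(SMB2_MAGIC, 64, 1, status, command, 1, flags, 0,
                            message_id, 0, tree_id, 0x1122, b"\0" * 16)


def demo():
    """A WRITE request to a pipe whose CREATE was captured earlier (constructed)."""
    open_files = {7: r"\\.\pipe\example"}  # learned from the earlier CREATE
    obj = build_network_traffic(make_header(command=9), file_id=7,
                                length=1024, offset=0, open_files=open_files)
    return obj, matches_smb_write_pipe(obj)


if __name__ == "__main__":
    traffic, hit = demo()
    print(json.dumps(traffic, indent=2))
    print("pattern matched:", hit)
```

The negative cases are the instructive ones for a collector: a READ on the same pipe, or a WRITE whose `file_id` was never tied to a name because the CREATE fell outside the capture window, both fail the pattern, which is exactly why the table flags `file_id` and `tree_id` as fallbacks when `path` cannot be constructed.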
[MS-SMB2]: Server Message Block (SMB) Protocol Versions 2 and 3