diff --git a/implementations/bzar/bzar_dce-rpc.bro b/implementations/bzar/bzar_dce-rpc.bro
index 884da853..b200ff5b 100755
--- a/implementations/bzar/bzar_dce-rpc.bro
+++ b/implementations/bzar/bzar_dce-rpc.bro
@@ -1,7 +1,7 @@
 #
 # File: bzar_dce-rpc.bro
 # Created: 20180701
-# Updated: 20190225
+# Updated: 20190403
 #
 # Copyright 2018 The MITRE Corporation. All Rights Reserved.
 # Approved for public release. Distribution unlimited. Case number 18-2489.
@@ -34,7 +34,6 @@ export
 #
 # Relevant ATT&CK Technique(s):
 # T1070 Indicator Removal on Host
- #
 
 const rpc_defense_evasion : set[string] =
 {
@@ -173,7 +172,6 @@ export
 # T1035 Service Execution
 # T1047 Windows Management Instrumentation
 # T1053 Scheduled Tasks
- #
 
 const rpc_execution : set[string] =
 {
@@ -203,7 +201,6 @@ export
 # Relevant ATT&CK Technique(s):
 # T1004 Winlogon Helper DLL
 # T1013 Port Monitors
- #
 
 const rpc_persistence : set[string] =
 {
@@ -221,8 +218,19 @@ export
 #end export
 
 
+@if ((Version::info$major == 2) && (Version::info$minor <= 5))
+
+# Use this syntax for Bro v2.5.x and below
 event dce_rpc_response(c: connection, fid: count, opnum: count, stub_len: count) &priority=3
 {
+
+@else
+
+# Use this syntax for Bro v2.6.x and above
+event dce_rpc_response(c: connection, fid: count, ctx_id: count, opnum: count, stub_len: count) &priority=3
+{
+
+@endif
 # priority==3 ... We want to execute before writing to dce_rpc.log
 # because default Bro script deletes 'c$dce_rpc' after writing to log
diff --git a/implementations/bzar/bzar_smb.bro b/implementations/bzar/bzar_smb.bro
index d7327142..378dc258 100755
--- a/implementations/bzar/bzar_smb.bro
+++ b/implementations/bzar/bzar_smb.bro
@@ -1,7 +1,7 @@
 #
 # File: bzar_smb.bro
 # Created: 20180701
-# Updated: 20190225
+# Updated: 20190403
 #
 # Copyright 2018 The MITRE Corporation. All Rights Reserved.
 # Approved for public release. Distribution unlimited. Case number 18-2489.
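Review bot: The `{` that opens dce_rpc_response is duplicated inside both @if arms while the body and its closing brace are shared after `@endif`, so the handler runs past the end of this hunk and a reader of either arm cannot see where it closes. A comment right after `@endif`, such as `# handler body below is shared by both signatures; its closing brace follows the body`, would make that explicit, and if the shared body never reads the 2.6 arm's `ctx_id` (not visible here) the comment should say so. The same `(Version::info$major == 2) && (Version::info$minor <= 5)` guard is repeated verbatim in bzar_smb.bro and main.bro in this commit; if I recall correctly `Version::info` itself only exists from Bro 2.5, so older releases fail to parse before the check runs, which is worth stating once rather than implying "v2.5.x and below" covers all of them.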
@@ -19,7 +19,6 @@ export
 # Relevant ATT&CK Technique(s):
 # T1077 Windows Admin Shares [File Shares Only]
 # T1105 Remote File Copy
- #
 
 const smb_admin_file_shares : set[string] =
 {
@@ -36,7 +35,10 @@ export
 # overwritten in its entirety, or just a smaller sub-section is
 # overwritten, which would be an interesting diagnostic to detect.
 
+@if ((Version::info$major == 2) && (Version::info$minor <= 5))
+ # Use this syntax for Bro v2.5.x and below
 redef SMB::write_cmd_log = T &redef;
+@endif
 redef SMB::logged_file_actions += { SMB::FILE_WRITE, } &redef;
 redef record SMB::FileInfo +=
@@ -249,8 +251,19 @@ event smb2_tree_connect_request(c: connection, hdr: SMB2::Header, path: string)
 }
 
 
+@if ((Version::info$major == 2) && (Version::info$minor <= 5))
+
+# Use this syntax for Bro v2.5.x and below
 event smb2_create_request(c: connection, hdr: SMB2::Header, name: string) &priority=3
 {
+
+@else
+
+# Use this syntax for Bro v2.6.x and above
+event smb2_create_request(c: connection, hdr: SMB2::Header, request: SMB2::CreateRequest) &priority=3
+{
+
+@endif
 # Copied this snippet from Bro default handler:
 # policy/protocols/smb/smb1-main.bro#smb1_write_andx_request.
 # It is important to know the full file path at SMB::FILE_OPEN time,
diff --git a/implementations/bzar/main.bro b/implementations/bzar/main.bro
index 711d5c56..bafffbf0 100755
--- a/implementations/bzar/main.bro
+++ b/implementations/bzar/main.bro
@@ -1,13 +1,24 @@
 #
 # File: main.bro
 # Created: 20180701
-# Updated: 20190225
+# Updated: 20190403
 #
 # Copyright 2018 The MITRE Corporation. All Rights Reserved.
 # Approved for public release. Distribution unlimited. Case number 18-2489.
 #
 
+@if ((Version::info$major == 2) && (Version::info$minor <= 5))
+
+# Use this syntax for Bro v2.5.x and below
 @load policy/protocols/smb
+
+@else
+
+# Use this syntax for Bro v2.6.x and above
+@load base/protocols/smb
+
+@endif
+
 @load base/protocols/dce-rpc
 @load base/frameworks/files
 @load base/frameworks/notice
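Review bot: The added `+ # Use this syntax for Bro v2.5.x and below` in the `@@ -36,7 +35,10 @@` hunk does not say why `redef SMB::write_cmd_log` needs a version guard, and it is the only copy of that comment in this commit that carries leading whitespace. I would replace it with `# SMB::write_cmd_log is a Bro 2.5.x option; the guard implies it is gone in 2.6+, where the redef would not parse` (hedged, since the 2.6 script tree is not visible here). `redef SMB::logged_file_actions` on the following context line stays unguarded, so it presumably exists in both releases; a word to that effect would spare the next reader the same question.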
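Review bot: In the 2.6 arm of the `@@ -249,8 +251,19 @@` hunk the `name: string` parameter no longer exists, yet the body that follows `@endif` is shared by both signatures and lies outside this hunk; unless that body also selects between `name` and the request record (presumably `request$filename`) under the same guard, the 2.6 build fails to parse at the first use of `name`. The hunk shows no such second guard, so it is worth checking the body and, if it is there, pointing at it with `# 'name' (2.5) vs request record (2.6) is resolved under a matching @if in the body below`. The context comment still cites `policy/protocols/smb/smb1-main.bro`, which is the 2.5 path; the 2.6 arm would refer to the base/ tree.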
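Review bot: In main.bro's `@@ -1,13 +1,24 @@` hunk, `# Use this syntax for Bro v2.5.x and below` describes a load path, not syntax; the difference is that the SMB scripts lived under policy/ in 2.5 and moved to base/ in 2.6, where they load by default, if I recall correctly. I would write `# Bro 2.5.x ships the SMB scripts under policy/; 2.6+ moved them to base/, where they load by default` and drop the "syntax" wording here and in the two sibling files. As the package's main script this is also the place to note what happens on releases that lack `Version::info`, since the guard cannot evaluate there.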
@@ -193,7 +204,7 @@ event bro_init()
 # Relevant Indicator(s) Detected by Bro/Zeek:
 # (a) dce_rpc_response::c$dce_rpc$endpoint + c$dce_rpc$operation contains
 # any of the following: (see BZAR::rpc_dicsovery set).
- #
+ #
 # Globals (defined in main.bro above):
 # bzar3_epoch
 # bzar3_limit