mitre-attack · johnwunder · Apr 10, 2019 · Apr 10, 2019
diff --git a/implementations/bzar/bzar_dce-rpc.bro b/implementations/bzar/bzar_dce-rpc.bro
@@ -1,7 +1,7 @@
 #
 # File: bzar_dce-rpc.bro
 # Created: 20180701
-# Updated: 20190225
+# Updated: 20190403
 #
 # Copyright 2018 The MITRE Corporation.  All Rights Reserved.
 # Approved for public release.  Distribution unlimited.  Case number 18-2489.
@@ -34,7 +34,6 @@ export
 	# 
 	# Relevant ATT&CK Technique(s):
 	#    T1070 Indicator Removal on Host
-	#
 
 	const rpc_defense_evasion : set[string] =
 	{
@@ -173,7 +172,6 @@ export
 	#    T1035 Service Execution
 	#    T1047 Windows Management Instrumentation
 	#    T1053 Scheduled Tasks
-	#
 
 	const rpc_execution : set[string] = 
 	{
@@ -203,7 +201,6 @@ export
 	# Relevant ATT&CK Technique(s):
 	#    T1004 Winlogon Helper DLL
 	#    T1013 Port Monitors
-	#
 
 	const rpc_persistence : set[string] = 
 	{
@@ -221,8 +218,19 @@ export
 #end export
 
 
+@if ((Version::info$major == 2) && (Version::info$minor <= 5))
+
+# Use this syntax for Bro v2.5.x and below
 event dce_rpc_response(c: connection, fid: count, opnum: count, stub_len: count) &priority=3
 {
+
+@else
+
+# Use this syntax for Bro v2.6.x and above
+event dce_rpc_response(c: connection, fid: count, ctx_id: count, opnum: count, stub_len: count) &priority=3
+{
+
+@endif
 	# priority==3 ... We want to execute before writing to dce_rpc.log
 	# because default Bro script deletes 'c$dce_rpc' after writing to log
 

diff --git a/implementations/bzar/bzar_smb.bro b/implementations/bzar/bzar_smb.bro
@@ -1,7 +1,7 @@
 #
 # File: bzar_smb.bro
 # Created: 20180701
-# Updated: 20190225
+# Updated: 20190403
 #
 # Copyright 2018 The MITRE Corporation.  All Rights Reserved.
 # Approved for public release.  Distribution unlimited.  Case number 18-2489.
@@ -19,7 +19,6 @@ export
 	# Relevant ATT&CK Technique(s):
 	#    T1077 Windows Admin Shares [File Shares Only]
 	#    T1105 Remote File Copy
-	#
 
 	const smb_admin_file_shares : set[string] = 
 	{
@@ -36,7 +35,10 @@ export
 	# overwritten in its entirety, or just a smaller sub-section is
 	# overwritten, which would be an interesting diagnostic to detect.
 
+@if ((Version::info$major == 2) && (Version::info$minor <= 5))
+	# Use this syntax for Bro v2.5.x and below
 	redef SMB::write_cmd_log	=  T &redef;
+@endif
 	redef SMB::logged_file_actions	+= { SMB::FILE_WRITE, } &redef;
 
 	redef record SMB::FileInfo	+= 
@@ -249,8 +251,19 @@ event smb2_tree_connect_request(c: connection, hdr: SMB2::Header, path: string)
 }
 
 
+@if ((Version::info$major == 2) && (Version::info$minor <= 5))
+
+# Use this syntax for Bro v2.5.x and below
 event smb2_create_request(c: connection, hdr: SMB2::Header, name: string) &priority=3
 {
+
+@else
+
+# Use this syntax for Bro v2.6.x and above
+event smb2_create_request(c: connection, hdr: SMB2::Header, request: SMB2::CreateRequest) &priority=3
+{
+
+@endif
 	# Copied this snippet from Bro default handler:
 	# policy/protocols/smb/smb1-main.bro#smb1_write_andx_request.
 	# It is important to know the full file path at SMB::FILE_OPEN time,

diff --git a/implementations/bzar/main.bro b/implementations/bzar/main.bro
@@ -1,13 +1,24 @@
 #
 # File: main.bro
 # Created: 20180701
-# Updated: 20190225
+# Updated: 20190403
 #
 # Copyright 2018 The MITRE Corporation.  All Rights Reserved.
 # Approved for public release.  Distribution unlimited.  Case number 18-2489.
 #
 
+@if ((Version::info$major == 2) && (Version::info$minor <= 5))
+
+# Use this syntax for Bro v2.5.x and below
 @load policy/protocols/smb
+
+@else
+
+# Use this syntax for Bro v2.6.x and above
+@load base/protocols/smb
+
+@endif
+
 @load base/protocols/dce-rpc
 @load base/frameworks/files
 @load base/frameworks/notice
@@ -193,7 +204,7 @@ event bro_init()
 	# Relevant Indicator(s) Detected by Bro/Zeek:
 	#    (a) dce_rpc_response::c$dce_rpc$endpoint + c$dce_rpc$operation contains 
 	#        any of the following: (see BZAR::rpc_dicsovery set).
-	#
+	# 
 	# Globals (defined in main.bro above):
 	#    bzar3_epoch
 	#    bzar3_limit