From 015eec8c71a0dc422a2e981d0d90a2d94b1600d1 Mon Sep 17 00:00:00 2001 From: Jeffrey Bencteux Date: Fri, 19 Jan 2018 17:06:37 +0100 Subject: [PATCH] add test for smb1_com_transaction_response event changes --- .../.stdout | 1 + .../Traces/smb/smb1_transaction_response.pcap | Bin 0 -> 1748 bytes .../protocols/smb/smb1-transaction-response.test | 12 ++++++++++++ 3 files changed, 13 insertions(+) create mode 100644 testing/btest/Baseline/scripts.base.protocols.smb.smb1-transaction-response/.stdout create mode 100644 testing/btest/Traces/smb/smb1_transaction_response.pcap create mode 100644 testing/btest/scripts/base/protocols/smb/smb1-transaction-response.test diff --git a/testing/btest/Baseline/scripts.base.protocols.smb.smb1-transaction-response/.stdout b/testing/btest/Baseline/scripts.base.protocols.smb.smb1-transaction-response/.stdout new file mode 100644 index 0000000000..f4d00733bf --- /dev/null +++ b/testing/btest/Baseline/scripts.base.protocols.smb.smb1-transaction-response/.stdout @@ -0,0 +1 @@ +smb1_transaction_response hdr: [command=37, status=0, flags=128, flags2=0, tid=41669, pid=1, uid=17768, mid=2], params: some_params, data: some_data diff --git a/testing/btest/Traces/smb/smb1_transaction_response.pcap b/testing/btest/Traces/smb/smb1_transaction_response.pcap new file mode 100644 index 0000000000000000000000000000000000000000..c28689b76cc478bb2051fdf4d40efdbc31d4ea94 GIT binary patch literal 1748 zcmbVNT}TvB6h1RM{tT;TKJ81}L?#lp>auJgMQgQfTe%JGhF}Xh{(zg=%8sQJ(V_$v z^kC$pLd;VEocoy%r*+>#YXaVZe^jN1TejcC*16t!GbZ7igo2v7oIB&M8d zQtCYQUMA-}emEzmO^9lLAqg>b#UeyEqWRSFOlCB|>Azi*;64sg*ic6NMGU3npD3nD8T-1P&Hi-oef4Y&E~|Vj%2^C_&jxa zZ3*uVS}#BaKs??Yj(AVT!|IVrz>0}cTVDieTti{=F6A#~-tDz`w}6XhRM+&o|g_bD*?KKA~=YK06R=>eos9_wVpN&8SnS_AVyixg^I}X*3Fq&Ty$-EUBj0azmcktzq_7EoBTKo`BDjhcwyQ|_1O6VcL`}+R);B8) VWhWfKDH&fF_PQcfe0Vn@_XoA~=Dh#_ literal 0 HcmV?d00001 
diff --git a/testing/btest/scripts/base/protocols/smb/smb1-transaction-response.test b/testing/btest/scripts/base/protocols/smb/smb1-transaction-response.test
new file mode 100644
index 0000000000..ef00ed3772
--- /dev/null
+++ b/testing/btest/scripts/base/protocols/smb/smb1-transaction-response.test
@@ -0,0 +1,12 @@
+#@TEST-EXEC: bro -b -C -r $TRACES/smb/smb1_transaction_response.pcap %INPUT
+#@TEST-EXEC: btest-diff .stdout
+
+@load base/protocols/smb
+@load policy/protocols/smb
+
+# Check that smb1_transaction_response requests are parsed correctly
+
+event smb1_transaction_response(c: connection, hdr: SMB1::Header, parameters: string, data: string)
+{
+ print fmt("smb1_transaction_response hdr: %s, params: %s, data: %s", hdr, parameters, data);
+}
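Review bot: The comment above the handler says `requests` although the event under test is the response; reword it as `# Check that smb1_transaction_response events carry the parsed parameters and data`. The test also covers only one well-formed response whose parameter and data sections are both non-empty. The counts and offsets that delimit those sections come from the peer, so a second trace with empty or inconsistent lengths would pin the analyzer's behaviour on malformed input; the parser itself is not part of this patch, so this is inferred from the event signature. Printing the lengths too, by adding `|parameters|, |data|` to the `fmt` call, would make a truncated or over-long payload visible in the baseline diff.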