add smb1_transaction_secondary_request event

expose SMB_COM_TRANSACTION_SECONDARY (0x26) message to script
language. See MS-CIFS section 2.2.4.34.1.

scripts/base/init-bare.bro

@@ -2861,6 +2861,25 @@ export {
 	     setup_count: count;
 	};
 
+	type SMB1::Trans_Sec_Args: record {
+	     ## Total parameter count
+	     total_param_count: count;
+	     ## Total data count
+	     total_data_count: count;
+	     ## Parameter count
+	     param_count: count;
+	     ## Parameter offset
+	     param_offset: count;
+	     ## Parameter displacement
+	     param_displacement: count;
+	     ## Data count
+	     data_count: count;
+	     ## Data offset
+	     data_offset: count;
+	     ## Data displacement
+	     data_displacement: count;
+	};
+
 	type SMB1::Find_First2_Request_Args: record {
 		## File attributes to apply as a constraint to the search
 		search_attrs		: count;

src/analyzer/protocol/smb/CMakeLists.txt

@@ -18,6 +18,7 @@ bro_plugin_bif(
 	smb1_com_read_andx.bif
 	smb1_com_session_setup_andx.bif
 	smb1_com_transaction.bif
+	smb1_com_transaction_secondary.bif
 	smb1_com_transaction2.bif
 	smb1_com_tree_connect_andx.bif
 	smb1_com_tree_disconnect.bif

src/analyzer/protocol/smb/smb.pac

@@ -24,6 +24,7 @@
 #include "smb1_com_read_andx.bif.h"
 #include "smb1_com_session_setup_andx.bif.h"
 #include "smb1_com_transaction.bif.h"
+#include "smb1_com_transaction_secondary.bif.h"
 #include "smb1_com_transaction2.bif.h"
 #include "smb1_com_tree_connect_andx.bif.h"
 #include "smb1_com_tree_disconnect.bif.h"

src/analyzer/protocol/smb/smb1-com-transaction-secondary.pac

@@ -1,3 +1,66 @@
+refine connection SMB_Conn += {
+
+       function proc_smb1_transaction_secondary_request(header: SMB_Header, val: SMB1_transaction_secondary_request): bool
+       %{
+	RecordVal* args = new RecordVal(BifType::Record::SMB1::Trans_Sec_Args);
+	args->Assign(0, new Val(${val.total_param_count}, TYPE_COUNT));
+	args->Assign(1, new Val(${val.total_data_count}, TYPE_COUNT));
+	args->Assign(2, new Val(${val.param_count}, TYPE_COUNT));
+	args->Assign(3, new Val(${val.param_offset}, TYPE_COUNT));
+	args->Assign(4, new Val(${val.param_displacement}, TYPE_COUNT));
+	args->Assign(5, new Val(${val.data_count}, TYPE_COUNT));
+	args->Assign(6, new Val(${val.data_offset}, TYPE_COUNT));
+	args->Assign(7, new Val(${val.data_displacement}, TYPE_COUNT));
+
+	StringVal *parameters = new StringVal(${val.param_count}, (const char*)${val.parameters}.data());
+	StringVal *payload_str = nullptr;
+	SMB1_transaction_data *payload = nullptr;
+
+	if ( !parameters )
+	{
+		parameters = new StringVal("");
+	}
+
+	if ( ${val.data_count > 0} )
+	{
+		payload = ${val.data};
+	}
+
+	if ( payload )
+	{
+		switch ( payload->trans_type() )
+		{
+		case SMB_PIPE:
+			payload_str = new StringVal(${val.data_count}, (const char*)${val.data.pipe_data}.data());
+			break;
+		case SMB_UNKNOWN:
+			payload_str = new StringVal(${val.data_count}, (const char*)${val.data.unknown}.data());
+			break;
+		default:
+			payload_str = new StringVal(${val.data_count}, (const char*)${val.data.data}.data());
+			break;
+		}
+	}
+
+	if ( !payload_str )
+	{
+		payload_str = new StringVal("");
+	}
+
+	if ( smb1_transaction_secondary_request )
+	{
+		BifEvent::generate_smb1_transaction_secondary_request(bro_analyzer(),
+								      bro_analyzer()->Conn(),
+								      BuildHeaderVal(header),
+								      args,
+								      parameters,
+								      payload_str);
+	}
+
+	return true;
+       %}
+};
+
 type SMB1_transaction_secondary_request(header: SMB_Header) = record {
 	word_count          : uint8;
 	total_param_count   : uint16;
@@ -14,4 +77,6 @@ type SMB1_transaction_secondary_request(header: SMB_Header) = record {
 	parameters          : bytestring &length = param_count;
 	pad2                : padding to data_offset - SMB_Header_length;
 	data                : SMB1_transaction_data(header, true, data_count, 0, SMB_UNKNOWN, false);
+} &let {
+  proc : bool = $context.connection.proc_smb1_transaction_secondary_request(header, this);
 };

src/analyzer/protocol/smb/smb1-protocol.pac

@@ -170,7 +170,7 @@ type SMB_Message_Request(header: SMB_Header, offset: uint16, command: uint8, is_
 #	#SMB_COM_QUERY_INFORMATION2       -> query_information2     : SMB_query_information2_request(header);
 	SMB_COM_LOCKING_ANDX             -> locking_andx           : SMB1_locking_andx_request(header, offset);
 	SMB_COM_TRANSACTION              -> transaction            : SMB1_transaction_request(header);
-#	SMB_COM_TRANSACTION_SECONDARY    -> transaction_secondary  : SMB1_transaction_secondary_request(header);
+	SMB_COM_TRANSACTION_SECONDARY     -> transaction_secondary  : SMB1_transaction_secondary_request(header);
 #	#SMB_COM_IOCTL                    -> ioctl                  : SMB_ioctl_request(header);
 #	#SMB_COM_IOCTL_SECONDARY          -> ioctl_secondary        : SMB_ioctl_secondary_request(header);
 #	#SMB_COM_COPY                     -> copy                   : SMB_copy_request(header);

src/analyzer/protocol/smb/smb1_com_transaction_secondary.bif

@@ -0,0 +1,19 @@
+## Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
+## version 1 requests of type *transaction_secondary*. This command
+## serves as an additional request data container for the
+## Transaction Subprotocol Commands (carried by *transaction* requests).
+##
+## For more information, see MS-CIFS:2.2.4.34
+##
+## c: The connection.
+##
+## hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 1 message.
+##
+## parameters: the SMB_Data.Trans_Parameters field content
+##
+## data: the SMB_Data.Trans_Data field content
+##
+event smb1_transaction_secondary_request%(c: connection, hdr: SMB1::Header, args: SMB1::Trans_Sec_Args, parameters: string, data: string%);
+
+## Types
+type SMB1::Trans_Sec_Args: record;