From 74bf453d6d3ea3654cff3987681de537d6f7f31d Mon Sep 17 00:00:00 2001
From: Vern Paxson
Date: Sat, 18 May 2024 14:13:52 -0700
Subject: [PATCH] Fix for suppressing SMB logging of previously-logged files

---
 scripts/base/protocols/smb/main.zeek | 8 +++++++-
 .../smb_files.log | 7 -------
 2 files changed, 7 insertions(+), 8 deletions(-)

diff --git a/scripts/base/protocols/smb/main.zeek b/scripts/base/protocols/smb/main.zeek
index 9d37312862..15228c50af 100644
--- a/scripts/base/protocols/smb/main.zeek
+++ b/scripts/base/protocols/smb/main.zeek
@@ -215,12 +215,18 @@ function write_file_log(state: State)
 	# seen files in the SMB::State $recent_files field.
 	if ( f?$times )
 		{
+		# For repeated reads of the same file, the access
+		# time can change, so make a copy of the various times
+		# and zero that one out.
+		local times = copy(f$times);
+		times$accessed_raw = 0;
+		times$accessed = double_to_time(0.0);
 		local file_ident = cat(f$action,
 		                       f?$fuid ? f$fuid : "",
 		                       f?$name ? f$name : "",
 		                       f?$path ? f$path : "",
 		                       f$size,
-		                       f$times);
+		                       times);
 		if ( file_ident in state$recent_files )
 			{
 			# We've already seen this file and don't want to log it again.
diff --git a/testing/btest/Baseline/scripts.base.protocols.smb.smb3-multichannel/smb_files.log b/testing/btest/Baseline/scripts.base.protocols.smb.smb3-multichannel/smb_files.log
index ecd3859941..7ea06dc3a9 100644
--- a/testing/btest/Baseline/scripts.base.protocols.smb.smb3-multichannel/smb_files.log
+++ b/testing/btest/Baseline/scripts.base.protocols.smb.smb3-multichannel/smb_files.log
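Review bot: The dedup key is made to ignore access time by copying the whole `times` record and zeroing two fields, which is more machinery than needed and plants a `double_to_time(0.0)` sentinel in a value that is otherwise never zero; building the key from the fields you actually want keeps the intent visible and drops the `copy()` and the three assignments, e.g. the tail of the `cat()` becomes `f$size, f$times$modified, f$times$created, f$times$changed);` (the `*_raw` fields presumably carry the same instants and add nothing to identity — confirm against the `MACTimes` record type, as those fields are not visible here). Whichever form stays, the comment should state the consequence rather than only the mechanism, because it matters to anyone consuming smb_files.log for detection: repeated opens of an unchanged file within the `recent_files` window now collapse to one entry, so per-open counts cannot be derived from this log, e.g. `# Repeated opens of an otherwise unchanged file within the recent_files window produce a single log entry; only action, file identity, size and the non-access timestamps distinguish files.` The same caveat belongs on the `recent_files` field declaration in `SMB::State`, which is outside this hunk. `write_file_log` begins before and continues past this hunk, so whether the unmodified `f$times` is what gets logged below is inferred from the commit message rather than visible.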
@@ -10,12 +10,10 @@ XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 172.17.0.184 57092 172.17.0.189 445 - SMB::FILE_OPEN \\\\172.17.0.189\\share2 4096 - XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 172.17.0.184 57092 172.17.0.189 445 - SMB::FILE_OPEN \\\\172.17.0.189\\share2 00bfsvc.exe 77824 - XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 172.17.0.184 57092 172.17.0.189 445 - SMB::FILE_OPEN \\\\172.17.0.189\\share2 00bfsvc.enc 0 - XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX -XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 172.17.0.184 57092 172.17.0.189 445 - SMB::FILE_OPEN \\\\172.17.0.189\\share2 00bfsvc.exe 77824 - XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 172.17.0.184 57092 172.17.0.189 445 - SMB::FILE_DELETE \\\\172.17.0.189\\share2 00bfsvc.exe 77824 - XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 172.17.0.184 57092 172.17.0.189 445 - SMB::FILE_OPEN \\\\172.17.0.189\\share2 01bootstat.docx 67584 - XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 172.17.0.184 57092 172.17.0.189 445 - SMB::FILE_OPEN \\\\172.17.0.189\\share2 4096 - XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 172.17.0.184 57092 172.17.0.189 445 - SMB::FILE_OPEN \\\\172.17.0.189\\share2 01bootstat.enc 0 - XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX -XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 172.17.0.184 57092 172.17.0.189 445 - SMB::FILE_OPEN \\\\172.17.0.189\\share2 01bootstat.docx 67584 - XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 172.17.0.184 57092 172.17.0.189 445 - SMB::FILE_DELETE \\\\172.17.0.189\\share2 01bootstat.docx 67584 - 
XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 172.17.0.184 57092 172.17.0.189 445 - SMB::FILE_OPEN \\\\172.17.0.189\\share2 02DtcInstall.doc 1947 - XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 172.17.0.184 57092 172.17.0.189 445 - SMB::FILE_OPEN \\\\172.17.0.189\\share2 02DtcInstall.enc 0 - XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX 
@@ -28,11 +26,9 @@ XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 172.17.0.184 57092 172.17.0.189 445 - SMB::F XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 172.17.0.184 57092 172.17.0.189 445 - SMB::FILE_DELETE \\\\172.17.0.189\\share2 06lsasetup.pdf 1376 - XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 172.17.0.184 57092 172.17.0.189 445 - SMB::FILE_OPEN \\\\172.17.0.189\\share2 07mib.pdf 43131 - XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 172.17.0.184 57092 172.17.0.189 445 - SMB::FILE_OPEN \\\\172.17.0.189\\share2 07mib.enc 0 - XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX -XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 172.17.0.184 57092 172.17.0.189 445 - SMB::FILE_OPEN \\\\172.17.0.189\\share2 07mib.pdf 43131 - XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 172.17.0.184 57092 172.17.0.189 445 - SMB::FILE_DELETE \\\\172.17.0.189\\share2 07mib.pdf 43131 - XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 172.17.0.184 57092 172.17.0.189 445 - SMB::FILE_OPEN \\\\172.17.0.189\\share2 08notepad.exe 202240 - XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 172.17.0.184 57092 172.17.0.189 445 - SMB::FILE_OPEN \\\\172.17.0.189\\share2 08notepad.enc 0 - XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX -XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 172.17.0.184 57092 172.17.0.189 445 - SMB::FILE_OPEN \\\\172.17.0.189\\share2 08notepad.exe 202240 - XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 172.17.0.184 57092 172.17.0.189 445 - SMB::FILE_DELETE \\\\172.17.0.189\\share2 08notepad.exe 202240 - XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 
172.17.0.184 57092 172.17.0.189 445 - SMB::FILE_OPEN \\\\172.17.0.189\\share2 09PFRO.doc 4772 - XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 172.17.0.184 57092 172.17.0.189 445 - SMB::FILE_OPEN \\\\172.17.0.189\\share2 09PFRO.enc 0 - XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX 
@@ -41,17 +37,14 @@ XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 172.17.0.184 57092 172.17.0.189 445 - SMB::F XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 172.17.0.184 57092 172.17.0.189 445 - SMB::FILE_OPEN \\\\172.17.0.189\\share2 10Professional.enc 0 - XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 172.17.0.184 57092 172.17.0.189 445 - SMB::FILE_DELETE \\\\172.17.0.189\\share2 10Professional.docx 30831 - XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 172.17.0.184 57092 172.17.0.189 445 - SMB::FILE_OPEN \\\\172.17.0.189\\share2 11regedit.exe 369664 - XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX -XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 172.17.0.184 57092 172.17.0.189 445 - SMB::FILE_OPEN \\\\172.17.0.189\\share2 11regedit.exe 369664 - XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 172.17.0.184 57092 172.17.0.189 445 - SMB::FILE_DELETE \\\\172.17.0.189\\share2 11regedit.exe 369664 - XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 172.17.0.184 57092 172.17.0.189 445 - SMB::FILE_OPEN \\\\172.17.0.189\\share2 12splwow64.exe 135168 - XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 172.17.0.184 57092 172.17.0.189 445 - SMB::FILE_OPEN \\\\172.17.0.189\\share2 12splwow64.enc 0 - XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX -XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 172.17.0.184 57092 172.17.0.189 445 - SMB::FILE_OPEN \\\\172.17.0.189\\share2 12splwow64.exe 135168 - XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX ClEkJM2Vm5giqnMf4h 172.17.0.184 57093 172.17.0.189 445 - SMB::FILE_OPEN - 13system.pdf 219 - XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX 
CHhAvVGS1DHFjwGM9 172.17.0.184 57092 172.17.0.189 445 - SMB::FILE_OPEN \\\\172.17.0.189\\share2 13system.enc 0 - XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX CtPZjS20MLrsMUOJi2 172.17.0.184 57095 172.17.0.189 445 - SMB::FILE_OPEN - 13system.pdf 219 - XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 172.17.0.184 57092 172.17.0.189 445 - SMB::FILE_OPEN \\\\172.17.0.189\\share2 14twain_32.pdf 65024 - XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX ClEkJM2Vm5giqnMf4h 172.17.0.184 57093 172.17.0.189 445 - SMB::FILE_OPEN - 14twain_32.enc 0 - XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX -XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 172.17.0.184 57092 172.17.0.189 445 - SMB::FILE_OPEN \\\\172.17.0.189\\share2 14twain_32.pdf 65024 - XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 172.17.0.184 57092 172.17.0.189 445 - SMB::FILE_OPEN \\\\172.17.0.189\\share2 4096 - XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX C4J4Th3PJpwUYZZ6gc 172.17.0.184 57094 172.17.0.189 445 - SMB::FILE_OPEN - 00bfsvc.enc 103968 - XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 172.17.0.184 57092 172.17.0.189 445 - SMB::FILE_OPEN \\\\172.17.0.189\\share2 00bfsvc.enc 103968 - XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX