mirror of
https://github.com/zeek/zeek.git
synced 2025-10-02 14:48:21 +00:00
Merge remote-tracking branch 'origin/topic/vlad/gh-1286'
Merge adjustments: - Rewrote the check for error response as a switch statement to fix compiler warning about signed/unsigned comparison and also to just simplify/clarify the logic. - Changed the btest to use `zeek -b`. * origin/topic/vlad/gh-1286: Add tests for new SMB3 multichannel support Fix SMB2 response status parsing. Fixes #1286
This commit is contained in:
Jon Siwek
commit
0b8535b879
6 changed files with 146 additions and 9 deletions
6
CHANGES
6
CHANGES
|
|
@ -1,4 +1,10 @@
|
||||||
|
|
||||||
|
3.3.0-dev.629 | 2020-12-07 16:03:25 -0800
|
||||||
|
|
||||||
|
* Add tests for new SMB3 multichannel support (Vlad Grigorescu)
|
||||||
|
|
||||||
|
* Fix SMB2 response status parsing. Fixes #1286 (Vlad Grigorescu)
|
||||||
|
|
||||||
3.3.0-dev.624 | 2020-12-07 18:17:34 +0000
|
3.3.0-dev.624 | 2020-12-07 18:17:34 +0000
|
||||||
|
|
||||||
* Switch test baselines to canonified baselines
|
* Switch test baselines to canonified baselines
|
||||||
|
|
|
||||||
2
VERSION
2
VERSION
|
|
@ -1 +1 @@
|
||||||
3.3.0-dev.624
|
3.3.0-dev.629
|
||||||
|
|
|
||||||
|
|
@ -162,14 +162,9 @@ enum smb2_share_types {
|
||||||
|
|
||||||
type SMB2_PDU(is_orig: bool) = record {
|
type SMB2_PDU(is_orig: bool) = record {
|
||||||
header : SMB2_Header(is_orig);
|
header : SMB2_Header(is_orig);
|
||||||
message : case header.status of {
|
message : case $context.connection.is_error_response(header, is_orig) of {
|
||||||
# Status 0 indicates success. In the case of a
|
true -> err : SMB2_error_response(header);
|
||||||
# request this should just happen to work out due to
|
false -> msg : SMB2_Message(header, is_orig);
|
||||||
# how the fields are set.
|
|
||||||
0 -> msg : SMB2_Message(header, is_orig);
|
|
||||||
STATUS_BUFFER_OVERFLOW -> buffer_overflow : SMB2_Message(header, is_orig);
|
|
||||||
STATUS_MORE_PROCESSING_REQUIRED -> more_processing_required : SMB2_Message(header, is_orig);
|
|
||||||
default -> err : SMB2_error_response(header);
|
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
|
|
@ -266,6 +261,52 @@ refine connection SMB_Conn += {
|
||||||
|
|
||||||
return it->second;
|
return it->second;
|
||||||
%}
|
%}
|
||||||
|
|
||||||
|
function is_error_response(header: SMB2_Header, is_orig: bool): bool
|
||||||
|
%{
|
||||||
|
// In an request, we ignore this field. Relevant documentation is
|
||||||
|
// at [MS-SMB2] 2.2.1.1 SMB2 Packet Header
|
||||||
|
|
||||||
|
// For SMB 3.x, it's the ChannelSequence field, followed by
|
||||||
|
// the reserved field. In older dialects, the client MUST set
|
||||||
|
// it to 0, and the server MUST ignore it.
|
||||||
|
|
||||||
|
// I don't believe that we care about the ChannelSequence,
|
||||||
|
// since that seems inconsequential to our parsing.
|
||||||
|
|
||||||
|
if ( is_orig )
|
||||||
|
return false;
|
||||||
|
|
||||||
|
// In a response, this is parsed as the status of the request.
|
||||||
|
|
||||||
|
// Non-zero USUALLY means an error, except for the specific cases detailed in
|
||||||
|
// [MS-SMB2] 3.3.4.4 Sending an Error Response
|
||||||
|
|
||||||
|
switch ( ${header.status} ) {
|
||||||
|
case 0:
|
||||||
|
// No error.
|
||||||
|
return false;
|
||||||
|
case STATUS_BUFFER_OVERFLOW:
|
||||||
|
// SMB2_IOCTL is a bit loose, as it's only acceptable if the IOCTL
|
||||||
|
// CtlCode is {FSCTL_PIPE_TRANSCEIVE, FSCTL_PIPE_PEEK, or
|
||||||
|
// FSCTL_DFS_GETREFERRALS}, but we haven't parsed that yet.
|
||||||
|
return ( ${header.command} != SMB2_IOCTL &&
|
||||||
|
${header.command} != SMB2_QUERY_INFO &&
|
||||||
|
${header.command} != SMB2_READ );
|
||||||
|
case STATUS_INVALID_PARAMETER:
|
||||||
|
// This is a bit loose, as it's only acceptable if the IOCTL
|
||||||
|
// CtlCode is {FSCTL_SRV_COPYCHUNK or
|
||||||
|
// FSCTL_SRV_COPYCHUNK_WRITE}, but we haven't parsed that yet.
|
||||||
|
return ${header.command} != SMB2_IOCTL;
|
||||||
|
case STATUS_MORE_PROCESSING_REQUIRED:
|
||||||
|
// Return true (is_error) if it does NOT match this command
|
||||||
|
return ${header.command} != SMB2_SESSION_SETUP;
|
||||||
|
case STATUS_NOTIFY_ENUM_DIR:
|
||||||
|
return ${header.command} != SMB2_CHANGE_NOTIFY;
|
||||||
|
default:
|
||||||
|
return true;
|
||||||
|
}
|
||||||
|
%}
|
||||||
};
|
};
|
||||||
|
|
||||||
type SMB2_file_attributes = record {
|
type SMB2_file_attributes = record {
|
||||||
|
|
|
||||||
|
|
@ -0,0 +1,82 @@
|
||||||
|
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
|
||||||
|
#separator \x09
|
||||||
|
#set_separator ,
|
||||||
|
#empty_field (empty)
|
||||||
|
#unset_field -
|
||||||
|
#path smb_files
|
||||||
|
#open XXXX-XX-XX-XX-XX-XX
|
||||||
|
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p fuid action path name size prev_name times.modified times.accessed times.created times.changed
|
||||||
|
#types time string addr port addr port string enum string string count string time time time time
|
||||||
|
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 172.17.0.184 57092 172.17.0.189 445 - SMB::FILE_OPEN \\\\172.17.0.189\\share2 <share_root> 4096 - XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX
|
||||||
|
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 172.17.0.184 57092 172.17.0.189 445 - SMB::FILE_OPEN \\\\172.17.0.189\\share2 00bfsvc.exe 77824 - XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX
|
||||||
|
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 172.17.0.184 57092 172.17.0.189 445 - SMB::FILE_OPEN \\\\172.17.0.189\\share2 00bfsvc.enc 0 - XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX
|
||||||
|
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 172.17.0.184 57092 172.17.0.189 445 - SMB::FILE_OPEN \\\\172.17.0.189\\share2 00bfsvc.exe 77824 - XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX
|
||||||
|
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 172.17.0.184 57092 172.17.0.189 445 - SMB::FILE_DELETE \\\\172.17.0.189\\share2 00bfsvc.exe 77824 - XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX
|
||||||
|
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 172.17.0.184 57092 172.17.0.189 445 - SMB::FILE_OPEN \\\\172.17.0.189\\share2 01bootstat.docx 67584 - XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX
|
||||||
|
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 172.17.0.184 57092 172.17.0.189 445 - SMB::FILE_OPEN \\\\172.17.0.189\\share2 <share_root> 4096 - XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX
|
||||||
|
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 172.17.0.184 57092 172.17.0.189 445 - SMB::FILE_OPEN \\\\172.17.0.189\\share2 01bootstat.enc 0 - XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX
|
||||||
|
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 172.17.0.184 57092 172.17.0.189 445 - SMB::FILE_OPEN \\\\172.17.0.189\\share2 01bootstat.docx 67584 - XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX
|
||||||
|
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 172.17.0.184 57092 172.17.0.189 445 - SMB::FILE_DELETE \\\\172.17.0.189\\share2 01bootstat.docx 67584 - XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX
|
||||||
|
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 172.17.0.184 57092 172.17.0.189 445 - SMB::FILE_OPEN \\\\172.17.0.189\\share2 02DtcInstall.doc 1947 - XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX
|
||||||
|
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 172.17.0.184 57092 172.17.0.189 445 - SMB::FILE_OPEN \\\\172.17.0.189\\share2 02DtcInstall.enc 0 - XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX
|
||||||
|
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 172.17.0.184 57092 172.17.0.189 445 - SMB::FILE_DELETE \\\\172.17.0.189\\share2 02DtcInstall.doc 1947 - XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX
|
||||||
|
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 172.17.0.184 57092 172.17.0.189 445 - SMB::FILE_OPEN \\\\172.17.0.189\\share2 05hh.exe 18432 - XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX
|
||||||
|
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 172.17.0.184 57092 172.17.0.189 445 - SMB::FILE_OPEN \\\\172.17.0.189\\share2 05hh.enc 0 - XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX
|
||||||
|
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 172.17.0.184 57092 172.17.0.189 445 - SMB::FILE_DELETE \\\\172.17.0.189\\share2 05hh.exe 18432 - XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX
|
||||||
|
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 172.17.0.184 57092 172.17.0.189 445 - SMB::FILE_OPEN \\\\172.17.0.189\\share2 06lsasetup.pdf 1376 - XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX
|
||||||
|
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 172.17.0.184 57092 172.17.0.189 445 - SMB::FILE_OPEN \\\\172.17.0.189\\share2 06lsasetup.enc 0 - XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX
|
||||||
|
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 172.17.0.184 57092 172.17.0.189 445 - SMB::FILE_DELETE \\\\172.17.0.189\\share2 06lsasetup.pdf 1376 - XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX
|
||||||
|
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 172.17.0.184 57092 172.17.0.189 445 - SMB::FILE_OPEN \\\\172.17.0.189\\share2 07mib.pdf 43131 - XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX
|
||||||
|
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 172.17.0.184 57092 172.17.0.189 445 - SMB::FILE_OPEN \\\\172.17.0.189\\share2 07mib.enc 0 - XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX
|
||||||
|
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 172.17.0.184 57092 172.17.0.189 445 - SMB::FILE_OPEN \\\\172.17.0.189\\share2 07mib.pdf 43131 - XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX
|
||||||
|
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 172.17.0.184 57092 172.17.0.189 445 - SMB::FILE_DELETE \\\\172.17.0.189\\share2 07mib.pdf 43131 - XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX
|
||||||
|
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 172.17.0.184 57092 172.17.0.189 445 - SMB::FILE_OPEN \\\\172.17.0.189\\share2 08notepad.exe 202240 - XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX
|
||||||
|
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 172.17.0.184 57092 172.17.0.189 445 - SMB::FILE_OPEN \\\\172.17.0.189\\share2 08notepad.enc 0 - XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX
|
||||||
|
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 172.17.0.184 57092 172.17.0.189 445 - SMB::FILE_OPEN \\\\172.17.0.189\\share2 08notepad.exe 202240 - XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX
|
||||||
|
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 172.17.0.184 57092 172.17.0.189 445 - SMB::FILE_DELETE \\\\172.17.0.189\\share2 08notepad.exe 202240 - XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX
|
||||||
|
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 172.17.0.184 57092 172.17.0.189 445 - SMB::FILE_OPEN \\\\172.17.0.189\\share2 09PFRO.doc 4772 - XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX
|
||||||
|
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 172.17.0.184 57092 172.17.0.189 445 - SMB::FILE_OPEN \\\\172.17.0.189\\share2 09PFRO.enc 0 - XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX
|
||||||
|
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 172.17.0.184 57092 172.17.0.189 445 - SMB::FILE_DELETE \\\\172.17.0.189\\share2 09PFRO.doc 4772 - XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX
|
||||||
|
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 172.17.0.184 57092 172.17.0.189 445 - SMB::FILE_OPEN \\\\172.17.0.189\\share2 10Professional.docx 30831 - XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX
|
||||||
|
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 172.17.0.184 57092 172.17.0.189 445 - SMB::FILE_OPEN \\\\172.17.0.189\\share2 10Professional.enc 0 - XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX
|
||||||
|
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 172.17.0.184 57092 172.17.0.189 445 - SMB::FILE_DELETE \\\\172.17.0.189\\share2 10Professional.docx 30831 - XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX
|
||||||
|
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 172.17.0.184 57092 172.17.0.189 445 - SMB::FILE_OPEN \\\\172.17.0.189\\share2 11regedit.exe 369664 - XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX
|
||||||
|
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 172.17.0.184 57092 172.17.0.189 445 - SMB::FILE_OPEN \\\\172.17.0.189\\share2 11regedit.exe 369664 - XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX
|
||||||
|
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 172.17.0.184 57092 172.17.0.189 445 - SMB::FILE_DELETE \\\\172.17.0.189\\share2 11regedit.exe 369664 - XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX
|
||||||
|
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 172.17.0.184 57092 172.17.0.189 445 - SMB::FILE_OPEN \\\\172.17.0.189\\share2 12splwow64.exe 135168 - XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX
|
||||||
|
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 172.17.0.184 57092 172.17.0.189 445 - SMB::FILE_OPEN \\\\172.17.0.189\\share2 12splwow64.enc 0 - XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX
|
||||||
|
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 172.17.0.184 57092 172.17.0.189 445 - SMB::FILE_OPEN \\\\172.17.0.189\\share2 12splwow64.exe 135168 - XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX
|
||||||
|
XXXXXXXXXX.XXXXXX ClEkJM2Vm5giqnMf4h 172.17.0.184 57093 172.17.0.189 445 - SMB::FILE_OPEN - 13system.pdf 219 - XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX
|
||||||
|
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 172.17.0.184 57092 172.17.0.189 445 - SMB::FILE_OPEN \\\\172.17.0.189\\share2 13system.enc 0 - XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX
|
||||||
|
XXXXXXXXXX.XXXXXX CtPZjS20MLrsMUOJi2 172.17.0.184 57095 172.17.0.189 445 - SMB::FILE_OPEN - 13system.pdf 219 - XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX
|
||||||
|
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 172.17.0.184 57092 172.17.0.189 445 - SMB::FILE_OPEN \\\\172.17.0.189\\share2 14twain_32.pdf 65024 - XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX
|
||||||
|
XXXXXXXXXX.XXXXXX ClEkJM2Vm5giqnMf4h 172.17.0.184 57093 172.17.0.189 445 - SMB::FILE_OPEN - 14twain_32.enc 0 - XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX
|
||||||
|
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 172.17.0.184 57092 172.17.0.189 445 - SMB::FILE_OPEN \\\\172.17.0.189\\share2 14twain_32.pdf 65024 - XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX
|
||||||
|
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 172.17.0.184 57092 172.17.0.189 445 - SMB::FILE_OPEN \\\\172.17.0.189\\share2 <share_root> 4096 - XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX
|
||||||
|
XXXXXXXXXX.XXXXXX C4J4Th3PJpwUYZZ6gc 172.17.0.184 57094 172.17.0.189 445 - SMB::FILE_OPEN - 00bfsvc.enc 103968 - XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX
|
||||||
|
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 172.17.0.184 57092 172.17.0.189 445 - SMB::FILE_OPEN \\\\172.17.0.189\\share2 00bfsvc.enc 103968 - XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX
|
||||||
|
XXXXXXXXXX.XXXXXX C4J4Th3PJpwUYZZ6gc 172.17.0.184 57094 172.17.0.189 445 - SMB::FILE_OPEN - 01bootstat.enc 90288 - XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX
|
||||||
|
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 172.17.0.184 57092 172.17.0.189 445 - SMB::FILE_OPEN \\\\172.17.0.189\\share2 01bootstat.enc 90288 - XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX
|
||||||
|
XXXXXXXXXX.XXXXXX C4J4Th3PJpwUYZZ6gc 172.17.0.184 57094 172.17.0.189 445 - SMB::FILE_OPEN - 02DtcInstall.enc 2736 - XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX
|
||||||
|
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 172.17.0.184 57092 172.17.0.189 445 - SMB::FILE_OPEN \\\\172.17.0.189\\share2 02DtcInstall.enc 2736 - XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX
|
||||||
|
XXXXXXXXXX.XXXXXX C4J4Th3PJpwUYZZ6gc 172.17.0.184 57094 172.17.0.189 445 - SMB::FILE_OPEN - 05hh.enc 24624 - XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX
|
||||||
|
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 172.17.0.184 57092 172.17.0.189 445 - SMB::FILE_OPEN \\\\172.17.0.189\\share2 05hh.enc 24624 - XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX
|
||||||
|
XXXXXXXXXX.XXXXXX C4J4Th3PJpwUYZZ6gc 172.17.0.184 57094 172.17.0.189 445 - SMB::FILE_OPEN - 06lsasetup.enc 2736 - XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX
|
||||||
|
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 172.17.0.184 57092 172.17.0.189 445 - SMB::FILE_OPEN \\\\172.17.0.189\\share2 06lsasetup.enc 2736 - XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX
|
||||||
|
XXXXXXXXXX.XXXXXX C4J4Th3PJpwUYZZ6gc 172.17.0.184 57094 172.17.0.189 445 - SMB::FILE_OPEN - 07mib.enc 58824 - XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX
|
||||||
|
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 172.17.0.184 57092 172.17.0.189 445 - SMB::FILE_OPEN \\\\172.17.0.189\\share2 07mib.enc 58824 - XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX
|
||||||
|
XXXXXXXXXX.XXXXXX C4J4Th3PJpwUYZZ6gc 172.17.0.184 57094 172.17.0.189 445 - SMB::FILE_OPEN - 08notepad.enc 270864 - XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX
|
||||||
|
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 172.17.0.184 57092 172.17.0.189 445 - SMB::FILE_OPEN \\\\172.17.0.189\\share2 08notepad.enc 270864 - XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX
|
||||||
|
XXXXXXXXXX.XXXXXX C4J4Th3PJpwUYZZ6gc 172.17.0.184 57094 172.17.0.189 445 - SMB::FILE_OPEN - 09PFRO.enc 6840 - XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX
|
||||||
|
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 172.17.0.184 57092 172.17.0.189 445 - SMB::FILE_OPEN \\\\172.17.0.189\\share2 09PFRO.enc 6840 - XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX
|
||||||
|
XXXXXXXXXX.XXXXXX C4J4Th3PJpwUYZZ6gc 172.17.0.184 57094 172.17.0.189 445 - SMB::FILE_OPEN - 10Professional.enc 42408 - XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX
|
||||||
|
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 172.17.0.184 57092 172.17.0.189 445 - SMB::FILE_OPEN \\\\172.17.0.189\\share2 10Professional.enc 42408 - XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX
|
||||||
|
XXXXXXXXXX.XXXXXX C4J4Th3PJpwUYZZ6gc 172.17.0.184 57094 172.17.0.189 445 - SMB::FILE_OPEN - 11regedit.enc 493848 - XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX
|
||||||
|
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 172.17.0.184 57092 172.17.0.189 445 - SMB::FILE_OPEN \\\\172.17.0.189\\share2 11regedit.enc 493848 - XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX
|
||||||
|
XXXXXXXXXX.XXXXXX C4J4Th3PJpwUYZZ6gc 172.17.0.184 57094 172.17.0.189 445 - SMB::FILE_OPEN - 12splwow64.enc 180576 - XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX
|
||||||
|
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 172.17.0.184 57092 172.17.0.189 445 - SMB::FILE_OPEN \\\\172.17.0.189\\share2 12splwow64.enc 180576 - XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX
|
||||||
|
XXXXXXXXXX.XXXXXX C4J4Th3PJpwUYZZ6gc 172.17.0.184 57094 172.17.0.189 445 - SMB::FILE_OPEN - 13system.enc 1368 - XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX
|
||||||
|
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 172.17.0.184 57092 172.17.0.189 445 - SMB::FILE_OPEN \\\\172.17.0.189\\share2 13system.enc 1368 - XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX
|
||||||
|
XXXXXXXXXX.XXXXXX C4J4Th3PJpwUYZZ6gc 172.17.0.184 57094 172.17.0.189 445 - SMB::FILE_OPEN - 14twain_32.enc 87552 - XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX
|
||||||
|
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 172.17.0.184 57092 172.17.0.189 445 - SMB::FILE_OPEN \\\\172.17.0.189\\share2 14twain_32.enc 87552 - XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX
|
||||||
|
#close XXXX-XX-XX-XX-XX-XX
|
||||||
BIN
testing/btest/Traces/smb/smb3_multichannel.pcap
Normal file
BIN
testing/btest/Traces/smb/smb3_multichannel.pcap
Normal file
Binary file not shown.
|
|
@ -0,0 +1,8 @@
|
||||||
|
# @TEST-EXEC: zeek -b -r $TRACES/smb/smb3_multichannel.pcap %INPUT
|
||||||
|
# @TEST-EXEC: btest-diff smb_files.log
|
||||||
|
# @TEST-EXEC: test ! -f dpd.log
|
||||||
|
# @TEST-EXEC: test ! -f weird.log
|
||||||
|
|
||||||
|
@load base/protocols/smb
|
||||||
|
|
||||||
|
|
||||||
Loading…
Add table
Add a link
Reference in a new issue