Merge remote-tracking branch 'origin/topic/vlad/gh-1286'

Merge adjustments: - Rewrote the check for error response as a switch statement to fix compiler warning about signed/unsigned comparison and also to just simplify/clarify the logic. - Changed the btest to use `zeek -b`. * origin/topic/vlad/gh-1286: Add tests for new SMB3 multichannel support Fix SMB2 response status parsing. Fixes #1286
2025-10-02 14:48:21 +00:00 · 2020-12-07 16:03:25 -08:00 · 2020-12-07 16:03:25 -08:00 · 0b8535b879
commit 0b8535b879
parent bb928f0a30 f30ca69402
6 changed files with 146 additions and 9 deletions
--- a/6
+++ b/6
@ -1,4 +1,10 @@

+3.3.0-dev.629 | 2020-12-07 16:03:25 -0800
+
+  * Add tests for new SMB3 multichannel support (Vlad Grigorescu)
+
+  * Fix SMB2 response status parsing. Fixes #1286 (Vlad Grigorescu)
+
 3.3.0-dev.624 | 2020-12-07 18:17:34 +0000

  * Switch test baselines to canonified baselines
--- a/2
+++ b/2
@ -1 +1 @@
-3.3.0-dev.624
+3.3.0-dev.629
--- a/src/analyzer/protocol/smb/smb2-protocol.pac
+++ b/src/analyzer/protocol/smb/smb2-protocol.pac
@ -162,14 +162,9 @@ enum smb2_share_types {

 type SMB2_PDU(is_orig: bool) = record {
 	header     : SMB2_Header(is_orig);
-	message    : case header.status of {
-		# Status 0 indicates success.  In the case of a
-		# request this should just happen to work out due to
-		# how the fields are set.
-		0                               -> msg                      : SMB2_Message(header, is_orig);
-		STATUS_BUFFER_OVERFLOW          -> buffer_overflow          : SMB2_Message(header, is_orig);
-		STATUS_MORE_PROCESSING_REQUIRED -> more_processing_required : SMB2_Message(header, is_orig);
-		default                         -> err                      : SMB2_error_response(header);
+	message    : case $context.connection.is_error_response(header, is_orig) of {
+		true  -> err : SMB2_error_response(header);
+		false -> msg : SMB2_Message(header, is_orig);
 	};
 };

@ -266,6 +261,52 @@ refine connection SMB_Conn += {

 		return it->second;
 		%}
+
+	function is_error_response(header: SMB2_Header, is_orig: bool): bool
+		%{
+		// In an request, we ignore this field. Relevant documentation is
+		// at [MS-SMB2] 2.2.1.1 SMB2 Packet Header
+
+		// For SMB 3.x, it's the ChannelSequence field, followed by
+		// the reserved field. In older dialects, the client MUST set
+		// it to 0, and the server MUST ignore it.
+
+		// I don't believe that we care about the ChannelSequence,
+		// since that seems inconsequential to our parsing.
+
+		if ( is_orig )
+			return false;
+
+		// In a response, this is parsed as the status of the request.
+
+		// Non-zero USUALLY means an error, except for the specific cases detailed in
+		// [MS-SMB2] 3.3.4.4 Sending an Error Response
+
+		switch ( ${header.status} ) {
+		case 0:
+			// No error.
+			return false;
+		case STATUS_BUFFER_OVERFLOW:
+			// SMB2_IOCTL is a bit loose, as it's only acceptable if the IOCTL
+			// CtlCode is {FSCTL_PIPE_TRANSCEIVE, FSCTL_PIPE_PEEK, or
+			// FSCTL_DFS_GETREFERRALS}, but we haven't parsed that yet.
+			return ( ${header.command} != SMB2_IOCTL &&
+			         ${header.command} != SMB2_QUERY_INFO &&
+			         ${header.command} != SMB2_READ );
+		case STATUS_INVALID_PARAMETER:
+			// This is a bit loose, as it's only acceptable if the IOCTL
+			// CtlCode is {FSCTL_SRV_COPYCHUNK or
+			// FSCTL_SRV_COPYCHUNK_WRITE}, but we haven't parsed that yet.
+			return ${header.command} != SMB2_IOCTL;
+		case STATUS_MORE_PROCESSING_REQUIRED:
+			// Return true (is_error) if it does NOT match this command
+			return ${header.command} != SMB2_SESSION_SETUP;
+		case STATUS_NOTIFY_ENUM_DIR:
+			return ${header.command} != SMB2_CHANGE_NOTIFY;
+		default:
+			return true;
+		}
+		%}
 };

 type SMB2_file_attributes = record {
--- a/testing/btest/Baseline/scripts.base.protocols.smb.smb3-multichannel/smb_files.log
+++ b/testing/btest/Baseline/scripts.base.protocols.smb.smb3-multichannel/smb_files.log
@ -0,0 +1,82 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	smb_files
+#open XXXX-XX-XX-XX-XX-XX
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	fuid	action	path	name	size	prev_name	times.modified	times.accessed	times.created	times.changed
+#types	time	string	addr	port	addr	port	string	enum	string	string	count	string	time	time	time	time
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	172.17.0.184	57092	172.17.0.189	445	-	SMB::FILE_OPEN	\\\\172.17.0.189\\share2	<share_root>	4096	-	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	172.17.0.184	57092	172.17.0.189	445	-	SMB::FILE_OPEN	\\\\172.17.0.189\\share2	00bfsvc.exe	77824	-	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	172.17.0.184	57092	172.17.0.189	445	-	SMB::FILE_OPEN	\\\\172.17.0.189\\share2	00bfsvc.enc	0	-	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	172.17.0.184	57092	172.17.0.189	445	-	SMB::FILE_OPEN	\\\\172.17.0.189\\share2	00bfsvc.exe	77824	-	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	172.17.0.184	57092	172.17.0.189	445	-	SMB::FILE_DELETE	\\\\172.17.0.189\\share2	00bfsvc.exe	77824	-	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	172.17.0.184	57092	172.17.0.189	445	-	SMB::FILE_OPEN	\\\\172.17.0.189\\share2	01bootstat.docx	67584	-	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	172.17.0.184	57092	172.17.0.189	445	-	SMB::FILE_OPEN	\\\\172.17.0.189\\share2	<share_root>	4096	-	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	172.17.0.184	57092	172.17.0.189	445	-	SMB::FILE_OPEN	\\\\172.17.0.189\\share2	01bootstat.enc	0	-	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	172.17.0.184	57092	172.17.0.189	445	-	SMB::FILE_OPEN	\\\\172.17.0.189\\share2	01bootstat.docx	67584	-	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	172.17.0.184	57092	172.17.0.189	445	-	SMB::FILE_DELETE	\\\\172.17.0.189\\share2	01bootstat.docx	67584	-	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	172.17.0.184	57092	172.17.0.189	445	-	SMB::FILE_OPEN	\\\\172.17.0.189\\share2	02DtcInstall.doc	1947	-	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	172.17.0.184	57092	172.17.0.189	445	-	SMB::FILE_OPEN	\\\\172.17.0.189\\share2	02DtcInstall.enc	0	-	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	172.17.0.184	57092	172.17.0.189	445	-	SMB::FILE_DELETE	\\\\172.17.0.189\\share2	02DtcInstall.doc	1947	-	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	172.17.0.184	57092	172.17.0.189	445	-	SMB::FILE_OPEN	\\\\172.17.0.189\\share2	05hh.exe	18432	-	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	172.17.0.184	57092	172.17.0.189	445	-	SMB::FILE_OPEN	\\\\172.17.0.189\\share2	05hh.enc	0	-	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	172.17.0.184	57092	172.17.0.189	445	-	SMB::FILE_DELETE	\\\\172.17.0.189\\share2	05hh.exe	18432	-	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	172.17.0.184	57092	172.17.0.189	445	-	SMB::FILE_OPEN	\\\\172.17.0.189\\share2	06lsasetup.pdf	1376	-	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	172.17.0.184	57092	172.17.0.189	445	-	SMB::FILE_OPEN	\\\\172.17.0.189\\share2	06lsasetup.enc	0	-	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	172.17.0.184	57092	172.17.0.189	445	-	SMB::FILE_DELETE	\\\\172.17.0.189\\share2	06lsasetup.pdf	1376	-	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	172.17.0.184	57092	172.17.0.189	445	-	SMB::FILE_OPEN	\\\\172.17.0.189\\share2	07mib.pdf	43131	-	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	172.17.0.184	57092	172.17.0.189	445	-	SMB::FILE_OPEN	\\\\172.17.0.189\\share2	07mib.enc	0	-	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	172.17.0.184	57092	172.17.0.189	445	-	SMB::FILE_OPEN	\\\\172.17.0.189\\share2	07mib.pdf	43131	-	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	172.17.0.184	57092	172.17.0.189	445	-	SMB::FILE_DELETE	\\\\172.17.0.189\\share2	07mib.pdf	43131	-	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	172.17.0.184	57092	172.17.0.189	445	-	SMB::FILE_OPEN	\\\\172.17.0.189\\share2	08notepad.exe	202240	-	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	172.17.0.184	57092	172.17.0.189	445	-	SMB::FILE_OPEN	\\\\172.17.0.189\\share2	08notepad.enc	0	-	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	172.17.0.184	57092	172.17.0.189	445	-	SMB::FILE_OPEN	\\\\172.17.0.189\\share2	08notepad.exe	202240	-	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	172.17.0.184	57092	172.17.0.189	445	-	SMB::FILE_DELETE	\\\\172.17.0.189\\share2	08notepad.exe	202240	-	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	172.17.0.184	57092	172.17.0.189	445	-	SMB::FILE_OPEN	\\\\172.17.0.189\\share2	09PFRO.doc	4772	-	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	172.17.0.184	57092	172.17.0.189	445	-	SMB::FILE_OPEN	\\\\172.17.0.189\\share2	09PFRO.enc	0	-	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	172.17.0.184	57092	172.17.0.189	445	-	SMB::FILE_DELETE	\\\\172.17.0.189\\share2	09PFRO.doc	4772	-	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	172.17.0.184	57092	172.17.0.189	445	-	SMB::FILE_OPEN	\\\\172.17.0.189\\share2	10Professional.docx	30831	-	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	172.17.0.184	57092	172.17.0.189	445	-	SMB::FILE_OPEN	\\\\172.17.0.189\\share2	10Professional.enc	0	-	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	172.17.0.184	57092	172.17.0.189	445	-	SMB::FILE_DELETE	\\\\172.17.0.189\\share2	10Professional.docx	30831	-	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	172.17.0.184	57092	172.17.0.189	445	-	SMB::FILE_OPEN	\\\\172.17.0.189\\share2	11regedit.exe	369664	-	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	172.17.0.184	57092	172.17.0.189	445	-	SMB::FILE_OPEN	\\\\172.17.0.189\\share2	11regedit.exe	369664	-	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	172.17.0.184	57092	172.17.0.189	445	-	SMB::FILE_DELETE	\\\\172.17.0.189\\share2	11regedit.exe	369664	-	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	172.17.0.184	57092	172.17.0.189	445	-	SMB::FILE_OPEN	\\\\172.17.0.189\\share2	12splwow64.exe	135168	-	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	172.17.0.184	57092	172.17.0.189	445	-	SMB::FILE_OPEN	\\\\172.17.0.189\\share2	12splwow64.enc	0	-	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	172.17.0.184	57092	172.17.0.189	445	-	SMB::FILE_OPEN	\\\\172.17.0.189\\share2	12splwow64.exe	135168	-	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX
+XXXXXXXXXX.XXXXXX	ClEkJM2Vm5giqnMf4h	172.17.0.184	57093	172.17.0.189	445	-	SMB::FILE_OPEN	-	13system.pdf	219	-	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	172.17.0.184	57092	172.17.0.189	445	-	SMB::FILE_OPEN	\\\\172.17.0.189\\share2	13system.enc	0	-	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX
+XXXXXXXXXX.XXXXXX	CtPZjS20MLrsMUOJi2	172.17.0.184	57095	172.17.0.189	445	-	SMB::FILE_OPEN	-	13system.pdf	219	-	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	172.17.0.184	57092	172.17.0.189	445	-	SMB::FILE_OPEN	\\\\172.17.0.189\\share2	14twain_32.pdf	65024	-	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX
+XXXXXXXXXX.XXXXXX	ClEkJM2Vm5giqnMf4h	172.17.0.184	57093	172.17.0.189	445	-	SMB::FILE_OPEN	-	14twain_32.enc	0	-	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	172.17.0.184	57092	172.17.0.189	445	-	SMB::FILE_OPEN	\\\\172.17.0.189\\share2	14twain_32.pdf	65024	-	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	172.17.0.184	57092	172.17.0.189	445	-	SMB::FILE_OPEN	\\\\172.17.0.189\\share2	<share_root>	4096	-	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX
+XXXXXXXXXX.XXXXXX	C4J4Th3PJpwUYZZ6gc	172.17.0.184	57094	172.17.0.189	445	-	SMB::FILE_OPEN	-	00bfsvc.enc	103968	-	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	172.17.0.184	57092	172.17.0.189	445	-	SMB::FILE_OPEN	\\\\172.17.0.189\\share2	00bfsvc.enc	103968	-	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX
+XXXXXXXXXX.XXXXXX	C4J4Th3PJpwUYZZ6gc	172.17.0.184	57094	172.17.0.189	445	-	SMB::FILE_OPEN	-	01bootstat.enc	90288	-	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	172.17.0.184	57092	172.17.0.189	445	-	SMB::FILE_OPEN	\\\\172.17.0.189\\share2	01bootstat.enc	90288	-	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX
+XXXXXXXXXX.XXXXXX	C4J4Th3PJpwUYZZ6gc	172.17.0.184	57094	172.17.0.189	445	-	SMB::FILE_OPEN	-	02DtcInstall.enc	2736	-	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	172.17.0.184	57092	172.17.0.189	445	-	SMB::FILE_OPEN	\\\\172.17.0.189\\share2	02DtcInstall.enc	2736	-	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX
+XXXXXXXXXX.XXXXXX	C4J4Th3PJpwUYZZ6gc	172.17.0.184	57094	172.17.0.189	445	-	SMB::FILE_OPEN	-	05hh.enc	24624	-	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	172.17.0.184	57092	172.17.0.189	445	-	SMB::FILE_OPEN	\\\\172.17.0.189\\share2	05hh.enc	24624	-	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX
+XXXXXXXXXX.XXXXXX	C4J4Th3PJpwUYZZ6gc	172.17.0.184	57094	172.17.0.189	445	-	SMB::FILE_OPEN	-	06lsasetup.enc	2736	-	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	172.17.0.184	57092	172.17.0.189	445	-	SMB::FILE_OPEN	\\\\172.17.0.189\\share2	06lsasetup.enc	2736	-	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX
+XXXXXXXXXX.XXXXXX	C4J4Th3PJpwUYZZ6gc	172.17.0.184	57094	172.17.0.189	445	-	SMB::FILE_OPEN	-	07mib.enc	58824	-	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	172.17.0.184	57092	172.17.0.189	445	-	SMB::FILE_OPEN	\\\\172.17.0.189\\share2	07mib.enc	58824	-	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX
+XXXXXXXXXX.XXXXXX	C4J4Th3PJpwUYZZ6gc	172.17.0.184	57094	172.17.0.189	445	-	SMB::FILE_OPEN	-	08notepad.enc	270864	-	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	172.17.0.184	57092	172.17.0.189	445	-	SMB::FILE_OPEN	\\\\172.17.0.189\\share2	08notepad.enc	270864	-	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX
+XXXXXXXXXX.XXXXXX	C4J4Th3PJpwUYZZ6gc	172.17.0.184	57094	172.17.0.189	445	-	SMB::FILE_OPEN	-	09PFRO.enc	6840	-	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	172.17.0.184	57092	172.17.0.189	445	-	SMB::FILE_OPEN	\\\\172.17.0.189\\share2	09PFRO.enc	6840	-	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX
+XXXXXXXXXX.XXXXXX	C4J4Th3PJpwUYZZ6gc	172.17.0.184	57094	172.17.0.189	445	-	SMB::FILE_OPEN	-	10Professional.enc	42408	-	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	172.17.0.184	57092	172.17.0.189	445	-	SMB::FILE_OPEN	\\\\172.17.0.189\\share2	10Professional.enc	42408	-	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX
+XXXXXXXXXX.XXXXXX	C4J4Th3PJpwUYZZ6gc	172.17.0.184	57094	172.17.0.189	445	-	SMB::FILE_OPEN	-	11regedit.enc	493848	-	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	172.17.0.184	57092	172.17.0.189	445	-	SMB::FILE_OPEN	\\\\172.17.0.189\\share2	11regedit.enc	493848	-	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX
+XXXXXXXXXX.XXXXXX	C4J4Th3PJpwUYZZ6gc	172.17.0.184	57094	172.17.0.189	445	-	SMB::FILE_OPEN	-	12splwow64.enc	180576	-	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	172.17.0.184	57092	172.17.0.189	445	-	SMB::FILE_OPEN	\\\\172.17.0.189\\share2	12splwow64.enc	180576	-	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX
+XXXXXXXXXX.XXXXXX	C4J4Th3PJpwUYZZ6gc	172.17.0.184	57094	172.17.0.189	445	-	SMB::FILE_OPEN	-	13system.enc	1368	-	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	172.17.0.184	57092	172.17.0.189	445	-	SMB::FILE_OPEN	\\\\172.17.0.189\\share2	13system.enc	1368	-	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX
+XXXXXXXXXX.XXXXXX	C4J4Th3PJpwUYZZ6gc	172.17.0.184	57094	172.17.0.189	445	-	SMB::FILE_OPEN	-	14twain_32.enc	87552	-	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	172.17.0.184	57092	172.17.0.189	445	-	SMB::FILE_OPEN	\\\\172.17.0.189\\share2	14twain_32.enc	87552	-	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX
+#close XXXX-XX-XX-XX-XX-XX
--- a/testing/btest/Traces/smb/smb3_multichannel.pcap
+++ b/testing/btest/Traces/smb/smb3_multichannel.pcap
--- a/testing/btest/scripts/base/protocols/smb/smb3-multichannel.test
+++ b/testing/btest/scripts/base/protocols/smb/smb3-multichannel.test
@ -0,0 +1,8 @@
+# @TEST-EXEC: zeek -b -r $TRACES/smb/smb3_multichannel.pcap %INPUT
+# @TEST-EXEC: btest-diff smb_files.log
+# @TEST-EXEC: test ! -f dpd.log
+# @TEST-EXEC: test ! -f weird.log
+
+@load base/protocols/smb
+
+