smb2_write_response event added

src/analyzer/protocol/smb/smb2-com-write.pac

@@ -24,6 +24,15 @@ refine connection SMB_Conn += {
 
 	function proc_smb2_write_response(h: SMB2_Header, val: SMB2_write_response) : bool
 		%{
+
+		if ( smb2_write_response )
+			{
+			BifEvent::generate_smb2_write_response(bro_analyzer(),
+			                                      bro_analyzer()->Conn(),
+			                                      BuildSMB2HeaderVal(h),
+							      ${val.write_count});
+			}
+
 		return true;
 		%}
 

src/analyzer/protocol/smb/smb2_com_write.bif

@@ -16,3 +16,18 @@
 ##
 ## .. bro:see:: smb2_message
 event smb2_write_request%(c: connection, hdr: SMB2::Header, file_id: SMB2::GUID, offset: count, length: count%);
+
+## Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
+## version 2 requests of type *write*. This is sent by the server in response to a write request or
+## named pipe on the server.
+##
+## For more information, see MS-SMB2:2.2.22
+##
+## c: The connection.
+##
+## hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 2 message.
+##
+## length: The number of bytes of the file being written.
+##
+## .. bro:see:: smb2_message
+event smb2_write_response%(c: connection, hdr: SMB2::Header, length: count%);

testing/btest/scripts/base/protocols/smb/smb2-write-response.test

@@ -0,0 +1,13 @@
+# @TEST-EXEC: bro -r $TRACES/smb/smb2readwrite.pcap %INPUT
+# @TEST-EXEC: btest-diff .stdout
+
+@load base/protocols/smb
+
+# A test for write response.
+event smb2_write_response(c: connection, hdr: SMB2::Header, length: count)
+	{
+	print fmt("smb2_write_response %s -> %s:%d, length: %d", c$id$orig_h, c$id$resp_h, c$id$resp_p, length);
+	print (hdr);
+	}
+
+