From 84ac362c677d381b346c848624ad45baaff6f0ea Mon Sep 17 00:00:00 2001
From: Tim Wojtulewicz
Date: Fri, 6 Jan 2023 18:59:32 -0700
Subject: [PATCH] Restore/rename field in SMB2::Fscontrol record type

b41a4bf06dc2f3a4218cfa0a95b536ec9d253917 removed a field from this record because it had a duplicate name as another field. The field does need to exist, but it needs the correct name.
---
 scripts/base/init-bare.zeek | 4 +++-
 .../scripts.base.protocols.smb.smb2-fscontrol/out | 3 +++
 testing/btest/Traces/smb/smb2_fscontrol.pcap | Bin 0 -> 783 bytes
 .../base/protocols/smb/smb2-fscontrol.test | 11 +++++++++++
 4 files changed, 17 insertions(+), 1 deletion(-)
 create mode 100644 testing/btest/Baseline/scripts.base.protocols.smb.smb2-fscontrol/out
 create mode 100644 testing/btest/Traces/smb/smb2_fscontrol.pcap
 create mode 100644 testing/btest/scripts/base/protocols/smb/smb2-fscontrol.test

diff --git a/scripts/base/init-bare.zeek b/scripts/base/init-bare.zeek
index cd27134c73..76a9cefffa 100644
--- a/scripts/base/init-bare.zeek
+++ b/scripts/base/init-bare.zeek
@@ -3594,8 +3594,10 @@ export {
 type SMB2::Fscontrol: record {
 ## minimum amount of free disk space required to begin document filtering
 free_space_start_filtering : int;
- ## minimum amount of free disk space required to continue document filtering
+ ## minimum amount of free disk space required to continue filtering documents and merging word lists
 free_space_threshold : int;
+ ## minimum amount of free disk space required to continue content filtering
+ free_space_stop_filtering : int;
 ## default per-user disk quota
 delete_quota_threshold : count;
 ## default per-user disk limit
diff --git a/testing/btest/Baseline/scripts.base.protocols.smb.smb2-fscontrol/out b/testing/btest/Baseline/scripts.base.protocols.smb.smb2-fscontrol/out
new file mode 100644
index 0000000000..493f266542
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.protocols.smb.smb2-fscontrol/out
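Review bot: `free_space_stop_filtering` is inserted at index 2 of `SMB2::Fscontrol`, which shifts `delete_quota_threshold`, `default_quota_limit` and `fs_control_flags` down one slot, and the analyzer code that fills this record is not part of this diff; if that code assigns record fields by index rather than by name, it has to agree with this ordering, so it is worth confirming it was not also adjusted when b41a4bf removed the field. The resulting order (start filtering, threshold, stop filtering, quota threshold, quota limit, flags) matches the FILE_FS_CONTROL_INFORMATION layout in MS-FSCC, which appears to be the intent. None of the doc comments say what the numbers are or where they come from; a record-level comment such as `## Fields of a FILE_FS_CONTROL_INFORMATION structure (MS-FSCC 2.5.2), passed through as received from the server.` would help readers of the generated documentation, assuming the values really are the raw wire values. The record definition continues past the end of the hunk.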
@@ -0,0 +1,3 @@
+[credit_charge=0, status=0, command=17, credits=2, flags=255, message_id=576460756581679103, process_id=213, tree_id=0, session_id=11555726885438752000, signature=\x01\x05\x05\x02\xa0`0^\xa000.\x06\x09*\x86]
+[persistent=6859950276847483450, volatile=7016448126591398502]
+[free_space_start_filtering=1869373806, free_space_threshold=1601467760, free_space_stop_filtering=1933860724, delete_quota_threshold=7308895133777551220, default_quota_limit=100, fs_control_flags=4278190080]
diff --git a/testing/btest/Traces/smb/smb2_fscontrol.pcap b/testing/btest/Traces/smb/smb2_fscontrol.pcap
new file mode 100644
index 0000000000000000000000000000000000000000..8cf0ec538122db51e090588215e55542d480fe4f
GIT binary patch literal 783 zcmca|c+)~A1{MYcU}0bca!%!5NiLFMWv~IVK^P2}z$7CFgDV4r28ivzmUfPdfq@Z- zncm%H=myIJi2$Z+H?Gcu@jzykqnib?1gHzcEGCe74BbG}Kr|2s2m#IN0VxInkXe=J zW)b5qkXcLt0zk8R!3IIissfsI8OR1sWq8JHOUgM}Fw{{IIvIj%za46IBG5)9%NFtS1!1_pX;oLX%jO-yWDi?!r{%A^^~ ze0;5}!cy`IjN{Xa@~cww;uG@{bMn*UGxG{cOX5?@Qu9jUU5YdF^YTmLQ&Q71^HNh_ z=7X$cHMej8g`F$svf$Ie;PUh#BN{=G#}puW?Z%boFtb5sb)lOD@ihKu1O@4QP|#m_ mk8D;C`DO_M&3cDyRzJE~$kB)^sm=$Qz#IUK#w*WYW&r?WJc_XZ literal 0 HcmV?d00001
diff --git a/testing/btest/scripts/base/protocols/smb/smb2-fscontrol.test b/testing/btest/scripts/base/protocols/smb/smb2-fscontrol.test
new file mode 100644
index 0000000000..e66a0d02be
--- /dev/null
+++ b/testing/btest/scripts/base/protocols/smb/smb2-fscontrol.test
@@ -0,0 +1,11 @@
+# @TEST-EXEC: zeek -r $TRACES/smb/smb2_fscontrol.pcap %INPUT > out
+# @TEST-EXEC: btest-diff out
+
+@load base/protocols/smb
+
+event smb2_file_fscontrol(c: connection, hdr: SMB2::Header, file_id: SMB2::GUID, fs_control: SMB2::Fscontrol)
+ {
+ print hdr;
+ print file_id;
+ print fs_control;
+ }
\ No newline at end of file
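Review bot: The values pinned in the baseline do not look like a genuine FILE_FS_CONTROL_INFORMATION response: `free_space_start_filtering=1869373806` is 0x6F6C616E and `free_space_threshold=1601467760` is 0x5F747570, both runs of printable ASCII, and the header in the same output has `flags=255` and a signature whose bytes `\x06\x09*\x86` resemble a DER-encoded OID, so the trace appears to be crafted or misaligned rather than a captured FSCTL exchange. That still works as a regression test for field order and event delivery, but it does not show that the 64-bit fields are decoded with the right width, endianness and signedness, so a real capture would make a stronger baseline if one is available. Until then, a comment in the .test file stating this, e.g. `# Synthetic trace: the baseline pins field order and event delivery, not realistic values.`, would stop a later reader from treating the baseline as ground truth. The file also ends without a trailing newline (`\ No newline at end of file`); the closing `}` line should end with one.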