Fix a segfault, and add script-level support for some more commands.

scripts/base/protocols/smb/smb1-main.bro

@@ -123,6 +123,7 @@ event smb1_nt_create_andx_request(c: connection, hdr: SMB1::Header, name: string
 	c$smb_state$current_cmd$referenced_file$name = name;
 	c$smb_state$current_cmd$referenced_file$action = SMB::FILE_OPEN;
 	c$smb_state$current_file = c$smb_state$current_cmd$referenced_file;
+	c$smb_state$current_cmd$argument = name;
 	}
 
 event smb1_nt_create_andx_response(c: connection, hdr: SMB1::Header, file_id: count, file_size: count, times: SMB::MACTimes) &priority=5
@@ -148,6 +149,7 @@ event smb1_read_andx_request(c: connection, hdr: SMB1::Header, file_id: count, o
 	{
 	SMB::set_current_file(c$smb_state, file_id);
 	c$smb_state$current_file$action = SMB::FILE_READ;
+	c$smb_state$current_cmd$argument = c$smb_state$current_file$name;
 	}
 	
 event smb1_read_andx_request(c: connection, hdr: SMB1::Header, file_id: count, offset: count, length: count) &priority=-5
@@ -168,6 +170,7 @@ event smb1_write_andx_request(c: connection, hdr: SMB1::Header, file_id: count,
 	{
 	SMB::set_current_file(c$smb_state, file_id);
 	c$smb_state$current_file$action = SMB::FILE_WRITE;
+	c$smb_state$current_cmd$argument = c$smb_state$current_file$name;
 	}
 	
 event smb1_write_andx_request(c: connection, hdr: SMB1::Header, file_id: count, offset: count, data_len: count) &priority=-5
@@ -215,6 +218,11 @@ event smb1_trans2_get_dfs_referral_request(c: connection, hdr: SMB1::Header, fil
 	c$smb_state$current_cmd$argument = file_name;
 	}
 
+event smb1_trans2_query_path_info_request(c: connection, hdr: SMB1::Header, file_name: string, level_of_interets: count)
+	{
+	c$smb_state$current_cmd$argument = file_name;
+	}
+	
 event smb1_session_setup_andx_response(c: connection, hdr: SMB1::Header, response: SMB1::SessionSetupAndXResponse) &priority=-5
 	{
 	if ( c$smb_state$current_cmd$status !in SMB::ignored_command_statuses )

src/analyzer/protocol/smb/smb1-com-open-andx.pcap

@@ -0,0 +1,79 @@
+# Copyright (c) Broala LLC. All Rights Reserved. No use or distribution without permission.
+
+refine connection SMB_Conn += {
+
+	function proc_smb1_open_andx_request(h: SMB_Header, val: SMB1_open_andx_request): bool
+		%{
+		if ( smb1_open_andx_request )
+			BifEvent::generate_smb1_open_andx_request(bro_analyzer(),
+			                                          bro_analyzer()->Conn(),
+			                                          BuildHeaderVal(h),
+			                                          ${val.flags},
+			                                          ${val.access_mode},
+													  ${val.search_attrs},
+													  ${val.file_attrs},
+													  ${val.creation_time},
+													  ${val.open_mode},
+													  ${val.allocation_size},
+													  ${val.timeout},
+			                                          smb_string2stringval(${val.filename}));
+
+		return true;
+		%}
+
+	function proc_smb1_open_andx_response(h: SMB_Header, val: SMB1_open_andx_response): bool
+		%{
+		if ( smb1_open_andx_response )
+			BifEvent::generate_smb1_open_andx_response(bro_analyzer(),
+			                                           bro_analyzer()->Conn(),
+			                                           BuildHeaderVal(h),
+													   ${val.fid},
+													   ${val.file_attrs},
+													   ${val.last_write_time},
+													   ${val.file_data_size},
+													   ${val.access_rights},
+													   ${val.resource_type},
+													   ${val.nm_pipe_status},
+													   ${val.open_results});
+
+		return true;
+		%}
+
+};
+
+
+
+type SMB1_open_andx_request(header: SMB_Header) = record {
+	word_count        : uint8;
+	andx           	  : SMB_andx;
+	flags		   	  : uint16;
+	access_mode	   	  : uint16;
+	search_attrs   	  : uint16;
+	file_attrs	   	  : uint16;
+	creation_time  	  : uint32;
+	open_mode	   	  : uint16;
+	allocation_size   : uint32;
+	timeout		      : uint32;
+	reserved	   	  : padding[2];
+	byte_count	   	  : uint16;
+	filename	   	  : SMB_string(header.unicode, offsetof(filename);
+} &let {
+	proc        : bool   = $context.connection.proc_smb1_open_andx_request(header, this);
+} &byteorder=littleendian;
+
+type SMB1_open_andx_response(header: SMB_Header) = record {
+	word_count        : uint8;
+	andx              : SMB_andx;
+	fid				  : uint16;
+	file_attrs		  : uint16;
+	last_write_time	  : uint32;
+	file_data_size	  : uint32;
+	access_rights	  : uint16;
+	resource_type	  : uint16;
+	nm_pipe_status	  : uint16;
+	open_results	  : uint16;
+	reserved		  : padding[3];
+	byte_count		  : uint16;
+} &let {
+	proc        : bool   = $context.connection.proc_smb1_open_andx_response(header, this);
+} &byteorder=littleendian;

src/analyzer/protocol/smb/smb1-com-transaction.pac

@@ -27,7 +27,7 @@ type SMB1_transaction_data(header: SMB_Header, count: uint16, sub_cmd: uint16,
 #	SMB_MAILSLOT_LANMAN -> lanman   : SMB_MailSlot_message(header.unicode, count);
 #	SMB_RAP             -> rap      : SMB_Pipe_message(header.unicode, count, sub_cmd);
 	SMB_PIPE            -> pipe     : SMB_Pipe_message(header.unicode, count, sub_cmd);
-#	SMB_UNKNOWN         -> unknown  : bytestring &restofdata;
+	SMB_UNKNOWN         -> unknown  : bytestring &restofdata;
 #	default             -> data     : bytestring &restofdata;
 };
 
@@ -83,7 +83,7 @@ type SMB1_transaction_response(header: SMB_Header) = record {
 	pad1                : padding to data_offset - SMB_Header_length;
 	handle_response	    : case $context.connection.isATSVC() of {
 		true -> pipe_data : SMB1_transaction_data(header, data_count, 0, SMB_PIPE);
-#		false -> unk_data : SMB1_transaction_data(header, data_count, 0, SMB_UNKNOWN);
+		false -> unk_data : SMB1_transaction_data(header, data_count, 0, SMB_UNKNOWN);
 	};
 } &let {
 	proc : bool = $context.connection.proc_smb1_transaction_response(header, this);

src/analyzer/protocol/smb/smb1-com-transaction2.pac

@@ -182,8 +182,14 @@ refine connection SMB_Conn += {
 
 	function proc_trans2_query_path_info_request(header: SMB_Header, val: trans2_query_path_info_request): bool
 		%{
-		// TODO: implement this.
+		if ( smb1_trans2_query_path_info_request )
-		//printf("trans2_query_path_info request!\n");
+			{
+			BifEvent::generate_smb1_trans2_query_path_info_request(bro_analyzer(), bro_analyzer()->Conn(), \
+																   BuildHeaderVal(header), \
+																   smb_string2stringval(${val.file_name}),\
+																   ${val.level_of_interest});
+			
+			}
 		return true;
 		%}