From de4a83206dafaa17dc531a49138df27f0254ddf5 Mon Sep 17 00:00:00 2001
From: Pavel Ershov <owner.mad.epa@gmail.com>
Date: Tue, 27 Aug 2019 12:21:03 +0300
Subject: [PATCH] Fix for smb3 negotiate context

---
 src/analyzer/protocol/smb/smb2-com-negotiate.pac |   2 +-
 .../.stdout                                      |   1 +
 .../btest/Traces/smb/smb3_negotiate_context.pcap | Bin 0 -> 1986 bytes
 .../protocols/smb/smb3-negotiate-context.test    |   9 +++++++++
 4 files changed, 11 insertions(+), 1 deletion(-)
 create mode 100644 testing/btest/Baseline/scripts.base.protocols.smb.smb3-negotiate-context/.stdout
 create mode 100644 testing/btest/Traces/smb/smb3_negotiate_context.pcap
 create mode 100644 testing/btest/scripts/base/protocols/smb/smb3-negotiate-context.test

diff --git a/src/analyzer/protocol/smb/smb2-com-negotiate.pac b/src/analyzer/protocol/smb/smb2-com-negotiate.pac
index 41175fcfdd..c4fef08ccd 100644
--- a/src/analyzer/protocol/smb/smb2-com-negotiate.pac
+++ b/src/analyzer/protocol/smb/smb2-com-negotiate.pac
@@ -134,8 +134,8 @@ type SMB2_negotiate_response(header: SMB2_Header) = record {
 	security_offset           : uint16;
 	security_length           : uint16;
 	negotiate_context_offset  : uint32;
-	pad1                      : padding to security_offset - header.head_length;
 	security_blob             : bytestring &length=security_length;
+	pad1                      : padding to negotiate_context_offset - header.head_length;
 	negotiate_context_list    : case dialect_revision of {
 		0x0311    -> smb3_ncl : NegotiateContextList(negotiate_context_count);
 		default   -> unknown  : empty;
diff --git a/testing/btest/Baseline/scripts.base.protocols.smb.smb3-negotiate-context/.stdout b/testing/btest/Baseline/scripts.base.protocols.smb.smb3-negotiate-context/.stdout
new file mode 100644
index 0000000000..167ea72032
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.protocols.smb.smb3-negotiate-context/.stdout
@@ -0,0 +1 @@
+[dialect_revision=785, security_mode=1, server_guid=[persistent=7021797314968118638, volatile=25959], system_time=1566489002.208084, server_start_time=-1.164447e+10, negotiate_context_count=2, negotiate_context_values=[[context_type=1, data_length=38, preauth_info=[hash_alg_count=1, salt_length=32, hash_alg=[1], salt=\x0d&\xc9\xca\xf2\xd8\xfc\x87\xa7\x10\x9c\x04W\x82p\x09T8Rl\xed\xe0\x84\x10\xca4\xaa\x87B\xb9Z\x80], encryption_info=<uninitialized>, compression_info=<uninitialized>, netname=<uninitialized>], [context_type=2, data_length=4, preauth_info=<uninitialized>, encryption_info=[cipher_count=1, ciphers=[1]], compression_info=<uninitialized>, netname=<uninitialized>]]]
diff --git a/testing/btest/Traces/smb/smb3_negotiate_context.pcap b/testing/btest/Traces/smb/smb3_negotiate_context.pcap
new file mode 100644
index 0000000000000000000000000000000000000000..d705500e7af4b0db1fc9f3e09111b2d9b5706b05
GIT binary patch
literal 1986
zcmb`IZAep57{|{!cUx*|voc0~Xo+o7ur?j^CcgHv)H&O3r31BTQwBB7Mi~(eiz4bn
zWE5D$%(623V3g2{P?S-Ah%|$ew4nS@QbeK9o9lV*?K=0;%ZCm;o^$TG=jZ?Y&;M%w
z-7C$E$Vi~c2!+Y{>t&@=zQvOq7-Nz7M>hIT$&PAF=LVz5N<xhLHCZG}p?`V%0xf|`
zY^|bQtF@&w=bnDv;8oJm<*<p;sF;*5CoT>gdTK|a_RmDEKpculOrWF7{Ncnmv!_jH
z6xE4JMU59eA~8M@^&ypZwN{}%(3$8>;1o-TMIz{{K%J;@Y!WfTsZ#`vgCQCdfw~t@
zz3jt;#tx*m0nrx6kvwn%D~y=Vn~+#>O(NdZ(XKwvJs-a8V_!eEGeVe5epSZMOP>v&
zQ;wU0<QJ33VW&?g1j(I00;j*J+tt3K3Fytf>08wY-v!76hlXTGm&hYP{{7waYXr@=
zLNqr6{Uo?BrhO&3;Ny{uTJz&MG8>|W73u<w<@1o}cpZ_bqGO$JgNeZC_uI@lbub{R
z+y~eN+BhTyS_ff8x$44|{056PUtMIithQ#G)droOF!P#RtHown#Y@XJe4Z9@Aq_Va
zWEYyV3x&M}W`i!ZSg%hdY=y<97FSYr2I(bXXmf0-a1d6=|5_J+El$m9z0Lr8LA^Rv
zCt$>3W@aWqr|yAMlJ{Y^YD_wVP93WZxz&?>p6;DqB^gPXAv*QzMtLL_%;$&_e8&nU
zQkK+$#KvP0i7GO}Ljv(j1|lYq2WNZ6L2?!h#72d`8Pe=u`fS+Y2d>+>W1FX@&Qa|Y
zcgcm$3qQrmOZVi^lBbv%p?Srxh-@?|6bltpE@!?BeY!7RAFGIgxr{a}W-O*<fj-5j
znUn0U@sw|JR=M2HP310kxph^p(Xe<)R_$h|W1F+wRqd{+bD}@%z#qx+&}<STpD(2S
zMsPN}ckXJhci}g$Su~MNJ9>n~CLn$X#aLm)4}5`;c7H^oijJ1O4<-VmGuZLD$Q9az
zHPVCM^vNVjxTQU?KI@X@dBytero+9pyQ78|7T3cwxD3LWk|nWZMmWYPxdaYTlxVPn
zUJX?}Jm&Ie#PsS8Uf%bp<4NiGaK=!EskpWGVsz7;O8ar-D1`SJyv>9>%e5S_f=sNi
z^sPubi(WLY4NhOZtIu;k&8s4x=Y0~r0B5H{`s^@^4fZ0CzJK)s)0e=pzoyUB5uU!s
zaJv7OKEWzbGuh)f&BLBg&%PfxuRJB&&`=xAFR^ZZ|7xGI$Jllt=epgC9*h66@#H@N
Df3yY0

literal 0
HcmV?d00001

diff --git a/testing/btest/scripts/base/protocols/smb/smb3-negotiate-context.test b/testing/btest/scripts/base/protocols/smb/smb3-negotiate-context.test
new file mode 100644
index 0000000000..271f682221
--- /dev/null
+++ b/testing/btest/scripts/base/protocols/smb/smb3-negotiate-context.test
@@ -0,0 +1,9 @@
+# @TEST-EXEC: zeek -b -r $TRACES/smb/smb3_negotiate_context.pcap %INPUT
+# @TEST-EXEC: btest-diff .stdout
+
+@load base/protocols/smb
+
+event smb2_negotiate_response(c: connection , hdr: SMB2::Header , response: SMB2::NegotiateResponse )
+{
+    print response;
+}
\ No newline at end of file