smb2: Raise smb2_file_delete for CREATE with FILE_DELETE_ON_CLOSE

When a CREATE request contains the FILE_DELETE_ON_CLOSE option and the subsequent CREATE response indicates success, we now raise the smb2_file_delete event to log a delete action in smb_files.log and also give users a way to handle this scenario. The provided pcap was generated locally by recording a smbtorture run of the smb2.delete-on-close-perms test case. Placed the create_options into the CmdInfo record for potential exposure in smb_cmd.log (wasn't sure how that would look so left it for the future). Fixes #2276.
2025-10-17 14:08:20 +00:00 · 2022-07-15 15:13:40 +02:00 · 2022-07-15 15:13:40 +02:00 · 3dae8ab086
commit 3dae8ab086
parent 1d2c12e980
5 changed files with 70 additions and 0 deletions
--- a/testing/btest/scripts/base/protocols/smb/smb2-create-delete-on-close.zeek
+++ b/testing/btest/scripts/base/protocols/smb/smb2-create-delete-on-close.zeek
@ -0,0 +1,8 @@
+# @TEST-EXEC: zeek -C -r $TRACES/smb/smb2.delete-on-close-perms-delete-existing.pcap policy/protocols/smb/log-cmds
+# @TEST-EXEC: btest-diff smb_files.log
+# @TEST-EXEC: btest-diff smb_cmd.log
+
+@load base/protocols/smb
+
+redef SMB::logged_file_actions += { SMB::FILE_READ, SMB::FILE_WRITE };
+