diff --git a/CHANGES b/CHANGES index 46cc194e4a..5d73e66940 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,7 @@ +4.1.0-dev.830 | 2021-06-30 07:51:08 +0200 + + * GH-1406: Fix SMB tests on Apple M1. (Robin Sommer, Corelight) + 4.1.0-dev.828 | 2021-06-29 11:11:22 -0700 * Remove remaining vestigial IDMEF support code (Christian Kreibich, Corelight) diff --git a/VERSION b/VERSION index 665e90d8e1..8995de2994 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -4.1.0-dev.828 +4.1.0-dev.830 diff --git a/scripts/base/init-bare.zeek b/scripts/base/init-bare.zeek index e82e062cb2..ea70767f72 100644 --- a/scripts/base/init-bare.zeek +++ b/scripts/base/init-bare.zeek @@ -2789,14 +2789,22 @@ export { ## .. zeek:see:: smb1_nt_create_andx_response smb2_create_response type SMB::MACTimes: record { ## The time when data was last written to the file. - modified : time &log; + modified : time &log; + ## Same as `modified` but in SMB's original `FILETIME` integer format. + modified_raw: count; ## The time when the file was last accessed. - accessed : time &log; + accessed : time &log; + ## Same as `accessed` but in SMB's original `FILETIME` integer format. + accessed_raw: count; ## The time the file was created. - created : time &log; + created : time &log; + ## Same as `created` but in SMB's original `FILETIME` integer format. + created_raw : count; ## The time when the file was last modified. - changed : time &log; - } &log; + changed : time &log; + ## Same as `changed` but in SMB's original `FILETIME` integer format. + changed_raw : count; + }; ## A set of file names used as named pipes over SMB. This ## only comes into play as a heuristic to identify named diff --git a/scripts/base/protocols/smb/files.zeek b/scripts/base/protocols/smb/files.zeek index ac719d728f..e3b387b771 100644 --- a/scripts/base/protocols/smb/files.zeek +++ b/scripts/base/protocols/smb/files.zeek @@ -24,8 +24,9 @@ function get_file_handle(c: connection, is_orig: bool): string local path_name = current_file?$path ? current_file$path : ""; local file_name = current_file?$name ? current_file$name : ""; # Include last_mod time if available because if a file has been modified it - # should be considered a new file. - local last_mod = cat(current_file?$times ? current_file$times$modified : double_to_time(0.0)); + # should be considered a new file. We use the raw version here to avoid + # getting differences when double precision varies by architecture. + local last_mod = cat(current_file?$times ? current_file$times$modified_raw : 0); # TODO: This is doing hexdump to avoid problems due to file analysis handling # using CheckString which is not immune to encapsulated null bytes. # This needs to be fixed lower in the file analysis code later. diff --git a/src/analyzer/protocol/smb/smb-time.pac b/src/analyzer/protocol/smb/smb-time.pac index 51a5e6c9a9..45b48d9720 100644 --- a/src/analyzer/protocol/smb/smb-time.pac +++ b/src/analyzer/protocol/smb/smb-time.pac @@ -32,9 +32,13 @@ zeek::RecordValPtr SMB_BuildMACTimes(uint64_t modify, uint64_t access, { auto r = zeek::make_intrusive(zeek::BifType::Record::SMB::MACTimes); r->Assign(0, filetime2zeektime(modify)); - r->Assign(1, filetime2zeektime(access)); - r->Assign(2, filetime2zeektime(create)); - r->Assign(3, filetime2zeektime(change)); + r->Assign(1, modify); + r->Assign(2, filetime2zeektime(access)); + r->Assign(3, access); + r->Assign(4, filetime2zeektime(create)); + r->Assign(5, create); + r->Assign(6, filetime2zeektime(change)); + r->Assign(7, change); return r; } %} diff --git a/testing/btest/Baseline/plugins.hooks/output b/testing/btest/Baseline/plugins.hooks/output index c0fc8e87b3..ff6b4ded24 100644 --- a/testing/btest/Baseline/plugins.hooks/output +++ b/testing/btest/Baseline/plugins.hooks/output @@ -199,7 +199,7 @@ 0.000000 MetaHookPost CallFunction(Files::register_protocol, , (Analyzer::ANALYZER_IRC_DATA, [get_file_handle=IRC::get_file_handle{ return (cat(Analyzer::ANALYZER_IRC_DATA, IRC::c$start_time, IRC::c$id, IRC::is_orig))}, describe=lambda_<15770440363500096069>{ return ()}])) -> 0.000000 MetaHookPost CallFunction(Files::register_protocol, , (Analyzer::ANALYZER_KRB, [get_file_handle=KRB::get_file_handle{ return ()}, describe=KRB::describe_file{ KRB::cid, KRB::c{ if (KRB::f$source != KRB_TCP && KRB::f$source != KRB) return ()if (!KRB::f?$info || !KRB::f$info?$x509 || !KRB::f$info$x509?$certificate) return ()for ([KRB::cid] in KRB::f$conns) { if (KRB::c?$krb) { return (cat(KRB::c$id$resp_h, :, KRB::c$id$resp_p))}}return (cat(Serial: , KRB::f$info$x509$certificate$serial, Subject: , KRB::f$info$x509$certificate$subject, Issuer: , KRB::f$info$x509$certificate$issuer))}}])) -> 0.000000 MetaHookPost CallFunction(Files::register_protocol, , (Analyzer::ANALYZER_KRB_TCP, [get_file_handle=KRB::get_file_handle{ return ()}, describe=KRB::describe_file{ KRB::cid, KRB::c{ if (KRB::f$source != KRB_TCP && KRB::f$source != KRB) return ()if (!KRB::f?$info || !KRB::f$info?$x509 || !KRB::f$info$x509?$certificate) return ()for ([KRB::cid] in KRB::f$conns) { if (KRB::c?$krb) { return (cat(KRB::c$id$resp_h, :, KRB::c$id$resp_p))}}return (cat(Serial: , KRB::f$info$x509$certificate$serial, Subject: , KRB::f$info$x509$certificate$subject, Issuer: , KRB::f$info$x509$certificate$issuer))}}])) -> -0.000000 MetaHookPost CallFunction(Files::register_protocol, , (Analyzer::ANALYZER_SMB, [get_file_handle=SMB::get_file_handle{ if (!(SMB::c$smb_state?$current_file && (SMB::c$smb_state$current_file?$name || SMB::c$smb_state$current_file?$path))) { return ()}SMB::current_file = SMB::c$smb_state$current_fileSMB::path_name = SMB::current_file?$path ? SMB::current_file$path : SMB::file_name = SMB::current_file?$name ? SMB::current_file$name : SMB::last_mod = cat(SMB::current_file?$times ? SMB::current_file$times$modified : double_to_time(0.0))return (hexdump(cat(Analyzer::ANALYZER_SMB, SMB::c$id$orig_h, SMB::c$id$resp_h, SMB::path_name, SMB::file_name, SMB::last_mod)))}, describe=SMB::describe_file{ SMB::cid, SMB::c{ if (SMB::f$source != SMB) return ()for ([SMB::cid] in SMB::f$conns) { if (SMB::c?$smb_state && SMB::c$smb_state?$current_file && SMB::c$smb_state$current_file?$name) return (SMB::c$smb_state$current_file$name)}return ()}}])) -> +0.000000 MetaHookPost CallFunction(Files::register_protocol, , (Analyzer::ANALYZER_SMB, [get_file_handle=SMB::get_file_handle{ if (!(SMB::c$smb_state?$current_file && (SMB::c$smb_state$current_file?$name || SMB::c$smb_state$current_file?$path))) { return ()}SMB::current_file = SMB::c$smb_state$current_fileSMB::path_name = SMB::current_file?$path ? SMB::current_file$path : SMB::file_name = SMB::current_file?$name ? SMB::current_file$name : SMB::last_mod = cat(SMB::current_file?$times ? SMB::current_file$times$modified_raw : 0)return (hexdump(cat(Analyzer::ANALYZER_SMB, SMB::c$id$orig_h, SMB::c$id$resp_h, SMB::path_name, SMB::file_name, SMB::last_mod)))}, describe=SMB::describe_file{ SMB::cid, SMB::c{ if (SMB::f$source != SMB) return ()for ([SMB::cid] in SMB::f$conns) { if (SMB::c?$smb_state && SMB::c$smb_state?$current_file && SMB::c$smb_state$current_file?$name) return (SMB::c$smb_state$current_file$name)}return ()}}])) -> 0.000000 MetaHookPost CallFunction(Files::register_protocol, , (Analyzer::ANALYZER_SMTP, [get_file_handle=SMTP::get_file_handle{ return (cat(Analyzer::ANALYZER_SMTP, SMTP::c$start_time, SMTP::c$smtp$trans_depth, SMTP::c$smtp_state$mime_depth))}, describe=SMTP::describe_file{ SMTP::cid, SMTP::c{ if (SMTP::f$source != SMTP) return ()for ([SMTP::cid] in SMTP::f$conns) { return (SMTP::describe(SMTP::c$smtp))}return ()}}])) -> 0.000000 MetaHookPost CallFunction(Files::register_protocol, , (Analyzer::ANALYZER_SSL, [get_file_handle=SSL::get_file_handle{ return ()}, describe=SSL::describe_file{ SSL::cid, SSL::c{ if (SSL::f$source != SSL || !SSL::f?$info || !SSL::f$info?$x509 || !SSL::f$info$x509?$certificate) return ()for ([SSL::cid] in SSL::f$conns) { if (SSL::c?$ssl) { return (cat(SSL::c$id$resp_h, :, SSL::c$id$resp_p))}}return (cat(Serial: , SSL::f$info$x509$certificate$serial, Subject: , SSL::f$info$x509$certificate$subject, Issuer: , SSL::f$info$x509$certificate$issuer))}}])) -> 0.000000 MetaHookPost CallFunction(FilteredTraceDetection::should_detect, , ()) -> @@ -1230,7 +1230,7 @@ 0.000000 MetaHookPre CallFunction(Files::register_protocol, , (Analyzer::ANALYZER_IRC_DATA, [get_file_handle=IRC::get_file_handle{ return (cat(Analyzer::ANALYZER_IRC_DATA, IRC::c$start_time, IRC::c$id, IRC::is_orig))}, describe=lambda_<15770440363500096069>{ return ()}])) 0.000000 MetaHookPre CallFunction(Files::register_protocol, , (Analyzer::ANALYZER_KRB, [get_file_handle=KRB::get_file_handle{ return ()}, describe=KRB::describe_file{ KRB::cid, KRB::c{ if (KRB::f$source != KRB_TCP && KRB::f$source != KRB) return ()if (!KRB::f?$info || !KRB::f$info?$x509 || !KRB::f$info$x509?$certificate) return ()for ([KRB::cid] in KRB::f$conns) { if (KRB::c?$krb) { return (cat(KRB::c$id$resp_h, :, KRB::c$id$resp_p))}}return (cat(Serial: , KRB::f$info$x509$certificate$serial, Subject: , KRB::f$info$x509$certificate$subject, Issuer: , KRB::f$info$x509$certificate$issuer))}}])) 0.000000 MetaHookPre CallFunction(Files::register_protocol, , (Analyzer::ANALYZER_KRB_TCP, [get_file_handle=KRB::get_file_handle{ return ()}, describe=KRB::describe_file{ KRB::cid, KRB::c{ if (KRB::f$source != KRB_TCP && KRB::f$source != KRB) return ()if (!KRB::f?$info || !KRB::f$info?$x509 || !KRB::f$info$x509?$certificate) return ()for ([KRB::cid] in KRB::f$conns) { if (KRB::c?$krb) { return (cat(KRB::c$id$resp_h, :, KRB::c$id$resp_p))}}return (cat(Serial: , KRB::f$info$x509$certificate$serial, Subject: , KRB::f$info$x509$certificate$subject, Issuer: , KRB::f$info$x509$certificate$issuer))}}])) -0.000000 MetaHookPre CallFunction(Files::register_protocol, , (Analyzer::ANALYZER_SMB, [get_file_handle=SMB::get_file_handle{ if (!(SMB::c$smb_state?$current_file && (SMB::c$smb_state$current_file?$name || SMB::c$smb_state$current_file?$path))) { return ()}SMB::current_file = SMB::c$smb_state$current_fileSMB::path_name = SMB::current_file?$path ? SMB::current_file$path : SMB::file_name = SMB::current_file?$name ? SMB::current_file$name : SMB::last_mod = cat(SMB::current_file?$times ? SMB::current_file$times$modified : double_to_time(0.0))return (hexdump(cat(Analyzer::ANALYZER_SMB, SMB::c$id$orig_h, SMB::c$id$resp_h, SMB::path_name, SMB::file_name, SMB::last_mod)))}, describe=SMB::describe_file{ SMB::cid, SMB::c{ if (SMB::f$source != SMB) return ()for ([SMB::cid] in SMB::f$conns) { if (SMB::c?$smb_state && SMB::c$smb_state?$current_file && SMB::c$smb_state$current_file?$name) return (SMB::c$smb_state$current_file$name)}return ()}}])) +0.000000 MetaHookPre CallFunction(Files::register_protocol, , (Analyzer::ANALYZER_SMB, [get_file_handle=SMB::get_file_handle{ if (!(SMB::c$smb_state?$current_file && (SMB::c$smb_state$current_file?$name || SMB::c$smb_state$current_file?$path))) { return ()}SMB::current_file = SMB::c$smb_state$current_fileSMB::path_name = SMB::current_file?$path ? SMB::current_file$path : SMB::file_name = SMB::current_file?$name ? SMB::current_file$name : SMB::last_mod = cat(SMB::current_file?$times ? SMB::current_file$times$modified_raw : 0)return (hexdump(cat(Analyzer::ANALYZER_SMB, SMB::c$id$orig_h, SMB::c$id$resp_h, SMB::path_name, SMB::file_name, SMB::last_mod)))}, describe=SMB::describe_file{ SMB::cid, SMB::c{ if (SMB::f$source != SMB) return ()for ([SMB::cid] in SMB::f$conns) { if (SMB::c?$smb_state && SMB::c$smb_state?$current_file && SMB::c$smb_state$current_file?$name) return (SMB::c$smb_state$current_file$name)}return ()}}])) 0.000000 MetaHookPre CallFunction(Files::register_protocol, , (Analyzer::ANALYZER_SMTP, [get_file_handle=SMTP::get_file_handle{ return (cat(Analyzer::ANALYZER_SMTP, SMTP::c$start_time, SMTP::c$smtp$trans_depth, SMTP::c$smtp_state$mime_depth))}, describe=SMTP::describe_file{ SMTP::cid, SMTP::c{ if (SMTP::f$source != SMTP) return ()for ([SMTP::cid] in SMTP::f$conns) { return (SMTP::describe(SMTP::c$smtp))}return ()}}])) 0.000000 MetaHookPre CallFunction(Files::register_protocol, , (Analyzer::ANALYZER_SSL, [get_file_handle=SSL::get_file_handle{ return ()}, describe=SSL::describe_file{ SSL::cid, SSL::c{ if (SSL::f$source != SSL || !SSL::f?$info || !SSL::f$info?$x509 || !SSL::f$info$x509?$certificate) return ()for ([SSL::cid] in SSL::f$conns) { if (SSL::c?$ssl) { return (cat(SSL::c$id$resp_h, :, SSL::c$id$resp_p))}}return (cat(Serial: , SSL::f$info$x509$certificate$serial, Subject: , SSL::f$info$x509$certificate$subject, Issuer: , SSL::f$info$x509$certificate$issuer))}}])) 0.000000 MetaHookPre CallFunction(FilteredTraceDetection::should_detect, , ()) @@ -2260,7 +2260,7 @@ 0.000000 | HookCallFunction Files::register_protocol(Analyzer::ANALYZER_IRC_DATA, [get_file_handle=IRC::get_file_handle{ return (cat(Analyzer::ANALYZER_IRC_DATA, IRC::c$start_time, IRC::c$id, IRC::is_orig))}, describe=lambda_<15770440363500096069>{ return ()}]) 0.000000 | HookCallFunction Files::register_protocol(Analyzer::ANALYZER_KRB, [get_file_handle=KRB::get_file_handle{ return ()}, describe=KRB::describe_file{ KRB::cid, KRB::c{ if (KRB::f$source != KRB_TCP && KRB::f$source != KRB) return ()if (!KRB::f?$info || !KRB::f$info?$x509 || !KRB::f$info$x509?$certificate) return ()for ([KRB::cid] in KRB::f$conns) { if (KRB::c?$krb) { return (cat(KRB::c$id$resp_h, :, KRB::c$id$resp_p))}}return (cat(Serial: , KRB::f$info$x509$certificate$serial, Subject: , KRB::f$info$x509$certificate$subject, Issuer: , KRB::f$info$x509$certificate$issuer))}}]) 0.000000 | HookCallFunction Files::register_protocol(Analyzer::ANALYZER_KRB_TCP, [get_file_handle=KRB::get_file_handle{ return ()}, describe=KRB::describe_file{ KRB::cid, KRB::c{ if (KRB::f$source != KRB_TCP && KRB::f$source != KRB) return ()if (!KRB::f?$info || !KRB::f$info?$x509 || !KRB::f$info$x509?$certificate) return ()for ([KRB::cid] in KRB::f$conns) { if (KRB::c?$krb) { return (cat(KRB::c$id$resp_h, :, KRB::c$id$resp_p))}}return (cat(Serial: , KRB::f$info$x509$certificate$serial, Subject: , KRB::f$info$x509$certificate$subject, Issuer: , KRB::f$info$x509$certificate$issuer))}}]) -0.000000 | HookCallFunction Files::register_protocol(Analyzer::ANALYZER_SMB, [get_file_handle=SMB::get_file_handle{ if (!(SMB::c$smb_state?$current_file && (SMB::c$smb_state$current_file?$name || SMB::c$smb_state$current_file?$path))) { return ()}SMB::current_file = SMB::c$smb_state$current_fileSMB::path_name = SMB::current_file?$path ? SMB::current_file$path : SMB::file_name = SMB::current_file?$name ? SMB::current_file$name : SMB::last_mod = cat(SMB::current_file?$times ? SMB::current_file$times$modified : double_to_time(0.0))return (hexdump(cat(Analyzer::ANALYZER_SMB, SMB::c$id$orig_h, SMB::c$id$resp_h, SMB::path_name, SMB::file_name, SMB::last_mod)))}, describe=SMB::describe_file{ SMB::cid, SMB::c{ if (SMB::f$source != SMB) return ()for ([SMB::cid] in SMB::f$conns) { if (SMB::c?$smb_state && SMB::c$smb_state?$current_file && SMB::c$smb_state$current_file?$name) return (SMB::c$smb_state$current_file$name)}return ()}}]) +0.000000 | HookCallFunction Files::register_protocol(Analyzer::ANALYZER_SMB, [get_file_handle=SMB::get_file_handle{ if (!(SMB::c$smb_state?$current_file && (SMB::c$smb_state$current_file?$name || SMB::c$smb_state$current_file?$path))) { return ()}SMB::current_file = SMB::c$smb_state$current_fileSMB::path_name = SMB::current_file?$path ? SMB::current_file$path : SMB::file_name = SMB::current_file?$name ? SMB::current_file$name : SMB::last_mod = cat(SMB::current_file?$times ? SMB::current_file$times$modified_raw : 0)return (hexdump(cat(Analyzer::ANALYZER_SMB, SMB::c$id$orig_h, SMB::c$id$resp_h, SMB::path_name, SMB::file_name, SMB::last_mod)))}, describe=SMB::describe_file{ SMB::cid, SMB::c{ if (SMB::f$source != SMB) return ()for ([SMB::cid] in SMB::f$conns) { if (SMB::c?$smb_state && SMB::c$smb_state?$current_file && SMB::c$smb_state$current_file?$name) return (SMB::c$smb_state$current_file$name)}return ()}}]) 0.000000 | HookCallFunction Files::register_protocol(Analyzer::ANALYZER_SMTP, [get_file_handle=SMTP::get_file_handle{ return (cat(Analyzer::ANALYZER_SMTP, SMTP::c$start_time, SMTP::c$smtp$trans_depth, SMTP::c$smtp_state$mime_depth))}, describe=SMTP::describe_file{ SMTP::cid, SMTP::c{ if (SMTP::f$source != SMTP) return ()for ([SMTP::cid] in SMTP::f$conns) { return (SMTP::describe(SMTP::c$smtp))}return ()}}]) 0.000000 | HookCallFunction Files::register_protocol(Analyzer::ANALYZER_SSL, [get_file_handle=SSL::get_file_handle{ return ()}, describe=SSL::describe_file{ SSL::cid, SSL::c{ if (SSL::f$source != SSL || !SSL::f?$info || !SSL::f$info?$x509 || !SSL::f$info$x509?$certificate) return ()for ([SSL::cid] in SSL::f$conns) { if (SSL::c?$ssl) { return (cat(SSL::c$id$resp_h, :, SSL::c$id$resp_p))}}return (cat(Serial: , SSL::f$info$x509$certificate$serial, Subject: , SSL::f$info$x509$certificate$subject, Issuer: , SSL::f$info$x509$certificate$issuer))}}]) 0.000000 | HookCallFunction FilteredTraceDetection::should_detect() diff --git a/testing/btest/Baseline/scripts.base.protocols.smb.smb2-read-write/files.log b/testing/btest/Baseline/scripts.base.protocols.smb.smb2-read-write/files.log index 86a8c17d03..c1ff8bfdbb 100644 --- a/testing/btest/Baseline/scripts.base.protocols.smb.smb2-read-write/files.log +++ b/testing/btest/Baseline/scripts.base.protocols.smb.smb2-read-write/files.log @@ -7,6 +7,6 @@ #open XXXX-XX-XX-XX-XX-XX #fields ts fuid tx_hosts rx_hosts conn_uids source depth analyzers mime_type filename duration local_orig is_orig seen_bytes total_bytes missing_bytes overflow_bytes timedout parent_fuid md5 sha1 sha256 extracted extracted_cutoff extracted_size #types time string set[addr] set[addr] set[string] string count set[string] string string interval bool bool count count count count bool string string string string string bool count -XXXXXXXXXX.XXXXXX FvOchP1DvxPt75ql7b 169.254.128.15 169.254.128.18 CHhAvVGS1DHFjwGM9 SMB 0 (empty) text/plain pythonfile 0.000000 - F 16 16 0 0 F - - - - - - - -XXXXXXXXXX.XXXXXX FRCqNs3XdP1aPvzhvf 169.254.128.18 169.254.128.15 CHhAvVGS1DHFjwGM9 SMB 0 (empty) text/plain pythonfile2 0.000000 - T 7000 - 0 0 F - - - - - - - +XXXXXXXXXX.XXXXXX FVTHwlRSH2WI8fFw2 169.254.128.15 169.254.128.18 CHhAvVGS1DHFjwGM9 SMB 0 (empty) text/plain pythonfile 0.000000 - F 16 16 0 0 F - - - - - - - +XXXXXXXXXX.XXXXXX FAI5Dc4cLr5RAw3j0e 169.254.128.18 169.254.128.15 CHhAvVGS1DHFjwGM9 SMB 0 (empty) text/plain pythonfile2 0.000000 - T 7000 - 0 0 F - - - - - - - #close XXXX-XX-XX-XX-XX-XX diff --git a/testing/btest/Baseline/scripts.base.protocols.smb.smb2-read-write/smb_files.log b/testing/btest/Baseline/scripts.base.protocols.smb.smb2-read-write/smb_files.log index 6ab1899891..c1b80a0c12 100644 --- a/testing/btest/Baseline/scripts.base.protocols.smb.smb2-read-write/smb_files.log +++ b/testing/btest/Baseline/scripts.base.protocols.smb.smb2-read-write/smb_files.log @@ -9,9 +9,9 @@ #types time string addr port addr port string enum string string count string time time time time XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 169.254.128.18 49155 169.254.128.15 445 - SMB::FILE_OPEN - pythonfile 16 - XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 169.254.128.18 49155 169.254.128.15 445 - SMB::FILE_READ - pythonfile 16 - XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX -XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 169.254.128.18 49155 169.254.128.15 445 FvOchP1DvxPt75ql7b SMB::FILE_READ - pythonfile 16 - XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 169.254.128.18 49155 169.254.128.15 445 FVTHwlRSH2WI8fFw2 SMB::FILE_READ - pythonfile 16 - XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 169.254.128.18 49155 169.254.128.15 445 - SMB::FILE_OPEN - pythonfile2 0 - XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 169.254.128.18 49155 169.254.128.15 445 - SMB::FILE_WRITE - pythonfile2 0 - XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX -XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 169.254.128.18 49155 169.254.128.15 445 FRCqNs3XdP1aPvzhvf SMB::FILE_WRITE - pythonfile2 0 - XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 169.254.128.18 49155 169.254.128.15 445 FAI5Dc4cLr5RAw3j0e SMB::FILE_WRITE - pythonfile2 0 - XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 169.254.128.18 49155 169.254.128.15 445 - SMB::FILE_OPEN - 0 - XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX #close XXXX-XX-XX-XX-XX-XX diff --git a/testing/btest/Baseline/scripts.base.protocols.smb.smb2/.stdout b/testing/btest/Baseline/scripts.base.protocols.smb.smb2/.stdout index c2ac54b0f5..53024bdccd 100644 --- a/testing/btest/Baseline/scripts.base.protocols.smb.smb2/.stdout +++ b/testing/btest/Baseline/scripts.base.protocols.smb.smb2/.stdout @@ -1,13 +1,13 @@ ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. smb2_create_request 10.0.0.11 -> 10.0.0.12:445 [filename=, disposition=1, create_options=32] -smb2_create_response 10.0.0.11 -> 10.0.0.12:445 [file_id=[persistent=69, volatile=18446744069414584321], size=8192, times=[modified=XXXXXXXXXX.XXXXXX, accessed=XXXXXXXXXX.XXXXXX, created=XXXXXXXXXX.XXXXXX, changed=XXXXXXXXXX.XXXXXX], attrs=[read_only=F, hidden=F, system=F, directory=T, archive=F, normal=F, temporary=F, sparse_file=F, reparse_point=F, compressed=F, offline=F, not_content_indexed=F, encrypted=F, integrity_stream=F, no_scrub_data=F], create_action=1] +smb2_create_response 10.0.0.11 -> 10.0.0.12:445 [file_id=[persistent=69, volatile=18446744069414584321], size=8192, times=[modified=XXXXXXXXXX.XXXXXX, modified_raw=129676762045120585, accessed=XXXXXXXXXX.XXXXXX, accessed_raw=129676762045120585, created=XXXXXXXXXX.XXXXXX, created_raw=129668175639452974, changed=XXXXXXXXXX.XXXXXX, changed_raw=129676762045120585], attrs=[read_only=F, hidden=F, system=F, directory=T, archive=F, normal=F, temporary=F, sparse_file=F, reparse_point=F, compressed=F, offline=F, not_content_indexed=F, encrypted=F, integrity_stream=F, no_scrub_data=F], create_action=1] smb2_create_request 10.0.0.11 -> 10.0.0.12:445 [filename=srvsvc, disposition=1, create_options=4194368] -smb2_create_response 10.0.0.11 -> 10.0.0.12:445 [file_id=[persistent=73, volatile=18446744069414584325], size=0, times=[modified=-1.16444736e+10, accessed=-1.16444736e+10, created=-1.16444736e+10, changed=-1.16444736e+10], attrs=[read_only=F, hidden=F, system=F, directory=F, archive=F, normal=T, temporary=F, sparse_file=F, reparse_point=F, compressed=F, offline=F, not_content_indexed=F, encrypted=F, integrity_stream=F, no_scrub_data=F], create_action=1] +smb2_create_response 10.0.0.11 -> 10.0.0.12:445 [file_id=[persistent=73, volatile=18446744069414584325], size=0, times=[modified=-1.16444736e+10, modified_raw=0, accessed=-1.16444736e+10, accessed_raw=0, created=-1.16444736e+10, created_raw=0, changed=-1.16444736e+10, changed_raw=0], attrs=[read_only=F, hidden=F, system=F, directory=F, archive=F, normal=T, temporary=F, sparse_file=F, reparse_point=F, compressed=F, offline=F, not_content_indexed=F, encrypted=F, integrity_stream=F, no_scrub_data=F], create_action=1] smb2_create_request 10.0.0.11 -> 10.0.0.12:445 [filename=, disposition=2, create_options=2097185] smb2_create_request 10.0.0.11 -> 10.0.0.12:445 [filename=WP_SMBPlugin.pdf, disposition=2, create_options=68] -smb2_create_response 10.0.0.11 -> 10.0.0.12:445 [file_id=[persistent=77, volatile=18446744069414584329], size=0, times=[modified=XXXXXXXXXX.XXXXXX, accessed=XXXXXXXXXX.XXXXXX, created=XXXXXXXXXX.XXXXXX, changed=XXXXXXXXXX.XXXXXX], attrs=[read_only=F, hidden=F, system=F, directory=F, archive=T, normal=F, temporary=F, sparse_file=F, reparse_point=F, compressed=F, offline=F, not_content_indexed=F, encrypted=F, integrity_stream=F, no_scrub_data=F], create_action=2] -smb2_file_sattr 10.0.0.11 -> 10.0.0.12:445 [persistent=77, volatile=18446744069414584329] MACTimes:[modified=XXXXXXXXXX.XXXXXX, accessed=-1.16444736e+10, created=-1.16444736e+10, changed=-1.16444736e+10] FileAttrs:[read_only=F, hidden=F, system=F, directory=F, archive=F, normal=F, temporary=F, sparse_file=F, reparse_point=F, compressed=F, offline=F, not_content_indexed=F, encrypted=F, integrity_stream=F, no_scrub_data=F] +smb2_create_response 10.0.0.11 -> 10.0.0.12:445 [file_id=[persistent=77, volatile=18446744069414584329], size=0, times=[modified=XXXXXXXXXX.XXXXXX, modified_raw=129676762954270355, accessed=XXXXXXXXXX.XXXXXX, accessed_raw=129676762954270355, created=XXXXXXXXXX.XXXXXX, created_raw=129676762954270355, changed=XXXXXXXXXX.XXXXXX, changed_raw=129676762954270355], attrs=[read_only=F, hidden=F, system=F, directory=F, archive=T, normal=F, temporary=F, sparse_file=F, reparse_point=F, compressed=F, offline=F, not_content_indexed=F, encrypted=F, integrity_stream=F, no_scrub_data=F], create_action=2] +smb2_file_sattr 10.0.0.11 -> 10.0.0.12:445 [persistent=77, volatile=18446744069414584329] MACTimes:[modified=XXXXXXXXXX.XXXXXX, modified_raw=129635214083125000, accessed=-1.16444736e+10, accessed_raw=0, created=-1.16444736e+10, created_raw=0, changed=-1.16444736e+10, changed_raw=0] FileAttrs:[read_only=F, hidden=F, system=F, directory=F, archive=F, normal=F, temporary=F, sparse_file=F, reparse_point=F, compressed=F, offline=F, not_content_indexed=F, encrypted=F, integrity_stream=F, no_scrub_data=F] smb2_create_request 10.0.0.11 -> 10.0.0.12:445 [filename=, disposition=1, create_options=32] -smb2_create_response 10.0.0.11 -> 10.0.0.12:445 [file_id=[persistent=81, volatile=18446744069414584333], size=8192, times=[modified=XXXXXXXXXX.XXXXXX, accessed=XXXXXXXXXX.XXXXXX, created=XXXXXXXXXX.XXXXXX, changed=XXXXXXXXXX.XXXXXX], attrs=[read_only=F, hidden=F, system=F, directory=T, archive=F, normal=F, temporary=F, sparse_file=F, reparse_point=F, compressed=F, offline=F, not_content_indexed=F, encrypted=F, integrity_stream=F, no_scrub_data=F], create_action=1] +smb2_create_response 10.0.0.11 -> 10.0.0.12:445 [file_id=[persistent=81, volatile=18446744069414584333], size=8192, times=[modified=XXXXXXXXXX.XXXXXX, modified_raw=129676762954270355, accessed=XXXXXXXXXX.XXXXXX, accessed_raw=129676762954270355, created=XXXXXXXXXX.XXXXXX, created_raw=129668175639452974, changed=XXXXXXXXXX.XXXXXX, changed_raw=129676762954270355], attrs=[read_only=F, hidden=F, system=F, directory=T, archive=F, normal=F, temporary=F, sparse_file=F, reparse_point=F, compressed=F, offline=F, not_content_indexed=F, encrypted=F, integrity_stream=F, no_scrub_data=F], create_action=1] smb2_create_request 10.0.0.11 -> 10.0.0.12:445 [filename=, disposition=1, create_options=32] -smb2_create_response 10.0.0.11 -> 10.0.0.12:445 [file_id=[persistent=85, volatile=18446744069414584337], size=8192, times=[modified=XXXXXXXXXX.XXXXXX, accessed=XXXXXXXXXX.XXXXXX, created=XXXXXXXXXX.XXXXXX, changed=XXXXXXXXXX.XXXXXX], attrs=[read_only=F, hidden=F, system=F, directory=T, archive=F, normal=F, temporary=F, sparse_file=F, reparse_point=F, compressed=F, offline=F, not_content_indexed=F, encrypted=F, integrity_stream=F, no_scrub_data=F], create_action=1] +smb2_create_response 10.0.0.11 -> 10.0.0.12:445 [file_id=[persistent=85, volatile=18446744069414584337], size=8192, times=[modified=XXXXXXXXXX.XXXXXX, modified_raw=129676762954270355, accessed=XXXXXXXXXX.XXXXXX, accessed_raw=129676762954270355, created=XXXXXXXXXX.XXXXXX, created_raw=129668175639452974, changed=XXXXXXXXXX.XXXXXX, changed_raw=129676762954270355], attrs=[read_only=F, hidden=F, system=F, directory=T, archive=F, normal=F, temporary=F, sparse_file=F, reparse_point=F, compressed=F, offline=F, not_content_indexed=F, encrypted=F, integrity_stream=F, no_scrub_data=F], create_action=1] diff --git a/testing/btest/Baseline/scripts.base.protocols.smb.smb2/files.log b/testing/btest/Baseline/scripts.base.protocols.smb.smb2/files.log index 325f02166a..6a8bb83e3f 100644 --- a/testing/btest/Baseline/scripts.base.protocols.smb.smb2/files.log +++ b/testing/btest/Baseline/scripts.base.protocols.smb.smb2/files.log @@ -7,5 +7,5 @@ #open XXXX-XX-XX-XX-XX-XX #fields ts fuid tx_hosts rx_hosts conn_uids source depth analyzers mime_type filename duration local_orig is_orig seen_bytes total_bytes missing_bytes overflow_bytes timedout parent_fuid md5 sha1 sha256 extracted extracted_cutoff extracted_size #types time string set[addr] set[addr] set[string] string count set[string] string string interval bool bool count count count count bool string string string string string bool count -XXXXXXXXXX.XXXXXX FlZWcY3zsKh9Tt1Jy9 10.0.0.11 10.0.0.12 CHhAvVGS1DHFjwGM9 SMB 0 (empty) application/pdf WP_SMBPlugin.pdf 0.073970 - T 1508939 - 0 0 F - - - - - - - +XXXXXXXXXX.XXXXXX FwL5Z01az5ZsFYcHh5 10.0.0.11 10.0.0.12 CHhAvVGS1DHFjwGM9 SMB 0 (empty) application/pdf WP_SMBPlugin.pdf 0.073970 - T 1508939 - 0 0 F - - - - - - - #close XXXX-XX-XX-XX-XX-XX diff --git a/testing/btest/Baseline/scripts.policy.frameworks.intel.seen.smb/intel.log b/testing/btest/Baseline/scripts.policy.frameworks.intel.seen.smb/intel.log index a5ac5d8a24..8bf960834d 100644 --- a/testing/btest/Baseline/scripts.policy.frameworks.intel.seen.smb/intel.log +++ b/testing/btest/Baseline/scripts.policy.frameworks.intel.seen.smb/intel.log @@ -7,5 +7,5 @@ #open XXXX-XX-XX-XX-XX-XX #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p seen.indicator seen.indicator_type seen.where seen.node matched sources fuid file_mime_type file_desc #types time string addr port addr port string enum enum string set[enum] set[string] string string string -XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 169.254.128.18 49155 169.254.128.15 445 pythonfile Intel::FILE_NAME SMB::IN_FILE_NAME zeek Intel::FILE_NAME source1 FvOchP1DvxPt75ql7b - pythonfile +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 169.254.128.18 49155 169.254.128.15 445 pythonfile Intel::FILE_NAME SMB::IN_FILE_NAME zeek Intel::FILE_NAME source1 FVTHwlRSH2WI8fFw2 - pythonfile #close XXXX-XX-XX-XX-XX-XX diff --git a/testing/external/commit-hash.zeek-testing-private b/testing/external/commit-hash.zeek-testing-private index 1ef1273329..2c6e4053ba 100644 --- a/testing/external/commit-hash.zeek-testing-private +++ b/testing/external/commit-hash.zeek-testing-private @@ -1 +1 @@ -87a8b70c109b3dde01805fe95a6fba19033ccd85 +581e8d66bcd0fb64b12d2b6c91d26fdf31420ce6