diff --git a/CHANGES b/CHANGES
index f7d6321fbe..df3cec3aa6 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,4 +1,44 @@
+2.5-422 | 2018-02-05 16:28:25 -0600
+
+ * fix setup field handling in smb1_com_transaction_request messages
+
+ This field is an array of 16 bit words and was parsed as an array of
+ 32 bit words. Moreover, one can not assume the format is going to be a
+ 16 bits opcode followed by a 16 bit file ID, the content of the setup
+ field is different according to its first 16 bits word that defines
+ the subcommand code. See MS-CIFS section 2.2.4.33.1 :
+
+ Setup (variable): An array of two-byte words that provides transaction
+ context to the server. The size and content of the array are specific
+ to individual subcommands. (Jeffrey Bencteux)
+
+ * add smb1_transaction2_secondary_request event
+
+ parse and expose SMB_COM_TRANSACTION2_SECONDARY (0x33) message to
+ script level. See MS-CIFS section 2.2.4.47.1. (Jeffrey Bencteux)
+
+ * add smb1_transaction_secondary_request event
+
+ expose SMB_COM_TRANSACTION_SECONDARY (0x26) message to script
+ language. See MS-CIFS section 2.2.4.34.1. (Jeffrey Bencteux)
+
+ * add parameters and data to smb1_transaction_request/response messages
+
+ expose SMB_Data.Trans_Parameters and SMB_Data.Trans_Data fields of
+ SMB_COM_TRANSACTION (0x25) message type. See MS-CIFS section
+ 2.2.4.33.1.
+
+ These fields are exposed to the script level as Bro strings. Note that
+ this commit also expose a new event smb1_transaction_response.
+ (Jeffrey Bencteux)
+
+ * add SMB_Parameters.Words to smb1_transaction2_request event
+
+ expose the fields contained in SMB_Parameters.Words of the
+ SMB_COM_TRANSACTION2 (0x32) message to the script language. See
+ MS-CIFS section 2.2.46.1. (Jeffrey Bencteux)
+
2.5-410 | 2018-02-05 15:18:41 -0600
* Fix warnings when building sphinx docs (Corelight)
diff --git a/NEWS b/NEWS
index 4489439407..8296903ba9 100644
--- a/NEWS
+++ b/NEWS
@@ -56,6 +56,9 @@ New Functionality
- Added new NFS events: nfs_proc_symlink, nfs_proc_link, nfs_proc_sattr
+- Added new SMB events: smb1_transaction_secondary_request,
+ smb1_transaction2_secondary_request, smb1_transaction_response
+
Changed Functionality
---------------------
@@ -83,6 +86,11 @@ Changed Functionality
the default configuration of logs, this field will show "-" instead of
"(empty)" for connections that lack any tunelling.
+- SMB event argument changes
+ - smb1_transaction_request now has two additional arguments, "parameters"
+ and "data" strings
+ - smb1_transaction2_request now has an additional "args" record argument
+
Removed Functionality
---------------------
diff --git a/VERSION b/VERSION
index 4c07f9de0b..01c4a73e12 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-2.5-410
+2.5-422
diff --git a/scripts/base/init-bare.bro b/scripts/base/init-bare.bro
index 3c98431719..fc8446b304 100644
--- a/scripts/base/init-bare.bro
+++ b/scripts/base/init-bare.bro
@@ -2960,6 +2960,73 @@ export {
security_blob : string &optional;
};
+ type SMB1::Trans2_Args: record {
+ ## Total parameter count
+ total_param_count: count;
+ ## Total data count
+ total_data_count: count;
+ ## Max parameter count
+ max_param_count: count;
+ ## Max data count
+ max_data_count: count;
+ ## Max setup count
+ max_setup_count: count;
+ ## Flags
+ flags: count;
+ ## Timeout
+ trans_timeout: count;
+ ## Parameter count
+ param_count: count;
+ ## Parameter offset
+ param_offset: count;
+ ## Data count
+ data_count: count;
+ ## Data offset
+ data_offset: count;
+ ## Setup count
+ setup_count: count;
+ };
+
+ type SMB1::Trans_Sec_Args: record {
+ ## Total parameter count
+ total_param_count: count;
+ ## Total data count
+ total_data_count: count;
+ ## Parameter count
+ param_count: count;
+ ## Parameter offset
+ param_offset: count;
+ ## Parameter displacement
+ param_displacement: count;
+ ## Data count
+ data_count: count;
+ ## Data offset
+ data_offset: count;
+ ## Data displacement
+ data_displacement: count;
+ };
+
+ type SMB1::Trans2_Sec_Args: record {
+ ## Total parameter count
+ total_param_count: count;
+ ## Total data count
+ total_data_count: count;
+ ## Parameter count
+ param_count: count;
+ ## Parameter offset
+ param_offset: count;
+ ## Parameter displacement
+ param_displacement: count;
+ ## Data count
+ data_count: count;
+ ## Data offset
+ data_offset: count;
+ ## Data displacement
+ data_displacement: count;
+ ## File ID
+ FID: count;
+ };
+
type SMB1::Find_First2_Request_Args: record {
## File attributes to apply as a constraint to the search
search_attrs : count;
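Review bot: The per-field comments on the three new records only restate the field names (`## Flags`, `## Timeout`, `## File ID`), and no record says which message it describes, so a script writer has to open the .pac files to learn what `param_displacement` or `trans_timeout` refer to. A one-line record comment would fix that, e.g. `## Arguments (SMB_Parameters.Words) of an SMB_COM_TRANSACTION2 request, see MS-CIFS 2.2.4.46.1` above Trans2_Args, and correspondingly MS-CIFS 2.2.4.34.1 for Trans_Sec_Args and 2.2.4.47.1 for Trans2_Sec_Args. On style, `FID` is the only field in these records that is not lower snake_case; `fid` would match the surrounding declarations, and since the handler fills the record by index nothing else needs to change.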
diff --git a/scripts/policy/protocols/smb/smb1-main.bro b/scripts/policy/protocols/smb/smb1-main.bro
index 853d83b01f..6b23fe91db 100644
--- a/scripts/policy/protocols/smb/smb1-main.bro
+++ b/scripts/policy/protocols/smb/smb1-main.bro
@@ -82,7 +82,7 @@ event smb1_message(c: connection, hdr: SMB1::Header, is_orig: bool) &priority=-5
}
-event smb1_transaction2_request(c: connection, hdr: SMB1::Header, sub_cmd: count)
+event smb1_transaction2_request(c: connection, hdr: SMB1::Header, args: SMB1::Trans2_Args, sub_cmd: count)
{
c$smb_state$current_cmd$sub_command = SMB1::trans2_sub_commands[sub_cmd];
}
@@ -263,7 +263,7 @@ event smb1_session_setup_andx_response(c: connection, hdr: SMB1::Header, respons
# No behavior yet.
}
-event smb1_transaction_request(c: connection, hdr: SMB1::Header, name: string, sub_cmd: count)
+event smb1_transaction_request(c: connection, hdr: SMB1::Header, name: string, sub_cmd: count, parameters: string, data: string)
{
c$smb_state$current_cmd$sub_command = SMB1::trans_sub_commands[sub_cmd];
}
diff --git a/src/analyzer/protocol/smb/CMakeLists.txt b/src/analyzer/protocol/smb/CMakeLists.txt
index bf44501b96..cc5d690dfd 100644
--- a/src/analyzer/protocol/smb/CMakeLists.txt
+++ b/src/analyzer/protocol/smb/CMakeLists.txt
@@ -18,7 +18,9 @@ bro_plugin_bif(
smb1_com_read_andx.bif
smb1_com_session_setup_andx.bif
smb1_com_transaction.bif
+ smb1_com_transaction_secondary.bif
smb1_com_transaction2.bif
+ smb1_com_transaction2_secondary.bif
smb1_com_tree_connect_andx.bif
smb1_com_tree_disconnect.bif
smb1_com_write_andx.bif
@@ -65,6 +67,7 @@ bro_plugin_pac(
smb1-com-transaction-secondary.pac
smb1-com-transaction.pac
smb1-com-transaction2.pac
+ smb1-com-transaction2-secondary.pac
smb1-com-tree-connect-andx.pac
smb1-com-tree-disconnect.pac
smb1-com-write-andx.pac
diff --git a/src/analyzer/protocol/smb/smb.pac b/src/analyzer/protocol/smb/smb.pac
index 156037f614..a21101faaa 100644
--- a/src/analyzer/protocol/smb/smb.pac
+++ b/src/analyzer/protocol/smb/smb.pac
@@ -24,7 +24,9 @@
#include "smb1_com_read_andx.bif.h"
#include "smb1_com_session_setup_andx.bif.h"
#include "smb1_com_transaction.bif.h"
+#include "smb1_com_transaction_secondary.bif.h"
#include "smb1_com_transaction2.bif.h"
+#include "smb1_com_transaction2_secondary.bif.h"
#include "smb1_com_tree_connect_andx.bif.h"
#include "smb1_com_tree_disconnect.bif.h"
#include "smb1_com_write_andx.bif.h"
@@ -74,6 +76,7 @@ connection SMB_Conn(bro_analyzer: BroAnalyzer) {
%include smb1-com-transaction-secondary.pac
%include smb1-com-transaction.pac
%include smb1-com-transaction2.pac
+%include smb1-com-transaction2-secondary.pac
%include smb1-com-tree-connect-andx.pac
%include smb1-com-tree-disconnect.pac
%include smb1-com-write-andx.pac
diff --git a/src/analyzer/protocol/smb/smb1-com-transaction-secondary.pac b/src/analyzer/protocol/smb/smb1-com-transaction-secondary.pac
index bcd9ba91bb..e5314d798b 100644
--- a/src/analyzer/protocol/smb/smb1-com-transaction-secondary.pac
+++ b/src/analyzer/protocol/smb/smb1-com-transaction-secondary.pac
@@ -1,3 +1,61 @@
+refine connection SMB_Conn += {
+
+ function proc_smb1_transaction_secondary_request(header: SMB_Header, val: SMB1_transaction_secondary_request): bool
+ %{
+ if ( ! smb1_transaction_secondary_request )
+ return false;
+
+ RecordVal* args = new RecordVal(BifType::Record::SMB1::Trans_Sec_Args);
+ args->Assign(0, new Val(${val.total_param_count}, TYPE_COUNT));
+ args->Assign(1, new Val(${val.total_data_count}, TYPE_COUNT));
+ args->Assign(2, new Val(${val.param_count}, TYPE_COUNT));
+ args->Assign(3, new Val(${val.param_offset}, TYPE_COUNT));
+ args->Assign(4, new Val(${val.param_displacement}, TYPE_COUNT));
+ args->Assign(5, new Val(${val.data_count}, TYPE_COUNT));
+ args->Assign(6, new Val(${val.data_offset}, TYPE_COUNT));
+ args->Assign(7, new Val(${val.data_displacement}, TYPE_COUNT));
+
+ StringVal* parameters = new StringVal(${val.parameters}.length(),
+ (const char*)${val.parameters}.data());
+ StringVal* payload_str = nullptr;
+ SMB1_transaction_data* payload = nullptr;
+
+ if ( ${val.data_count} > 0 )
+ {
+ payload = ${val.data};
+ }
+
+ if ( payload )
+ {
+ switch ( payload->trans_type() ) {
+ case SMB_PIPE:
+ payload_str = new StringVal(${val.data_count}, (const char*)${val.data.pipe_data}.data());
+ break;
+ case SMB_UNKNOWN:
+ payload_str = new StringVal(${val.data_count}, (const char*)${val.data.unknown}.data());
+ break;
+ default:
+ payload_str = new StringVal(${val.data_count}, (const char*)${val.data.data}.data());
+ break;
+ }
+ }
+
+ if ( ! payload_str )
+ {
+ payload_str = new StringVal("");
+ }
+
+ BifEvent::generate_smb1_transaction_secondary_request(bro_analyzer(),
+ bro_analyzer()->Conn(),
+ BuildHeaderVal(header),
+ args,
+ parameters,
+ payload_str);
+
+ return true;
+ %}
+};
+
type SMB1_transaction_secondary_request(header: SMB_Header) = record {
word_count : uint8;
total_param_count : uint16;
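Review bot: The three `new StringVal(${val.data_count}, …)` calls in the switch use the wire-supplied data_count as the number of bytes to copy, while the source bytestrings (`pipe_data`, `unknown`, `data`) are declared `&restofdata` and hold only whatever bytes remain in the message, which need not equal data_count; a data_count larger than that makes StringVal copy past the end of the parsed buffer. Take the length from the bytestring itself instead, e.g. `payload_str = new StringVal(${val.data.pipe_data}.length(), (const char*)${val.data.pipe_data}.data());`, and likewise for the `unknown` and `data` branches. The same pattern appears in the request and response handlers of smb1-com-transaction.pac (hunk @@ -31,18 +31,90 @@). Note also that this record always passes SMB_UNKNOWN as the transaction type, so presumably only the SMB_UNKNOWN branch is reachable here; a short comment saying so would explain why the switch is kept.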
@@ -14,4 +72,6 @@ type SMB1_transaction_secondary_request(header: SMB_Header) = record {
parameters : bytestring &length = param_count;
pad2 : padding to data_offset - SMB_Header_length;
data : SMB1_transaction_data(header, true, data_count, 0, SMB_UNKNOWN, false);
+} &let {
+ proc : bool = $context.connection.proc_smb1_transaction_secondary_request(header, this);
};
diff --git a/src/analyzer/protocol/smb/smb1-com-transaction.pac b/src/analyzer/protocol/smb/smb1-com-transaction.pac
index d199b9062c..c06a7c8cb0 100644
--- a/src/analyzer/protocol/smb/smb1-com-transaction.pac
+++ b/src/analyzer/protocol/smb/smb1-com-transaction.pac
@@ -31,18 +31,90 @@ refine connection SMB_Conn += {
function proc_smb1_transaction_request(header: SMB_Header, val: SMB1_transaction_request): bool
%{
- if ( smb1_transaction_request )
- BifEvent::generate_smb1_transaction_request(bro_analyzer(),
- bro_analyzer()->Conn(),
- BuildHeaderVal(header),
- smb_string2stringval(${val.name}),
- ${val.sub_cmd});
+ if ( ! smb1_transaction_request )
+ return false;
+
+ StringVal* parameters = new StringVal(${val.parameters}.length(),
+ (const char*)${val.parameters}.data());
+ StringVal* payload_str = nullptr;
+ SMB1_transaction_data* payload = nullptr;
+
+ if ( ${val.data_count} > 0 )
+ {
+ payload = ${val.data};
+ }
+
+ if ( payload )
+ {
+ switch ( payload->trans_type() ) {
+ case SMB_PIPE:
+ payload_str = new StringVal(${val.data_count}, (const char*)${val.data.pipe_data}.data());
+ break;
+ case SMB_UNKNOWN:
+ payload_str = new StringVal(${val.data_count}, (const char*)${val.data.unknown}.data());
+ break;
+ default:
+ payload_str = new StringVal(${val.data_count}, (const char*)${val.data.data}.data());
+ break;
+ }
+ }
+
+ if ( ! payload_str )
+ {
+ payload_str = new StringVal("");
+ }
+
+ BifEvent::generate_smb1_transaction_request(bro_analyzer(),
+ bro_analyzer()->Conn(),
+ BuildHeaderVal(header),
+ smb_string2stringval(${val.name}),
+ ${val.sub_cmd},
+ parameters,
+ payload_str);
return true;
%}
function proc_smb1_transaction_response(header: SMB_Header, val: SMB1_transaction_response): bool
%{
+ if ( ! smb1_transaction_response )
+ return false;
+
+ StringVal* parameters = new StringVal(${val.parameters}.length(),
+ (const char*)${val.parameters}.data());
+ StringVal* payload_str = nullptr;
+ SMB1_transaction_data* payload = nullptr;
+
+ if ( ${val.data_count} > 0 )
+ {
+ payload = ${val.data[0]};
+ }
+
+ if ( payload )
+ {
+ switch ( payload->trans_type() ) {
+ case SMB_PIPE:
+ payload_str = new StringVal(${val.data_count}, (const char*)${val.data[0].pipe_data}.data());
+ break;
+ case SMB_UNKNOWN:
+ payload_str = new StringVal(${val.data_count}, (const char*)${val.data[0].unknown}.data());
+ break;
+ default:
+ payload_str = new StringVal(${val.data_count}, (const char*)${val.data[0].data}.data());
+ break;
+ }
+ }
+
+ if ( ! payload_str )
+ {
+ payload_str = new StringVal("");
+ }
+
+ BifEvent::generate_smb1_transaction_response(bro_analyzer(),
+ bro_analyzer()->Conn(),
+ BuildHeaderVal(header),
+ parameters,
+ payload_str);
return true;
%}
};
@@ -54,17 +126,12 @@ type SMB1_transaction_data(header: SMB_Header, is_orig: bool, count: uint16, sub
# SMB_MAILSLOT_LANMAN -> lanman : SMB_MailSlot_message(header.unicode, count);
# SMB_RAP -> rap : SMB_Pipe_message(header.unicode, count);
SMB_PIPE -> pipe_data : bytestring &restofdata;
- SMB_UNKNOWN -> unknown : bytestring &restofdata &transient;
- default -> data : bytestring &restofdata &transient;
+ SMB_UNKNOWN -> unknown : bytestring &restofdata;
+ default -> data : bytestring &restofdata;
} &let {
pipe_proc : bool = $context.connection.forward_dce_rpc(pipe_data, 0, is_orig) &if(trans_type == SMB_PIPE);
};
-type SMB1_transaction_setup = record {
- op_code : uint16;
- file_id : uint16;
-}
-
type SMB1_transaction_request(header: SMB_Header) = record {
word_count : uint8;
total_param_count : uint16;
@@ -83,7 +150,7 @@ type SMB1_transaction_request(header: SMB_Header) = record {
setup_count : uint8;
reserved3 : uint8;
# word_count 16 is a different dialect that behaves a bit differently.
- setup : SMB1_transaction_setup[word_count == 16 ? 1 : setup_count];
+ setup : uint16[setup_count];
byte_count : uint16;
name : SMB_string(header.unicode, offsetof(name));
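Review bot: The comment `# word_count 16 is a different dialect that behaves a bit differently.` now sits above `setup : uint16[setup_count];`, which no longer refers to word_count, so it reads as stale; the word_count check survives only in the `sub_cmd` &let of the next hunk. Suggest rewording it to `# setup is setup_count 16-bit words whose layout depends on the subcommand (MS-CIFS 2.2.4.33.1); the word_count == 16 dialect is special-cased in sub_cmd below.` The SMB1_transaction_request record begins and ends outside this hunk.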
@@ -92,7 +159,7 @@ type SMB1_transaction_request(header: SMB_Header) = record {
pad2 : padding to data_offset - SMB_Header_length;
data : SMB1_transaction_data(header, true, data_count, sub_cmd, transtype, is_pipe);
} &let {
- sub_cmd : uint16 = (sizeof(setup) && word_count != 16) > 0 ? setup[0].op_code : 0;
+ sub_cmd : uint16 = (sizeof(setup) && word_count != 16) > 0 ? setup[0] : 0;
transtype : int = determine_transaction_type(header, name);
is_pipe : bool = (transtype == SMB_PIPE || (transtype == SMB_UNKNOWN && $context.connection.get_tree_is_pipe(header.tid)));
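Review bot: The changed `sub_cmd` line keeps the form `(sizeof(setup) && word_count != 16) > 0 ? setup[0] : 0`, which compares a boolean with 0; now that setup is `uint16[setup_count]`, `sub_cmd : uint16 = (setup_count > 0 && word_count != 16) ? setup[0] : 0;` says the same thing more plainly, assuming sizeof here is the array's byte size (2 * setup_count) as it appears to be. The enclosing record starts before this hunk.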
diff --git a/src/analyzer/protocol/smb/smb1-com-transaction2-secondary.pac b/src/analyzer/protocol/smb/smb1-com-transaction2-secondary.pac
new file mode 100644
index 0000000000..0383687651
--- /dev/null
+++ b/src/analyzer/protocol/smb/smb1-com-transaction2-secondary.pac
@@ -0,0 +1,52 @@
+refine connection SMB_Conn += {
+
+ function proc_smb1_transaction2_secondary_request(header: SMB_Header, val: SMB1_transaction2_secondary_request): bool
+ %{
+ if ( ! smb1_transaction2_secondary_request )
+ return false;
+
+ RecordVal* args = new RecordVal(BifType::Record::SMB1::Trans2_Sec_Args);
+ args->Assign(0, new Val(${val.total_param_count}, TYPE_COUNT));
+ args->Assign(1, new Val(${val.total_data_count}, TYPE_COUNT));
+ args->Assign(2, new Val(${val.param_count}, TYPE_COUNT));
+ args->Assign(3, new Val(${val.param_offset}, TYPE_COUNT));
+ args->Assign(4, new Val(${val.param_displacement}, TYPE_COUNT));
+ args->Assign(5, new Val(${val.data_count}, TYPE_COUNT));
+ args->Assign(6, new Val(${val.data_offset}, TYPE_COUNT));
+ args->Assign(7, new Val(${val.data_displacement}, TYPE_COUNT));
+ args->Assign(8, new Val(${val.FID}, TYPE_COUNT));
+
+ StringVal* parameters = new StringVal(${val.parameters}.length(), (const char*)${val.parameters}.data());
+ StringVal* payload = new StringVal(${val.data}.length(), (const char*)${val.data}.data());
+
+ BifEvent::generate_smb1_transaction2_secondary_request(bro_analyzer(),
+ bro_analyzer()->Conn(),
+ BuildHeaderVal(header),
+ args,
+ parameters,
+ payload);
+
+ return true;
+ %}
+};
+
+type SMB1_transaction2_secondary_request(header: SMB_Header) = record {
+ word_count : uint8;
+ total_param_count : uint16;
+ total_data_count : uint16;
+ param_count : uint16;
+ param_offset : uint16;
+ param_displacement : uint16;
+ data_count : uint16;
+ data_offset : uint16;
+ data_displacement : uint16;
+ FID : uint16;
+
+ byte_count : uint16;
+ pad1 : padding to (param_offset - SMB_Header_length);
+ parameters : bytestring &length = param_count;
+ pad2 : padding to (data_offset - SMB_Header_length);
+ data : bytestring &length=data_count;
+} &let {
+ proc : bool = $context.connection.proc_smb1_transaction2_secondary_request(header, this);
+};
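Review bot: The new file has no comment tying the record to the message it parses; a header line such as `# SMB_COM_TRANSACTION2_SECONDARY (0x33), see MS-CIFS 2.2.4.47.1` above the record would help, since the layout (no setup words, FID after the displacements) differs from the primary transaction2 request. A `#` note on `pad1`/`pad2` that param_offset and data_offset are presumably measured from the start of the SMB header, which is why SMB_Header_length is subtracted, would also save the next reader a trip to the spec.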
diff --git a/src/analyzer/protocol/smb/smb1-com-transaction2.pac b/src/analyzer/protocol/smb/smb1-com-transaction2.pac
index 1025e89dc2..5e77489d10 100644
--- a/src/analyzer/protocol/smb/smb1-com-transaction2.pac
+++ b/src/analyzer/protocol/smb/smb1-com-transaction2.pac
@@ -23,7 +23,23 @@ refine connection SMB_Conn += {
function proc_smb1_transaction2_request(header: SMB_Header, val: SMB1_transaction2_request): bool
%{
if ( smb1_transaction2_request )
- BifEvent::generate_smb1_transaction2_request(bro_analyzer(), bro_analyzer()->Conn(), BuildHeaderVal(header), ${val.sub_cmd});
+ {
+ RecordVal* args = new RecordVal(BifType::Record::SMB1::Trans2_Args);
+ args->Assign(0, new Val(${val.total_param_count}, TYPE_COUNT));
+ args->Assign(1, new Val(${val.total_data_count}, TYPE_COUNT));
+ args->Assign(2, new Val(${val.max_param_count}, TYPE_COUNT));
+ args->Assign(3, new Val(${val.max_data_count}, TYPE_COUNT));
+ args->Assign(4, new Val(${val.max_setup_count}, TYPE_COUNT));
+ args->Assign(5, new Val(${val.flags}, TYPE_COUNT));
+ args->Assign(6, new Val(${val.timeout}, TYPE_COUNT));
+ args->Assign(7, new Val(${val.param_count}, TYPE_COUNT));
+ args->Assign(8, new Val(${val.param_offset}, TYPE_COUNT));
+ args->Assign(9, new Val(${val.data_count}, TYPE_COUNT));
+ args->Assign(10, new Val(${val.data_offset}, TYPE_COUNT));
+ args->Assign(11, new Val(${val.setup_count}, TYPE_COUNT));
+
+ BifEvent::generate_smb1_transaction2_request(bro_analyzer(), bro_analyzer()->Conn(), BuildHeaderVal(header), args, ${val.sub_cmd});
+ }
return true;
%}
diff --git a/src/analyzer/protocol/smb/smb1-protocol.pac b/src/analyzer/protocol/smb/smb1-protocol.pac
index 4b38feefcb..75db898f73 100644
--- a/src/analyzer/protocol/smb/smb1-protocol.pac
+++ b/src/analyzer/protocol/smb/smb1-protocol.pac
@@ -170,7 +170,7 @@ type SMB_Message_Request(header: SMB_Header, offset: uint16, command: uint8, is_
# #SMB_COM_QUERY_INFORMATION2 -> query_information2 : SMB_query_information2_request(header);
SMB_COM_LOCKING_ANDX -> locking_andx : SMB1_locking_andx_request(header, offset);
SMB_COM_TRANSACTION -> transaction : SMB1_transaction_request(header);
-# SMB_COM_TRANSACTION_SECONDARY -> transaction_secondary : SMB1_transaction_secondary_request(header);
+ SMB_COM_TRANSACTION_SECONDARY -> transaction_secondary : SMB1_transaction_secondary_request(header);
# #SMB_COM_IOCTL -> ioctl : SMB_ioctl_request(header);
# #SMB_COM_IOCTL_SECONDARY -> ioctl_secondary : SMB_ioctl_secondary_request(header);
# #SMB_COM_COPY -> copy : SMB_copy_request(header);
@@ -179,7 +179,7 @@ type SMB_Message_Request(header: SMB_Header, offset: uint16, command: uint8, is_
# #SMB_COM_WRITE_AND_CLOSE -> write_and_close : SMB_write_and_close_request(header);
# #SMB_COM_NEW_FILE_SIZE -> new_file_size : SMB_new_file_size_request(header);
# #SMB_COM_CLOSE_AND_TREE_DISC -> close_and_tree_disc : SMB_close_and_tree_disc_request(header);
-# #SMB_COM_TRANSACTION2_SECONDARY -> transaction2_secondary : SMB1_transaction2_secondary_request(header);
+ SMB_COM_TRANSACTION2_SECONDARY -> transaction2_secondary : SMB1_transaction2_secondary_request(header);
# #SMB_COM_FIND_CLOSE2 -> find_close2 : SMB_find_close2_request(header);
# #SMB_COM_FIND_NOTIFY_CLOSE -> find_notify_close : SMB_find_notify_close_request(header);
# #SMB_COM_TREE_CONNECT -> tree_connect : SMB_tree_connect_request(header);
diff --git a/src/analyzer/protocol/smb/smb1_com_transaction.bif b/src/analyzer/protocol/smb/smb1_com_transaction.bif
index 8811cc3e92..0c411b55c3 100644
--- a/src/analyzer/protocol/smb/smb1_com_transaction.bif
+++ b/src/analyzer/protocol/smb/smb1_com_transaction.bif
@@ -3,7 +3,7 @@
## Transaction Subprotocol Commands. These commands operate on mailslots and named pipes,
## which are interprocess communication endpoints within the CIFS file system.
##
-## For more information, see MS-CIFS:2.2.4.33
+## For more information, see MS-CIFS:2.2.4.33.1
##
## c: The connection.
##
@@ -14,5 +14,25 @@
##
## sub_cmd: The sub command, some may be parsed and have their own events.
##
+## parameters: content of the SMB_Data.Trans_Parameters field
+##
+## data: content of the SMB_Data.Trans_Data field
+##
## .. bro:see:: smb1_message smb1_transaction2_request
-event smb1_transaction_request%(c: connection, hdr: SMB1::Header, name: string, sub_cmd: count%);
+event smb1_transaction_request%(c: connection, hdr: SMB1::Header, name: string, sub_cmd: count, parameters: string, data: string%);
+
+## Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
+## version 1 requests of type *transaction*. This command serves as the transport for the
+## Transaction Subprotocol Commands. These commands operate on mailslots and named pipes,
+## which are interprocess communication endpoints within the CIFS file system.
+##
+## For more information, see MS-CIFS:2.2.4.33.2
+##
+## c: The connection.
+##
+## hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 1 message.
+##
+## parameters: content of the SMB_Data.Trans_Parameters field
+##
+## data: content of the SMB_Data.Trans_Data field
+event smb1_transaction_response%(c: connection, hdr: SMB1::Header, parameters: string, data: string%);
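Review bot: The docstring for the new smb1_transaction_response event is copied from the request event and still says `## version 1 requests of type *transaction*. This command serves as the transport for the`; it should read `## version 1 responses of type *transaction*. This command serves as the transport for the`. It also lacks the `.. bro:see::` line its sibling has; `## .. bro:see:: smb1_message smb1_transaction_request` before the event line would keep the generated docs cross-linked.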
diff --git a/src/analyzer/protocol/smb/smb1_com_transaction2.bif b/src/analyzer/protocol/smb/smb1_com_transaction2.bif
index 0daf5fcdd9..aa30aeebe1 100644
--- a/src/analyzer/protocol/smb/smb1_com_transaction2.bif
+++ b/src/analyzer/protocol/smb/smb1_com_transaction2.bif
@@ -17,7 +17,7 @@
##
## .. bro:see:: smb1_message smb1_trans2_find_first2_request smb1_trans2_query_path_info_request
## smb1_trans2_get_dfs_referral_request smb1_transaction_request
-event smb1_transaction2_request%(c: connection, hdr: SMB1::Header, sub_cmd: count%);
+event smb1_transaction2_request%(c: connection, hdr: SMB1::Header, args: SMB1::Trans2_Args, sub_cmd: count%);
## Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
## version 1 *transaction2* requests of subtype *find first2*. This transaction is used to begin
@@ -92,6 +92,6 @@ event smb1_trans2_get_dfs_referral_request%(c: connection, hdr: SMB1::Header, fi
### Types
-
type SMB1::Find_First2_Request_Args: record;
-type SMB1::Find_First2_Response_Args: record;
\ No newline at end of file
+type SMB1::Find_First2_Response_Args: record;
+type SMB1::Trans2_Args: record;
diff --git a/src/analyzer/protocol/smb/smb1_com_transaction2_secondary.bif b/src/analyzer/protocol/smb/smb1_com_transaction2_secondary.bif
new file mode 100644
index 0000000000..d22c456ee9
--- /dev/null
+++ b/src/analyzer/protocol/smb/smb1_com_transaction2_secondary.bif
@@ -0,0 +1,19 @@
+## Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
+## version 1 requests of type *transaction2 secondary*.
+##
+## For more information, see MS-CIFS:2.2.4.47.1
+##
+## c: The connection.
+##
+## hdr: The parsed header of the :abbr:`SMB (Server Message Block)`
+## version 1 message.
+##
+## args: arguments of the message (SMB_Parameters.Words)
+##
+## parameters: content of the SMB_Data.Trans_Parameters field
+##
+## data: content of the SMB_Data.Trans_Data field
+event smb1_transaction2_secondary_request%(c: connection, hdr: SMB1::Header, args: SMB1::Trans2_Sec_Args, parameters: string, data: string%);
+
+### Types
+type SMB1::Trans2_Sec_Args: record;
diff --git a/src/analyzer/protocol/smb/smb1_com_transaction_secondary.bif b/src/analyzer/protocol/smb/smb1_com_transaction_secondary.bif
new file mode 100644
index 0000000000..bd3644ffb3
--- /dev/null
+++ b/src/analyzer/protocol/smb/smb1_com_transaction_secondary.bif
@@ -0,0 +1,19 @@
+## Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
+## version 1 requests of type *transaction_secondary*. This command
+## serves as an additional request data container for the
+## Transaction Subprotocol Commands (carried by *transaction* requests).
+##
+## For more information, see MS-CIFS:2.2.4.34
+##
+## c: The connection.
+##
+## hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 1 message.
+##
+## parameters: the SMB_Data.Trans_Parameters field content
+##
+## data: the SMB_Data.Trans_Data field content
+##
+event smb1_transaction_secondary_request%(c: connection, hdr: SMB1::Header, args: SMB1::Trans_Sec_Args, parameters: string, data: string%);
+
+### Types
+type SMB1::Trans_Sec_Args: record;
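Review bot: The `args` parameter of smb1_transaction_secondary_request is not documented although it is in the signature, while the transaction2 secondary bif documents its args; add `## args: arguments of the message (SMB_Parameters.Words)` between the hdr and parameters entries. The spec reference `MS-CIFS:2.2.4.34` could be `MS-CIFS:2.2.4.34.1` to point at the request layout specifically, matching the other new bifs. The bare `##` line directly before the event declaration is not present in the sibling files and can be dropped.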
diff --git a/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log b/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log
index 52a660261c..d214962c21 100644
--- a/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log
+++ b/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log
@@ -3,7 +3,7 @@
#empty_field (empty)
#unset_field -
#path loaded_scripts
-#open 2017-05-02-20-38-47
+#open 2018-02-05-22-27-42
#fields name
#types string
scripts/base/init-bare.bro
@@ -114,7 +114,9 @@ scripts/base/init-bare.bro
build/scripts/base/bif/plugins/Bro_SMB.smb1_com_read_andx.bif.bro
build/scripts/base/bif/plugins/Bro_SMB.smb1_com_session_setup_andx.bif.bro
build/scripts/base/bif/plugins/Bro_SMB.smb1_com_transaction.bif.bro
+ build/scripts/base/bif/plugins/Bro_SMB.smb1_com_transaction_secondary.bif.bro
build/scripts/base/bif/plugins/Bro_SMB.smb1_com_transaction2.bif.bro
+ build/scripts/base/bif/plugins/Bro_SMB.smb1_com_transaction2_secondary.bif.bro
build/scripts/base/bif/plugins/Bro_SMB.smb1_com_tree_connect_andx.bif.bro
build/scripts/base/bif/plugins/Bro_SMB.smb1_com_tree_disconnect.bif.bro
build/scripts/base/bif/plugins/Bro_SMB.smb1_com_write_andx.bif.bro
@@ -168,4 +170,4 @@ scripts/base/init-bare.bro
build/scripts/base/bif/plugins/Bro_SQLiteWriter.sqlite.bif.bro
scripts/policy/misc/loaded-scripts.bro
scripts/base/utils/paths.bro
-#close 2017-05-02-20-38-47
+#close 2018-02-05-22-27-42
diff --git a/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log b/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log
index 75ef872a95..209ca82bb4 100644
--- a/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log
+++ b/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log
@@ -3,7 +3,7 @@
#empty_field (empty)
#unset_field -
#path loaded_scripts
-#open 2017-05-02-20-39-05
+#open 2018-02-05-22-27-48
#fields name
#types string
scripts/base/init-bare.bro
@@ -114,7 +114,9 @@ scripts/base/init-bare.bro
build/scripts/base/bif/plugins/Bro_SMB.smb1_com_read_andx.bif.bro
build/scripts/base/bif/plugins/Bro_SMB.smb1_com_session_setup_andx.bif.bro
build/scripts/base/bif/plugins/Bro_SMB.smb1_com_transaction.bif.bro
+ build/scripts/base/bif/plugins/Bro_SMB.smb1_com_transaction_secondary.bif.bro
build/scripts/base/bif/plugins/Bro_SMB.smb1_com_transaction2.bif.bro
+ build/scripts/base/bif/plugins/Bro_SMB.smb1_com_transaction2_secondary.bif.bro
build/scripts/base/bif/plugins/Bro_SMB.smb1_com_tree_connect_andx.bif.bro
build/scripts/base/bif/plugins/Bro_SMB.smb1_com_tree_disconnect.bif.bro
build/scripts/base/bif/plugins/Bro_SMB.smb1_com_write_andx.bif.bro
@@ -357,4 +359,4 @@ scripts/base/init-default.bro
scripts/base/misc/find-filtered-trace.bro
scripts/base/misc/version.bro
scripts/policy/misc/loaded-scripts.bro
-#close 2017-05-02-20-39-05
+#close 2018-02-05-22-27-48
diff --git a/testing/btest/Baseline/plugins.hooks/output b/testing/btest/Baseline/plugins.hooks/output
index f6a5c4ad37..4ffb55a96d 100644
--- a/testing/btest/Baseline/plugins.hooks/output
+++ b/testing/btest/Baseline/plugins.hooks/output
@@ -256,7 +256,7 @@
0.000000 MetaHookPost CallFunction(Log::__create_stream, , (Weird::LOG, [columns=, ev=Weird::log_weird, path=weird])) ->
0.000000 MetaHookPost CallFunction(Log::__create_stream, , (X509::LOG, [columns=, ev=X509::log_x509, path=x509])) ->
0.000000 MetaHookPost CallFunction(Log::__create_stream, , (mysql::LOG, [columns=, ev=MySQL::log_mysql, path=mysql])) ->
-0.000000 MetaHookPost CallFunction(Log::__write, , (PacketFilter::LOG, [ts=1516211213.330468, node=bro, filter=ip or not ip, init=T, success=T])) ->
+0.000000 MetaHookPost CallFunction(Log::__write, , (PacketFilter::LOG, [ts=1517869617.717274, node=bro, filter=ip or not ip, init=T, success=T])) ->
0.000000 MetaHookPost CallFunction(Log::add_default_filter, , (Cluster::LOG)) ->
0.000000 MetaHookPost CallFunction(Log::add_default_filter, , (Communication::LOG)) ->
0.000000 MetaHookPost CallFunction(Log::add_default_filter, , (Conn::LOG)) ->
@@ -429,7 +429,7 @@
0.000000 MetaHookPost CallFunction(Log::create_stream, , (Weird::LOG, [columns=, ev=Weird::log_weird, path=weird])) ->
0.000000 MetaHookPost CallFunction(Log::create_stream, , (X509::LOG, [columns=, ev=X509::log_x509, path=x509])) ->
0.000000 MetaHookPost CallFunction(Log::create_stream, , (mysql::LOG, [columns=, ev=MySQL::log_mysql, path=mysql])) ->
-0.000000 MetaHookPost CallFunction(Log::write, , (PacketFilter::LOG, [ts=1516211213.330468, node=bro, filter=ip or not ip, init=T, success=T])) ->
+0.000000 MetaHookPost CallFunction(Log::write, , (PacketFilter::LOG, [ts=1517869617.717274, node=bro, filter=ip or not ip, init=T, success=T])) ->
0.000000 MetaHookPost CallFunction(NetControl::check_plugins, , ()) ->
0.000000 MetaHookPost CallFunction(NetControl::init, , ()) ->
0.000000 MetaHookPost CallFunction(Notice::want_pp, , ()) ->
@@ -538,6 +538,8 @@
0.000000 MetaHookPost LoadFile(0, .<...>/Bro_SMB.smb1_com_session_setup_andx.bif.bro) -> -1
0.000000 MetaHookPost LoadFile(0, .<...>/Bro_SMB.smb1_com_transaction.bif.bro) -> -1
0.000000 MetaHookPost LoadFile(0, .<...>/Bro_SMB.smb1_com_transaction2.bif.bro) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/Bro_SMB.smb1_com_transaction2_secondary.bif.bro) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/Bro_SMB.smb1_com_transaction_secondary.bif.bro) -> -1
0.000000 MetaHookPost LoadFile(0, .<...>/Bro_SMB.smb1_com_tree_connect_andx.bif.bro) -> -1
0.000000 MetaHookPost LoadFile(0, .<...>/Bro_SMB.smb1_com_tree_disconnect.bif.bro) -> -1
0.000000 MetaHookPost LoadFile(0, .<...>/Bro_SMB.smb1_com_write_andx.bif.bro) -> -1
@@ -1034,7 +1036,7 @@
0.000000 MetaHookPre CallFunction(Log::__create_stream, , (Weird::LOG, [columns=, ev=Weird::log_weird, path=weird]))
0.000000 MetaHookPre CallFunction(Log::__create_stream, , (X509::LOG, [columns=, ev=X509::log_x509, path=x509]))
0.000000 MetaHookPre CallFunction(Log::__create_stream, , (mysql::LOG, [columns=, ev=MySQL::log_mysql, path=mysql]))
-0.000000 MetaHookPre CallFunction(Log::__write, , (PacketFilter::LOG, [ts=1516211213.330468, node=bro, filter=ip or not ip, init=T, success=T]))
+0.000000 MetaHookPre CallFunction(Log::__write, , (PacketFilter::LOG, [ts=1517869617.717274, node=bro, filter=ip or not ip, init=T, success=T]))
0.000000 MetaHookPre CallFunction(Log::add_default_filter, , (Cluster::LOG))
0.000000 MetaHookPre CallFunction(Log::add_default_filter, , (Communication::LOG))
0.000000 MetaHookPre CallFunction(Log::add_default_filter, , (Conn::LOG))
@@ -1207,7 +1209,7 @@
0.000000 MetaHookPre CallFunction(Log::create_stream, , (Weird::LOG, [columns=, ev=Weird::log_weird, path=weird]))
0.000000 MetaHookPre CallFunction(Log::create_stream, , (X509::LOG, [columns=, ev=X509::log_x509, path=x509]))
0.000000 MetaHookPre CallFunction(Log::create_stream, , (mysql::LOG, [columns=, ev=MySQL::log_mysql, path=mysql]))
-0.000000 MetaHookPre CallFunction(Log::write, , (PacketFilter::LOG, [ts=1516211213.330468, node=bro, filter=ip or not ip, init=T, success=T]))
+0.000000 MetaHookPre CallFunction(Log::write, , (PacketFilter::LOG, [ts=1517869617.717274, node=bro, filter=ip or not ip, init=T, success=T]))
0.000000 MetaHookPre CallFunction(NetControl::check_plugins, , ())
0.000000 MetaHookPre CallFunction(NetControl::init, , ())
0.000000 MetaHookPre CallFunction(Notice::want_pp, , ())
@@ -1316,6 +1318,8 @@
0.000000 MetaHookPre LoadFile(0, .<...>/Bro_SMB.smb1_com_session_setup_andx.bif.bro)
0.000000 MetaHookPre LoadFile(0, .<...>/Bro_SMB.smb1_com_transaction.bif.bro)
0.000000 MetaHookPre LoadFile(0, .<...>/Bro_SMB.smb1_com_transaction2.bif.bro)
+0.000000 MetaHookPre LoadFile(0, .<...>/Bro_SMB.smb1_com_transaction2_secondary.bif.bro)
+0.000000 MetaHookPre LoadFile(0, .<...>/Bro_SMB.smb1_com_transaction_secondary.bif.bro)
0.000000 MetaHookPre LoadFile(0, .<...>/Bro_SMB.smb1_com_tree_connect_andx.bif.bro)
0.000000 MetaHookPre LoadFile(0, .<...>/Bro_SMB.smb1_com_tree_disconnect.bif.bro)
0.000000 MetaHookPre LoadFile(0, .<...>/Bro_SMB.smb1_com_write_andx.bif.bro)
@@ -1811,7 +1815,7 @@
0.000000 | HookCallFunction Log::__create_stream(Weird::LOG, [columns=, ev=Weird::log_weird, path=weird])
0.000000 | HookCallFunction Log::__create_stream(X509::LOG, [columns=, ev=X509::log_x509, path=x509])
0.000000 | HookCallFunction Log::__create_stream(mysql::LOG, [columns=, ev=MySQL::log_mysql, path=mysql])
-0.000000 | HookCallFunction Log::__write(PacketFilter::LOG, [ts=1516211213.330468, node=bro, filter=ip or not ip, init=T, success=T])
+0.000000 | HookCallFunction Log::__write(PacketFilter::LOG, [ts=1517869617.717274, node=bro, filter=ip or not ip, init=T, success=T])
0.000000 | HookCallFunction Log::add_default_filter(Cluster::LOG)
0.000000 | HookCallFunction Log::add_default_filter(Communication::LOG)
0.000000 | HookCallFunction Log::add_default_filter(Conn::LOG)
@@ -1984,7 +1988,7 @@
0.000000 | HookCallFunction Log::create_stream(Weird::LOG, [columns=, ev=Weird::log_weird, path=weird])
0.000000 | HookCallFunction Log::create_stream(X509::LOG, [columns=, ev=X509::log_x509, path=x509])
0.000000 | HookCallFunction Log::create_stream(mysql::LOG, [columns=, ev=MySQL::log_mysql, path=mysql])
-0.000000 | HookCallFunction Log::write(PacketFilter::LOG, [ts=1516211213.330468, node=bro, filter=ip or not ip, init=T, success=T])
+0.000000 | HookCallFunction Log::write(PacketFilter::LOG, [ts=1517869617.717274, node=bro, filter=ip or not ip, init=T, success=T])
0.000000 | HookCallFunction NetControl::check_plugins()
0.000000 | HookCallFunction NetControl::init()
0.000000 | HookCallFunction Notice::want_pp()
@@ -2093,6 +2097,8 @@
0.000000 | HookLoadFile .<...>/Bro_SMB.smb1_com_session_setup_andx.bif.bro
0.000000 | HookLoadFile .<...>/Bro_SMB.smb1_com_transaction.bif.bro
0.000000 | HookLoadFile .<...>/Bro_SMB.smb1_com_transaction2.bif.bro
+0.000000 | HookLoadFile .<...>/Bro_SMB.smb1_com_transaction2_secondary.bif.bro
+0.000000 | HookLoadFile .<...>/Bro_SMB.smb1_com_transaction_secondary.bif.bro
0.000000 | HookLoadFile .<...>/Bro_SMB.smb1_com_tree_connect_andx.bif.bro
0.000000 | HookLoadFile .<...>/Bro_SMB.smb1_com_tree_disconnect.bif.bro
0.000000 | HookLoadFile .<...>/Bro_SMB.smb1_com_write_andx.bif.bro
@@ -2327,7 +2333,7 @@
0.000000 | HookLoadFile base<...>/x509
0.000000 | HookLoadFile base<...>/xmpp
0.000000 | HookLogInit packet_filter 1/1 {ts (time), node (string), filter (string), init (bool), success (bool)}
-0.000000 | HookLogWrite packet_filter [ts=1516211213.330468, node=bro, filter=ip or not ip, init=T, success=T]
+0.000000 | HookLogWrite packet_filter [ts=1517869617.717274, node=bro, filter=ip or not ip, init=T, success=T]
0.000000 | HookQueueEvent NetControl::init()
0.000000 | HookQueueEvent bro_init()
0.000000 | HookQueueEvent filter_change_tracking()
diff --git a/testing/btest/Baseline/scripts.base.protocols.smb.smb1-transaction-request/.stdout b/testing/btest/Baseline/scripts.base.protocols.smb.smb1-transaction-request/.stdout
new file mode 100644
index 0000000000..b9d6e354ee
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.protocols.smb.smb1-transaction-request/.stdout
@@ -0,0 +1 @@
+smb1_transaction_request hdr: [command=37, status=0, flags=0, flags2=0, tid=31335, pid=1, uid=11132, mid=2], name: \\PIPE\lsarpc, sub_cmd: 2600, params: some_params, data: some_data
diff --git a/testing/btest/Baseline/scripts.base.protocols.smb.smb1-transaction-response/.stdout b/testing/btest/Baseline/scripts.base.protocols.smb.smb1-transaction-response/.stdout
new file mode 100644
index 0000000000..f4d00733bf
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.protocols.smb.smb1-transaction-response/.stdout
@@ -0,0 +1 @@
+smb1_transaction_response hdr: [command=37, status=0, flags=128, flags2=0, tid=41669, pid=1, uid=17768, mid=2], params: some_params, data: some_data
diff --git a/testing/btest/Baseline/scripts.base.protocols.smb.smb1-transaction-secondary-request/.stdout b/testing/btest/Baseline/scripts.base.protocols.smb.smb1-transaction-secondary-request/.stdout
new file mode 100644
index 0000000000..10cad0c702
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.protocols.smb.smb1-transaction-secondary-request/.stdout
@@ -0,0 +1 @@
+smb1_transaction_secondary_request hdr: [command=38, status=0, flags=0, flags2=0, tid=45374, pid=1, uid=57674, mid=2], args: [total_param_count=11, total_data_count=9, param_count=11, param_offset=52, param_displacement=9, data_count=9, data_offset=66, data_displacement=11], params: some_params, data: some_data
diff --git a/testing/btest/Baseline/scripts.base.protocols.smb.smb1-transaction2-request/.stdout b/testing/btest/Baseline/scripts.base.protocols.smb.smb1-transaction2-request/.stdout
new file mode 100644
index 0000000000..a31a286d1f
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.protocols.smb.smb1-transaction2-request/.stdout
@@ -0,0 +1 @@
+smb1_transaction2_request hdr: [command=50, status=0, flags=0, flags2=0, tid=47242, pid=1, uid=2017, mid=2], args: [total_param_count=13, total_data_count=0, max_param_count=0, max_data_count=0, max_setup_count=0, flags=0, trans_timeout=0, param_count=13, param_offset=69, data_count=0, data_offset=0, setup_count=1], sub_cmd: 5
diff --git a/testing/btest/Baseline/scripts.base.protocols.smb.smb1-transaction2-secondary-request/.stdout b/testing/btest/Baseline/scripts.base.protocols.smb.smb1-transaction2-secondary-request/.stdout
new file mode 100644
index 0000000000..7be34af9ea
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.protocols.smb.smb1-transaction2-secondary-request/.stdout
@@ -0,0 +1 @@
+smb1_transaction2_secondary_request hdr: [command=51, status=0, flags=0, flags2=0, tid=29550, pid=1, uid=25541, mid=2], args: [total_param_count=11, total_data_count=9, param_count=11, param_offset=54, param_displacement=9, data_count=9, data_offset=68, data_displacement=11, FID=65535], params: some_params, data: some_data
diff --git a/testing/btest/Traces/smb/smb1_transaction2_request.pcap b/testing/btest/Traces/smb/smb1_transaction2_request.pcap
new file mode 100644
index 0000000000..564579597e
Binary files /dev/null and b/testing/btest/Traces/smb/smb1_transaction2_request.pcap differ
diff --git a/testing/btest/Traces/smb/smb1_transaction2_secondary_request.pcap b/testing/btest/Traces/smb/smb1_transaction2_secondary_request.pcap
new file mode 100644
index 0000000000..923b9e0bbc
Binary files /dev/null and b/testing/btest/Traces/smb/smb1_transaction2_secondary_request.pcap differ
diff --git a/testing/btest/Traces/smb/smb1_transaction_request.pcap b/testing/btest/Traces/smb/smb1_transaction_request.pcap
new file mode 100644
index 0000000000..e234ec4e76
Binary files /dev/null and b/testing/btest/Traces/smb/smb1_transaction_request.pcap differ
diff --git a/testing/btest/Traces/smb/smb1_transaction_response.pcap b/testing/btest/Traces/smb/smb1_transaction_response.pcap
new file mode 100644
index 0000000000..c28689b76c
Binary files /dev/null and b/testing/btest/Traces/smb/smb1_transaction_response.pcap differ
diff --git a/testing/btest/Traces/smb/smb1_transaction_secondary_request.pcap b/testing/btest/Traces/smb/smb1_transaction_secondary_request.pcap
new file mode 100644
index 0000000000..4236b140d5
Binary files /dev/null and b/testing/btest/Traces/smb/smb1_transaction_secondary_request.pcap differ
diff --git a/testing/btest/scripts/base/protocols/smb/smb1-transaction-request.test b/testing/btest/scripts/base/protocols/smb/smb1-transaction-request.test
new file mode 100644
index 0000000000..9334230e84
--- /dev/null
+++ b/testing/btest/scripts/base/protocols/smb/smb1-transaction-request.test
@@ -0,0 +1,12 @@
+#@TEST-EXEC: bro -b -C -r $TRACES/smb/smb1_transaction_request.pcap %INPUT
+#@TEST-EXEC: btest-diff .stdout
+
+@load base/protocols/smb
+@load policy/protocols/smb
+
+# Check that smb1_transaction requests are parsed correctly
+
+event smb1_transaction_request(c: connection, hdr: SMB1::Header, name: string, sub_cmd: count, parameters: string, data: string)
+{
+ print fmt("smb1_transaction_request hdr: %s, name: %s, sub_cmd: %x, params: %s, data: %s", hdr, name, sub_cmd, parameters, data);
+}
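Review bot: The baseline this test produces (`smb1_transaction_request ... name: \\PIPE\lsarpc, sub_cmd: 2600`) prints sub_cmd as 0x2600 for a named-pipe transaction, which looks like a byte-swapped TRANS_TRANSACT_NMPIPE (0x0026), while the sibling transaction2 baseline prints `sub_cmd: 5`, consistent with little-endian decoding of the setup word. If the trace really carries 0x0026 in Setup[0], the new 16-bit setup parsing would be reading the word in the wrong byte order and this baseline would pin that behaviour. The pcap itself is not visible here, so this is worth confirming against the trace before accepting; if the value is intentional in a hand-crafted capture, a one-line comment in the test saying so, e.g. `# the crafted trace sets Setup[0] to 0x2600 on purpose`, would spare the next reader the same check.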
diff --git a/testing/btest/scripts/base/protocols/smb/smb1-transaction-response.test b/testing/btest/scripts/base/protocols/smb/smb1-transaction-response.test
new file mode 100644
index 0000000000..ef00ed3772
--- /dev/null
+++ b/testing/btest/scripts/base/protocols/smb/smb1-transaction-response.test
@@ -0,0 +1,12 @@
+#@TEST-EXEC: bro -b -C -r $TRACES/smb/smb1_transaction_response.pcap %INPUT
+#@TEST-EXEC: btest-diff .stdout
+
+@load base/protocols/smb
+@load policy/protocols/smb
+
+# Check that smb1_transaction_response requests are parsed correctly
+
+event smb1_transaction_response(c: connection, hdr: SMB1::Header, parameters: string, data: string)
+{
+ print fmt("smb1_transaction_response hdr: %s, params: %s, data: %s", hdr, parameters, data);
+}
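Review bot: The header comment says `# Check that smb1_transaction_response requests are parsed correctly`, but this test exercises a response, not a request; the copy-paste wording is misleading when scanning the test directory. Suggest `# Check that smb1_transaction responses are parsed correctly`. The event body itself prints the same fields the new event exposes and needs no change.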
diff --git a/testing/btest/scripts/base/protocols/smb/smb1-transaction-secondary-request.test b/testing/btest/scripts/base/protocols/smb/smb1-transaction-secondary-request.test
new file mode 100644
index 0000000000..03bddf7bf5
--- /dev/null
+++ b/testing/btest/scripts/base/protocols/smb/smb1-transaction-secondary-request.test
@@ -0,0 +1,12 @@
+#@TEST-EXEC: bro -b -C -r $TRACES/smb/smb1_transaction_secondary_request.pcap %INPUT
+#@TEST-EXEC: btest-diff .stdout
+
+@load base/protocols/smb
+@load policy/protocols/smb
+
+# Check that smb1_transaction_secondary requests are parsed correctly
+
+event smb1_transaction_secondary_request(c: connection, hdr: SMB1::Header, args: SMB1::Trans_Sec_Args, parameters: string, data: string)
+{
+ print fmt("smb1_transaction_secondary_request hdr: %s, args: %s, params: %s, data: %s", hdr, args, parameters, data);
+}
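Review bot: This test pins only one well-formed SMB_COM_TRANSACTION_SECONDARY message, so nothing exercises how the new parser behaves when param_offset/data_offset or the count fields disagree with the actual message length; the transaction2_secondary test has the same gap. Because the analyzer parses traffic it does not trust, a second trace with truncated or inconsistent counts, with its expected weird or analyzer-violation output pinned in a baseline, would guard the new code paths against silent misparsing or a crash on malformed input. The pcap content is not visible here, so this assumes the trace contains a single consistent message, as the baseline suggests.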
diff --git a/testing/btest/scripts/base/protocols/smb/smb1-transaction2-request.test b/testing/btest/scripts/base/protocols/smb/smb1-transaction2-request.test
new file mode 100644
index 0000000000..9cd7c996f7
--- /dev/null
+++ b/testing/btest/scripts/base/protocols/smb/smb1-transaction2-request.test
@@ -0,0 +1,12 @@
+#@TEST-EXEC: bro -b -C -r $TRACES/smb/smb1_transaction2_request.pcap %INPUT
+#@TEST-EXEC: btest-diff .stdout
+
+@load base/protocols/smb
+@load policy/protocols/smb
+
+# Check that smb1_transaction2 requests are parsed correctly
+
+event smb1_transaction2_request(c: connection, hdr: SMB1::Header, args: SMB1::Trans2_Args, sub_cmd: count)
+{
+ print fmt("smb1_transaction2_request hdr: %s, args: %s, sub_cmd: %x", hdr, args, sub_cmd);
+}
diff --git a/testing/btest/scripts/base/protocols/smb/smb1-transaction2-secondary-request.test b/testing/btest/scripts/base/protocols/smb/smb1-transaction2-secondary-request.test
new file mode 100644
index 0000000000..48c7f8c197
--- /dev/null
+++ b/testing/btest/scripts/base/protocols/smb/smb1-transaction2-secondary-request.test
@@ -0,0 +1,12 @@
+#@TEST-EXEC: bro -b -C -r $TRACES/smb/smb1_transaction2_secondary_request.pcap %INPUT
+#@TEST-EXEC: btest-diff .stdout
+
+@load base/protocols/smb
+@load policy/protocols/smb
+
+# Check that smb1_transaction2_secondary requests are parsed correctly
+
+event smb1_transaction2_secondary_request(c: connection, hdr: SMB1::Header, args: SMB1::Trans2_Sec_Args, parameters: string, data: string)
+{
+ print fmt("smb1_transaction2_secondary_request hdr: %s, args: %s, params: %s, data: %s", hdr, args, parameters, data);
+}