Merge branch 'smb-transaction-messages' of https://github.com/jbencteux/bro

* 'smb-transaction-messages' of https://github.com/jbencteux/bro:
  add test for smb1_com_transaction_response event changes
  add test for smb1_com_transaction2_secondary_request event changes
  add test for smb1_com_transaction2_request event changes
  add test for smb1_com_transaction_secondary_request event changes
  add test for smb1_com_transaction_request event changes
  fix setup field handling in smb1_com_transaction_request messages
  fix smb1_com_transaction* messages
  add smb1_transaction2_secondary_request event
  add smb1_transaction_secondary_request event
  add parameters and data to smb1_transaction_request/response messages
  add SMB_Parameters.Words to smb1_transaction2_request event

src/analyzer/protocol/smb/smb1-com-transaction.pac

@@ -31,18 +31,90 @@ refine connection SMB_Conn += {
 
 	function proc_smb1_transaction_request(header: SMB_Header, val: SMB1_transaction_request): bool
 		%{
-		if ( smb1_transaction_request )
-			BifEvent::generate_smb1_transaction_request(bro_analyzer(),
-			                                            bro_analyzer()->Conn(),
-			                                            BuildHeaderVal(header),
-			                                            smb_string2stringval(${val.name}),
-			                                            ${val.sub_cmd});
+		if ( ! smb1_transaction_request )
+			return false;
+
+		StringVal* parameters = new StringVal(${val.parameters}.length(),
+		                                      (const char*)${val.parameters}.data());
+		StringVal* payload_str = nullptr;
+		SMB1_transaction_data* payload = nullptr;
+
+		if ( ${val.data_count} > 0 )
+			{
+			payload = ${val.data};
+			}
+
+		if ( payload )
+			{
+			switch ( payload->trans_type() ) {
+			case SMB_PIPE:
+				payload_str = new StringVal(${val.data_count}, (const char*)${val.data.pipe_data}.data());
+				break;
+			case SMB_UNKNOWN:
+				payload_str = new StringVal(${val.data_count}, (const char*)${val.data.unknown}.data());
+				break;
+			default:
+				payload_str = new StringVal(${val.data_count}, (const char*)${val.data.data}.data());
+				break;
+			}
+			}
+
+		if ( ! payload_str )
+			{
+			payload_str = new StringVal("");
+			}
+
+		BifEvent::generate_smb1_transaction_request(bro_analyzer(),
+		                                            bro_analyzer()->Conn(),
+		                                            BuildHeaderVal(header),
+		                                            smb_string2stringval(${val.name}),
+		                                            ${val.sub_cmd},
+		                                            parameters,
+		                                            payload_str);
 
 		return true;
 		%}
 
 	function proc_smb1_transaction_response(header: SMB_Header, val: SMB1_transaction_response): bool
 		%{
+		if ( ! smb1_transaction_response )
+			return false;
+
+		StringVal* parameters = new StringVal(${val.parameters}.length(),
+		                                      (const char*)${val.parameters}.data());
+		StringVal* payload_str = nullptr;
+		SMB1_transaction_data* payload = nullptr;
+
+		if ( ${val.data_count} > 0 )
+			{
+			payload = ${val.data[0]};
+			}
+
+		if ( payload )
+			{
+			switch ( payload->trans_type() ) {
+			case SMB_PIPE:
+				payload_str = new StringVal(${val.data_count}, (const char*)${val.data[0].pipe_data}.data());
+				break;
+			case SMB_UNKNOWN:
+				payload_str = new StringVal(${val.data_count}, (const char*)${val.data[0].unknown}.data());
+				break;
+			default:
+				payload_str = new StringVal(${val.data_count}, (const char*)${val.data[0].data}.data());
+				break;
+			}
+			}
+
+		if ( ! payload_str )
+			{
+			payload_str = new StringVal("");
+			}
+
+		BifEvent::generate_smb1_transaction_response(bro_analyzer(),
+		                                             bro_analyzer()->Conn(),
+		                                             BuildHeaderVal(header),
+		                                             parameters,
+		                                             payload_str);
 		return true;
 		%}
 };
@@ -54,17 +126,12 @@ type SMB1_transaction_data(header: SMB_Header, is_orig: bool, count: uint16, sub
 #	SMB_MAILSLOT_LANMAN -> lanman    : SMB_MailSlot_message(header.unicode, count);
 #	SMB_RAP             -> rap       : SMB_Pipe_message(header.unicode, count);
 	SMB_PIPE            -> pipe_data : bytestring &restofdata;
-	SMB_UNKNOWN         -> unknown   : bytestring &restofdata &transient;
-	default             -> data      : bytestring &restofdata &transient;
+	SMB_UNKNOWN         -> unknown   : bytestring &restofdata;
+	default             -> data      : bytestring &restofdata;
 } &let {
 	pipe_proc : bool = $context.connection.forward_dce_rpc(pipe_data, 0, is_orig) &if(trans_type == SMB_PIPE);
 };
 
-type SMB1_transaction_setup = record {
-	op_code : uint16;
-	file_id : uint16;
-}
-
 type SMB1_transaction_request(header: SMB_Header) = record {
 	word_count          : uint8;
 	total_param_count   : uint16;
@@ -83,7 +150,7 @@ type SMB1_transaction_request(header: SMB_Header) = record {
 	setup_count         : uint8;
 	reserved3           : uint8;
 	# word_count 16 is a different dialect that behaves a bit differently.
-	setup               : SMB1_transaction_setup[word_count == 16 ? 1 : setup_count];
+	setup               : uint16[setup_count];
 
 	byte_count          : uint16;
 	name                : SMB_string(header.unicode, offsetof(name));
@@ -92,7 +159,7 @@ type SMB1_transaction_request(header: SMB_Header) = record {
 	pad2                : padding to data_offset - SMB_Header_length;
 	data                : SMB1_transaction_data(header, true, data_count, sub_cmd, transtype, is_pipe);
 } &let {
-	sub_cmd : uint16 = (sizeof(setup) && word_count != 16) > 0 ? setup[0].op_code : 0;
+	sub_cmd : uint16 = (sizeof(setup) && word_count != 16) > 0 ? setup[0] : 0;
 	transtype : int = determine_transaction_type(header, name);
 	is_pipe : bool = (transtype == SMB_PIPE || (transtype == SMB_UNKNOWN && $context.connection.get_tree_is_pipe(header.tid)));