Merge branch 'smb-transaction-messages' of https://github.com/jbencteux/bro

* 'smb-transaction-messages' of https://github.com/jbencteux/bro:
  add test for smb1_com_transaction_response event changes
  add test for smb1_com_transaction2_secondary_request event changes
  add test for smb1_com_transaction2_request event changes
  add test for smb1_com_transaction_secondary_request event changes
  add test for smb1_com_transaction_request event changes
  fix setup field handling in smb1_com_transaction_request messages
  fix smb1_com_transaction* messages
  add smb1_transaction2_secondary_request event
  add smb1_transaction_secondary_request event
  add parameters and data to smb1_transaction_request/response messages
  add SMB_Parameters.Words to smb1_transaction2_request event

CHANGES

@@ -1,4 +1,44 @@
 
+2.5-422 | 2018-02-05 16:28:25 -0600
+
+  * fix setup field handling in smb1_com_transaction_request messages
+
+    This field is an array of 16 bit words and was parsed as an array of
+    32 bit words. Moreover, one can not assume the format is going to be a
+    16 bits opcode followed by a 16 bit file ID, the content of the setup
+    field is different according to its first 16 bits word that defines
+    the subcommand code. See MS-CIFS section 2.2.4.33.1 :
+
+    Setup (variable): An array of two-byte words that provides transaction
+    context to the server. The size and content of the array are specific
+    to individual subcommands. (Jeffrey Bencteux)
+
+  * add smb1_transaction2_secondary_request event
+
+    parse and expose SMB_COM_TRANSACTION2_SECONDARY (0x33) message to
+    script level. See MS-CIFS section 2.2.4.47.1. (Jeffrey Bencteux)
+
+  * add smb1_transaction_secondary_request event
+
+    expose SMB_COM_TRANSACTION_SECONDARY (0x26) message to script
+    language. See MS-CIFS section 2.2.4.34.1. (Jeffrey Bencteux)
+
+  * add parameters and data to smb1_transaction_request/response messages
+
+    expose SMB_Data.Trans_Parameters and SMB_Data.Trans_Data fields of
+    SMB_COM_TRANSACTION (0x25) message type. See MS-CIFS section
+    2.2.4.33.1.
+
+    These fields are exposed to the script level as Bro strings. Note that
+    this commit also expose a new event smb1_transaction_response.
+    (Jeffrey Bencteux)
+
+  * add SMB_Parameters.Words to smb1_transaction2_request event
+
+    expose the fields contained in SMB_Parameters.Words of the
+    SMB_COM_TRANSACTION2 (0x32) message to the script language. See
+    MS-CIFS section 2.2.46.1. (Jeffrey Bencteux)
+
 2.5-410 | 2018-02-05 15:18:41 -0600
 
   * Fix warnings when building sphinx docs (Corelight)

NEWS

@@ -56,6 +56,9 @@ New Functionality
 
 - Added new NFS events: nfs_proc_symlink, nfs_proc_link, nfs_proc_sattr
 
+- Added new SMB events: smb1_transaction_secondary_request,
+  smb1_transaction2_secondary_request, smb1_transaction_response
+
 Changed Functionality
 ---------------------
 
@@ -83,6 +86,11 @@ Changed Functionality
   the default configuration of logs, this field will show "-" instead of
   "(empty)" for connections that lack any tunelling.
 
+- SMB event argument changes
+  - smb1_transaction_request now has two additional arguments, "parameters"
+    and "data" strings
+  - smb1_transaction2_request now has an additional "args" record argument
+
 Removed Functionality
 ---------------------
 

VERSION

@@ -1 +1 @@
-2.5-410
+2.5-422

scripts/base/init-bare.bro

@@ -2960,6 +2960,73 @@ export {
 		security_blob	: string &optional;
 	};
 
+	type SMB1::Trans2_Args: record {
+	     ## Total parameter count
+	     total_param_count: count;
+	     ## Total data count
+	     total_data_count: count;
+	     ## Max parameter count
+	     max_param_count: count;
+	     ## Max data count
+	     max_data_count: count;
+	     ## Max setup count
+	     max_setup_count: count;
+	     ## Flags
+	     flags: count;
+	     ## Timeout
+	     trans_timeout: count;
+	     ## Parameter count
+	     param_count: count;
+	     ## Parameter offset
+	     param_offset: count;
+	     ## Data count
+	     data_count: count;
+	     ## Data offset
+	     data_offset: count;
+	     ## Setup count
+	     setup_count: count;
+	};
+
+	type SMB1::Trans_Sec_Args: record {
+	     ## Total parameter count
+	     total_param_count: count;
+	     ## Total data count
+	     total_data_count: count;
+	     ## Parameter count
+	     param_count: count;
+	     ## Parameter offset
+	     param_offset: count;
+	     ## Parameter displacement
+	     param_displacement: count;
+	     ## Data count
+	     data_count: count;
+	     ## Data offset
+	     data_offset: count;
+	     ## Data displacement
+	     data_displacement: count;
+	};
+
+	type SMB1::Trans2_Sec_Args: record {
+	     ## Total parameter count
+	     total_param_count: count;
+	     ## Total data count
+	     total_data_count: count;
+	     ## Parameter count
+	     param_count: count;
+	     ## Parameter offset
+	     param_offset: count;
+	     ## Parameter displacement
+	     param_displacement: count;
+	     ## Data count
+	     data_count: count;
+	     ## Data offset
+	     data_offset: count;
+	     ## Data displacement
+	     data_displacement: count;
+	     ## File ID
+	     FID: count;
+	};
+
 	type SMB1::Find_First2_Request_Args: record {
 		## File attributes to apply as a constraint to the search
 		search_attrs		: count;

scripts/policy/protocols/smb/smb1-main.bro

@@ -82,7 +82,7 @@ event smb1_message(c: connection, hdr: SMB1::Header, is_orig: bool) &priority=-5
 	}
 
 
-event smb1_transaction2_request(c: connection, hdr: SMB1::Header, sub_cmd: count)
+event smb1_transaction2_request(c: connection, hdr: SMB1::Header, args: SMB1::Trans2_Args, sub_cmd: count)
 	{
 	c$smb_state$current_cmd$sub_command = SMB1::trans2_sub_commands[sub_cmd];
 	}
@@ -263,7 +263,7 @@ event smb1_session_setup_andx_response(c: connection, hdr: SMB1::Header, respons
 	# No behavior yet.
 	}
 	
-event smb1_transaction_request(c: connection, hdr: SMB1::Header, name: string, sub_cmd: count)
+event smb1_transaction_request(c: connection, hdr: SMB1::Header, name: string, sub_cmd: count, parameters: string, data: string)
 	{
 	c$smb_state$current_cmd$sub_command = SMB1::trans_sub_commands[sub_cmd];
 	}

src/analyzer/protocol/smb/CMakeLists.txt

@@ -18,7 +18,9 @@ bro_plugin_bif(
 	smb1_com_read_andx.bif
 	smb1_com_session_setup_andx.bif
 	smb1_com_transaction.bif
+	smb1_com_transaction_secondary.bif
 	smb1_com_transaction2.bif
+	smb1_com_transaction2_secondary.bif
 	smb1_com_tree_connect_andx.bif
 	smb1_com_tree_disconnect.bif
 	smb1_com_write_andx.bif
@@ -65,6 +67,7 @@ bro_plugin_pac(
 	smb1-com-transaction-secondary.pac
 	smb1-com-transaction.pac
 	smb1-com-transaction2.pac
+	smb1-com-transaction2-secondary.pac
 	smb1-com-tree-connect-andx.pac
 	smb1-com-tree-disconnect.pac
 	smb1-com-write-andx.pac

src/analyzer/protocol/smb/smb.pac

@@ -24,7 +24,9 @@
 #include "smb1_com_read_andx.bif.h"
 #include "smb1_com_session_setup_andx.bif.h"
 #include "smb1_com_transaction.bif.h"
+#include "smb1_com_transaction_secondary.bif.h"
 #include "smb1_com_transaction2.bif.h"
+#include "smb1_com_transaction2_secondary.bif.h"
 #include "smb1_com_tree_connect_andx.bif.h"
 #include "smb1_com_tree_disconnect.bif.h"
 #include "smb1_com_write_andx.bif.h"
@@ -74,6 +76,7 @@ connection SMB_Conn(bro_analyzer: BroAnalyzer) {
 %include smb1-com-transaction-secondary.pac
 %include smb1-com-transaction.pac
 %include smb1-com-transaction2.pac
+%include smb1-com-transaction2-secondary.pac
 %include smb1-com-tree-connect-andx.pac
 %include smb1-com-tree-disconnect.pac
 %include smb1-com-write-andx.pac

src/analyzer/protocol/smb/smb1-com-transaction-secondary.pac

@@ -1,3 +1,61 @@
+refine connection SMB_Conn += {
+
+	function proc_smb1_transaction_secondary_request(header: SMB_Header, val: SMB1_transaction_secondary_request): bool
+	%{
+	if ( ! smb1_transaction_secondary_request )
+		return false;
+
+	RecordVal* args = new RecordVal(BifType::Record::SMB1::Trans_Sec_Args);
+	args->Assign(0, new Val(${val.total_param_count}, TYPE_COUNT));
+	args->Assign(1, new Val(${val.total_data_count}, TYPE_COUNT));
+	args->Assign(2, new Val(${val.param_count}, TYPE_COUNT));
+	args->Assign(3, new Val(${val.param_offset}, TYPE_COUNT));
+	args->Assign(4, new Val(${val.param_displacement}, TYPE_COUNT));
+	args->Assign(5, new Val(${val.data_count}, TYPE_COUNT));
+	args->Assign(6, new Val(${val.data_offset}, TYPE_COUNT));
+	args->Assign(7, new Val(${val.data_displacement}, TYPE_COUNT));
+
+	StringVal* parameters = new StringVal(${val.parameters}.length(),
+	                                      (const char*)${val.parameters}.data());
+	StringVal* payload_str = nullptr;
+	SMB1_transaction_data* payload = nullptr;
+
+	if ( ${val.data_count} > 0 )
+		{
+		payload = ${val.data};
+		}
+
+	if ( payload )
+		{
+		switch ( payload->trans_type() ) {
+		case SMB_PIPE:
+			payload_str = new StringVal(${val.data_count}, (const char*)${val.data.pipe_data}.data());
+			break;
+		case SMB_UNKNOWN:
+			payload_str = new StringVal(${val.data_count}, (const char*)${val.data.unknown}.data());
+			break;
+		default:
+			payload_str = new StringVal(${val.data_count}, (const char*)${val.data.data}.data());
+			break;
+		}
+		}
+
+	if ( ! payload_str )
+		{
+		payload_str = new StringVal("");
+		}
+
+	BifEvent::generate_smb1_transaction_secondary_request(bro_analyzer(),
+	                                                      bro_analyzer()->Conn(),
+	                                                      BuildHeaderVal(header),
+	                                                      args,
+	                                                      parameters,
+	                                                      payload_str);
+
+	return true;
+	%}
+};
+
 type SMB1_transaction_secondary_request(header: SMB_Header) = record {
 	word_count          : uint8;
 	total_param_count   : uint16;
@@ -14,4 +72,6 @@ type SMB1_transaction_secondary_request(header: SMB_Header) = record {
 	parameters          : bytestring &length = param_count;
 	pad2                : padding to data_offset - SMB_Header_length;
 	data                : SMB1_transaction_data(header, true, data_count, 0, SMB_UNKNOWN, false);
+} &let {
+  proc : bool = $context.connection.proc_smb1_transaction_secondary_request(header, this);
 };

src/analyzer/protocol/smb/smb1-com-transaction.pac

@@ -31,18 +31,90 @@ refine connection SMB_Conn += {
 
 	function proc_smb1_transaction_request(header: SMB_Header, val: SMB1_transaction_request): bool
 		%{
-		if ( smb1_transaction_request )
-			BifEvent::generate_smb1_transaction_request(bro_analyzer(),
-			                                            bro_analyzer()->Conn(),
-			                                            BuildHeaderVal(header),
-			                                            smb_string2stringval(${val.name}),
-			                                            ${val.sub_cmd});
+		if ( ! smb1_transaction_request )
+			return false;
+
+		StringVal* parameters = new StringVal(${val.parameters}.length(),
+		                                      (const char*)${val.parameters}.data());
+		StringVal* payload_str = nullptr;
+		SMB1_transaction_data* payload = nullptr;
+
+		if ( ${val.data_count} > 0 )
+			{
+			payload = ${val.data};
+			}
+
+		if ( payload )
+			{
+			switch ( payload->trans_type() ) {
+			case SMB_PIPE:
+				payload_str = new StringVal(${val.data_count}, (const char*)${val.data.pipe_data}.data());
+				break;
+			case SMB_UNKNOWN:
+				payload_str = new StringVal(${val.data_count}, (const char*)${val.data.unknown}.data());
+				break;
+			default:
+				payload_str = new StringVal(${val.data_count}, (const char*)${val.data.data}.data());
+				break;
+			}
+			}
+
+		if ( ! payload_str )
+			{
+			payload_str = new StringVal("");
+			}
+
+		BifEvent::generate_smb1_transaction_request(bro_analyzer(),
+		                                            bro_analyzer()->Conn(),
+		                                            BuildHeaderVal(header),
+		                                            smb_string2stringval(${val.name}),
+		                                            ${val.sub_cmd},
+		                                            parameters,
+		                                            payload_str);
 
 		return true;
 		%}
 
 	function proc_smb1_transaction_response(header: SMB_Header, val: SMB1_transaction_response): bool
 		%{
+		if ( ! smb1_transaction_response )
+			return false;
+
+		StringVal* parameters = new StringVal(${val.parameters}.length(),
+		                                      (const char*)${val.parameters}.data());
+		StringVal* payload_str = nullptr;
+		SMB1_transaction_data* payload = nullptr;
+
+		if ( ${val.data_count} > 0 )
+			{
+			payload = ${val.data[0]};
+			}
+
+		if ( payload )
+			{
+			switch ( payload->trans_type() ) {
+			case SMB_PIPE:
+				payload_str = new StringVal(${val.data_count}, (const char*)${val.data[0].pipe_data}.data());
+				break;
+			case SMB_UNKNOWN:
+				payload_str = new StringVal(${val.data_count}, (const char*)${val.data[0].unknown}.data());
+				break;
+			default:
+				payload_str = new StringVal(${val.data_count}, (const char*)${val.data[0].data}.data());
+				break;
+			}
+			}
+
+		if ( ! payload_str )
+			{
+			payload_str = new StringVal("");
+			}
+
+		BifEvent::generate_smb1_transaction_response(bro_analyzer(),
+		                                             bro_analyzer()->Conn(),
+		                                             BuildHeaderVal(header),
+		                                             parameters,
+		                                             payload_str);
 		return true;
 		%}
 };
@@ -54,17 +126,12 @@ type SMB1_transaction_data(header: SMB_Header, is_orig: bool, count: uint16, sub
 #	SMB_MAILSLOT_LANMAN -> lanman    : SMB_MailSlot_message(header.unicode, count);
 #	SMB_RAP             -> rap       : SMB_Pipe_message(header.unicode, count);
 	SMB_PIPE            -> pipe_data : bytestring &restofdata;
-	SMB_UNKNOWN         -> unknown   : bytestring &restofdata &transient;
-	default             -> data      : bytestring &restofdata &transient;
+	SMB_UNKNOWN         -> unknown   : bytestring &restofdata;
+	default             -> data      : bytestring &restofdata;
 } &let {
 	pipe_proc : bool = $context.connection.forward_dce_rpc(pipe_data, 0, is_orig) &if(trans_type == SMB_PIPE);
 };
 
-type SMB1_transaction_setup = record {
-	op_code : uint16;
-	file_id : uint16;
-}
-
 type SMB1_transaction_request(header: SMB_Header) = record {
 	word_count          : uint8;
 	total_param_count   : uint16;
@@ -83,7 +150,7 @@ type SMB1_transaction_request(header: SMB_Header) = record {
 	setup_count         : uint8;
 	reserved3           : uint8;
 	# word_count 16 is a different dialect that behaves a bit differently.
-	setup               : SMB1_transaction_setup[word_count == 16 ? 1 : setup_count];
+	setup               : uint16[setup_count];
 
 	byte_count          : uint16;
 	name                : SMB_string(header.unicode, offsetof(name));
@@ -92,7 +159,7 @@ type SMB1_transaction_request(header: SMB_Header) = record {
 	pad2                : padding to data_offset - SMB_Header_length;
 	data                : SMB1_transaction_data(header, true, data_count, sub_cmd, transtype, is_pipe);
 } &let {
-	sub_cmd : uint16 = (sizeof(setup) && word_count != 16) > 0 ? setup[0].op_code : 0;
+	sub_cmd : uint16 = (sizeof(setup) && word_count != 16) > 0 ? setup[0] : 0;
 	transtype : int = determine_transaction_type(header, name);
 	is_pipe : bool = (transtype == SMB_PIPE || (transtype == SMB_UNKNOWN && $context.connection.get_tree_is_pipe(header.tid)));
 

src/analyzer/protocol/smb/smb1-com-transaction2-secondary.pac

@@ -0,0 +1,52 @@
+refine connection SMB_Conn += {
+
+	function proc_smb1_transaction2_secondary_request(header: SMB_Header, val: SMB1_transaction2_secondary_request): bool
+	%{
+	if ( ! smb1_transaction2_secondary_request )
+		return false;
+
+	RecordVal* args = new RecordVal(BifType::Record::SMB1::Trans2_Sec_Args);
+	args->Assign(0, new Val(${val.total_param_count}, TYPE_COUNT));
+	args->Assign(1, new Val(${val.total_data_count}, TYPE_COUNT));
+	args->Assign(2, new Val(${val.param_count}, TYPE_COUNT));
+	args->Assign(3, new Val(${val.param_offset}, TYPE_COUNT));
+	args->Assign(4, new Val(${val.param_displacement}, TYPE_COUNT));
+	args->Assign(5, new Val(${val.data_count}, TYPE_COUNT));
+	args->Assign(6, new Val(${val.data_offset}, TYPE_COUNT));
+	args->Assign(7, new Val(${val.data_displacement}, TYPE_COUNT));
+	args->Assign(8, new Val(${val.FID}, TYPE_COUNT));
+
+	StringVal* parameters = new StringVal(${val.parameters}.length(), (const char*)${val.parameters}.data());
+	StringVal* payload = new StringVal(${val.data}.length(), (const char*)${val.data}.data());
+
+	BifEvent::generate_smb1_transaction2_secondary_request(bro_analyzer(),
+	                                                       bro_analyzer()->Conn(),
+	                                                       BuildHeaderVal(header),
+	                                                       args,
+	                                                       parameters,
+	                                                       payload);
+
+	return true;
+	%}
+};
+
+type SMB1_transaction2_secondary_request(header: SMB_Header) = record {
+	word_count          : uint8;
+	total_param_count   : uint16;
+	total_data_count    : uint16;
+	param_count         : uint16;
+	param_offset        : uint16;
+	param_displacement  : uint16;
+	data_count          : uint16;
+	data_offset         : uint16;
+	data_displacement   : uint16;
+	FID                 : uint16;
+
+	byte_count          : uint16;
+	pad1                : padding to (param_offset - SMB_Header_length);
+	parameters          : bytestring &length = param_count;
+	pad2                : padding to (data_offset - SMB_Header_length);
+	data                : bytestring &length=data_count;
+} &let {
+	proc : bool = $context.connection.proc_smb1_transaction2_secondary_request(header, this);
+};

src/analyzer/protocol/smb/smb1-com-transaction2.pac

@@ -23,7 +23,23 @@ refine connection SMB_Conn += {
 	function proc_smb1_transaction2_request(header: SMB_Header, val: SMB1_transaction2_request): bool
 		%{
 		if ( smb1_transaction2_request )
-			BifEvent::generate_smb1_transaction2_request(bro_analyzer(), bro_analyzer()->Conn(), BuildHeaderVal(header), ${val.sub_cmd});
+			{
+			RecordVal* args = new RecordVal(BifType::Record::SMB1::Trans2_Args);
+			args->Assign(0, new Val(${val.total_param_count}, TYPE_COUNT));
+			args->Assign(1, new Val(${val.total_data_count}, TYPE_COUNT));
+			args->Assign(2, new Val(${val.max_param_count}, TYPE_COUNT));
+			args->Assign(3, new Val(${val.max_data_count}, TYPE_COUNT));
+			args->Assign(4, new Val(${val.max_setup_count}, TYPE_COUNT));
+			args->Assign(5, new Val(${val.flags}, TYPE_COUNT));
+			args->Assign(6, new Val(${val.timeout}, TYPE_COUNT));
+			args->Assign(7, new Val(${val.param_count}, TYPE_COUNT));
+			args->Assign(8, new Val(${val.param_offset}, TYPE_COUNT));
+			args->Assign(9, new Val(${val.data_count}, TYPE_COUNT));
+			args->Assign(10, new Val(${val.data_offset}, TYPE_COUNT));
+			args->Assign(11, new Val(${val.setup_count}, TYPE_COUNT));
+
+			BifEvent::generate_smb1_transaction2_request(bro_analyzer(), bro_analyzer()->Conn(), BuildHeaderVal(header), args, ${val.sub_cmd});
+			}
 
 		return true;
 		%}

src/analyzer/protocol/smb/smb1-protocol.pac

@@ -170,7 +170,7 @@ type SMB_Message_Request(header: SMB_Header, offset: uint16, command: uint8, is_
 #	#SMB_COM_QUERY_INFORMATION2       -> query_information2     : SMB_query_information2_request(header);
 	SMB_COM_LOCKING_ANDX             -> locking_andx           : SMB1_locking_andx_request(header, offset);
 	SMB_COM_TRANSACTION              -> transaction            : SMB1_transaction_request(header);
-#	SMB_COM_TRANSACTION_SECONDARY    -> transaction_secondary  : SMB1_transaction_secondary_request(header);
+	SMB_COM_TRANSACTION_SECONDARY     -> transaction_secondary  : SMB1_transaction_secondary_request(header);
 #	#SMB_COM_IOCTL                    -> ioctl                  : SMB_ioctl_request(header);
 #	#SMB_COM_IOCTL_SECONDARY          -> ioctl_secondary        : SMB_ioctl_secondary_request(header);
 #	#SMB_COM_COPY                     -> copy                   : SMB_copy_request(header);
@@ -179,7 +179,7 @@ type SMB_Message_Request(header: SMB_Header, offset: uint16, command: uint8, is_
 #	#SMB_COM_WRITE_AND_CLOSE          -> write_and_close        : SMB_write_and_close_request(header);
 #	#SMB_COM_NEW_FILE_SIZE            -> new_file_size          : SMB_new_file_size_request(header);
 #	#SMB_COM_CLOSE_AND_TREE_DISC      -> close_and_tree_disc    : SMB_close_and_tree_disc_request(header);
-#	#SMB_COM_TRANSACTION2_SECONDARY   -> transaction2_secondary : SMB1_transaction2_secondary_request(header);
+	SMB_COM_TRANSACTION2_SECONDARY   -> transaction2_secondary : SMB1_transaction2_secondary_request(header);
 #	#SMB_COM_FIND_CLOSE2              -> find_close2            : SMB_find_close2_request(header);
 #	#SMB_COM_FIND_NOTIFY_CLOSE        -> find_notify_close      : SMB_find_notify_close_request(header);
 #	#SMB_COM_TREE_CONNECT             -> tree_connect           : SMB_tree_connect_request(header);

src/analyzer/protocol/smb/smb1_com_transaction.bif

@@ -3,7 +3,7 @@
 ## Transaction Subprotocol Commands. These commands operate on mailslots and named pipes,
 ## which are interprocess communication endpoints within the CIFS file system.
 ##
-## For more information, see MS-CIFS:2.2.4.33
+## For more information, see MS-CIFS:2.2.4.33.1
 ##
 ## c: The connection.
 ##
@@ -14,5 +14,25 @@
 ##
 ## sub_cmd: The sub command, some may be parsed and have their own events.
 ##
+## parameters: content of the SMB_Data.Trans_Parameters field
+##
+## data: content of the SMB_Data.Trans_Data field
+##
 ## .. bro:see:: smb1_message smb1_transaction2_request
-event smb1_transaction_request%(c: connection, hdr: SMB1::Header, name: string, sub_cmd: count%);
+event smb1_transaction_request%(c: connection, hdr: SMB1::Header, name: string, sub_cmd: count, parameters: string, data: string%);
+
+## Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
+## version 1 requests of type *transaction*. This command serves as the transport for the
+## Transaction Subprotocol Commands. These commands operate on mailslots and named pipes,
+## which are interprocess communication endpoints within the CIFS file system.
+##
+## For more information, see MS-CIFS:2.2.4.33.2
+##
+## c: The connection.
+##
+## hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 1 message.
+##
+## parameters: content of the SMB_Data.Trans_Parameters field
+##
+## data: content of the SMB_Data.Trans_Data field
+event smb1_transaction_response%(c: connection, hdr: SMB1::Header, parameters: string, data: string%);

src/analyzer/protocol/smb/smb1_com_transaction2.bif

@@ -17,7 +17,7 @@
 ##
 ## .. bro:see:: smb1_message smb1_trans2_find_first2_request smb1_trans2_query_path_info_request
 ##    smb1_trans2_get_dfs_referral_request smb1_transaction_request
-event smb1_transaction2_request%(c: connection, hdr: SMB1::Header, sub_cmd: count%);
+event smb1_transaction2_request%(c: connection, hdr: SMB1::Header, args: SMB1::Trans2_Args, sub_cmd: count%);
 
 ## Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
 ## version 1 *transaction2* requests of subtype *find first2*. This transaction is used to begin
@@ -92,6 +92,6 @@ event smb1_trans2_get_dfs_referral_request%(c: connection, hdr: SMB1::Header, fi
 
 
 ### Types
-
 type SMB1::Find_First2_Request_Args: record;
-type SMB1::Find_First2_Response_Args: record;
+type SMB1::Find_First2_Response_Args: record;
+type SMB1::Trans2_Args: record;

src/analyzer/protocol/smb/smb1_com_transaction2_secondary.bif

@@ -0,0 +1,19 @@
+## Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
+## version 1 requests of type *transaction2 secondary*.
+##
+## For more information, see MS-CIFS:2.2.4.47.1
+##
+## c: The connection.
+##
+## hdr: The parsed header of the :abbr:`SMB (Server Message Block)`
+## version 1 message.
+##
+## args: arguments of the message (SMB_Parameters.Words)
+##
+## parameters: content of the SMB_Data.Trans_Parameters field
+##
+## data: content of the SMB_Data.Trans_Data field
+event smb1_transaction2_secondary_request%(c: connection, hdr: SMB1::Header, args: SMB1::Trans2_Sec_Args, parameters: string, data: string%);
+
+### Types
+type SMB1::Trans2_Sec_Args: record;

src/analyzer/protocol/smb/smb1_com_transaction_secondary.bif

@@ -0,0 +1,19 @@
+## Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
+## version 1 requests of type *transaction_secondary*. This command
+## serves as an additional request data container for the
+## Transaction Subprotocol Commands (carried by *transaction* requests).
+##
+## For more information, see MS-CIFS:2.2.4.34
+##
+## c: The connection.
+##
+## hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 1 message.
+##
+## parameters: the SMB_Data.Trans_Parameters field content
+##
+## data: the SMB_Data.Trans_Data field content
+##
+event smb1_transaction_secondary_request%(c: connection, hdr: SMB1::Header, args: SMB1::Trans_Sec_Args, parameters: string, data: string%);
+
+### Types
+type SMB1::Trans_Sec_Args: record;

testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log

@@ -3,7 +3,7 @@
 #empty_field	(empty)
 #unset_field	-
 #path	loaded_scripts
-#open	2017-05-02-20-38-47
+#open	2018-02-05-22-27-42
 #fields	name
 #types	string
 scripts/base/init-bare.bro
@@ -114,7 +114,9 @@ scripts/base/init-bare.bro
     build/scripts/base/bif/plugins/Bro_SMB.smb1_com_read_andx.bif.bro
     build/scripts/base/bif/plugins/Bro_SMB.smb1_com_session_setup_andx.bif.bro
     build/scripts/base/bif/plugins/Bro_SMB.smb1_com_transaction.bif.bro
+    build/scripts/base/bif/plugins/Bro_SMB.smb1_com_transaction_secondary.bif.bro
     build/scripts/base/bif/plugins/Bro_SMB.smb1_com_transaction2.bif.bro
+    build/scripts/base/bif/plugins/Bro_SMB.smb1_com_transaction2_secondary.bif.bro
     build/scripts/base/bif/plugins/Bro_SMB.smb1_com_tree_connect_andx.bif.bro
     build/scripts/base/bif/plugins/Bro_SMB.smb1_com_tree_disconnect.bif.bro
     build/scripts/base/bif/plugins/Bro_SMB.smb1_com_write_andx.bif.bro
@@ -168,4 +170,4 @@ scripts/base/init-bare.bro
     build/scripts/base/bif/plugins/Bro_SQLiteWriter.sqlite.bif.bro
 scripts/policy/misc/loaded-scripts.bro
   scripts/base/utils/paths.bro
-#close	2017-05-02-20-38-47
+#close	2018-02-05-22-27-42

testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log

@@ -3,7 +3,7 @@
 #empty_field	(empty)
 #unset_field	-
 #path	loaded_scripts
-#open	2017-05-02-20-39-05
+#open	2018-02-05-22-27-48
 #fields	name
 #types	string
 scripts/base/init-bare.bro
@@ -114,7 +114,9 @@ scripts/base/init-bare.bro
     build/scripts/base/bif/plugins/Bro_SMB.smb1_com_read_andx.bif.bro
     build/scripts/base/bif/plugins/Bro_SMB.smb1_com_session_setup_andx.bif.bro
     build/scripts/base/bif/plugins/Bro_SMB.smb1_com_transaction.bif.bro
+    build/scripts/base/bif/plugins/Bro_SMB.smb1_com_transaction_secondary.bif.bro
     build/scripts/base/bif/plugins/Bro_SMB.smb1_com_transaction2.bif.bro
+    build/scripts/base/bif/plugins/Bro_SMB.smb1_com_transaction2_secondary.bif.bro
     build/scripts/base/bif/plugins/Bro_SMB.smb1_com_tree_connect_andx.bif.bro
     build/scripts/base/bif/plugins/Bro_SMB.smb1_com_tree_disconnect.bif.bro
     build/scripts/base/bif/plugins/Bro_SMB.smb1_com_write_andx.bif.bro
@@ -357,4 +359,4 @@ scripts/base/init-default.bro
   scripts/base/misc/find-filtered-trace.bro
   scripts/base/misc/version.bro
 scripts/policy/misc/loaded-scripts.bro
-#close	2017-05-02-20-39-05
+#close	2018-02-05-22-27-48

testing/btest/Baseline/plugins.hooks/output

@@ -256,7 +256,7 @@
 0.000000   MetaHookPost  CallFunction(Log::__create_stream, <frame>, (Weird::LOG, [columns=<no value description>, ev=Weird::log_weird, path=weird])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::__create_stream, <frame>, (X509::LOG, [columns=<no value description>, ev=X509::log_x509, path=x509])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::__create_stream, <frame>, (mysql::LOG, [columns=<no value description>, ev=MySQL::log_mysql, path=mysql])) -> <no result>
-0.000000   MetaHookPost  CallFunction(Log::__write, <frame>, (PacketFilter::LOG, [ts=1516211213.330468, node=bro, filter=ip or not ip, init=T, success=T])) -> <no result>
+0.000000   MetaHookPost  CallFunction(Log::__write, <frame>, (PacketFilter::LOG, [ts=1517869617.717274, node=bro, filter=ip or not ip, init=T, success=T])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::add_default_filter, <frame>, (Cluster::LOG)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::add_default_filter, <frame>, (Communication::LOG)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::add_default_filter, <frame>, (Conn::LOG)) -> <no result>
@@ -429,7 +429,7 @@
 0.000000   MetaHookPost  CallFunction(Log::create_stream, <frame>, (Weird::LOG, [columns=<no value description>, ev=Weird::log_weird, path=weird])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::create_stream, <frame>, (X509::LOG, [columns=<no value description>, ev=X509::log_x509, path=x509])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::create_stream, <frame>, (mysql::LOG, [columns=<no value description>, ev=MySQL::log_mysql, path=mysql])) -> <no result>
-0.000000   MetaHookPost  CallFunction(Log::write, <frame>, (PacketFilter::LOG, [ts=1516211213.330468, node=bro, filter=ip or not ip, init=T, success=T])) -> <no result>
+0.000000   MetaHookPost  CallFunction(Log::write, <frame>, (PacketFilter::LOG, [ts=1517869617.717274, node=bro, filter=ip or not ip, init=T, success=T])) -> <no result>
 0.000000   MetaHookPost  CallFunction(NetControl::check_plugins, <frame>, ()) -> <no result>
 0.000000   MetaHookPost  CallFunction(NetControl::init, <null>, ()) -> <no result>
 0.000000   MetaHookPost  CallFunction(Notice::want_pp, <frame>, ()) -> <no result>
@@ -538,6 +538,8 @@
 0.000000   MetaHookPost  LoadFile(0, .<...>/Bro_SMB.smb1_com_session_setup_andx.bif.bro) -> -1
 0.000000   MetaHookPost  LoadFile(0, .<...>/Bro_SMB.smb1_com_transaction.bif.bro) -> -1
 0.000000   MetaHookPost  LoadFile(0, .<...>/Bro_SMB.smb1_com_transaction2.bif.bro) -> -1
+0.000000   MetaHookPost  LoadFile(0, .<...>/Bro_SMB.smb1_com_transaction2_secondary.bif.bro) -> -1
+0.000000   MetaHookPost  LoadFile(0, .<...>/Bro_SMB.smb1_com_transaction_secondary.bif.bro) -> -1
 0.000000   MetaHookPost  LoadFile(0, .<...>/Bro_SMB.smb1_com_tree_connect_andx.bif.bro) -> -1
 0.000000   MetaHookPost  LoadFile(0, .<...>/Bro_SMB.smb1_com_tree_disconnect.bif.bro) -> -1
 0.000000   MetaHookPost  LoadFile(0, .<...>/Bro_SMB.smb1_com_write_andx.bif.bro) -> -1
@@ -1034,7 +1036,7 @@
 0.000000   MetaHookPre   CallFunction(Log::__create_stream, <frame>, (Weird::LOG, [columns=<no value description>, ev=Weird::log_weird, path=weird]))
 0.000000   MetaHookPre   CallFunction(Log::__create_stream, <frame>, (X509::LOG, [columns=<no value description>, ev=X509::log_x509, path=x509]))
 0.000000   MetaHookPre   CallFunction(Log::__create_stream, <frame>, (mysql::LOG, [columns=<no value description>, ev=MySQL::log_mysql, path=mysql]))
-0.000000   MetaHookPre   CallFunction(Log::__write, <frame>, (PacketFilter::LOG, [ts=1516211213.330468, node=bro, filter=ip or not ip, init=T, success=T]))
+0.000000   MetaHookPre   CallFunction(Log::__write, <frame>, (PacketFilter::LOG, [ts=1517869617.717274, node=bro, filter=ip or not ip, init=T, success=T]))
 0.000000   MetaHookPre   CallFunction(Log::add_default_filter, <frame>, (Cluster::LOG))
 0.000000   MetaHookPre   CallFunction(Log::add_default_filter, <frame>, (Communication::LOG))
 0.000000   MetaHookPre   CallFunction(Log::add_default_filter, <frame>, (Conn::LOG))
@@ -1207,7 +1209,7 @@
 0.000000   MetaHookPre   CallFunction(Log::create_stream, <frame>, (Weird::LOG, [columns=<no value description>, ev=Weird::log_weird, path=weird]))
 0.000000   MetaHookPre   CallFunction(Log::create_stream, <frame>, (X509::LOG, [columns=<no value description>, ev=X509::log_x509, path=x509]))
 0.000000   MetaHookPre   CallFunction(Log::create_stream, <frame>, (mysql::LOG, [columns=<no value description>, ev=MySQL::log_mysql, path=mysql]))
-0.000000   MetaHookPre   CallFunction(Log::write, <frame>, (PacketFilter::LOG, [ts=1516211213.330468, node=bro, filter=ip or not ip, init=T, success=T]))
+0.000000   MetaHookPre   CallFunction(Log::write, <frame>, (PacketFilter::LOG, [ts=1517869617.717274, node=bro, filter=ip or not ip, init=T, success=T]))
 0.000000   MetaHookPre   CallFunction(NetControl::check_plugins, <frame>, ())
 0.000000   MetaHookPre   CallFunction(NetControl::init, <null>, ())
 0.000000   MetaHookPre   CallFunction(Notice::want_pp, <frame>, ())
@@ -1316,6 +1318,8 @@
 0.000000   MetaHookPre   LoadFile(0, .<...>/Bro_SMB.smb1_com_session_setup_andx.bif.bro)
 0.000000   MetaHookPre   LoadFile(0, .<...>/Bro_SMB.smb1_com_transaction.bif.bro)
 0.000000   MetaHookPre   LoadFile(0, .<...>/Bro_SMB.smb1_com_transaction2.bif.bro)
+0.000000   MetaHookPre   LoadFile(0, .<...>/Bro_SMB.smb1_com_transaction2_secondary.bif.bro)
+0.000000   MetaHookPre   LoadFile(0, .<...>/Bro_SMB.smb1_com_transaction_secondary.bif.bro)
 0.000000   MetaHookPre   LoadFile(0, .<...>/Bro_SMB.smb1_com_tree_connect_andx.bif.bro)
 0.000000   MetaHookPre   LoadFile(0, .<...>/Bro_SMB.smb1_com_tree_disconnect.bif.bro)
 0.000000   MetaHookPre   LoadFile(0, .<...>/Bro_SMB.smb1_com_write_andx.bif.bro)
@@ -1811,7 +1815,7 @@
 0.000000 | HookCallFunction Log::__create_stream(Weird::LOG, [columns=<no value description>, ev=Weird::log_weird, path=weird])
 0.000000 | HookCallFunction Log::__create_stream(X509::LOG, [columns=<no value description>, ev=X509::log_x509, path=x509])
 0.000000 | HookCallFunction Log::__create_stream(mysql::LOG, [columns=<no value description>, ev=MySQL::log_mysql, path=mysql])
-0.000000 | HookCallFunction Log::__write(PacketFilter::LOG, [ts=1516211213.330468, node=bro, filter=ip or not ip, init=T, success=T])
+0.000000 | HookCallFunction Log::__write(PacketFilter::LOG, [ts=1517869617.717274, node=bro, filter=ip or not ip, init=T, success=T])
 0.000000 | HookCallFunction Log::add_default_filter(Cluster::LOG)
 0.000000 | HookCallFunction Log::add_default_filter(Communication::LOG)
 0.000000 | HookCallFunction Log::add_default_filter(Conn::LOG)
@@ -1984,7 +1988,7 @@
 0.000000 | HookCallFunction Log::create_stream(Weird::LOG, [columns=<no value description>, ev=Weird::log_weird, path=weird])
 0.000000 | HookCallFunction Log::create_stream(X509::LOG, [columns=<no value description>, ev=X509::log_x509, path=x509])
 0.000000 | HookCallFunction Log::create_stream(mysql::LOG, [columns=<no value description>, ev=MySQL::log_mysql, path=mysql])
-0.000000 | HookCallFunction Log::write(PacketFilter::LOG, [ts=1516211213.330468, node=bro, filter=ip or not ip, init=T, success=T])
+0.000000 | HookCallFunction Log::write(PacketFilter::LOG, [ts=1517869617.717274, node=bro, filter=ip or not ip, init=T, success=T])
 0.000000 | HookCallFunction NetControl::check_plugins()
 0.000000 | HookCallFunction NetControl::init()
 0.000000 | HookCallFunction Notice::want_pp()
@@ -2093,6 +2097,8 @@
 0.000000 | HookLoadFile  .<...>/Bro_SMB.smb1_com_session_setup_andx.bif.bro
 0.000000 | HookLoadFile  .<...>/Bro_SMB.smb1_com_transaction.bif.bro
 0.000000 | HookLoadFile  .<...>/Bro_SMB.smb1_com_transaction2.bif.bro
+0.000000 | HookLoadFile  .<...>/Bro_SMB.smb1_com_transaction2_secondary.bif.bro
+0.000000 | HookLoadFile  .<...>/Bro_SMB.smb1_com_transaction_secondary.bif.bro
 0.000000 | HookLoadFile  .<...>/Bro_SMB.smb1_com_tree_connect_andx.bif.bro
 0.000000 | HookLoadFile  .<...>/Bro_SMB.smb1_com_tree_disconnect.bif.bro
 0.000000 | HookLoadFile  .<...>/Bro_SMB.smb1_com_write_andx.bif.bro
@@ -2327,7 +2333,7 @@
 0.000000 | HookLoadFile  base<...>/x509
 0.000000 | HookLoadFile  base<...>/xmpp
 0.000000 | HookLogInit   packet_filter 1/1 {ts (time), node (string), filter (string), init (bool), success (bool)}
-0.000000 | HookLogWrite  packet_filter [ts=1516211213.330468, node=bro, filter=ip or not ip, init=T, success=T]
+0.000000 | HookLogWrite  packet_filter [ts=1517869617.717274, node=bro, filter=ip or not ip, init=T, success=T]
 0.000000 | HookQueueEvent NetControl::init()
 0.000000 | HookQueueEvent bro_init()
 0.000000 | HookQueueEvent filter_change_tracking()

testing/btest/Baseline/scripts.base.protocols.smb.smb1-transaction-request/.stdout

@@ -0,0 +1 @@
+smb1_transaction_request hdr: [command=37, status=0, flags=0, flags2=0, tid=31335, pid=1, uid=11132, mid=2], name: \\PIPE\lsarpc, sub_cmd: 2600, params: some_params, data: some_data

testing/btest/Baseline/scripts.base.protocols.smb.smb1-transaction-response/.stdout

@@ -0,0 +1 @@
+smb1_transaction_response hdr: [command=37, status=0, flags=128, flags2=0, tid=41669, pid=1, uid=17768, mid=2], params: some_params, data: some_data

testing/btest/Baseline/scripts.base.protocols.smb.smb1-transaction-secondary-request/.stdout

@@ -0,0 +1 @@
+smb1_transaction_secondary_request hdr: [command=38, status=0, flags=0, flags2=0, tid=45374, pid=1, uid=57674, mid=2], args: [total_param_count=11, total_data_count=9, param_count=11, param_offset=52, param_displacement=9, data_count=9, data_offset=66, data_displacement=11], params: some_params, data: some_data

testing/btest/Baseline/scripts.base.protocols.smb.smb1-transaction2-request/.stdout

@@ -0,0 +1 @@
+smb1_transaction2_request hdr: [command=50, status=0, flags=0, flags2=0, tid=47242, pid=1, uid=2017, mid=2], args: [total_param_count=13, total_data_count=0, max_param_count=0, max_data_count=0, max_setup_count=0, flags=0, trans_timeout=0, param_count=13, param_offset=69, data_count=0, data_offset=0, setup_count=1], sub_cmd: 5

testing/btest/Baseline/scripts.base.protocols.smb.smb1-transaction2-secondary-request/.stdout

@@ -0,0 +1 @@
+smb1_transaction2_secondary_request hdr: [command=51, status=0, flags=0, flags2=0, tid=29550, pid=1, uid=25541, mid=2], args: [total_param_count=11, total_data_count=9, param_count=11, param_offset=54, param_displacement=9, data_count=9, data_offset=68, data_displacement=11, FID=65535], params: some_params, data: some_data

testing/btest/scripts/base/protocols/smb/smb1-transaction-request.test

@@ -0,0 +1,12 @@
+#@TEST-EXEC: bro -b -C -r $TRACES/smb/smb1_transaction_request.pcap %INPUT
+#@TEST-EXEC: btest-diff .stdout
+
+@load base/protocols/smb
+@load policy/protocols/smb
+
+# Check that smb1_transaction requests are parsed correctly
+
+event smb1_transaction_request(c: connection, hdr: SMB1::Header, name: string, sub_cmd: count, parameters: string, data: string)
+{
+	print fmt("smb1_transaction_request hdr: %s, name: %s, sub_cmd: %x, params: %s, data: %s", hdr, name, sub_cmd, parameters, data);
+}

testing/btest/scripts/base/protocols/smb/smb1-transaction-response.test

@@ -0,0 +1,12 @@
+#@TEST-EXEC: bro -b -C -r $TRACES/smb/smb1_transaction_response.pcap %INPUT
+#@TEST-EXEC: btest-diff .stdout
+
+@load base/protocols/smb
+@load policy/protocols/smb
+
+# Check that smb1_transaction_response requests are parsed correctly
+
+event smb1_transaction_response(c: connection, hdr: SMB1::Header, parameters: string, data: string)
+{
+	print fmt("smb1_transaction_response hdr: %s, params: %s, data: %s", hdr, parameters, data);
+}

testing/btest/scripts/base/protocols/smb/smb1-transaction-secondary-request.test

@@ -0,0 +1,12 @@
+#@TEST-EXEC: bro -b -C -r $TRACES/smb/smb1_transaction_secondary_request.pcap %INPUT
+#@TEST-EXEC: btest-diff .stdout
+
+@load base/protocols/smb
+@load policy/protocols/smb
+
+# Check that smb1_transaction_secondary requests are parsed correctly
+
+event smb1_transaction_secondary_request(c: connection, hdr: SMB1::Header, args: SMB1::Trans_Sec_Args, parameters: string, data: string)
+{
+	print fmt("smb1_transaction_secondary_request hdr: %s, args: %s, params: %s, data: %s", hdr, args, parameters, data);
+}

testing/btest/scripts/base/protocols/smb/smb1-transaction2-request.test

@@ -0,0 +1,12 @@
+#@TEST-EXEC: bro -b -C -r $TRACES/smb/smb1_transaction2_request.pcap %INPUT
+#@TEST-EXEC: btest-diff .stdout
+
+@load base/protocols/smb
+@load policy/protocols/smb
+
+# Check that smb1_transaction2 requests are parsed correctly
+
+event smb1_transaction2_request(c: connection, hdr: SMB1::Header, args: SMB1::Trans2_Args, sub_cmd: count)
+{
+	print fmt("smb1_transaction2_request hdr: %s, args: %s, sub_cmd: %x", hdr, args, sub_cmd);
+}

testing/btest/scripts/base/protocols/smb/smb1-transaction2-secondary-request.test

@@ -0,0 +1,12 @@
+#@TEST-EXEC: bro -b -C -r $TRACES/smb/smb1_transaction2_secondary_request.pcap %INPUT
+#@TEST-EXEC: btest-diff .stdout
+
+@load base/protocols/smb
+@load policy/protocols/smb
+
+# Check that smb1_transaction2_secondary requests are parsed correctly
+
+event smb1_transaction2_secondary_request(c: connection, hdr: SMB1::Header, args: SMB1::Trans2_Sec_Args, parameters: string, data: string)
+{
+	print fmt("smb1_transaction2_secondary_request hdr: %s, args: %s, params: %s, data: %s", hdr, args, parameters, data);
+}