diff --git a/CHANGES b/CHANGES
index 33d2bbb93e..5d73e66940 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,19 @@
+4.1.0-dev.830 | 2021-06-30 07:51:08 +0200
+
+ * GH-1406: Fix SMB tests on Apple M1. (Robin Sommer, Corelight)
+
+4.1.0-dev.828 | 2021-06-29 11:11:22 -0700
+
+ * Remove remaining vestigial IDMEF support code (Christian Kreibich, Corelight)
+
+4.1.0-dev.826 | 2021-06-29 10:39:18 -0700
+
+ * made RecordVal::AppendField protected: it's low-level & requires knowledge of internals (Vern Paxson, Corelight)
+
+4.1.0-dev.821 | 2021-06-29 08:38:37 -0700
+
+ * Fix package name for CMake on CentOS 8 (Dominik Charousset, Corelight)
+
 4.1.0-dev.818 | 2021-06-28 13:50:13 -0700
 
 * GH-1216: Enable Mobile IPv6 support by default (Tim Wojtulewicz, Corelight)
diff --git a/VERSION b/VERSION
index 277cb6f169..8995de2994 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-4.1.0-dev.818
+4.1.0-dev.830
diff --git a/auxil/zeek-aux b/auxil/zeek-aux
index 2e24ebafe0..89eed44dfb 160000
--- a/auxil/zeek-aux
+++ b/auxil/zeek-aux
@@ -1 +1 @@
-Subproject commit 2e24ebafe096be5a493a4aa307e195da244073a9
+Subproject commit 89eed44dfbc0a4ba015f42ba4cfaa22b92a8b92e
diff --git a/ci/centos-8/Dockerfile b/ci/centos-8/Dockerfile
index 344d2f5a5f..6456e718a4 100644
--- a/ci/centos-8/Dockerfile
+++ b/ci/centos-8/Dockerfile
@@ -7,7 +7,7 @@ RUN dnf config-manager --set-enabled powertools
 
 RUN dnf -y update && dnf -y install \
 git \
- cmake3 \
+ cmake \
 make \
 gcc \
 gcc-c++ \
diff --git a/scripts/base/init-bare.zeek b/scripts/base/init-bare.zeek
index e82e062cb2..ea70767f72 100644
--- a/scripts/base/init-bare.zeek
+++ b/scripts/base/init-bare.zeek
@@ -2789,14 +2789,22 @@ export {
 ## .. zeek:see:: smb1_nt_create_andx_response smb2_create_response
 type SMB::MACTimes: record {
 ## The time when data was last written to the file.
- modified : time &log;
+ modified : time &log;
+ ## Same as `modified` but in SMB's original `FILETIME` integer format.
+ modified_raw: count;
 ## The time when the file was last accessed.
- accessed : time &log;
+ accessed : time &log;
+ ## Same as `accessed` but in SMB's original `FILETIME` integer format.
+ accessed_raw: count;
 ## The time the file was created.
- created : time &log;
+ created : time &log;
+ ## Same as `created` but in SMB's original `FILETIME` integer format.
+ created_raw : count;
 ## The time when the file was last modified.
- changed : time &log;
- } &log;
+ changed : time &log;
+ ## Same as `changed` but in SMB's original `FILETIME` integer format.
+ changed_raw : count;
+ };
 
 ## A set of file names used as named pipes over SMB. This
 ## only comes into play as a heuristic to identify named
diff --git a/scripts/base/protocols/smb/files.zeek b/scripts/base/protocols/smb/files.zeek
index ac719d728f..e3b387b771 100644
--- a/scripts/base/protocols/smb/files.zeek
+++ b/scripts/base/protocols/smb/files.zeek
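Review bot: The record-level `&log` on SMB::MACTimes is dropped (`} &log;` becomes `};`) while the four new `_raw` fields carry no `&log` of their own, so they should not show up in logs that embed this record even though the existing `time` fields still do; the unchanged `time time time time` column types in the smb_files.log baseline agree with that. If the omission is deliberate, say so at the declaration, because a reader diffing the old and new lines will otherwise read the lost attribute as an accident — something like `## Raw FILETIME values are intentionally not logged; they exist so file handles stay stable across architectures.` on the first `_raw` field. The new fields are also non-optional, which is fine for SMB_BuildMACTimes since it sets all eight, but any script-side constructor of SMB::MACTimes would now have to supply the raw values as well.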
@@ -24,8 +24,9 @@ function get_file_handle(c: connection, is_orig: bool): string
 local path_name = current_file?$path ? current_file$path : "";
 local file_name = current_file?$name ? current_file$name : "";
 # Include last_mod time if available because if a file has been modified it
- # should be considered a new file.
- local last_mod = cat(current_file?$times ? current_file$times$modified : double_to_time(0.0));
+ # should be considered a new file. We use the raw version here to avoid
+ # getting differences when double precision varies by architecture.
+ local last_mod = cat(current_file?$times ? current_file$times$modified_raw : 0);
 # TODO: This is doing hexdump to avoid problems due to file analysis handling
 # using CheckString which is not immune to encapsulated null bytes.
 # This needs to be fixed lower in the file analysis code later.
diff --git a/src/Options.cc b/src/Options.cc
index abc53cd24c..d28c67b06e 100644
--- a/src/Options.cc
+++ b/src/Options.cc
@@ -122,11 +122,6 @@ void usage(const char* prog, int code)
 #endif
 fprintf(stderr, " --pseudo-realtime[=] | enable pseudo-realtime for performance evaluation (default 1)\n");
 fprintf(stderr, " -j|--jobs | enable supervisor mode\n");
-
-#ifdef USE_IDMEF
- fprintf(stderr, " -n|--idmef-dtd | specify path to IDMEF DTD file\n");
-#endif
-
 fprintf(stderr, " --test | run unit tests ('--test -h' for help, only when compiling with ENABLE_ZEEK_UNIT_TESTS)\n");
 fprintf(stderr, " $ZEEKPATH | file search path (%s)\n", util::zeek_path().c_str());
 fprintf(stderr, " $ZEEK_PLUGIN_PATH | plugin search path (%s)\n", util::zeek_plugin_path());
@@ -337,9 +332,7 @@ Options parse_cmdline(int argc, char** argv)
 #ifdef DEBUG
 {"debug", required_argument, nullptr, 'B'},
 #endif
-#ifdef USE_IDMEF
- {"idmef-dtd", required_argument, nullptr, 'n'},
-#endif
+
 #ifdef USE_PERFTOOLS_DEBUG
 {"mem-leaks", no_argument, nullptr, 'm'},
 {"mem-profile", no_argument, nullptr, 'M'},
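Review bot: The `0` fallback for a missing `times` record now renders the same as a genuine FILETIME of zero (the updated .stdout baselines show `modified_raw=0` for entries without a timestamp), whereas the old code produced distinct strings for `double_to_time(0.0)` and a converted zero FILETIME, so two cases that used to yield different file handles now collapse into one. If that distinction matters for file tracking, keep a non-numeric sentinel by moving the conversion inside the conditional: `local last_mod = current_file?$times ? cat(current_file$times$modified_raw) : "-";`. Either way the new comment could note that `modified_raw` is the server-supplied integer and is used only as an opaque discriminator, not as a time. get_file_handle begins before the hunk.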
@@ -517,12 +510,6 @@ Options parse_cmdline(int argc, char** argv)
 break;
 #endif
 
-#ifdef USE_IDMEF
- case 'n':
- rval.libidmef_dtd_path = optarg;
- break;
-#endif
-
 case '#':
 fprintf(stderr, "ERROR: --test only allowed as first argument.\n");
 usage(zargs[0], 1);
diff --git a/src/Options.h b/src/Options.h
index a43827ff45..204c65839c 100644
--- a/src/Options.h
+++ b/src/Options.h
@@ -70,7 +70,6 @@ struct Options { std::optional random_seed_output_file; std::optional process_status_file; std::optional zeekygen_config_file; - std::string libidmef_dtd_file = "idmef-message.dtd"; std::set plugins_to_load; std::vector scripts_to_load;
diff --git a/src/Val.h b/src/Val.h
index df1a25569e..9205eee98b 100644
--- a/src/Val.h
+++ b/src/Val.h
@@ -1183,22 +1183,6 @@ public:
 Assign(idx, std::forward(val));
 }
 
- /**
- * Appends a value to the record's fields. The caller is responsible
- * for ensuring that fields are appended in the correct order and
- * with the correct type. The type needs to be passed in because
- * it's unsafe to take it from v when the field's type is "any" while
- * v is a concrete type.
- * @param v The value to append.
- */
- void AppendField(ValPtr v, const TypePtr& t)
- {
- if ( v )
- record_val->emplace_back(ZVal(v, t));
- else
- record_val->emplace_back(std::nullopt);
- }
-
 /**
 * Returns the number of fields in the record.
 * @return The number of fields in the record.
@@ -1423,6 +1407,23 @@ public:
 protected:
 friend class zeek::detail::ZBody;
 
+ /**
+ * Appends a value to the record's fields. The caller is responsible
+ * for ensuring that fields are appended in the correct order and
+ * with the correct type. The type needs to be passed in because
+ * it's unsafe to take it from v when the field's type is "any" while
+ * v is a concrete type.
+ * @param v The value to append.
+ * @param t The type associated with the field.
+ */
+ void AppendField(ValPtr v, const TypePtr& t)
+ {
+ if ( v )
+ record_val->emplace_back(ZVal(v, t));
+ else
+ record_val->emplace_back(std::nullopt);
+ }
+
 // For use by low-level ZAM instructions. Caller assumes
 // responsibility for memory management. The first version
 // allows manipulation of whether the field is present at all.
diff --git a/src/analyzer/protocol/smb/smb-time.pac b/src/analyzer/protocol/smb/smb-time.pac
index 51a5e6c9a9..45b48d9720 100644
--- a/src/analyzer/protocol/smb/smb-time.pac
+++ b/src/analyzer/protocol/smb/smb-time.pac
@@ -32,9 +32,13 @@ zeek::RecordValPtr SMB_BuildMACTimes(uint64_t modify, uint64_t access,
 {
 auto r = zeek::make_intrusive(zeek::BifType::Record::SMB::MACTimes);
 r->Assign(0, filetime2zeektime(modify));
- r->Assign(1, filetime2zeektime(access));
- r->Assign(2, filetime2zeektime(create));
- r->Assign(3, filetime2zeektime(change));
+ r->Assign(1, modify);
+ r->Assign(2, filetime2zeektime(access));
+ r->Assign(3, access);
+ r->Assign(4, filetime2zeektime(create));
+ r->Assign(5, create);
+ r->Assign(6, filetime2zeektime(change));
+ r->Assign(7, change);
 return r;
 }
 %}
diff --git a/src/zeek-setup.cc b/src/zeek-setup.cc
index 3a66f2a350..200f12baa6 100644
--- a/src/zeek-setup.cc
+++ b/src/zeek-setup.cc
@@ -12,12 +12,6 @@ #include #include -#ifdef USE_IDMEF extern "C" { -#include } -#endif - #include #include
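Review bot: AppendField, now under `protected:`, still pushes onto `record_val` without checking that the record type has room for another field or that `t` agrees with the declared field type, so a mis-ordered call from ZAM code corrupts the record silently instead of failing; narrowing the callers does not add that check. With only this class and the `zeek::detail::ZBody` friend able to call it, a debug-only assertion comparing `record_val->size()` with the type's field count before the `emplace_back` would catch ordering mistakes at negligible cost, and the comment could then state that guarantee rather than only delegating responsibility to the caller. `v` is taken by value and then copied into `ZVal(v, t)`; if ZVal accepts a `ValPtr` by value, `ZVal(std::move(v), t)` avoids one refcount round-trip. The enclosing class continues beyond the hunk.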
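Review bot: The eight `Assign` indices now encode the `time`/`_raw` interleaving of SMB::MACTimes from init-bare.zeek as bare literals, so a later insertion or reordering on the script side would shift raw counts into the `time` slots with no compile-time signal. Either resolve the offsets by name once, e.g. `static const int modified_raw_off = zeek::BifType::Record::SMB::MACTimes->FieldOffset("modified_raw");`, or at least add `// Field order must match SMB::MACTimes in scripts/base/init-bare.zeek: (time, raw) pairs.` above the first Assign. The raw values are stored exactly as passed in, presumably straight from the parsed SMB header, which is what the handle fix needs, but it also means consumers of the `_raw` fields get unvalidated integers rather than sanity-checked timestamps. The signature of SMB_BuildMACTimes lies outside the hunk.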
@@ -529,14 +523,6 @@ SetupResult setup(int argc, char** argv, Options* zopts)
 if ( r != SQLITE_OK )
 reporter->Error("Failed to initialize sqlite3: %s", sqlite3_errstr(r));
 
-#ifdef USE_IDMEF
- char* libidmef_dtd_path_cstr = new char[options.libidmef_dtd_file.size() + 1];
- safe_strncpy(libidmef_dtd_path_cstr, options.libidmef_dtd_file.data(),
- options.libidmef_dtd_file.size());
- globalsInit(libidmef_dtd_path_cstr); // Init LIBIDMEF globals
- createCurrentDoc("1.0"); // Set a global XML document
-#endif
-
 timer_mgr = new PQ_TimerMgr();
 
 auto zeekygen_cfg = options.zeekygen_config_file.value_or("");
diff --git a/testing/btest/Baseline/plugins.hooks/output b/testing/btest/Baseline/plugins.hooks/output
index cd29d13982..93e3158764 100644
--- a/testing/btest/Baseline/plugins.hooks/output
+++ b/testing/btest/Baseline/plugins.hooks/output
@@ -200,7 +200,7 @@ 0.000000 MetaHookPost CallFunction(Files::register_protocol, , (Analyzer::ANALYZER_IRC_DATA, [get_file_handle=IRC::get_file_handle{ return (cat(Analyzer::ANALYZER_IRC_DATA, IRC::c$start_time, IRC::c$id, IRC::is_orig))}, describe=lambda_<15770440363500096069>{ return ()}])) -> 0.000000 MetaHookPost CallFunction(Files::register_protocol, , (Analyzer::ANALYZER_KRB, [get_file_handle=KRB::get_file_handle{ return ()}, describe=KRB::describe_file{ KRB::cid, KRB::c{ if (KRB::f$source != KRB_TCP && KRB::f$source != KRB) return ()if (!KRB::f?$info || !KRB::f$info?$x509 || !KRB::f$info$x509?$certificate) return ()for ([KRB::cid] in KRB::f$conns) { if (KRB::c?$krb) { return (cat(KRB::c$id$resp_h, :, KRB::c$id$resp_p))}}return (cat(Serial: , KRB::f$info$x509$certificate$serial, Subject: , KRB::f$info$x509$certificate$subject, Issuer: , KRB::f$info$x509$certificate$issuer))}}])) -> 0.000000 MetaHookPost CallFunction(Files::register_protocol, , (Analyzer::ANALYZER_KRB_TCP, [get_file_handle=KRB::get_file_handle{ return ()}, describe=KRB::describe_file{ KRB::cid, KRB::c{ if (KRB::f$source != KRB_TCP && KRB::f$source != KRB) return ()if (!KRB::f?$info || !KRB::f$info?$x509 || !KRB::f$info$x509?$certificate) return ()for ([KRB::cid] in KRB::f$conns) { if (KRB::c?$krb) { return (cat(KRB::c$id$resp_h, :, KRB::c$id$resp_p))}}return (cat(Serial: , KRB::f$info$x509$certificate$serial, Subject: , KRB::f$info$x509$certificate$subject, Issuer: , KRB::f$info$x509$certificate$issuer))}}])) -> -0.000000 MetaHookPost CallFunction(Files::register_protocol, , (Analyzer::ANALYZER_SMB, [get_file_handle=SMB::get_file_handle{ if (!(SMB::c$smb_state?$current_file && (SMB::c$smb_state$current_file?$name || SMB::c$smb_state$current_file?$path))) { return ()}SMB::current_file = SMB::c$smb_state$current_fileSMB::path_name = SMB::current_file?$path ? SMB::current_file$path : SMB::file_name = SMB::current_file?$name ? SMB::current_file$name : SMB::last_mod = cat(SMB::current_file?$times ? 
SMB::current_file$times$modified : double_to_time(0.0))return (hexdump(cat(Analyzer::ANALYZER_SMB, SMB::c$id$orig_h, SMB::c$id$resp_h, SMB::path_name, SMB::file_name, SMB::last_mod)))}, describe=SMB::describe_file{ SMB::cid, SMB::c{ if (SMB::f$source != SMB) return ()for ([SMB::cid] in SMB::f$conns) { if (SMB::c?$smb_state && SMB::c$smb_state?$current_file && SMB::c$smb_state$current_file?$name) return (SMB::c$smb_state$current_file$name)}return ()}}])) -> +0.000000 MetaHookPost CallFunction(Files::register_protocol, , (Analyzer::ANALYZER_SMB, [get_file_handle=SMB::get_file_handle{ if (!(SMB::c$smb_state?$current_file && (SMB::c$smb_state$current_file?$name || SMB::c$smb_state$current_file?$path))) { return ()}SMB::current_file = SMB::c$smb_state$current_fileSMB::path_name = SMB::current_file?$path ? SMB::current_file$path : SMB::file_name = SMB::current_file?$name ? SMB::current_file$name : SMB::last_mod = cat(SMB::current_file?$times ? SMB::current_file$times$modified_raw : 0)return (hexdump(cat(Analyzer::ANALYZER_SMB, SMB::c$id$orig_h, SMB::c$id$resp_h, SMB::path_name, SMB::file_name, SMB::last_mod)))}, describe=SMB::describe_file{ SMB::cid, SMB::c{ if (SMB::f$source != SMB) return ()for ([SMB::cid] in SMB::f$conns) { if (SMB::c?$smb_state && SMB::c$smb_state?$current_file && SMB::c$smb_state$current_file?$name) return (SMB::c$smb_state$current_file$name)}return ()}}])) -> 0.000000 MetaHookPost CallFunction(Files::register_protocol, , (Analyzer::ANALYZER_SMTP, [get_file_handle=SMTP::get_file_handle{ return (cat(Analyzer::ANALYZER_SMTP, SMTP::c$start_time, SMTP::c$smtp$trans_depth, SMTP::c$smtp_state$mime_depth))}, describe=SMTP::describe_file{ SMTP::cid, SMTP::c{ if (SMTP::f$source != SMTP) return ()for ([SMTP::cid] in SMTP::f$conns) { return (SMTP::describe(SMTP::c$smtp))}return ()}}])) -> 0.000000 MetaHookPost CallFunction(Files::register_protocol, , (Analyzer::ANALYZER_SSL, [get_file_handle=SSL::get_file_handle{ return ()}, describe=SSL::describe_file{ 
SSL::cid, SSL::c{ if (SSL::f$source != SSL || !SSL::f?$info || !SSL::f$info?$x509 || !SSL::f$info$x509?$certificate) return ()for ([SSL::cid] in SSL::f$conns) { if (SSL::c?$ssl) { return (cat(SSL::c$id$resp_h, :, SSL::c$id$resp_p))}}return (cat(Serial: , SSL::f$info$x509$certificate$serial, Subject: , SSL::f$info$x509$certificate$subject, Issuer: , SSL::f$info$x509$certificate$issuer))}}])) -> 0.000000 MetaHookPost CallFunction(FilteredTraceDetection::should_detect, , ()) -> 
@@ -1247,7 +1247,7 @@ 0.000000 MetaHookPre CallFunction(Files::register_protocol, , (Analyzer::ANALYZER_IRC_DATA, [get_file_handle=IRC::get_file_handle{ return (cat(Analyzer::ANALYZER_IRC_DATA, IRC::c$start_time, IRC::c$id, IRC::is_orig))}, describe=lambda_<15770440363500096069>{ return ()}])) 0.000000 MetaHookPre CallFunction(Files::register_protocol, , (Analyzer::ANALYZER_KRB, [get_file_handle=KRB::get_file_handle{ return ()}, describe=KRB::describe_file{ KRB::cid, KRB::c{ if (KRB::f$source != KRB_TCP && KRB::f$source != KRB) return ()if (!KRB::f?$info || !KRB::f$info?$x509 || !KRB::f$info$x509?$certificate) return ()for ([KRB::cid] in KRB::f$conns) { if (KRB::c?$krb) { return (cat(KRB::c$id$resp_h, :, KRB::c$id$resp_p))}}return (cat(Serial: , KRB::f$info$x509$certificate$serial, Subject: , KRB::f$info$x509$certificate$subject, Issuer: , KRB::f$info$x509$certificate$issuer))}}])) 0.000000 MetaHookPre CallFunction(Files::register_protocol, , (Analyzer::ANALYZER_KRB_TCP, [get_file_handle=KRB::get_file_handle{ return ()}, describe=KRB::describe_file{ KRB::cid, KRB::c{ if (KRB::f$source != KRB_TCP && KRB::f$source != KRB) return ()if (!KRB::f?$info || !KRB::f$info?$x509 || !KRB::f$info$x509?$certificate) return ()for ([KRB::cid] in KRB::f$conns) { if (KRB::c?$krb) { return (cat(KRB::c$id$resp_h, :, KRB::c$id$resp_p))}}return (cat(Serial: , KRB::f$info$x509$certificate$serial, Subject: , KRB::f$info$x509$certificate$subject, Issuer: , KRB::f$info$x509$certificate$issuer))}}])) -0.000000 MetaHookPre CallFunction(Files::register_protocol, , (Analyzer::ANALYZER_SMB, [get_file_handle=SMB::get_file_handle{ if (!(SMB::c$smb_state?$current_file && (SMB::c$smb_state$current_file?$name || SMB::c$smb_state$current_file?$path))) { return ()}SMB::current_file = SMB::c$smb_state$current_fileSMB::path_name = SMB::current_file?$path ? SMB::current_file$path : SMB::file_name = SMB::current_file?$name ? SMB::current_file$name : SMB::last_mod = cat(SMB::current_file?$times ? 
SMB::current_file$times$modified : double_to_time(0.0))return (hexdump(cat(Analyzer::ANALYZER_SMB, SMB::c$id$orig_h, SMB::c$id$resp_h, SMB::path_name, SMB::file_name, SMB::last_mod)))}, describe=SMB::describe_file{ SMB::cid, SMB::c{ if (SMB::f$source != SMB) return ()for ([SMB::cid] in SMB::f$conns) { if (SMB::c?$smb_state && SMB::c$smb_state?$current_file && SMB::c$smb_state$current_file?$name) return (SMB::c$smb_state$current_file$name)}return ()}}])) +0.000000 MetaHookPre CallFunction(Files::register_protocol, , (Analyzer::ANALYZER_SMB, [get_file_handle=SMB::get_file_handle{ if (!(SMB::c$smb_state?$current_file && (SMB::c$smb_state$current_file?$name || SMB::c$smb_state$current_file?$path))) { return ()}SMB::current_file = SMB::c$smb_state$current_fileSMB::path_name = SMB::current_file?$path ? SMB::current_file$path : SMB::file_name = SMB::current_file?$name ? SMB::current_file$name : SMB::last_mod = cat(SMB::current_file?$times ? SMB::current_file$times$modified_raw : 0)return (hexdump(cat(Analyzer::ANALYZER_SMB, SMB::c$id$orig_h, SMB::c$id$resp_h, SMB::path_name, SMB::file_name, SMB::last_mod)))}, describe=SMB::describe_file{ SMB::cid, SMB::c{ if (SMB::f$source != SMB) return ()for ([SMB::cid] in SMB::f$conns) { if (SMB::c?$smb_state && SMB::c$smb_state?$current_file && SMB::c$smb_state$current_file?$name) return (SMB::c$smb_state$current_file$name)}return ()}}])) 0.000000 MetaHookPre CallFunction(Files::register_protocol, , (Analyzer::ANALYZER_SMTP, [get_file_handle=SMTP::get_file_handle{ return (cat(Analyzer::ANALYZER_SMTP, SMTP::c$start_time, SMTP::c$smtp$trans_depth, SMTP::c$smtp_state$mime_depth))}, describe=SMTP::describe_file{ SMTP::cid, SMTP::c{ if (SMTP::f$source != SMTP) return ()for ([SMTP::cid] in SMTP::f$conns) { return (SMTP::describe(SMTP::c$smtp))}return ()}}])) 0.000000 MetaHookPre CallFunction(Files::register_protocol, , (Analyzer::ANALYZER_SSL, [get_file_handle=SSL::get_file_handle{ return ()}, describe=SSL::describe_file{ SSL::cid, SSL::c{ 
if (SSL::f$source != SSL || !SSL::f?$info || !SSL::f$info?$x509 || !SSL::f$info$x509?$certificate) return ()for ([SSL::cid] in SSL::f$conns) { if (SSL::c?$ssl) { return (cat(SSL::c$id$resp_h, :, SSL::c$id$resp_p))}}return (cat(Serial: , SSL::f$info$x509$certificate$serial, Subject: , SSL::f$info$x509$certificate$subject, Issuer: , SSL::f$info$x509$certificate$issuer))}}])) 0.000000 MetaHookPre CallFunction(FilteredTraceDetection::should_detect, , ()) 
@@ -2293,7 +2293,7 @@ 0.000000 | HookCallFunction Files::register_protocol(Analyzer::ANALYZER_IRC_DATA, [get_file_handle=IRC::get_file_handle{ return (cat(Analyzer::ANALYZER_IRC_DATA, IRC::c$start_time, IRC::c$id, IRC::is_orig))}, describe=lambda_<15770440363500096069>{ return ()}]) 0.000000 | HookCallFunction Files::register_protocol(Analyzer::ANALYZER_KRB, [get_file_handle=KRB::get_file_handle{ return ()}, describe=KRB::describe_file{ KRB::cid, KRB::c{ if (KRB::f$source != KRB_TCP && KRB::f$source != KRB) return ()if (!KRB::f?$info || !KRB::f$info?$x509 || !KRB::f$info$x509?$certificate) return ()for ([KRB::cid] in KRB::f$conns) { if (KRB::c?$krb) { return (cat(KRB::c$id$resp_h, :, KRB::c$id$resp_p))}}return (cat(Serial: , KRB::f$info$x509$certificate$serial, Subject: , KRB::f$info$x509$certificate$subject, Issuer: , KRB::f$info$x509$certificate$issuer))}}]) 0.000000 | HookCallFunction Files::register_protocol(Analyzer::ANALYZER_KRB_TCP, [get_file_handle=KRB::get_file_handle{ return ()}, describe=KRB::describe_file{ KRB::cid, KRB::c{ if (KRB::f$source != KRB_TCP && KRB::f$source != KRB) return ()if (!KRB::f?$info || !KRB::f$info?$x509 || !KRB::f$info$x509?$certificate) return ()for ([KRB::cid] in KRB::f$conns) { if (KRB::c?$krb) { return (cat(KRB::c$id$resp_h, :, KRB::c$id$resp_p))}}return (cat(Serial: , KRB::f$info$x509$certificate$serial, Subject: , KRB::f$info$x509$certificate$subject, Issuer: , KRB::f$info$x509$certificate$issuer))}}]) -0.000000 | HookCallFunction Files::register_protocol(Analyzer::ANALYZER_SMB, [get_file_handle=SMB::get_file_handle{ if (!(SMB::c$smb_state?$current_file && (SMB::c$smb_state$current_file?$name || SMB::c$smb_state$current_file?$path))) { return ()}SMB::current_file = SMB::c$smb_state$current_fileSMB::path_name = SMB::current_file?$path ? SMB::current_file$path : SMB::file_name = SMB::current_file?$name ? SMB::current_file$name : SMB::last_mod = cat(SMB::current_file?$times ? 
SMB::current_file$times$modified : double_to_time(0.0))return (hexdump(cat(Analyzer::ANALYZER_SMB, SMB::c$id$orig_h, SMB::c$id$resp_h, SMB::path_name, SMB::file_name, SMB::last_mod)))}, describe=SMB::describe_file{ SMB::cid, SMB::c{ if (SMB::f$source != SMB) return ()for ([SMB::cid] in SMB::f$conns) { if (SMB::c?$smb_state && SMB::c$smb_state?$current_file && SMB::c$smb_state$current_file?$name) return (SMB::c$smb_state$current_file$name)}return ()}}]) +0.000000 | HookCallFunction Files::register_protocol(Analyzer::ANALYZER_SMB, [get_file_handle=SMB::get_file_handle{ if (!(SMB::c$smb_state?$current_file && (SMB::c$smb_state$current_file?$name || SMB::c$smb_state$current_file?$path))) { return ()}SMB::current_file = SMB::c$smb_state$current_fileSMB::path_name = SMB::current_file?$path ? SMB::current_file$path : SMB::file_name = SMB::current_file?$name ? SMB::current_file$name : SMB::last_mod = cat(SMB::current_file?$times ? SMB::current_file$times$modified_raw : 0)return (hexdump(cat(Analyzer::ANALYZER_SMB, SMB::c$id$orig_h, SMB::c$id$resp_h, SMB::path_name, SMB::file_name, SMB::last_mod)))}, describe=SMB::describe_file{ SMB::cid, SMB::c{ if (SMB::f$source != SMB) return ()for ([SMB::cid] in SMB::f$conns) { if (SMB::c?$smb_state && SMB::c$smb_state?$current_file && SMB::c$smb_state$current_file?$name) return (SMB::c$smb_state$current_file$name)}return ()}}]) 0.000000 | HookCallFunction Files::register_protocol(Analyzer::ANALYZER_SMTP, [get_file_handle=SMTP::get_file_handle{ return (cat(Analyzer::ANALYZER_SMTP, SMTP::c$start_time, SMTP::c$smtp$trans_depth, SMTP::c$smtp_state$mime_depth))}, describe=SMTP::describe_file{ SMTP::cid, SMTP::c{ if (SMTP::f$source != SMTP) return ()for ([SMTP::cid] in SMTP::f$conns) { return (SMTP::describe(SMTP::c$smtp))}return ()}}]) 0.000000 | HookCallFunction Files::register_protocol(Analyzer::ANALYZER_SSL, [get_file_handle=SSL::get_file_handle{ return ()}, describe=SSL::describe_file{ SSL::cid, SSL::c{ if (SSL::f$source != SSL || 
!SSL::f?$info || !SSL::f$info?$x509 || !SSL::f$info$x509?$certificate) return ()for ([SSL::cid] in SSL::f$conns) { if (SSL::c?$ssl) { return (cat(SSL::c$id$resp_h, :, SSL::c$id$resp_p))}}return (cat(Serial: , SSL::f$info$x509$certificate$serial, Subject: , SSL::f$info$x509$certificate$subject, Issuer: , SSL::f$info$x509$certificate$issuer))}}]) 0.000000 | HookCallFunction FilteredTraceDetection::should_detect() diff --git a/testing/btest/Baseline/scripts.base.protocols.smb.smb2-read-write/files.log b/testing/btest/Baseline/scripts.base.protocols.smb.smb2-read-write/files.log index 86a8c17d03..c1ff8bfdbb 100644 --- a/testing/btest/Baseline/scripts.base.protocols.smb.smb2-read-write/files.log +++ b/testing/btest/Baseline/scripts.base.protocols.smb.smb2-read-write/files.log @@ -7,6 +7,6 @@ #open XXXX-XX-XX-XX-XX-XX #fields ts fuid tx_hosts rx_hosts conn_uids source depth analyzers mime_type filename duration local_orig is_orig seen_bytes total_bytes missing_bytes overflow_bytes timedout parent_fuid md5 sha1 sha256 extracted extracted_cutoff extracted_size #types time string set[addr] set[addr] set[string] string count set[string] string string interval bool bool count count count count bool string string string string string bool count -XXXXXXXXXX.XXXXXX FvOchP1DvxPt75ql7b 169.254.128.15 169.254.128.18 CHhAvVGS1DHFjwGM9 SMB 0 (empty) text/plain pythonfile 0.000000 - F 16 16 0 0 F - - - - - - - -XXXXXXXXXX.XXXXXX FRCqNs3XdP1aPvzhvf 169.254.128.18 169.254.128.15 CHhAvVGS1DHFjwGM9 SMB 0 (empty) text/plain pythonfile2 0.000000 - T 7000 - 0 0 F - - - - - - - +XXXXXXXXXX.XXXXXX FVTHwlRSH2WI8fFw2 169.254.128.15 169.254.128.18 CHhAvVGS1DHFjwGM9 SMB 0 (empty) text/plain pythonfile 0.000000 - F 16 16 0 0 F - - - - - - - +XXXXXXXXXX.XXXXXX FAI5Dc4cLr5RAw3j0e 169.254.128.18 169.254.128.15 CHhAvVGS1DHFjwGM9 SMB 0 (empty) text/plain pythonfile2 0.000000 - T 7000 - 0 0 F - - - - - - - #close XXXX-XX-XX-XX-XX-XX 
diff --git a/testing/btest/Baseline/scripts.base.protocols.smb.smb2-read-write/smb_files.log b/testing/btest/Baseline/scripts.base.protocols.smb.smb2-read-write/smb_files.log index 6ab1899891..c1b80a0c12 100644 --- a/testing/btest/Baseline/scripts.base.protocols.smb.smb2-read-write/smb_files.log +++ b/testing/btest/Baseline/scripts.base.protocols.smb.smb2-read-write/smb_files.log 
@@ -9,9 +9,9 @@ #types time string addr port addr port string enum string string count string time time time time XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 169.254.128.18 49155 169.254.128.15 445 - SMB::FILE_OPEN - pythonfile 16 - XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 169.254.128.18 49155 169.254.128.15 445 - SMB::FILE_READ - pythonfile 16 - XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX -XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 169.254.128.18 49155 169.254.128.15 445 FvOchP1DvxPt75ql7b SMB::FILE_READ - pythonfile 16 - XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 169.254.128.18 49155 169.254.128.15 445 FVTHwlRSH2WI8fFw2 SMB::FILE_READ - pythonfile 16 - XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 169.254.128.18 49155 169.254.128.15 445 - SMB::FILE_OPEN - pythonfile2 0 - XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 169.254.128.18 49155 169.254.128.15 445 - SMB::FILE_WRITE - pythonfile2 0 - XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX -XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 169.254.128.18 49155 169.254.128.15 445 FRCqNs3XdP1aPvzhvf SMB::FILE_WRITE - pythonfile2 0 - XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 169.254.128.18 49155 169.254.128.15 445 FAI5Dc4cLr5RAw3j0e SMB::FILE_WRITE - pythonfile2 0 - XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 169.254.128.18 49155 169.254.128.15 445 - SMB::FILE_OPEN - 0 - XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX #close XXXX-XX-XX-XX-XX-XX 
diff --git a/testing/btest/Baseline/scripts.base.protocols.smb.smb2/.stdout b/testing/btest/Baseline/scripts.base.protocols.smb.smb2/.stdout index c2ac54b0f5..53024bdccd 100644 --- a/testing/btest/Baseline/scripts.base.protocols.smb.smb2/.stdout +++ b/testing/btest/Baseline/scripts.base.protocols.smb.smb2/.stdout 
@@ -1,13 +1,13 @@ ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. smb2_create_request 10.0.0.11 -> 10.0.0.12:445 [filename=, disposition=1, create_options=32] -smb2_create_response 10.0.0.11 -> 10.0.0.12:445 [file_id=[persistent=69, volatile=18446744069414584321], size=8192, times=[modified=XXXXXXXXXX.XXXXXX, accessed=XXXXXXXXXX.XXXXXX, created=XXXXXXXXXX.XXXXXX, changed=XXXXXXXXXX.XXXXXX], attrs=[read_only=F, hidden=F, system=F, directory=T, archive=F, normal=F, temporary=F, sparse_file=F, reparse_point=F, compressed=F, offline=F, not_content_indexed=F, encrypted=F, integrity_stream=F, no_scrub_data=F], create_action=1] +smb2_create_response 10.0.0.11 -> 10.0.0.12:445 [file_id=[persistent=69, volatile=18446744069414584321], size=8192, times=[modified=XXXXXXXXXX.XXXXXX, modified_raw=129676762045120585, accessed=XXXXXXXXXX.XXXXXX, accessed_raw=129676762045120585, created=XXXXXXXXXX.XXXXXX, created_raw=129668175639452974, changed=XXXXXXXXXX.XXXXXX, changed_raw=129676762045120585], attrs=[read_only=F, hidden=F, system=F, directory=T, archive=F, normal=F, temporary=F, sparse_file=F, reparse_point=F, compressed=F, offline=F, not_content_indexed=F, encrypted=F, integrity_stream=F, no_scrub_data=F], create_action=1] smb2_create_request 10.0.0.11 -> 10.0.0.12:445 [filename=srvsvc, disposition=1, create_options=4194368] -smb2_create_response 10.0.0.11 -> 10.0.0.12:445 [file_id=[persistent=73, volatile=18446744069414584325], size=0, times=[modified=-1.16444736e+10, accessed=-1.16444736e+10, created=-1.16444736e+10, changed=-1.16444736e+10], attrs=[read_only=F, hidden=F, system=F, directory=F, archive=F, normal=T, temporary=F, sparse_file=F, reparse_point=F, compressed=F, offline=F, not_content_indexed=F, encrypted=F, integrity_stream=F, no_scrub_data=F], create_action=1] +smb2_create_response 10.0.0.11 -> 10.0.0.12:445 [file_id=[persistent=73, volatile=18446744069414584325], size=0, 
times=[modified=-1.16444736e+10, modified_raw=0, accessed=-1.16444736e+10, accessed_raw=0, created=-1.16444736e+10, created_raw=0, changed=-1.16444736e+10, changed_raw=0], attrs=[read_only=F, hidden=F, system=F, directory=F, archive=F, normal=T, temporary=F, sparse_file=F, reparse_point=F, compressed=F, offline=F, not_content_indexed=F, encrypted=F, integrity_stream=F, no_scrub_data=F], create_action=1] smb2_create_request 10.0.0.11 -> 10.0.0.12:445 [filename=, disposition=2, create_options=2097185] smb2_create_request 10.0.0.11 -> 10.0.0.12:445 [filename=WP_SMBPlugin.pdf, disposition=2, create_options=68] -smb2_create_response 10.0.0.11 -> 10.0.0.12:445 [file_id=[persistent=77, volatile=18446744069414584329], size=0, times=[modified=XXXXXXXXXX.XXXXXX, accessed=XXXXXXXXXX.XXXXXX, created=XXXXXXXXXX.XXXXXX, changed=XXXXXXXXXX.XXXXXX], attrs=[read_only=F, hidden=F, system=F, directory=F, archive=T, normal=F, temporary=F, sparse_file=F, reparse_point=F, compressed=F, offline=F, not_content_indexed=F, encrypted=F, integrity_stream=F, no_scrub_data=F], create_action=2] -smb2_file_sattr 10.0.0.11 -> 10.0.0.12:445 [persistent=77, volatile=18446744069414584329] MACTimes:[modified=XXXXXXXXXX.XXXXXX, accessed=-1.16444736e+10, created=-1.16444736e+10, changed=-1.16444736e+10] FileAttrs:[read_only=F, hidden=F, system=F, directory=F, archive=F, normal=F, temporary=F, sparse_file=F, reparse_point=F, compressed=F, offline=F, not_content_indexed=F, encrypted=F, integrity_stream=F, no_scrub_data=F] +smb2_create_response 10.0.0.11 -> 10.0.0.12:445 [file_id=[persistent=77, volatile=18446744069414584329], size=0, times=[modified=XXXXXXXXXX.XXXXXX, modified_raw=129676762954270355, accessed=XXXXXXXXXX.XXXXXX, accessed_raw=129676762954270355, created=XXXXXXXXXX.XXXXXX, created_raw=129676762954270355, changed=XXXXXXXXXX.XXXXXX, changed_raw=129676762954270355], attrs=[read_only=F, hidden=F, system=F, directory=F, archive=T, normal=F, temporary=F, sparse_file=F, reparse_point=F, 
compressed=F, offline=F, not_content_indexed=F, encrypted=F, integrity_stream=F, no_scrub_data=F], create_action=2] +smb2_file_sattr 10.0.0.11 -> 10.0.0.12:445 [persistent=77, volatile=18446744069414584329] MACTimes:[modified=XXXXXXXXXX.XXXXXX, modified_raw=129635214083125000, accessed=-1.16444736e+10, accessed_raw=0, created=-1.16444736e+10, created_raw=0, changed=-1.16444736e+10, changed_raw=0] FileAttrs:[read_only=F, hidden=F, system=F, directory=F, archive=F, normal=F, temporary=F, sparse_file=F, reparse_point=F, compressed=F, offline=F, not_content_indexed=F, encrypted=F, integrity_stream=F, no_scrub_data=F] smb2_create_request 10.0.0.11 -> 10.0.0.12:445 [filename=, disposition=1, create_options=32] -smb2_create_response 10.0.0.11 -> 10.0.0.12:445 [file_id=[persistent=81, volatile=18446744069414584333], size=8192, times=[modified=XXXXXXXXXX.XXXXXX, accessed=XXXXXXXXXX.XXXXXX, created=XXXXXXXXXX.XXXXXX, changed=XXXXXXXXXX.XXXXXX], attrs=[read_only=F, hidden=F, system=F, directory=T, archive=F, normal=F, temporary=F, sparse_file=F, reparse_point=F, compressed=F, offline=F, not_content_indexed=F, encrypted=F, integrity_stream=F, no_scrub_data=F], create_action=1] +smb2_create_response 10.0.0.11 -> 10.0.0.12:445 [file_id=[persistent=81, volatile=18446744069414584333], size=8192, times=[modified=XXXXXXXXXX.XXXXXX, modified_raw=129676762954270355, accessed=XXXXXXXXXX.XXXXXX, accessed_raw=129676762954270355, created=XXXXXXXXXX.XXXXXX, created_raw=129668175639452974, changed=XXXXXXXXXX.XXXXXX, changed_raw=129676762954270355], attrs=[read_only=F, hidden=F, system=F, directory=T, archive=F, normal=F, temporary=F, sparse_file=F, reparse_point=F, compressed=F, offline=F, not_content_indexed=F, encrypted=F, integrity_stream=F, no_scrub_data=F], create_action=1] smb2_create_request 10.0.0.11 -> 10.0.0.12:445 [filename=, disposition=1, create_options=32] -smb2_create_response 10.0.0.11 -> 10.0.0.12:445 [file_id=[persistent=85, volatile=18446744069414584337], size=8192, 
times=[modified=XXXXXXXXXX.XXXXXX, accessed=XXXXXXXXXX.XXXXXX, created=XXXXXXXXXX.XXXXXX, changed=XXXXXXXXXX.XXXXXX], attrs=[read_only=F, hidden=F, system=F, directory=T, archive=F, normal=F, temporary=F, sparse_file=F, reparse_point=F, compressed=F, offline=F, not_content_indexed=F, encrypted=F, integrity_stream=F, no_scrub_data=F], create_action=1] +smb2_create_response 10.0.0.11 -> 10.0.0.12:445 [file_id=[persistent=85, volatile=18446744069414584337], size=8192, times=[modified=XXXXXXXXXX.XXXXXX, modified_raw=129676762954270355, accessed=XXXXXXXXXX.XXXXXX, accessed_raw=129676762954270355, created=XXXXXXXXXX.XXXXXX, created_raw=129668175639452974, changed=XXXXXXXXXX.XXXXXX, changed_raw=129676762954270355], attrs=[read_only=F, hidden=F, system=F, directory=T, archive=F, normal=F, temporary=F, sparse_file=F, reparse_point=F, compressed=F, offline=F, not_content_indexed=F, encrypted=F, integrity_stream=F, no_scrub_data=F], create_action=1] diff --git a/testing/btest/Baseline/scripts.base.protocols.smb.smb2/files.log b/testing/btest/Baseline/scripts.base.protocols.smb.smb2/files.log index 325f02166a..6a8bb83e3f 100644 --- a/testing/btest/Baseline/scripts.base.protocols.smb.smb2/files.log +++ b/testing/btest/Baseline/scripts.base.protocols.smb.smb2/files.log 
@@ -7,5 +7,5 @@ #open XXXX-XX-XX-XX-XX-XX #fields ts fuid tx_hosts rx_hosts conn_uids source depth analyzers mime_type filename duration local_orig is_orig seen_bytes total_bytes missing_bytes overflow_bytes timedout parent_fuid md5 sha1 sha256 extracted extracted_cutoff extracted_size #types time string set[addr] set[addr] set[string] string count set[string] string string interval bool bool count count count count bool string string string string string bool count -XXXXXXXXXX.XXXXXX FlZWcY3zsKh9Tt1Jy9 10.0.0.11 10.0.0.12 CHhAvVGS1DHFjwGM9 SMB 0 (empty) application/pdf WP_SMBPlugin.pdf 0.073970 - T 1508939 - 0 0 F - - - - - - - +XXXXXXXXXX.XXXXXX FwL5Z01az5ZsFYcHh5 10.0.0.11 10.0.0.12 CHhAvVGS1DHFjwGM9 SMB 0 (empty) application/pdf WP_SMBPlugin.pdf 0.073970 - T 1508939 - 0 0 F - - - - - - - #close XXXX-XX-XX-XX-XX-XX diff --git a/testing/btest/Baseline/scripts.policy.frameworks.intel.seen.smb/intel.log b/testing/btest/Baseline/scripts.policy.frameworks.intel.seen.smb/intel.log index a5ac5d8a24..8bf960834d 100644 --- a/testing/btest/Baseline/scripts.policy.frameworks.intel.seen.smb/intel.log +++ b/testing/btest/Baseline/scripts.policy.frameworks.intel.seen.smb/intel.log @@ -7,5 +7,5 @@ #open XXXX-XX-XX-XX-XX-XX #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p seen.indicator seen.indicator_type seen.where seen.node matched sources fuid file_mime_type file_desc #types time string addr port addr port string enum enum string set[enum] set[string] string string string -XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 169.254.128.18 49155 169.254.128.15 445 pythonfile Intel::FILE_NAME SMB::IN_FILE_NAME zeek Intel::FILE_NAME source1 FvOchP1DvxPt75ql7b - pythonfile +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 169.254.128.18 49155 169.254.128.15 445 pythonfile Intel::FILE_NAME SMB::IN_FILE_NAME zeek Intel::FILE_NAME source1 FVTHwlRSH2WI8fFw2 - pythonfile #close XXXX-XX-XX-XX-XX-XX 
diff --git a/testing/external/commit-hash.zeek-testing-private b/testing/external/commit-hash.zeek-testing-private
index ce0fefc7cf..a1e561df22 100644
--- a/testing/external/commit-hash.zeek-testing-private
+++ b/testing/external/commit-hash.zeek-testing-private
@@ -1 +1 @@
-79e9cfddf16bcb717d12c3ecb7afcce2be0958ad
+8d61264167ea455240389525a2a1e9b9dcee2692