Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-15 21:18:20 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 3

Merge remote-tracking branch 'origin/master' into topic/johanna/gh-859

Browse source
This commit is contained in:
Johanna Amann 2021-06-30 10:36:54 +01:00
commit 509b501e1b
18 changed files with 76 additions and 74 deletions
Download patch file Download diff file Expand all files Collapse all files

18
scripts/base/init-bare.zeek
View file

@ -2789,14 +2789,22 @@ export {
## .. zeek:see:: smb1_nt_create_andx_response smb2_create_response
type SMB::MACTimes: record {
## The time when data was last written to the file.
modified : time &log;
modified : time &log;
## Same as `modified` but in SMB's original `FILETIME` integer format.
modified_raw: count;
## The time when the file was last accessed.
accessed : time &log;
accessed : time &log;
## Same as `accessed` but in SMB's original `FILETIME` integer format.
accessed_raw: count;
## The time the file was created.
created : time &log;
created : time &log;
## Same as `created` but in SMB's original `FILETIME` integer format.
created_raw : count;
## The time when the file was last modified.
changed : time &log;
} &log;
changed : time &log;
## Same as `changed` but in SMB's original `FILETIME` integer format.
changed_raw : count;
};
## A set of file names used as named pipes over SMB. This
## only comes into play as a heuristic to identify named

5
scripts/base/protocols/smb/files.zeek
View file

@ -24,8 +24,9 @@ function get_file_handle(c: connection, is_orig: bool): string
local path_name = current_file?$path ? current_file$path : "";
local file_name = current_file?$name ? current_file$name : "";
# Include last_mod time if available because if a file has been modified it
# should be considered a new file.
local last_mod = cat(current_file?$times ? current_file$times$modified : double_to_time(0.0));
# should be considered a new file. We use the raw version here to avoid
# getting differences when double precision varies by architecture.
local last_mod = cat(current_file?$times ? current_file$times$modified_raw : 0);
# TODO: This is doing hexdump to avoid problems due to file analysis handling
# using CheckString which is not immune to encapsulated null bytes.
# This needs to be fixed lower in the file analysis code later.