Merge remote-tracking branch 'origin/master' into topic/johanna/gh-859

CHANGES

@@ -1,3 +1,19 @@
+4.1.0-dev.830 | 2021-06-30 07:51:08 +0200
+
+  * GH-1406: Fix SMB tests on Apple M1. (Robin Sommer, Corelight)
+
+4.1.0-dev.828 | 2021-06-29 11:11:22 -0700
+
+  * Remove remaining vestigial IDMEF support code (Christian Kreibich, Corelight)
+
+4.1.0-dev.826 | 2021-06-29 10:39:18 -0700
+
+  * made RecordVal::AppendField protected: it's low-level & requires knowledge of internals (Vern Paxson, Corelight)
+
+4.1.0-dev.821 | 2021-06-29 08:38:37 -0700
+
+  * Fix package name for CMake on CentOS 8 (Dominik Charousset, Corelight)
+
 4.1.0-dev.818 | 2021-06-28 13:50:13 -0700
 
   * GH-1216: Enable Mobile IPv6 support by default (Tim Wojtulewicz, Corelight)

VERSION

@@ -1 +1 @@
-4.1.0-dev.818
+4.1.0-dev.830

auxil/zeek-aux

@@ -1 +1 @@
-Subproject commit 2e24ebafe096be5a493a4aa307e195da244073a9
+Subproject commit 89eed44dfbc0a4ba015f42ba4cfaa22b92a8b92e

ci/centos-8/Dockerfile

@@ -7,7 +7,7 @@ RUN dnf config-manager --set-enabled powertools
 
 RUN dnf -y update && dnf -y install \
     git \
-    cmake3 \
+    cmake \
     make \
     gcc \
     gcc-c++ \

scripts/base/init-bare.zeek

@@ -2789,14 +2789,22 @@ export {
 	## .. zeek:see:: smb1_nt_create_andx_response smb2_create_response
 	type SMB::MACTimes: record {
 		## The time when data was last written to the file.
-		modified : time &log;
+		modified 	: time &log;
+		## Same as `modified` but in SMB's original `FILETIME` integer format.
+		modified_raw: count;
 		## The time when the file was last accessed.
-		accessed : time &log;
+		accessed 	: time &log;
+		## Same as `accessed` but in SMB's original `FILETIME` integer format.
+		accessed_raw: count;
 		## The time the file was created.
-		created  : time &log;
+		created  	: time &log;
+		## Same as `created` but in SMB's original `FILETIME` integer format.
+		created_raw : count;
 		## The time when the file was last modified.
-		changed  : time &log;
+		changed  	: time &log;
-	} &log;
+		## Same as `changed` but in SMB's original `FILETIME` integer format.
+		changed_raw : count;
+	};
 
 	## A set of file names used as named pipes over SMB. This
 	## only comes into play as a heuristic to identify named

scripts/base/protocols/smb/files.zeek

@@ -24,8 +24,9 @@ function get_file_handle(c: connection, is_orig: bool): string
 	local path_name = current_file?$path ? current_file$path : "";
 	local file_name = current_file?$name ? current_file$name : "";
 	# Include last_mod time if available because if a file has been modified it
-	# should be considered a new file.
+	# should be considered a new file. We use the raw version here to avoid
-	local last_mod  = cat(current_file?$times ? current_file$times$modified : double_to_time(0.0));
+	# getting differences when double precision varies by architecture.
+	local last_mod  = cat(current_file?$times ? current_file$times$modified_raw : 0);
 	# TODO: This is doing hexdump to avoid problems due to file analysis handling
 	#       using CheckString which is not immune to encapsulated null bytes.
 	#       This needs to be fixed lower in the file analysis code later.

src/Options.cc

@@ -122,11 +122,6 @@ void usage(const char* prog, int code)
 #endif
 	fprintf(stderr, "    --pseudo-realtime[=<speedup>]  | enable pseudo-realtime for performance evaluation (default 1)\n");
 	fprintf(stderr, "    -j|--jobs                      | enable supervisor mode\n");
-
-#ifdef USE_IDMEF
-	fprintf(stderr, "    -n|--idmef-dtd <idmef-msg.dtd> | specify path to IDMEF DTD file\n");
-#endif
-
 	fprintf(stderr, "    --test                         | run unit tests ('--test -h' for help, only when compiling with ENABLE_ZEEK_UNIT_TESTS)\n");
 	fprintf(stderr, "    $ZEEKPATH                      | file search path (%s)\n", util::zeek_path().c_str());
 	fprintf(stderr, "    $ZEEK_PLUGIN_PATH              | plugin search path (%s)\n", util::zeek_plugin_path());
@@ -337,9 +332,7 @@ Options parse_cmdline(int argc, char** argv)
 #ifdef	DEBUG
 		{"debug",		required_argument,	nullptr,	'B'},
 #endif
-#ifdef	USE_IDMEF
+
-		{"idmef-dtd",		required_argument,	nullptr,	'n'},
-#endif
 #ifdef	USE_PERFTOOLS_DEBUG
 		{"mem-leaks",	no_argument,		nullptr,	'm'},
 		{"mem-profile",	no_argument,		nullptr,	'M'},
@@ -517,12 +510,6 @@ Options parse_cmdline(int argc, char** argv)
 			break;
 #endif
 
-#ifdef USE_IDMEF
-		case 'n':
-			rval.libidmef_dtd_path = optarg;
-			break;
-#endif
-
 		case '#':
 			fprintf(stderr, "ERROR: --test only allowed as first argument.\n");
 			usage(zargs[0], 1);

src/Options.h

@@ -70,7 +70,6 @@ struct Options {
 	std::optional<std::string> random_seed_output_file;
 	std::optional<std::string> process_status_file;
 	std::optional<std::string> zeekygen_config_file;
-	std::string libidmef_dtd_file = "idmef-message.dtd";
 
 	std::set<std::string> plugins_to_load;
 	std::vector<std::string> scripts_to_load;

src/Val.h

@@ -1183,22 +1183,6 @@ public:
 		Assign(idx, std::forward<T>(val));
 		}
 
-	/**
-	 * Appends a value to the record's fields.  The caller is responsible
-	 * for ensuring that fields are appended in the correct order and
-	 * with the correct type.  The type needs to be passed in because
-	 * it's unsafe to take it from v when the field's type is "any" while
-	 * v is a concrete type.
-	 * @param v  The value to append.
-	 */
-	void AppendField(ValPtr v, const TypePtr& t)
-		{
-		if ( v )
-			record_val->emplace_back(ZVal(v, t));
-		else
-			record_val->emplace_back(std::nullopt);
-		}
-
 	/**
 	 * Returns the number of fields in the record.
 	 * @return  The number of fields in the record.
@@ -1423,6 +1407,23 @@ public:
 protected:
 	friend class zeek::detail::ZBody;
 
+	/**
+	 * Appends a value to the record's fields.  The caller is responsible
+	 * for ensuring that fields are appended in the correct order and
+	 * with the correct type.  The type needs to be passed in because
+	 * it's unsafe to take it from v when the field's type is "any" while
+	 * v is a concrete type.
+	 * @param v  The value to append.
+	 * @param t  The type associated with the field.
+	 */
+	void AppendField(ValPtr v, const TypePtr& t)
+		{
+		if ( v )
+			record_val->emplace_back(ZVal(v, t));
+		else
+			record_val->emplace_back(std::nullopt);
+		}
+
 	// For use by low-level ZAM instructions.  Caller assumes
 	// responsibility for memory management.  The first version
 	// allows manipulation of whether the field is present at all.

src/analyzer/protocol/smb/smb-time.pac

@@ -32,9 +32,13 @@ zeek::RecordValPtr SMB_BuildMACTimes(uint64_t modify, uint64_t access,
 	{
 	auto r = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::SMB::MACTimes);
 	r->Assign(0, filetime2zeektime(modify));
-	r->Assign(1, filetime2zeektime(access));
+	r->Assign(1, modify);
-	r->Assign(2, filetime2zeektime(create));
+	r->Assign(2, filetime2zeektime(access));
-	r->Assign(3, filetime2zeektime(change));
+	r->Assign(3, access);
+	r->Assign(4, filetime2zeektime(create));
+	r->Assign(5, create);
+	r->Assign(6, filetime2zeektime(change));
+	r->Assign(7, change);
 	return r;
 	}
 %}

src/zeek-setup.cc

@@ -12,12 +12,6 @@
 #include <list>
 #include <optional>
 
-#ifdef USE_IDMEF
-extern "C" {
-#include <libidmef/idmefxml.h>
-}
-#endif
-
 #include <openssl/ssl.h>
 #include <openssl/err.h>
 
@@ -529,14 +523,6 @@ SetupResult setup(int argc, char** argv, Options* zopts)
 	if ( r != SQLITE_OK )
 		reporter->Error("Failed to initialize sqlite3: %s", sqlite3_errstr(r));
 
-#ifdef USE_IDMEF
-	char* libidmef_dtd_path_cstr = new char[options.libidmef_dtd_file.size() + 1];
-	safe_strncpy(libidmef_dtd_path_cstr, options.libidmef_dtd_file.data(),
-	             options.libidmef_dtd_file.size());
-	globalsInit(libidmef_dtd_path_cstr);	// Init LIBIDMEF globals
-	createCurrentDoc("1.0");		// Set a global XML document
-#endif
-
 	timer_mgr = new PQ_TimerMgr();
 
 	auto zeekygen_cfg = options.zeekygen_config_file.value_or("");

testing/btest/Baseline/plugins.hooks/output

@@ -200,7 +200,7 @@
 0.000000   MetaHookPost  CallFunction(Files::register_protocol, <frame>, (Analyzer::ANALYZER_IRC_DATA, [get_file_handle=IRC::get_file_handle{ return (cat(Analyzer::ANALYZER_IRC_DATA, IRC::c$start_time, IRC::c$id, IRC::is_orig))}, describe=lambda_<15770440363500096069>{ return ()}])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Files::register_protocol, <frame>, (Analyzer::ANALYZER_KRB, [get_file_handle=KRB::get_file_handle{ return ()}, describe=KRB::describe_file{ <init> KRB::cid, KRB::c{ if (KRB::f$source != KRB_TCP && KRB::f$source != KRB) return ()if (!KRB::f?$info || !KRB::f$info?$x509 || !KRB::f$info$x509?$certificate) return ()for ([KRB::cid] in KRB::f$conns) { if (KRB::c?$krb) { return (cat(KRB::c$id$resp_h, :, KRB::c$id$resp_p))}}return (cat(Serial: , KRB::f$info$x509$certificate$serial,  Subject: , KRB::f$info$x509$certificate$subject,  Issuer: , KRB::f$info$x509$certificate$issuer))}}])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Files::register_protocol, <frame>, (Analyzer::ANALYZER_KRB_TCP, [get_file_handle=KRB::get_file_handle{ return ()}, describe=KRB::describe_file{ <init> KRB::cid, KRB::c{ if (KRB::f$source != KRB_TCP && KRB::f$source != KRB) return ()if (!KRB::f?$info || !KRB::f$info?$x509 || !KRB::f$info$x509?$certificate) return ()for ([KRB::cid] in KRB::f$conns) { if (KRB::c?$krb) { return (cat(KRB::c$id$resp_h, :, KRB::c$id$resp_p))}}return (cat(Serial: , KRB::f$info$x509$certificate$serial,  Subject: , KRB::f$info$x509$certificate$subject,  Issuer: , KRB::f$info$x509$certificate$issuer))}}])) -> <no result>
-0.000000   MetaHookPost  CallFunction(Files::register_protocol, <frame>, (Analyzer::ANALYZER_SMB, [get_file_handle=SMB::get_file_handle{ if (!(SMB::c$smb_state?$current_file && (SMB::c$smb_state$current_file?$name || SMB::c$smb_state$current_file?$path))) { return ()}SMB::current_file = SMB::c$smb_state$current_fileSMB::path_name = SMB::current_file?$path ? SMB::current_file$path : SMB::file_name = SMB::current_file?$name ? SMB::current_file$name : SMB::last_mod = cat(SMB::current_file?$times ? SMB::current_file$times$modified : double_to_time(0.0))return (hexdump(cat(Analyzer::ANALYZER_SMB, SMB::c$id$orig_h, SMB::c$id$resp_h, SMB::path_name, SMB::file_name, SMB::last_mod)))}, describe=SMB::describe_file{ <init> SMB::cid, SMB::c{ if (SMB::f$source != SMB) return ()for ([SMB::cid] in SMB::f$conns) { if (SMB::c?$smb_state && SMB::c$smb_state?$current_file && SMB::c$smb_state$current_file?$name) return (SMB::c$smb_state$current_file$name)}return ()}}])) -> <no result>
+0.000000   MetaHookPost  CallFunction(Files::register_protocol, <frame>, (Analyzer::ANALYZER_SMB, [get_file_handle=SMB::get_file_handle{ if (!(SMB::c$smb_state?$current_file && (SMB::c$smb_state$current_file?$name || SMB::c$smb_state$current_file?$path))) { return ()}SMB::current_file = SMB::c$smb_state$current_fileSMB::path_name = SMB::current_file?$path ? SMB::current_file$path : SMB::file_name = SMB::current_file?$name ? SMB::current_file$name : SMB::last_mod = cat(SMB::current_file?$times ? SMB::current_file$times$modified_raw : 0)return (hexdump(cat(Analyzer::ANALYZER_SMB, SMB::c$id$orig_h, SMB::c$id$resp_h, SMB::path_name, SMB::file_name, SMB::last_mod)))}, describe=SMB::describe_file{ <init> SMB::cid, SMB::c{ if (SMB::f$source != SMB) return ()for ([SMB::cid] in SMB::f$conns) { if (SMB::c?$smb_state && SMB::c$smb_state?$current_file && SMB::c$smb_state$current_file?$name) return (SMB::c$smb_state$current_file$name)}return ()}}])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Files::register_protocol, <frame>, (Analyzer::ANALYZER_SMTP, [get_file_handle=SMTP::get_file_handle{ return (cat(Analyzer::ANALYZER_SMTP, SMTP::c$start_time, SMTP::c$smtp$trans_depth, SMTP::c$smtp_state$mime_depth))}, describe=SMTP::describe_file{ <init> SMTP::cid, SMTP::c{ if (SMTP::f$source != SMTP) return ()for ([SMTP::cid] in SMTP::f$conns) { return (SMTP::describe(SMTP::c$smtp))}return ()}}])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Files::register_protocol, <frame>, (Analyzer::ANALYZER_SSL, [get_file_handle=SSL::get_file_handle{ return ()}, describe=SSL::describe_file{ <init> SSL::cid, SSL::c{ if (SSL::f$source != SSL || !SSL::f?$info || !SSL::f$info?$x509 || !SSL::f$info$x509?$certificate) return ()for ([SSL::cid] in SSL::f$conns) { if (SSL::c?$ssl) { return (cat(SSL::c$id$resp_h, :, SSL::c$id$resp_p))}}return (cat(Serial: , SSL::f$info$x509$certificate$serial,  Subject: , SSL::f$info$x509$certificate$subject,  Issuer: , SSL::f$info$x509$certificate$issuer))}}])) -> <no result>
 0.000000   MetaHookPost  CallFunction(FilteredTraceDetection::should_detect, <null>, ()) -> <no result>
@@ -1247,7 +1247,7 @@
 0.000000   MetaHookPre   CallFunction(Files::register_protocol, <frame>, (Analyzer::ANALYZER_IRC_DATA, [get_file_handle=IRC::get_file_handle{ return (cat(Analyzer::ANALYZER_IRC_DATA, IRC::c$start_time, IRC::c$id, IRC::is_orig))}, describe=lambda_<15770440363500096069>{ return ()}]))
 0.000000   MetaHookPre   CallFunction(Files::register_protocol, <frame>, (Analyzer::ANALYZER_KRB, [get_file_handle=KRB::get_file_handle{ return ()}, describe=KRB::describe_file{ <init> KRB::cid, KRB::c{ if (KRB::f$source != KRB_TCP && KRB::f$source != KRB) return ()if (!KRB::f?$info || !KRB::f$info?$x509 || !KRB::f$info$x509?$certificate) return ()for ([KRB::cid] in KRB::f$conns) { if (KRB::c?$krb) { return (cat(KRB::c$id$resp_h, :, KRB::c$id$resp_p))}}return (cat(Serial: , KRB::f$info$x509$certificate$serial,  Subject: , KRB::f$info$x509$certificate$subject,  Issuer: , KRB::f$info$x509$certificate$issuer))}}]))
 0.000000   MetaHookPre   CallFunction(Files::register_protocol, <frame>, (Analyzer::ANALYZER_KRB_TCP, [get_file_handle=KRB::get_file_handle{ return ()}, describe=KRB::describe_file{ <init> KRB::cid, KRB::c{ if (KRB::f$source != KRB_TCP && KRB::f$source != KRB) return ()if (!KRB::f?$info || !KRB::f$info?$x509 || !KRB::f$info$x509?$certificate) return ()for ([KRB::cid] in KRB::f$conns) { if (KRB::c?$krb) { return (cat(KRB::c$id$resp_h, :, KRB::c$id$resp_p))}}return (cat(Serial: , KRB::f$info$x509$certificate$serial,  Subject: , KRB::f$info$x509$certificate$subject,  Issuer: , KRB::f$info$x509$certificate$issuer))}}]))
-0.000000   MetaHookPre   CallFunction(Files::register_protocol, <frame>, (Analyzer::ANALYZER_SMB, [get_file_handle=SMB::get_file_handle{ if (!(SMB::c$smb_state?$current_file && (SMB::c$smb_state$current_file?$name || SMB::c$smb_state$current_file?$path))) { return ()}SMB::current_file = SMB::c$smb_state$current_fileSMB::path_name = SMB::current_file?$path ? SMB::current_file$path : SMB::file_name = SMB::current_file?$name ? SMB::current_file$name : SMB::last_mod = cat(SMB::current_file?$times ? SMB::current_file$times$modified : double_to_time(0.0))return (hexdump(cat(Analyzer::ANALYZER_SMB, SMB::c$id$orig_h, SMB::c$id$resp_h, SMB::path_name, SMB::file_name, SMB::last_mod)))}, describe=SMB::describe_file{ <init> SMB::cid, SMB::c{ if (SMB::f$source != SMB) return ()for ([SMB::cid] in SMB::f$conns) { if (SMB::c?$smb_state && SMB::c$smb_state?$current_file && SMB::c$smb_state$current_file?$name) return (SMB::c$smb_state$current_file$name)}return ()}}]))
+0.000000   MetaHookPre   CallFunction(Files::register_protocol, <frame>, (Analyzer::ANALYZER_SMB, [get_file_handle=SMB::get_file_handle{ if (!(SMB::c$smb_state?$current_file && (SMB::c$smb_state$current_file?$name || SMB::c$smb_state$current_file?$path))) { return ()}SMB::current_file = SMB::c$smb_state$current_fileSMB::path_name = SMB::current_file?$path ? SMB::current_file$path : SMB::file_name = SMB::current_file?$name ? SMB::current_file$name : SMB::last_mod = cat(SMB::current_file?$times ? SMB::current_file$times$modified_raw : 0)return (hexdump(cat(Analyzer::ANALYZER_SMB, SMB::c$id$orig_h, SMB::c$id$resp_h, SMB::path_name, SMB::file_name, SMB::last_mod)))}, describe=SMB::describe_file{ <init> SMB::cid, SMB::c{ if (SMB::f$source != SMB) return ()for ([SMB::cid] in SMB::f$conns) { if (SMB::c?$smb_state && SMB::c$smb_state?$current_file && SMB::c$smb_state$current_file?$name) return (SMB::c$smb_state$current_file$name)}return ()}}]))
 0.000000   MetaHookPre   CallFunction(Files::register_protocol, <frame>, (Analyzer::ANALYZER_SMTP, [get_file_handle=SMTP::get_file_handle{ return (cat(Analyzer::ANALYZER_SMTP, SMTP::c$start_time, SMTP::c$smtp$trans_depth, SMTP::c$smtp_state$mime_depth))}, describe=SMTP::describe_file{ <init> SMTP::cid, SMTP::c{ if (SMTP::f$source != SMTP) return ()for ([SMTP::cid] in SMTP::f$conns) { return (SMTP::describe(SMTP::c$smtp))}return ()}}]))
 0.000000   MetaHookPre   CallFunction(Files::register_protocol, <frame>, (Analyzer::ANALYZER_SSL, [get_file_handle=SSL::get_file_handle{ return ()}, describe=SSL::describe_file{ <init> SSL::cid, SSL::c{ if (SSL::f$source != SSL || !SSL::f?$info || !SSL::f$info?$x509 || !SSL::f$info$x509?$certificate) return ()for ([SSL::cid] in SSL::f$conns) { if (SSL::c?$ssl) { return (cat(SSL::c$id$resp_h, :, SSL::c$id$resp_p))}}return (cat(Serial: , SSL::f$info$x509$certificate$serial,  Subject: , SSL::f$info$x509$certificate$subject,  Issuer: , SSL::f$info$x509$certificate$issuer))}}]))
 0.000000   MetaHookPre   CallFunction(FilteredTraceDetection::should_detect, <null>, ())
@@ -2293,7 +2293,7 @@
 0.000000 | HookCallFunction Files::register_protocol(Analyzer::ANALYZER_IRC_DATA, [get_file_handle=IRC::get_file_handle{ return (cat(Analyzer::ANALYZER_IRC_DATA, IRC::c$start_time, IRC::c$id, IRC::is_orig))}, describe=lambda_<15770440363500096069>{ return ()}])
 0.000000 | HookCallFunction Files::register_protocol(Analyzer::ANALYZER_KRB, [get_file_handle=KRB::get_file_handle{ return ()}, describe=KRB::describe_file{ <init> KRB::cid, KRB::c{ if (KRB::f$source != KRB_TCP && KRB::f$source != KRB) return ()if (!KRB::f?$info || !KRB::f$info?$x509 || !KRB::f$info$x509?$certificate) return ()for ([KRB::cid] in KRB::f$conns) { if (KRB::c?$krb) { return (cat(KRB::c$id$resp_h, :, KRB::c$id$resp_p))}}return (cat(Serial: , KRB::f$info$x509$certificate$serial,  Subject: , KRB::f$info$x509$certificate$subject,  Issuer: , KRB::f$info$x509$certificate$issuer))}}])
 0.000000 | HookCallFunction Files::register_protocol(Analyzer::ANALYZER_KRB_TCP, [get_file_handle=KRB::get_file_handle{ return ()}, describe=KRB::describe_file{ <init> KRB::cid, KRB::c{ if (KRB::f$source != KRB_TCP && KRB::f$source != KRB) return ()if (!KRB::f?$info || !KRB::f$info?$x509 || !KRB::f$info$x509?$certificate) return ()for ([KRB::cid] in KRB::f$conns) { if (KRB::c?$krb) { return (cat(KRB::c$id$resp_h, :, KRB::c$id$resp_p))}}return (cat(Serial: , KRB::f$info$x509$certificate$serial,  Subject: , KRB::f$info$x509$certificate$subject,  Issuer: , KRB::f$info$x509$certificate$issuer))}}])
-0.000000 | HookCallFunction Files::register_protocol(Analyzer::ANALYZER_SMB, [get_file_handle=SMB::get_file_handle{ if (!(SMB::c$smb_state?$current_file && (SMB::c$smb_state$current_file?$name || SMB::c$smb_state$current_file?$path))) { return ()}SMB::current_file = SMB::c$smb_state$current_fileSMB::path_name = SMB::current_file?$path ? SMB::current_file$path : SMB::file_name = SMB::current_file?$name ? SMB::current_file$name : SMB::last_mod = cat(SMB::current_file?$times ? SMB::current_file$times$modified : double_to_time(0.0))return (hexdump(cat(Analyzer::ANALYZER_SMB, SMB::c$id$orig_h, SMB::c$id$resp_h, SMB::path_name, SMB::file_name, SMB::last_mod)))}, describe=SMB::describe_file{ <init> SMB::cid, SMB::c{ if (SMB::f$source != SMB) return ()for ([SMB::cid] in SMB::f$conns) { if (SMB::c?$smb_state && SMB::c$smb_state?$current_file && SMB::c$smb_state$current_file?$name) return (SMB::c$smb_state$current_file$name)}return ()}}])
+0.000000 | HookCallFunction Files::register_protocol(Analyzer::ANALYZER_SMB, [get_file_handle=SMB::get_file_handle{ if (!(SMB::c$smb_state?$current_file && (SMB::c$smb_state$current_file?$name || SMB::c$smb_state$current_file?$path))) { return ()}SMB::current_file = SMB::c$smb_state$current_fileSMB::path_name = SMB::current_file?$path ? SMB::current_file$path : SMB::file_name = SMB::current_file?$name ? SMB::current_file$name : SMB::last_mod = cat(SMB::current_file?$times ? SMB::current_file$times$modified_raw : 0)return (hexdump(cat(Analyzer::ANALYZER_SMB, SMB::c$id$orig_h, SMB::c$id$resp_h, SMB::path_name, SMB::file_name, SMB::last_mod)))}, describe=SMB::describe_file{ <init> SMB::cid, SMB::c{ if (SMB::f$source != SMB) return ()for ([SMB::cid] in SMB::f$conns) { if (SMB::c?$smb_state && SMB::c$smb_state?$current_file && SMB::c$smb_state$current_file?$name) return (SMB::c$smb_state$current_file$name)}return ()}}])
 0.000000 | HookCallFunction Files::register_protocol(Analyzer::ANALYZER_SMTP, [get_file_handle=SMTP::get_file_handle{ return (cat(Analyzer::ANALYZER_SMTP, SMTP::c$start_time, SMTP::c$smtp$trans_depth, SMTP::c$smtp_state$mime_depth))}, describe=SMTP::describe_file{ <init> SMTP::cid, SMTP::c{ if (SMTP::f$source != SMTP) return ()for ([SMTP::cid] in SMTP::f$conns) { return (SMTP::describe(SMTP::c$smtp))}return ()}}])
 0.000000 | HookCallFunction Files::register_protocol(Analyzer::ANALYZER_SSL, [get_file_handle=SSL::get_file_handle{ return ()}, describe=SSL::describe_file{ <init> SSL::cid, SSL::c{ if (SSL::f$source != SSL || !SSL::f?$info || !SSL::f$info?$x509 || !SSL::f$info$x509?$certificate) return ()for ([SSL::cid] in SSL::f$conns) { if (SSL::c?$ssl) { return (cat(SSL::c$id$resp_h, :, SSL::c$id$resp_p))}}return (cat(Serial: , SSL::f$info$x509$certificate$serial,  Subject: , SSL::f$info$x509$certificate$subject,  Issuer: , SSL::f$info$x509$certificate$issuer))}}])
 0.000000 | HookCallFunction FilteredTraceDetection::should_detect()

testing/btest/Baseline/scripts.base.protocols.smb.smb2-read-write/files.log

@@ -7,6 +7,6 @@
 #open XXXX-XX-XX-XX-XX-XX
 #fields	ts	fuid	tx_hosts	rx_hosts	conn_uids	source	depth	analyzers	mime_type	filename	duration	local_orig	is_orig	seen_bytes	total_bytes	missing_bytes	overflow_bytes	timedout	parent_fuid	md5	sha1	sha256	extracted	extracted_cutoff	extracted_size
 #types	time	string	set[addr]	set[addr]	set[string]	string	count	set[string]	string	string	interval	bool	bool	count	count	count	count	bool	string	string	string	string	string	bool	count
-XXXXXXXXXX.XXXXXX	FvOchP1DvxPt75ql7b	169.254.128.15	169.254.128.18	CHhAvVGS1DHFjwGM9	SMB	0	(empty)	text/plain	pythonfile	0.000000	-	F	16	16	0	0	F	-	-	-	-	-	-	-
+XXXXXXXXXX.XXXXXX	FVTHwlRSH2WI8fFw2	169.254.128.15	169.254.128.18	CHhAvVGS1DHFjwGM9	SMB	0	(empty)	text/plain	pythonfile	0.000000	-	F	16	16	0	0	F	-	-	-	-	-	-	-
-XXXXXXXXXX.XXXXXX	FRCqNs3XdP1aPvzhvf	169.254.128.18	169.254.128.15	CHhAvVGS1DHFjwGM9	SMB	0	(empty)	text/plain	pythonfile2	0.000000	-	T	7000	-	0	0	F	-	-	-	-	-	-	-
+XXXXXXXXXX.XXXXXX	FAI5Dc4cLr5RAw3j0e	169.254.128.18	169.254.128.15	CHhAvVGS1DHFjwGM9	SMB	0	(empty)	text/plain	pythonfile2	0.000000	-	T	7000	-	0	0	F	-	-	-	-	-	-	-
 #close XXXX-XX-XX-XX-XX-XX

testing/btest/Baseline/scripts.base.protocols.smb.smb2-read-write/smb_files.log

@@ -9,9 +9,9 @@
 #types	time	string	addr	port	addr	port	string	enum	string	string	count	string	time	time	time	time
 XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	169.254.128.18	49155	169.254.128.15	445	-	SMB::FILE_OPEN	-	pythonfile	16	-	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX
 XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	169.254.128.18	49155	169.254.128.15	445	-	SMB::FILE_READ	-	pythonfile	16	-	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX
-XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	169.254.128.18	49155	169.254.128.15	445	FvOchP1DvxPt75ql7b	SMB::FILE_READ	-	pythonfile	16	-	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	169.254.128.18	49155	169.254.128.15	445	FVTHwlRSH2WI8fFw2	SMB::FILE_READ	-	pythonfile	16	-	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX
 XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	169.254.128.18	49155	169.254.128.15	445	-	SMB::FILE_OPEN	-	pythonfile2	0	-	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX
 XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	169.254.128.18	49155	169.254.128.15	445	-	SMB::FILE_WRITE	-	pythonfile2	0	-	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX
-XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	169.254.128.18	49155	169.254.128.15	445	FRCqNs3XdP1aPvzhvf	SMB::FILE_WRITE	-	pythonfile2	0	-	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	169.254.128.18	49155	169.254.128.15	445	FAI5Dc4cLr5RAw3j0e	SMB::FILE_WRITE	-	pythonfile2	0	-	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX
 XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	169.254.128.18	49155	169.254.128.15	445	-	SMB::FILE_OPEN	-	<share_root>	0	-	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX
 #close XXXX-XX-XX-XX-XX-XX

testing/btest/Baseline/scripts.base.protocols.smb.smb2/.stdout

@@ -1,13 +1,13 @@
 ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
 smb2_create_request 10.0.0.11 -> 10.0.0.12:445 [filename=<share_root>, disposition=1, create_options=32]
-smb2_create_response 10.0.0.11 -> 10.0.0.12:445 [file_id=[persistent=69, volatile=18446744069414584321], size=8192, times=[modified=XXXXXXXXXX.XXXXXX, accessed=XXXXXXXXXX.XXXXXX, created=XXXXXXXXXX.XXXXXX, changed=XXXXXXXXXX.XXXXXX], attrs=[read_only=F, hidden=F, system=F, directory=T, archive=F, normal=F, temporary=F, sparse_file=F, reparse_point=F, compressed=F, offline=F, not_content_indexed=F, encrypted=F, integrity_stream=F, no_scrub_data=F], create_action=1]
+smb2_create_response 10.0.0.11 -> 10.0.0.12:445 [file_id=[persistent=69, volatile=18446744069414584321], size=8192, times=[modified=XXXXXXXXXX.XXXXXX, modified_raw=129676762045120585, accessed=XXXXXXXXXX.XXXXXX, accessed_raw=129676762045120585, created=XXXXXXXXXX.XXXXXX, created_raw=129668175639452974, changed=XXXXXXXXXX.XXXXXX, changed_raw=129676762045120585], attrs=[read_only=F, hidden=F, system=F, directory=T, archive=F, normal=F, temporary=F, sparse_file=F, reparse_point=F, compressed=F, offline=F, not_content_indexed=F, encrypted=F, integrity_stream=F, no_scrub_data=F], create_action=1]
 smb2_create_request 10.0.0.11 -> 10.0.0.12:445 [filename=srvsvc, disposition=1, create_options=4194368]
-smb2_create_response 10.0.0.11 -> 10.0.0.12:445 [file_id=[persistent=73, volatile=18446744069414584325], size=0, times=[modified=-1.16444736e+10, accessed=-1.16444736e+10, created=-1.16444736e+10, changed=-1.16444736e+10], attrs=[read_only=F, hidden=F, system=F, directory=F, archive=F, normal=T, temporary=F, sparse_file=F, reparse_point=F, compressed=F, offline=F, not_content_indexed=F, encrypted=F, integrity_stream=F, no_scrub_data=F], create_action=1]
+smb2_create_response 10.0.0.11 -> 10.0.0.12:445 [file_id=[persistent=73, volatile=18446744069414584325], size=0, times=[modified=-1.16444736e+10, modified_raw=0, accessed=-1.16444736e+10, accessed_raw=0, created=-1.16444736e+10, created_raw=0, changed=-1.16444736e+10, changed_raw=0], attrs=[read_only=F, hidden=F, system=F, directory=F, archive=F, normal=T, temporary=F, sparse_file=F, reparse_point=F, compressed=F, offline=F, not_content_indexed=F, encrypted=F, integrity_stream=F, no_scrub_data=F], create_action=1]
 smb2_create_request 10.0.0.11 -> 10.0.0.12:445 [filename=<share_root>, disposition=2, create_options=2097185]
 smb2_create_request 10.0.0.11 -> 10.0.0.12:445 [filename=WP_SMBPlugin.pdf, disposition=2, create_options=68]
-smb2_create_response 10.0.0.11 -> 10.0.0.12:445 [file_id=[persistent=77, volatile=18446744069414584329], size=0, times=[modified=XXXXXXXXXX.XXXXXX, accessed=XXXXXXXXXX.XXXXXX, created=XXXXXXXXXX.XXXXXX, changed=XXXXXXXXXX.XXXXXX], attrs=[read_only=F, hidden=F, system=F, directory=F, archive=T, normal=F, temporary=F, sparse_file=F, reparse_point=F, compressed=F, offline=F, not_content_indexed=F, encrypted=F, integrity_stream=F, no_scrub_data=F], create_action=2]
+smb2_create_response 10.0.0.11 -> 10.0.0.12:445 [file_id=[persistent=77, volatile=18446744069414584329], size=0, times=[modified=XXXXXXXXXX.XXXXXX, modified_raw=129676762954270355, accessed=XXXXXXXXXX.XXXXXX, accessed_raw=129676762954270355, created=XXXXXXXXXX.XXXXXX, created_raw=129676762954270355, changed=XXXXXXXXXX.XXXXXX, changed_raw=129676762954270355], attrs=[read_only=F, hidden=F, system=F, directory=F, archive=T, normal=F, temporary=F, sparse_file=F, reparse_point=F, compressed=F, offline=F, not_content_indexed=F, encrypted=F, integrity_stream=F, no_scrub_data=F], create_action=2]
-smb2_file_sattr 10.0.0.11 -> 10.0.0.12:445 [persistent=77, volatile=18446744069414584329] MACTimes:[modified=XXXXXXXXXX.XXXXXX, accessed=-1.16444736e+10, created=-1.16444736e+10, changed=-1.16444736e+10] FileAttrs:[read_only=F, hidden=F, system=F, directory=F, archive=F, normal=F, temporary=F, sparse_file=F, reparse_point=F, compressed=F, offline=F, not_content_indexed=F, encrypted=F, integrity_stream=F, no_scrub_data=F]
+smb2_file_sattr 10.0.0.11 -> 10.0.0.12:445 [persistent=77, volatile=18446744069414584329] MACTimes:[modified=XXXXXXXXXX.XXXXXX, modified_raw=129635214083125000, accessed=-1.16444736e+10, accessed_raw=0, created=-1.16444736e+10, created_raw=0, changed=-1.16444736e+10, changed_raw=0] FileAttrs:[read_only=F, hidden=F, system=F, directory=F, archive=F, normal=F, temporary=F, sparse_file=F, reparse_point=F, compressed=F, offline=F, not_content_indexed=F, encrypted=F, integrity_stream=F, no_scrub_data=F]
 smb2_create_request 10.0.0.11 -> 10.0.0.12:445 [filename=<share_root>, disposition=1, create_options=32]
-smb2_create_response 10.0.0.11 -> 10.0.0.12:445 [file_id=[persistent=81, volatile=18446744069414584333], size=8192, times=[modified=XXXXXXXXXX.XXXXXX, accessed=XXXXXXXXXX.XXXXXX, created=XXXXXXXXXX.XXXXXX, changed=XXXXXXXXXX.XXXXXX], attrs=[read_only=F, hidden=F, system=F, directory=T, archive=F, normal=F, temporary=F, sparse_file=F, reparse_point=F, compressed=F, offline=F, not_content_indexed=F, encrypted=F, integrity_stream=F, no_scrub_data=F], create_action=1]
+smb2_create_response 10.0.0.11 -> 10.0.0.12:445 [file_id=[persistent=81, volatile=18446744069414584333], size=8192, times=[modified=XXXXXXXXXX.XXXXXX, modified_raw=129676762954270355, accessed=XXXXXXXXXX.XXXXXX, accessed_raw=129676762954270355, created=XXXXXXXXXX.XXXXXX, created_raw=129668175639452974, changed=XXXXXXXXXX.XXXXXX, changed_raw=129676762954270355], attrs=[read_only=F, hidden=F, system=F, directory=T, archive=F, normal=F, temporary=F, sparse_file=F, reparse_point=F, compressed=F, offline=F, not_content_indexed=F, encrypted=F, integrity_stream=F, no_scrub_data=F], create_action=1]
 smb2_create_request 10.0.0.11 -> 10.0.0.12:445 [filename=<share_root>, disposition=1, create_options=32]
-smb2_create_response 10.0.0.11 -> 10.0.0.12:445 [file_id=[persistent=85, volatile=18446744069414584337], size=8192, times=[modified=XXXXXXXXXX.XXXXXX, accessed=XXXXXXXXXX.XXXXXX, created=XXXXXXXXXX.XXXXXX, changed=XXXXXXXXXX.XXXXXX], attrs=[read_only=F, hidden=F, system=F, directory=T, archive=F, normal=F, temporary=F, sparse_file=F, reparse_point=F, compressed=F, offline=F, not_content_indexed=F, encrypted=F, integrity_stream=F, no_scrub_data=F], create_action=1]
+smb2_create_response 10.0.0.11 -> 10.0.0.12:445 [file_id=[persistent=85, volatile=18446744069414584337], size=8192, times=[modified=XXXXXXXXXX.XXXXXX, modified_raw=129676762954270355, accessed=XXXXXXXXXX.XXXXXX, accessed_raw=129676762954270355, created=XXXXXXXXXX.XXXXXX, created_raw=129668175639452974, changed=XXXXXXXXXX.XXXXXX, changed_raw=129676762954270355], attrs=[read_only=F, hidden=F, system=F, directory=T, archive=F, normal=F, temporary=F, sparse_file=F, reparse_point=F, compressed=F, offline=F, not_content_indexed=F, encrypted=F, integrity_stream=F, no_scrub_data=F], create_action=1]

testing/btest/Baseline/scripts.base.protocols.smb.smb2/files.log

@@ -7,5 +7,5 @@
 #open XXXX-XX-XX-XX-XX-XX
 #fields	ts	fuid	tx_hosts	rx_hosts	conn_uids	source	depth	analyzers	mime_type	filename	duration	local_orig	is_orig	seen_bytes	total_bytes	missing_bytes	overflow_bytes	timedout	parent_fuid	md5	sha1	sha256	extracted	extracted_cutoff	extracted_size
 #types	time	string	set[addr]	set[addr]	set[string]	string	count	set[string]	string	string	interval	bool	bool	count	count	count	count	bool	string	string	string	string	string	bool	count
-XXXXXXXXXX.XXXXXX	FlZWcY3zsKh9Tt1Jy9	10.0.0.11	10.0.0.12	CHhAvVGS1DHFjwGM9	SMB	0	(empty)	application/pdf	WP_SMBPlugin.pdf	0.073970	-	T	1508939	-	0	0	F	-	-	-	-	-	-	-
+XXXXXXXXXX.XXXXXX	FwL5Z01az5ZsFYcHh5	10.0.0.11	10.0.0.12	CHhAvVGS1DHFjwGM9	SMB	0	(empty)	application/pdf	WP_SMBPlugin.pdf	0.073970	-	T	1508939	-	0	0	F	-	-	-	-	-	-	-
 #close XXXX-XX-XX-XX-XX-XX

testing/btest/Baseline/scripts.policy.frameworks.intel.seen.smb/intel.log

@@ -7,5 +7,5 @@
 #open XXXX-XX-XX-XX-XX-XX
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	seen.indicator	seen.indicator_type	seen.where	seen.node	matched	sources	fuid	file_mime_type	file_desc
 #types	time	string	addr	port	addr	port	string	enum	enum	string	set[enum]	set[string]	string	string	string
-XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	169.254.128.18	49155	169.254.128.15	445	pythonfile	Intel::FILE_NAME	SMB::IN_FILE_NAME	zeek	Intel::FILE_NAME	source1	FvOchP1DvxPt75ql7b	-	pythonfile
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	169.254.128.18	49155	169.254.128.15	445	pythonfile	Intel::FILE_NAME	SMB::IN_FILE_NAME	zeek	Intel::FILE_NAME	source1	FVTHwlRSH2WI8fFw2	-	pythonfile
 #close XXXX-XX-XX-XX-XX-XX

testing/external/commit-hash.zeek-testing-private

@@ -1 +1 @@
-79e9cfddf16bcb717d12c3ecb7afcce2be0958ad
+8d61264167ea455240389525a2a1e9b9dcee2692