Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-17 14:08:20 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 3

Merge remote-tracking branch 'origin/topic/jsiwek/gh-865-smb-negotiate-context-list'

Browse source 
* origin/topic/jsiwek/gh-865-smb-negotiate-context-list:
  GH-865: fix parsing of SMB NegotiateContextList
This commit is contained in:
Tim Wojtulewicz 2020-03-20 10:05:21 -07:00
commit 535c70b087
6 changed files with 74 additions and 9 deletions
Download patch file Download diff file Expand all files Collapse all files

4
testing/btest/Baseline/scripts.base.protocols.smb.compression-cap/out Normal file
View file

@ -0,0 +1,4 @@
context value type 1, length 38
[hash_alg_count=1, salt_length=32, hash_alg=[1], salt=\xfbV\x86\xeb\xb8\x8f\x1e\xb2\x1f\xd1?&\x94\xa5\xa53'\x01\x96\x96:\xca.\xcc\xa5\xa8\xd2\xf9\x15\xd7*\x92]
context value type 3, length 10
[alg_count=1, algs=[1]]

BIN
testing/btest/Traces/smb/SMBGhost.pcap Normal file
View file

Binary file not shown.

33
testing/btest/scripts/base/protocols/smb/compression-cap.zeek Normal file
View file

@ -0,0 +1,33 @@
# @TEST-EXEC: zeek -b -r $TRACES/smb/SMBGhost.pcap %INPUT >out
# @TEST-EXEC: btest-diff out
@load base/protocols/smb
event smb2_negotiate_response(c: connection, hdr: SMB2::Header, response: SMB2::NegotiateResponse)
{
for ( i in response$negotiate_context_values )
{
local ncv = response$negotiate_context_values[i];
print fmt("context value type %s, length %s",
ncv$context_type, ncv$data_length);
switch ( ncv$context_type ) {
case 0x001:
print fmt(" %s", ncv$preauth_info);
break;
case 0x002:
print fmt(" %s", ncv$encryption_info);
break;
case 0x003:
print fmt(" %s", ncv$compression_info);
break;
case 0x005:
print fmt(" %s", ncv$netname);
break;
default:
print " unknown context value type";
break;
}
}
}