Fix for suppressing SMB logging of previously-logged files

2025-10-02 06:38:20 +00:00 · 2024-05-18 14:13:52 -07:00 · 2024-05-18 14:13:52 -07:00 · 74bf453d6d
commit 74bf453d6d
parent 1a0fffd714
2 changed files with 7 additions and 8 deletions
--- a/scripts/base/protocols/smb/main.zeek
+++ b/scripts/base/protocols/smb/main.zeek
@ -215,12 +215,18 @@ function write_file_log(state: State)
 		# seen files in the SMB::State $recent_files field.
 		if ( f?$times )
 			{
+			# For repeated reads of the same file, the access
+			# time can change, so make a copy of the various times
+			# and zero that one out.
+			local times = copy(f$times);
+			times$accessed_raw = 0;
+			times$accessed = double_to_time(0.0);
 			local file_ident = cat(f$action,
 			                       f?$fuid ? f$fuid : "",
 			                       f?$name ? f$name : "",
 			                       f?$path ? f$path : "",
 			                       f$size,
-			                       f$times);
+			                       times);
 			if ( file_ident in state$recent_files )
 				{
 				# We've already seen this file and don't want to log it again.