Merge branch 'smb2_write_response' of https://github.com/mauropalumbo75/zeek

* 'smb2_write_response' of https://github.com/mauropalumbo75/zeek: smb2_write_response event added Fixed the unit test to ignore bad checksums in the pcap
2025-10-04 07:38:19 +00:00 · 2019-04-12 10:12:31 -07:00 · 2019-04-12 10:12:31 -07:00 · 8a2371c7ea
commit 8a2371c7ea
parent 78dcbcc71a 0c508f8280
7 changed files with 45 additions and 2 deletions
--- a/4
+++ b/4
@ -1,4 +1,8 @@

+2.6-212 | 2019-04-12 10:12:31 -0700
+
+  * smb2_write_response event added (Mauro Palumbo)
+
 2.6-210 | 2019-04-10 09:54:27 -0700

  * Add options to tune BinPAC flowbuffer policy (Jon Siwek, Corelight)
--- a/2
+++ b/2
@ -1 +1 @@
-2.6-210
+2.6-212
--- a/2
+++ b/2
@ -1 +1 @@
-Subproject commit 97af751958172622862bf0da694d6386967d5d24
+Subproject commit e9f6728f13165148ca8ffe0b373148ff78b10c6a
--- a/src/analyzer/protocol/smb/smb2-com-write.pac
+++ b/src/analyzer/protocol/smb/smb2-com-write.pac
@ -24,6 +24,15 @@ refine connection SMB_Conn += {

 	function proc_smb2_write_response(h: SMB2_Header, val: SMB2_write_response) : bool
 		%{
+
+		if ( smb2_write_response )
+			{
+			BifEvent::generate_smb2_write_response(bro_analyzer(),
+			                                      bro_analyzer()->Conn(),
+			                                      BuildSMB2HeaderVal(h),
+							      ${val.write_count});
+			}
+
 		return true;
 		%}

--- a/src/analyzer/protocol/smb/smb2_com_write.bif
+++ b/src/analyzer/protocol/smb/smb2_com_write.bif
@ -16,3 +16,18 @@
 ##
 ## .. bro:see:: smb2_message
 event smb2_write_request%(c: connection, hdr: SMB2::Header, file_id: SMB2::GUID, offset: count, length: count%);
+
+## Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
+## version 2 requests of type *write*. This is sent by the server in response to a write request or
+## named pipe on the server.
+##
+## For more information, see MS-SMB2:2.2.22
+##
+## c: The connection.
+##
+## hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 2 message.
+##
+## length: The number of bytes of the file being written.
+##
+## .. bro:see:: smb2_message
+event smb2_write_response%(c: connection, hdr: SMB2::Header, length: count%);
--- a/testing/btest/Baseline/scripts.base.protocols.smb.smb2-write-response/.stdout
+++ b/testing/btest/Baseline/scripts.base.protocols.smb.smb2-write-response/.stdout
@ -0,0 +1,2 @@
+smb2_write_response 169.254.128.18 -> 169.254.128.15:445, length: 7000
+[credit_charge=1, status=0, command=9, credits=1, flags=1, message_id=1238, process_id=65279, tree_id=1394175098, session_id=1008934080, signature=\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00]
--- a/testing/btest/scripts/base/protocols/smb/smb2-write-response.test
+++ b/testing/btest/scripts/base/protocols/smb/smb2-write-response.test
@ -0,0 +1,13 @@
+# @TEST-EXEC: bro -C -r $TRACES/smb/smb2readwrite.pcap %INPUT
+# @TEST-EXEC: btest-diff .stdout
+
+@load base/protocols/smb
+
+# A test for write response.
+event smb2_write_response(c: connection, hdr: SMB2::Header, length: count)
+	{
+	print fmt("smb2_write_response %s -> %s:%d, length: %d", c$id$orig_h, c$id$resp_h, c$id$resp_p, length);
+	print (hdr);
+	}
+
+
 @ -1 +1 @@
 .6-210
 .6-212