Merge branch 'master' of https://github.com/hosom/zeek

* 'master' of https://github.com/hosom/zeek:
  Normalize the intel seen filename for smb.
  load smb-filenames in scripts/policy/frameworks/intel/seen/__load__.bro
  Add SMB::IN_FILE_NAME to Intel::Where enum
  Support filenamess for SMB files

I added a test case

scripts/policy/frameworks/intel/seen/__load__.bro

@@ -6,6 +6,7 @@
 @load ./http-url
 @load ./pubkey-hashes
 @load ./ssl
+@load ./smb-filenames
 @load ./smtp
 @load ./smtp-url-extraction
 @load ./x509

scripts/policy/frameworks/intel/seen/smb-filenames.bro

@@ -0,0 +1,23 @@
+@load base/protocols/smb
+@load base/frameworks/intel
+@load ./where-locations
+
+event file_new(f: fa_file)
+    {
+    if ( f$source != "SMB" )
+        return;
+
+    for ( id in f$conns )
+        {
+        local c = f$conns[id];
+        if ( c?$smb_state && c$smb_state?$current_file && c$smb_state$current_file?$name )
+            {
+            local split_fname = split_string(c$smb_state$current_file$name, /\\/);
+            local fname = split_fname[|split_fname|-1];
+            Intel::seen([$indicator=fname,
+                        $indicator_type=Intel::FILE_NAME,
+                        $f=f,
+                        $where=SMB::IN_FILE_NAME]);
+            }
+        }
+    }

scripts/policy/frameworks/intel/seen/where-locations.bro

@@ -26,5 +26,6 @@ export {
 		SSL::IN_SERVER_NAME,
 		SMTP::IN_HEADER,
 		X509::IN_CERT,
+		SMB::IN_FILE_NAME,
 	};
 }

scripts/test-all-policy.bro

@@ -25,6 +25,7 @@
 @load frameworks/intel/seen/http-headers.bro
 @load frameworks/intel/seen/http-url.bro
 @load frameworks/intel/seen/pubkey-hashes.bro
+@load frameworks/intel/seen/smb-filenames.bro
 @load frameworks/intel/seen/smtp-url-extraction.bro
 @load frameworks/intel/seen/smtp.bro
 @load frameworks/intel/seen/ssl.bro