Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-16 05:28:20 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 2

SMB: Init lanman time and set TZ correctly before calling mktime

Browse source 
This makes a change to the record for smb1-negotiate-response as well.
Times and dates are two 2-byte sections, not three. Switch the parsing
to just use two uint16s, and pass those into the lanman time conversion
function.
This commit is contained in:
Tim Wojtulewicz 2025-09-05 15:39:17 -07:00
parent 3c16ee9667
commit 8efddf87d9
6 changed files with 55 additions and 12 deletions
Download patch file Download diff file Expand all files Collapse all files

8
testing/btest/Baseline/scripts.base.protocols.smb.smb1-negotiate-lanman/out Normal file
View file

@ -0,0 +1,8 @@
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
smb1_negotiate_request
[command=114, status=0, flags=24, flags2=51283, tid=0, pid=4660, uid=0, mid=1]
[PC NETWORK PROGRAM 1.0, LANMAN1.0, LM1.2X002, LANMAN2.1]
smb1_negotiate_response
[command=114, status=0, flags=152, flags2=51283, tid=0, pid=4660, uid=0, mid=1]
[core=<uninitialized>, lanman=[word_count=13, dialect_index=3, security_mode=[user_level=T, challenge_response=T, signatures_enabled=<uninitialized>, signatures_required=<uninitialized>], max_buffer_size=4356, max_mpx_count=32, max_number_vcs=1, raw_mode=[read_raw=F, write_raw=F], session_key=0, server_time=1758862898.0, encryption_key=\x11"3DUfw\x88, primary_domain=\xe4\xbd\x97\xe4\xad\x92\xe5\x89\x87\xe5\x95\x8fP], ntlm=<uninitialized>]
Parsed Response Server Time: 2025-09-26-05:01:38T

3
testing/btest/Traces/README
View file

@ -56,3 +56,6 @@ Trace Index/Sources:
- smb_v2_only_non_zero_reserved1.pcap
Provided by @predator89090 on #4730
https://github.com/zeek/zeek/issues/4730
- smb/cifs_negotiate_lanman.pcap
Generated with scapy/chatgpt by @Mohan-Dhawan
https://github.com/zeek/zeek/issues/4545

BIN
testing/btest/Traces/smb/cifs_negotiate_lanman.pcap Normal file
View file

Binary file not shown.

19
testing/btest/scripts/base/protocols/smb/smb1-negotiate-lanman.zeek Normal file
View file

@ -0,0 +1,19 @@
# @TEST-DOC: Tests parsing of SMB1 Negotiate Request/Response LanMan messages. Primarily exists to test parsing of the timetstamps.
#
# @TEST-EXEC: zeek -r ${TRACES}/smb/cifs_negotiate_lanman.pcap %INPUT > out
# @TEST-EXEC: TEST_DIFF_CANONIFIER= btest-diff out
event smb1_negotiate_request(c: connection, hdr: SMB1::Header, dialects: string_vec)
{
print "smb1_negotiate_request";
print hdr;
print dialects;
}
event smb1_negotiate_response(c: connection, hdr: SMB1::Header, response: SMB1::NegotiateResponse)
{
print "smb1_negotiate_response";
print hdr;
print response;
print fmt("Parsed Response Server Time: %DT", response$lanman$server_time);
}