From 95fbe150dfd5c2cbfcd213b9f9fe3ab888d4050d Mon Sep 17 00:00:00 2001
From: Seth Hall
Date: Mon, 2 Apr 2018 22:25:51 -0400
Subject: [PATCH] Improving the new SMB2 create command test. It's now a less fragile test than it was.
---
 .../scripts.base.protocols.smb.smb2/.stdout | 249 +-----------------
 .../scripts/base/protocols/smb/smb2.test | 9 +-
 2 files changed, 16 insertions(+), 242 deletions(-)
diff --git a/testing/btest/Baseline/scripts.base.protocols.smb.smb2/.stdout b/testing/btest/Baseline/scripts.base.protocols.smb.smb2/.stdout
index 015b55c71d..bc605dcbb2 100644
--- a/testing/btest/Baseline/scripts.base.protocols.smb.smb2/.stdout
+++ b/testing/btest/Baseline/scripts.base.protocols.smb.smb2/.stdout
@@ -1,238 +1,11 @@ -smb2_create_request, [id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], orig=[size=1225, state=4, num_pkts=6, num_bytes_ip=1257, flow_label=0, l2_addr=00:0c:29:6b:99:0f], resp=[size=760, state=4, num_pkts=5, num_bytes_ip=972, flow_label=0, l2_addr=00:0c:29:4e:b0:d0], start_time=1323202695.370647, duration=0.006812, service={ -SMB, -GSSAPI, -NTLM -}, history=ShADd, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=[ts=1323202695.372863, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], username=Administrator, hostname=SERVER01, domainname=CONTOSO, success=T, status=SUCCESS, done=T], radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=, smb_state=[current_cmd=[ts=1323202695.377459, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], command=CREATE, sub_command=, argument=, status=, rtt=, version=SMB2, username=, tree=, tree_service=, referenced_file=[ts=1323202695.377459, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], fuid=, action=SMB::FILE_OPEN, path=, name=, size=0, prev_name=, times=, fid=, uuid=], referenced_tree=[ts=1323202695.377084, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], path=\\10.0.0.12\smb2, service=, native_file_system=, share_type=DISK], smb1_offered_dialects=, smb2_offered_dialects=], current_file=[ts=1323202695.377459, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], fuid=, action=SMB::FILE_OPEN, path=, name=, size=0, prev_name=, times=, fid=, uuid=], current_tree=[ts=1323202695.377084, uid=CHhAvVGS1DHFjwGM9, 
id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], path=\\10.0.0.12\smb2, service=, native_file_system=, share_type=DISK], pending_cmds={ -[4] = [ts=1323202695.377459, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], command=CREATE, sub_command=, argument=, status=, rtt=, version=SMB2, username=, tree=, tree_service=, referenced_file=[ts=1323202695.377459, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], fuid=, action=SMB::FILE_OPEN, path=, name=, size=0, prev_name=, times=, fid=, uuid=], referenced_tree=[ts=1323202695.377084, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], path=\\10.0.0.12\smb2, service=, native_file_system=, share_type=DISK], smb1_offered_dialects=, smb2_offered_dialects=] -}, fid_map={ - -}, tid_map={ -[1] = [ts=1323202695.377084, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], path=\\10.0.0.12\smb2, service=, native_file_system=, share_type=DISK], -[65535] = [ts=, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], path=, service=, native_file_system=, share_type=DISK] -}, uid_map={ - -}, pipe_map={ - -}, recent_files={ - -}]], [credit_charge=0, status=0, command=5, credits=1, flags=0, message_id=4, process_id=65279, tree_id=1, session_id=4398046511109, signature=\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00], [filename=, disposition=1, create_options=32] -smb2_create_response, [id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], orig=[size=1225, state=4, num_pkts=7, num_bytes_ip=1517, flow_label=0, l2_addr=00:0c:29:6b:99:0f], resp=[size=1004, state=4, num_pkts=5, num_bytes_ip=972, flow_label=0, l2_addr=00:0c:29:4e:b0:d0], start_time=1323202695.370647, duration=0.006958, service={ -SMB, -GSSAPI, -NTLM -}, history=ShADd, 
uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=[ts=1323202695.372863, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], username=Administrator, hostname=SERVER01, domainname=CONTOSO, success=T, status=SUCCESS, done=T], radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=, smb_state=[current_cmd=[ts=1323202695.377459, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], command=CREATE, sub_command=, argument=, status=SUCCESS, rtt=145.0 usecs, version=SMB2, username=, tree=, tree_service=, referenced_file=[ts=1323202695.377459, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], fuid=, action=SMB::FILE_OPEN, path=\\10.0.0.12\smb2, name=, size=8192, prev_name=, times=[modified=1323202604.512058, accessed=1323202604.512058, created=1322343963.945297, changed=1323202604.512058], fid=18446744069414584390, uuid=], referenced_tree=[ts=1323202695.377084, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], path=\\10.0.0.12\smb2, service=, native_file_system=, share_type=DISK], smb1_offered_dialects=, smb2_offered_dialects=], current_file=[ts=1323202695.377459, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], fuid=, action=SMB::FILE_OPEN, path=\\10.0.0.12\smb2, name=, size=8192, prev_name=, times=[modified=1323202604.512058, accessed=1323202604.512058, created=1322343963.945297, changed=1323202604.512058], fid=18446744069414584390, uuid=], current_tree=[ts=1323202695.377084, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], path=\\10.0.0.12\smb2, 
service=, native_file_system=, share_type=DISK], pending_cmds={ - -}, fid_map={ -[18446744069414584390] = [ts=1323202695.377459, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], fuid=, action=SMB::FILE_OPEN, path=\\10.0.0.12\smb2, name=, size=8192, prev_name=, times=[modified=1323202604.512058, accessed=1323202604.512058, created=1322343963.945297, changed=1323202604.512058], fid=18446744069414584390, uuid=] -}, tid_map={ -[1] = [ts=1323202695.377084, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], path=\\10.0.0.12\smb2, service=, native_file_system=, share_type=DISK], -[65535] = [ts=, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], path=, service=, native_file_system=, share_type=DISK] -}, uid_map={ - -}, pipe_map={ - -}, recent_files={ - -}]], [credit_charge=0, status=0, command=5, credits=1, flags=1, message_id=4, process_id=65279, tree_id=1, session_id=4398046511109, signature=\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00], [file_id=[persistent=69, volatile=18446744069414584321], size=8192, times=[modified=1323202604.512058, accessed=1323202604.512058, created=1322343963.945297, changed=1323202604.512058], attrs=[read_only=F, hidden=F, system=F, directory=T, archive=F, normal=F, temporary=F, sparse_file=F, reparse_point=F, compressed=F, offline=F, not_content_indexed=F, encrypted=F, integrity_stream=F, no_scrub_data=F], create_action=1] -smb2_create_request, [id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], orig=[size=1469, state=4, num_pkts=8, num_bytes_ip=1665, flow_label=0, l2_addr=00:0c:29:6b:99:0f], resp=[size=1088, state=4, num_pkts=7, num_bytes_ip=1380, flow_label=0, l2_addr=00:0c:29:4e:b0:d0], start_time=1323202695.370647, duration=0.007847, service={ -SMB, -GSSAPI, -NTLM -}, history=ShADd, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, conn=, 
extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=[ts=1323202695.372863, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], username=Administrator, hostname=SERVER01, domainname=CONTOSO, success=T, status=SUCCESS, done=T], radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=, smb_state=[current_cmd=[ts=1323202695.378494, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], command=CREATE, sub_command=, argument=, status=, rtt=, version=SMB2, username=, tree=, tree_service=, referenced_file=[ts=1323202695.378494, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], fuid=, action=SMB::PIPE_OPEN, path=, name=srvsvc, size=0, prev_name=, times=, fid=, uuid=], referenced_tree=[ts=1323202695.378188, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], path=\\10.0.0.12\IPC$, service=, native_file_system=, share_type=PIPE], smb1_offered_dialects=, smb2_offered_dialects=], current_file=[ts=1323202695.378494, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], fuid=, action=SMB::PIPE_OPEN, path=, name=srvsvc, size=0, prev_name=, times=, fid=, uuid=], current_tree=[ts=1323202695.378188, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], path=\\10.0.0.12\IPC$, service=, native_file_system=, share_type=PIPE], pending_cmds={ -[6] = [ts=1323202695.378494, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], command=CREATE, sub_command=, argument=, status=, rtt=, version=SMB2, username=, tree=, tree_service=, referenced_file=[ts=1323202695.378494, uid=CHhAvVGS1DHFjwGM9, 
id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], fuid=, action=SMB::PIPE_OPEN, path=, name=srvsvc, size=0, prev_name=, times=, fid=, uuid=], referenced_tree=[ts=1323202695.378188, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], path=\\10.0.0.12\IPC$, service=, native_file_system=, share_type=PIPE], smb1_offered_dialects=, smb2_offered_dialects=] -}, fid_map={ -[18446744069414584390] = [ts=1323202695.377459, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], fuid=, action=SMB::FILE_OPEN, path=\\10.0.0.12\smb2, name=, size=8192, prev_name=, times=[modified=1323202604.512058, accessed=1323202604.512058, created=1322343963.945297, changed=1323202604.512058], fid=18446744069414584390, uuid=] -}, tid_map={ -[1] = [ts=1323202695.377084, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], path=\\10.0.0.12\smb2, service=, native_file_system=, share_type=DISK], -[65535] = [ts=, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], path=, service=, native_file_system=, share_type=DISK], -[5] = [ts=1323202695.378188, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], path=\\10.0.0.12\IPC$, service=, native_file_system=, share_type=PIPE] -}, uid_map={ - -}, pipe_map={ - -}, recent_files={ -SMB::FILE_OPEN\\10.0.0.12\smb28192[modified=1323202604.512058, accessed=1323202604.512058, created=1322343963.945297, changed=1323202604.512058] -}]], [credit_charge=0, status=0, command=5, credits=1, flags=0, message_id=6, process_id=65279, tree_id=5, session_id=4398046511109, signature=\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00], [filename=srvsvc, disposition=1, create_options=4194368] -smb2_create_response, [id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], orig=[size=1469, state=4, 
num_pkts=9, num_bytes_ip=1841, flow_label=0, l2_addr=00:0c:29:6b:99:0f], resp=[size=1244, state=4, num_pkts=7, num_bytes_ip=1380, flow_label=0, l2_addr=00:0c:29:4e:b0:d0], start_time=1323202695.370647, duration=0.008011, service={ -SMB, -GSSAPI, -NTLM -}, history=ShADd, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=[ts=1323202695.372863, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], username=Administrator, hostname=SERVER01, domainname=CONTOSO, success=T, status=SUCCESS, done=T], radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=, smb_state=[current_cmd=[ts=1323202695.378494, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], command=CREATE, sub_command=, argument=, status=SUCCESS, rtt=164.0 usecs, version=SMB2, username=, tree=, tree_service=, referenced_file=[ts=1323202695.378494, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], fuid=, action=SMB::PIPE_OPEN, path=\\10.0.0.12\IPC$, name=srvsvc, size=0, prev_name=, times=, fid=18446744069414584398, uuid=], referenced_tree=[ts=1323202695.378188, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], path=\\10.0.0.12\IPC$, service=, native_file_system=, share_type=PIPE], smb1_offered_dialects=, smb2_offered_dialects=], current_file=[ts=1323202695.378494, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], fuid=, action=SMB::PIPE_OPEN, path=\\10.0.0.12\IPC$, name=srvsvc, size=0, prev_name=, times=, fid=18446744069414584398, uuid=], current_tree=[ts=1323202695.378188, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, 
resp_h=10.0.0.12, resp_p=445/tcp], path=\\10.0.0.12\IPC$, service=, native_file_system=, share_type=PIPE], pending_cmds={ - -}, fid_map={ -[18446744069414584398] = [ts=1323202695.378494, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], fuid=, action=SMB::PIPE_OPEN, path=\\10.0.0.12\IPC$, name=srvsvc, size=0, prev_name=, times=, fid=18446744069414584398, uuid=], -[18446744069414584390] = [ts=1323202695.377459, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], fuid=, action=SMB::FILE_OPEN, path=\\10.0.0.12\smb2, name=, size=8192, prev_name=, times=[modified=1323202604.512058, accessed=1323202604.512058, created=1322343963.945297, changed=1323202604.512058], fid=18446744069414584390, uuid=] -}, tid_map={ -[1] = [ts=1323202695.377084, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], path=\\10.0.0.12\smb2, service=, native_file_system=, share_type=DISK], -[65535] = [ts=, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], path=, service=, native_file_system=, share_type=DISK], -[5] = [ts=1323202695.378188, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], path=\\10.0.0.12\IPC$, service=, native_file_system=, share_type=PIPE] -}, uid_map={ - -}, pipe_map={ - -}, recent_files={ -SMB::FILE_OPEN\\10.0.0.12\smb28192[modified=1323202604.512058, accessed=1323202604.512058, created=1322343963.945297, changed=1323202604.512058] -}]], [credit_charge=0, status=0, command=5, credits=1, flags=1, message_id=6, process_id=65279, tree_id=5, session_id=4398046511109, signature=\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00], [file_id=[persistent=73, volatile=18446744069414584325], size=0, times=[modified=-1.164447e+10, accessed=-1.164447e+10, created=-1.164447e+10, changed=-1.164447e+10], attrs=[read_only=F, hidden=F, system=F, 
directory=F, archive=F, normal=T, temporary=F, sparse_file=F, reparse_point=F, compressed=F, offline=F, not_content_indexed=F, encrypted=F, integrity_stream=F, no_scrub_data=F], create_action=1] -smb2_create_request, [id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], orig=[size=2342, state=4, num_pkts=13, num_bytes_ip=2654, flow_label=0, l2_addr=00:0c:29:6b:99:0f], resp=[size=1924, state=4, num_pkts=12, num_bytes_ip=2416, flow_label=0, l2_addr=00:0c:29:4e:b0:d0], start_time=1323202695.370647, duration=0.010734, service={ -SMB, -GSSAPI, -NTLM, -DCE_RPC -}, history=ShADd, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=[uuid=4b324fc8-1670-01d3-1278-5a47bf6ee188, named_pipe=\PIPE\srvsvc], dce_rpc_backing={ -[18446744069414584398] = [info=[ts=1323202695.379517, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], rtt=183.0 usecs, named_pipe=\PIPE\srvsvc, endpoint=srvsvc, operation=NetrShareGetInfo], state=[uuid=4b324fc8-1670-01d3-1278-5a47bf6ee188, named_pipe=\PIPE\srvsvc]] -}, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=[ts=1323202695.372863, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], username=Administrator, hostname=SERVER01, domainname=CONTOSO, success=T, status=SUCCESS, done=T], radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=, smb_state=[current_cmd=[ts=1323202695.381381, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], command=CREATE, sub_command=, argument=, status=, rtt=, version=SMB2, username=, tree=, tree_service=, referenced_file=[ts=1323202695.381381, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], fuid=, action=SMB::FILE_OPEN, path=, name=, 
size=0, prev_name=, times=, fid=, uuid=], referenced_tree=[ts=1323202695.377084, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], path=\\10.0.0.12\smb2, service=, native_file_system=, share_type=DISK], smb1_offered_dialects=, smb2_offered_dialects=], current_file=[ts=1323202695.381381, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], fuid=, action=SMB::FILE_OPEN, path=, name=, size=0, prev_name=, times=, fid=, uuid=], current_tree=[ts=1323202695.377084, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], path=\\10.0.0.12\smb2, service=, native_file_system=, share_type=DISK], pending_cmds={ -[11] = [ts=1323202695.381381, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], command=CREATE, sub_command=, argument=, status=, rtt=, version=SMB2, username=, tree=, tree_service=, referenced_file=[ts=1323202695.381381, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], fuid=, action=SMB::FILE_OPEN, path=, name=, size=0, prev_name=, times=, fid=, uuid=], referenced_tree=[ts=1323202695.377084, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], path=\\10.0.0.12\smb2, service=, native_file_system=, share_type=DISK], smb1_offered_dialects=, smb2_offered_dialects=] -}, fid_map={ -[18446744069414584390] = [ts=1323202695.377459, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], fuid=, action=SMB::FILE_OPEN, path=\\10.0.0.12\smb2, name=, size=8192, prev_name=, times=[modified=1323202604.512058, accessed=1323202604.512058, created=1322343963.945297, changed=1323202604.512058], fid=18446744069414584390, uuid=] -}, tid_map={ -[1] = [ts=1323202695.377084, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], 
path=\\10.0.0.12\smb2, service=, native_file_system=, share_type=DISK], -[65535] = [ts=, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], path=, service=, native_file_system=, share_type=DISK], -[5] = [ts=1323202695.378188, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], path=\\10.0.0.12\IPC$, service=, native_file_system=, share_type=PIPE] -}, uid_map={ - -}, pipe_map={ - -}, recent_files={ -SMB::FILE_OPEN\\10.0.0.12\smb28192[modified=1323202604.512058, accessed=1323202604.512058, created=1322343963.945297, changed=1323202604.512058] -}]], [credit_charge=0, status=0, command=5, credits=1, flags=0, message_id=11, process_id=65279, tree_id=1, session_id=4398046511109, signature=\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00], [filename=, disposition=2, create_options=2097185] -smb2_create_request, [id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], orig=[size=2947, state=4, num_pkts=16, num_bytes_ip=3323, flow_label=0, l2_addr=00:0c:29:6b:99:0f], resp=[size=2297, state=4, num_pkts=15, num_bytes_ip=2909, flow_label=0, l2_addr=00:0c:29:4e:b0:d0], start_time=1323202695.370647, duration=0.061545, service={ -SMB, -GSSAPI, -NTLM, -DCE_RPC -}, history=ShADd, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=[uuid=4b324fc8-1670-01d3-1278-5a47bf6ee188, named_pipe=\PIPE\srvsvc], dce_rpc_backing={ -[18446744069414584398] = [info=[ts=1323202695.379517, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], rtt=183.0 usecs, named_pipe=\PIPE\srvsvc, endpoint=srvsvc, operation=NetrShareGetInfo], state=[uuid=4b324fc8-1670-01d3-1278-5a47bf6ee188, named_pipe=\PIPE\srvsvc]] -}, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=[ts=1323202695.372863, 
uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], username=Administrator, hostname=SERVER01, domainname=CONTOSO, success=T, status=SUCCESS, done=T], radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=, smb_state=[current_cmd=[ts=1323202695.432192, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], command=CREATE, sub_command=, argument=, status=, rtt=, version=SMB2, username=, tree=, tree_service=, referenced_file=[ts=1323202695.432192, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], fuid=, action=SMB::FILE_OPEN, path=, name=WP_SMBPlugin.pdf, size=0, prev_name=, times=, fid=, uuid=], referenced_tree=[ts=1323202695.377084, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], path=\\10.0.0.12\smb2, service=, native_file_system=, share_type=DISK], smb1_offered_dialects=, smb2_offered_dialects=], current_file=[ts=1323202695.432192, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], fuid=, action=SMB::FILE_OPEN, path=, name=WP_SMBPlugin.pdf, size=0, prev_name=, times=, fid=, uuid=], current_tree=[ts=1323202695.377084, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], path=\\10.0.0.12\smb2, service=, native_file_system=, share_type=DISK], pending_cmds={ -[15] = [ts=1323202695.432192, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], command=CREATE, sub_command=, argument=, status=, rtt=, version=SMB2, username=, tree=, tree_service=, referenced_file=[ts=1323202695.432192, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], fuid=, action=SMB::FILE_OPEN, path=, name=WP_SMBPlugin.pdf, size=0, prev_name=, times=, fid=, uuid=], referenced_tree=[ts=1323202695.377084, 
uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], path=\\10.0.0.12\smb2, service=, native_file_system=, share_type=DISK], smb1_offered_dialects=, smb2_offered_dialects=] -}, fid_map={ -[18446744069414584390] = [ts=1323202695.377459, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], fuid=, action=SMB::FILE_OPEN, path=\\10.0.0.12\smb2, name=, size=8192, prev_name=, times=[modified=1323202604.512058, accessed=1323202604.512058, created=1322343963.945297, changed=1323202604.512058], fid=18446744069414584390, uuid=] -}, tid_map={ -[1] = [ts=1323202695.377084, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], path=\\10.0.0.12\smb2, service=, native_file_system=, share_type=DISK], -[65535] = [ts=, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], path=, service=, native_file_system=, share_type=DISK], -[5] = [ts=1323202695.378188, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], path=\\10.0.0.12\IPC$, service=, native_file_system=, share_type=PIPE] -}, uid_map={ - -}, pipe_map={ - -}, recent_files={ -SMB::FILE_OPEN\\10.0.0.12\smb28192[modified=1323202604.512058, accessed=1323202604.512058, created=1322343963.945297, changed=1323202604.512058] -}]], [credit_charge=0, status=0, command=5, credits=1, flags=0, message_id=15, process_id=65279, tree_id=1, session_id=4398046511109, signature=\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00], [filename=WP_SMBPlugin.pdf, disposition=2, create_options=68] -smb2_create_response, [id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], orig=[size=2947, state=4, num_pkts=17, num_bytes_ip=3639, flow_label=0, l2_addr=00:0c:29:6b:99:0f], resp=[size=2573, state=4, num_pkts=15, num_bytes_ip=2909, flow_label=0, l2_addr=00:0c:29:4e:b0:d0], start_time=1323202695.370647, 
duration=0.062223, service={ -SMB, -GSSAPI, -NTLM, -DCE_RPC -}, history=ShADd, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=[uuid=4b324fc8-1670-01d3-1278-5a47bf6ee188, named_pipe=\PIPE\srvsvc], dce_rpc_backing={ -[18446744069414584398] = [info=[ts=1323202695.379517, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], rtt=183.0 usecs, named_pipe=\PIPE\srvsvc, endpoint=srvsvc, operation=NetrShareGetInfo], state=[uuid=4b324fc8-1670-01d3-1278-5a47bf6ee188, named_pipe=\PIPE\srvsvc]] -}, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=[ts=1323202695.372863, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], username=Administrator, hostname=SERVER01, domainname=CONTOSO, success=T, status=SUCCESS, done=T], radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=, smb_state=[current_cmd=[ts=1323202695.432192, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], command=CREATE, sub_command=, argument=, status=SUCCESS, rtt=677.0 usecs, version=SMB2, username=, tree=, tree_service=, referenced_file=[ts=1323202695.432192, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], fuid=, action=SMB::FILE_OPEN, path=\\10.0.0.12\smb2, name=WP_SMBPlugin.pdf, size=0, prev_name=, times=[modified=1323202695.427036, accessed=1323202695.427036, created=1323202695.427036, changed=1323202695.427036], fid=18446744069414584406, uuid=], referenced_tree=[ts=1323202695.377084, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], path=\\10.0.0.12\smb2, service=, native_file_system=, share_type=DISK], smb1_offered_dialects=, smb2_offered_dialects=], current_file=[ts=1323202695.432192, 
uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], fuid=, action=SMB::FILE_OPEN, path=\\10.0.0.12\smb2, name=WP_SMBPlugin.pdf, size=0, prev_name=, times=[modified=1323202695.427036, accessed=1323202695.427036, created=1323202695.427036, changed=1323202695.427036], fid=18446744069414584406, uuid=], current_tree=[ts=1323202695.377084, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], path=\\10.0.0.12\smb2, service=, native_file_system=, share_type=DISK], pending_cmds={ - -}, fid_map={ -[18446744069414584406] = [ts=1323202695.432192, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], fuid=, action=SMB::FILE_OPEN, path=\\10.0.0.12\smb2, name=WP_SMBPlugin.pdf, size=0, prev_name=, times=[modified=1323202695.427036, accessed=1323202695.427036, created=1323202695.427036, changed=1323202695.427036], fid=18446744069414584406, uuid=], -[18446744069414584390] = [ts=1323202695.377459, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], fuid=, action=SMB::FILE_OPEN, path=\\10.0.0.12\smb2, name=, size=8192, prev_name=, times=[modified=1323202604.512058, accessed=1323202604.512058, created=1322343963.945297, changed=1323202604.512058], fid=18446744069414584390, uuid=] -}, tid_map={ -[1] = [ts=1323202695.377084, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], path=\\10.0.0.12\smb2, service=, native_file_system=, share_type=DISK], -[65535] = [ts=, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], path=, service=, native_file_system=, share_type=DISK], -[5] = [ts=1323202695.378188, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], path=\\10.0.0.12\IPC$, service=, native_file_system=, share_type=PIPE] -}, uid_map={ - -}, pipe_map={ - -}, recent_files={ 
-SMB::FILE_OPEN\\10.0.0.12\smb28192[modified=1323202604.512058, accessed=1323202604.512058, created=1322343963.945297, changed=1323202604.512058] -}]], [credit_charge=0, status=0, command=5, credits=1, flags=1, message_id=15, process_id=65279, tree_id=1, session_id=4398046511109, signature=\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00], [file_id=[persistent=77, volatile=18446744069414584329], size=0, times=[modified=1323202695.427036, accessed=1323202695.427036, created=1323202695.427036, changed=1323202695.427036], attrs=[read_only=F, hidden=F, system=F, directory=F, archive=T, normal=F, temporary=F, sparse_file=F, reparse_point=F, compressed=F, offline=F, not_content_indexed=F, encrypted=F, integrity_stream=F, no_scrub_data=F], create_action=2] -smb2_create_request, [id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], orig=[size=1515338, state=4, num_pkts=1064, num_bytes_ip=1557690, flow_label=0, l2_addr=00:0c:29:6b:99:0f], resp=[size=4957, state=4, num_pkts=101, num_bytes_ip=9009, flow_label=0, l2_addr=00:0c:29:4e:b0:d0], start_time=1323202695.370647, duration=0.229267, service={ -SMB, -GSSAPI, -NTLM, -DCE_RPC -}, history=ShADda, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=[uuid=4b324fc8-1670-01d3-1278-5a47bf6ee188, named_pipe=\PIPE\srvsvc], dce_rpc_backing={ -[18446744069414584398] = [info=[ts=1323202695.379517, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], rtt=183.0 usecs, named_pipe=\PIPE\srvsvc, endpoint=srvsvc, operation=NetrShareGetInfo], state=[uuid=4b324fc8-1670-01d3-1278-5a47bf6ee188, named_pipe=\PIPE\srvsvc]] -}, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=[ts=1323202695.372863, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], username=Administrator, 
hostname=SERVER01, domainname=CONTOSO, success=T, status=SUCCESS, done=T], radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=, smb_state=[current_cmd=[ts=1323202695.599914, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], command=CREATE, sub_command=, argument=, status=, rtt=, version=SMB2, username=, tree=, tree_service=, referenced_file=[ts=1323202695.599914, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], fuid=, action=SMB::FILE_OPEN, path=, name=, size=0, prev_name=, times=, fid=, uuid=], referenced_tree=[ts=1323202695.377084, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], path=\\10.0.0.12\smb2, service=, native_file_system=, share_type=DISK], smb1_offered_dialects=, smb2_offered_dialects=], current_file=[ts=1323202695.599914, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], fuid=, action=SMB::FILE_OPEN, path=, name=, size=0, prev_name=, times=, fid=, uuid=], current_tree=[ts=1323202695.377084, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], path=\\10.0.0.12\smb2, service=, native_file_system=, share_type=DISK], pending_cmds={ -[44] = [ts=1323202695.599914, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], command=CREATE, sub_command=, argument=, status=, rtt=, version=SMB2, username=, tree=, tree_service=, referenced_file=[ts=1323202695.599914, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], fuid=, action=SMB::FILE_OPEN, path=, name=, size=0, prev_name=, times=, fid=, uuid=], referenced_tree=[ts=1323202695.377084, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], path=\\10.0.0.12\smb2, service=, native_file_system=, share_type=DISK], 
smb1_offered_dialects=, smb2_offered_dialects=] -}, fid_map={ -[18446744069414584390] = [ts=1323202695.377459, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], fuid=, action=SMB::FILE_OPEN, path=\\10.0.0.12\smb2, name=, size=8192, prev_name=, times=[modified=1323202604.512058, accessed=1323202604.512058, created=1322343963.945297, changed=1323202604.512058], fid=18446744069414584390, uuid=] -}, tid_map={ -[1] = [ts=1323202695.377084, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], path=\\10.0.0.12\smb2, service=, native_file_system=, share_type=DISK], -[65535] = [ts=, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], path=, service=, native_file_system=, share_type=DISK], -[5] = [ts=1323202695.378188, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], path=\\10.0.0.12\IPC$, service=, native_file_system=, share_type=PIPE] -}, uid_map={ - -}, pipe_map={ - -}, recent_files={ -SMB::FILE_OPEN\\10.0.0.12\smb28192[modified=1323202604.512058, accessed=1323202604.512058, created=1322343963.945297, changed=1323202604.512058], -SMB::FILE_OPENWP_SMBPlugin.pdf\\10.0.0.12\smb20[modified=1323202695.427036, accessed=1323202695.427036, created=1323202695.427036, changed=1323202695.427036] -}]], [credit_charge=0, status=0, command=5, credits=104, flags=0, message_id=44, process_id=65279, tree_id=1, session_id=4398046511109, signature=\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00], [filename=, disposition=1, create_options=32] -smb2_create_response, [id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], orig=[size=1515338, state=4, num_pkts=1065, num_bytes_ip=1557950, flow_label=0, l2_addr=00:0c:29:6b:99:0f], resp=[size=5201, state=4, num_pkts=101, num_bytes_ip=9009, flow_label=0, l2_addr=00:0c:29:4e:b0:d0], start_time=1323202695.370647, 
duration=0.229443, service={ -SMB, -GSSAPI, -NTLM, -DCE_RPC -}, history=ShADda, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=[uuid=4b324fc8-1670-01d3-1278-5a47bf6ee188, named_pipe=\PIPE\srvsvc], dce_rpc_backing={ -[18446744069414584398] = [info=[ts=1323202695.379517, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], rtt=183.0 usecs, named_pipe=\PIPE\srvsvc, endpoint=srvsvc, operation=NetrShareGetInfo], state=[uuid=4b324fc8-1670-01d3-1278-5a47bf6ee188, named_pipe=\PIPE\srvsvc]] -}, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=[ts=1323202695.372863, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], username=Administrator, hostname=SERVER01, domainname=CONTOSO, success=T, status=SUCCESS, done=T], radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=, smb_state=[current_cmd=[ts=1323202695.599914, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], command=CREATE, sub_command=, argument=, status=SUCCESS, rtt=175.0 usecs, version=SMB2, username=, tree=, tree_service=, referenced_file=[ts=1323202695.599914, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], fuid=, action=SMB::FILE_OPEN, path=\\10.0.0.12\smb2, name=, size=8192, prev_name=, times=[modified=1323202695.427036, accessed=1323202695.427036, created=1322343963.945297, changed=1323202695.427036], fid=18446744069414584414, uuid=], referenced_tree=[ts=1323202695.377084, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], path=\\10.0.0.12\smb2, service=, native_file_system=, share_type=DISK], smb1_offered_dialects=, smb2_offered_dialects=], current_file=[ts=1323202695.599914, 
uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], fuid=, action=SMB::FILE_OPEN, path=\\10.0.0.12\smb2, name=, size=8192, prev_name=, times=[modified=1323202695.427036, accessed=1323202695.427036, created=1322343963.945297, changed=1323202695.427036], fid=18446744069414584414, uuid=], current_tree=[ts=1323202695.377084, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], path=\\10.0.0.12\smb2, service=, native_file_system=, share_type=DISK], pending_cmds={ - -}, fid_map={ -[18446744069414584390] = [ts=1323202695.377459, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], fuid=, action=SMB::FILE_OPEN, path=\\10.0.0.12\smb2, name=, size=8192, prev_name=, times=[modified=1323202604.512058, accessed=1323202604.512058, created=1322343963.945297, changed=1323202604.512058], fid=18446744069414584390, uuid=], -[18446744069414584414] = [ts=1323202695.599914, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], fuid=, action=SMB::FILE_OPEN, path=\\10.0.0.12\smb2, name=, size=8192, prev_name=, times=[modified=1323202695.427036, accessed=1323202695.427036, created=1322343963.945297, changed=1323202695.427036], fid=18446744069414584414, uuid=] -}, tid_map={ -[1] = [ts=1323202695.377084, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], path=\\10.0.0.12\smb2, service=, native_file_system=, share_type=DISK], -[65535] = [ts=, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], path=, service=, native_file_system=, share_type=DISK], -[5] = [ts=1323202695.378188, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], path=\\10.0.0.12\IPC$, service=, native_file_system=, share_type=PIPE] -}, uid_map={ - -}, pipe_map={ - -}, recent_files={ 
-SMB::FILE_OPEN\\10.0.0.12\smb28192[modified=1323202604.512058, accessed=1323202604.512058, created=1322343963.945297, changed=1323202604.512058], -SMB::FILE_OPENWP_SMBPlugin.pdf\\10.0.0.12\smb20[modified=1323202695.427036, accessed=1323202695.427036, created=1323202695.427036, changed=1323202695.427036] -}]], [credit_charge=0, status=0, command=5, credits=9, flags=1, message_id=44, process_id=65279, tree_id=1, session_id=4398046511109, signature=\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00], [file_id=[persistent=81, volatile=18446744069414584333], size=8192, times=[modified=1323202695.427036, accessed=1323202695.427036, created=1322343963.945297, changed=1323202695.427036], attrs=[read_only=F, hidden=F, system=F, directory=T, archive=F, normal=F, temporary=F, sparse_file=F, reparse_point=F, compressed=F, offline=F, not_content_indexed=F, encrypted=F, integrity_stream=F, no_scrub_data=F], create_action=1] -smb2_create_request, [id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], orig=[size=1515782, state=4, num_pkts=1067, num_bytes_ip=1558254, flow_label=0, l2_addr=00:0c:29:6b:99:0f], resp=[size=5541, state=4, num_pkts=104, num_bytes_ip=9713, flow_label=0, l2_addr=00:0c:29:4e:b0:d0], start_time=1323202695.370647, duration=0.233359, service={ -SMB, -GSSAPI, -NTLM, -DCE_RPC -}, history=ShADda, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=[uuid=4b324fc8-1670-01d3-1278-5a47bf6ee188, named_pipe=\PIPE\srvsvc], dce_rpc_backing={ -[18446744069414584398] = [info=[ts=1323202695.379517, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], rtt=183.0 usecs, named_pipe=\PIPE\srvsvc, endpoint=srvsvc, operation=NetrShareGetInfo], state=[uuid=4b324fc8-1670-01d3-1278-5a47bf6ee188, named_pipe=\PIPE\srvsvc]] -}, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, 
modbus=, mysql=, ntlm=[ts=1323202695.372863, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], username=Administrator, hostname=SERVER01, domainname=CONTOSO, success=T, status=SUCCESS, done=T], radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=, smb_state=[current_cmd=[ts=1323202695.604006, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], command=CREATE, sub_command=, argument=, status=, rtt=, version=SMB2, username=, tree=, tree_service=, referenced_file=[ts=1323202695.604006, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], fuid=, action=SMB::FILE_OPEN, path=, name=, size=0, prev_name=, times=, fid=, uuid=], referenced_tree=[ts=1323202695.377084, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], path=\\10.0.0.12\smb2, service=, native_file_system=, share_type=DISK], smb1_offered_dialects=, smb2_offered_dialects=], current_file=[ts=1323202695.604006, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], fuid=, action=SMB::FILE_OPEN, path=, name=, size=0, prev_name=, times=, fid=, uuid=], current_tree=[ts=1323202695.377084, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], path=\\10.0.0.12\smb2, service=, native_file_system=, share_type=DISK], pending_cmds={ -[47] = [ts=1323202695.604006, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], command=CREATE, sub_command=, argument=, status=, rtt=, version=SMB2, username=, tree=, tree_service=, referenced_file=[ts=1323202695.604006, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], fuid=, action=SMB::FILE_OPEN, path=, name=, size=0, prev_name=, times=, fid=, uuid=], referenced_tree=[ts=1323202695.377084, 
uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], path=\\10.0.0.12\smb2, service=, native_file_system=, share_type=DISK], smb1_offered_dialects=, smb2_offered_dialects=] -}, fid_map={ -[18446744069414584390] = [ts=1323202695.377459, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], fuid=, action=SMB::FILE_OPEN, path=\\10.0.0.12\smb2, name=, size=8192, prev_name=, times=[modified=1323202604.512058, accessed=1323202604.512058, created=1322343963.945297, changed=1323202604.512058], fid=18446744069414584390, uuid=] -}, tid_map={ -[1] = [ts=1323202695.377084, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], path=\\10.0.0.12\smb2, service=, native_file_system=, share_type=DISK], -[65535] = [ts=, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], path=, service=, native_file_system=, share_type=DISK], -[5] = [ts=1323202695.378188, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], path=\\10.0.0.12\IPC$, service=, native_file_system=, share_type=PIPE] -}, uid_map={ - -}, pipe_map={ - -}, recent_files={ -SMB::FILE_OPEN\\10.0.0.12\smb28192[modified=1323202695.427036, accessed=1323202695.427036, created=1322343963.945297, changed=1323202695.427036], -SMB::FILE_OPEN\\10.0.0.12\smb28192[modified=1323202604.512058, accessed=1323202604.512058, created=1322343963.945297, changed=1323202604.512058], -SMB::FILE_OPENWP_SMBPlugin.pdf\\10.0.0.12\smb20[modified=1323202695.427036, accessed=1323202695.427036, created=1323202695.427036, changed=1323202695.427036] -}]], [credit_charge=0, status=0, command=5, credits=80, flags=0, message_id=47, process_id=65279, tree_id=1, session_id=4398046511109, signature=\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00], [filename=, disposition=1, create_options=32] -smb2_create_response, 
[id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], orig=[size=1515782, state=4, num_pkts=1068, num_bytes_ip=1558514, flow_label=0, l2_addr=00:0c:29:6b:99:0f], resp=[size=5785, state=4, num_pkts=104, num_bytes_ip=9713, flow_label=0, l2_addr=00:0c:29:4e:b0:d0], start_time=1323202695.370647, duration=0.233475, service={ -SMB, -GSSAPI, -NTLM, -DCE_RPC -}, history=ShADda, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=[uuid=4b324fc8-1670-01d3-1278-5a47bf6ee188, named_pipe=\PIPE\srvsvc], dce_rpc_backing={ -[18446744069414584398] = [info=[ts=1323202695.379517, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], rtt=183.0 usecs, named_pipe=\PIPE\srvsvc, endpoint=srvsvc, operation=NetrShareGetInfo], state=[uuid=4b324fc8-1670-01d3-1278-5a47bf6ee188, named_pipe=\PIPE\srvsvc]] -}, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=[ts=1323202695.372863, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], username=Administrator, hostname=SERVER01, domainname=CONTOSO, success=T, status=SUCCESS, done=T], radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=, smb_state=[current_cmd=[ts=1323202695.604006, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], command=CREATE, sub_command=, argument=, status=SUCCESS, rtt=115.0 usecs, version=SMB2, username=, tree=, tree_service=, referenced_file=[ts=1323202695.604006, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], fuid=, action=SMB::FILE_OPEN, path=\\10.0.0.12\smb2, name=, size=8192, prev_name=, times=[modified=1323202695.427036, accessed=1323202695.427036, created=1322343963.945297, changed=1323202695.427036], fid=18446744069414584422, uuid=], 
referenced_tree=[ts=1323202695.377084, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], path=\\10.0.0.12\smb2, service=, native_file_system=, share_type=DISK], smb1_offered_dialects=, smb2_offered_dialects=], current_file=[ts=1323202695.604006, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], fuid=, action=SMB::FILE_OPEN, path=\\10.0.0.12\smb2, name=, size=8192, prev_name=, times=[modified=1323202695.427036, accessed=1323202695.427036, created=1322343963.945297, changed=1323202695.427036], fid=18446744069414584422, uuid=], current_tree=[ts=1323202695.377084, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], path=\\10.0.0.12\smb2, service=, native_file_system=, share_type=DISK], pending_cmds={ - -}, fid_map={ -[18446744069414584390] = [ts=1323202695.377459, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], fuid=, action=SMB::FILE_OPEN, path=\\10.0.0.12\smb2, name=, size=8192, prev_name=, times=[modified=1323202604.512058, accessed=1323202604.512058, created=1322343963.945297, changed=1323202604.512058], fid=18446744069414584390, uuid=], -[18446744069414584422] = [ts=1323202695.604006, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], fuid=, action=SMB::FILE_OPEN, path=\\10.0.0.12\smb2, name=, size=8192, prev_name=, times=[modified=1323202695.427036, accessed=1323202695.427036, created=1322343963.945297, changed=1323202695.427036], fid=18446744069414584422, uuid=] -}, tid_map={ -[1] = [ts=1323202695.377084, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], path=\\10.0.0.12\smb2, service=, native_file_system=, share_type=DISK], -[65535] = [ts=, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], path=, service=, native_file_system=, 
share_type=DISK], -[5] = [ts=1323202695.378188, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], path=\\10.0.0.12\IPC$, service=, native_file_system=, share_type=PIPE] -}, uid_map={ - -}, pipe_map={ - -}, recent_files={ -SMB::FILE_OPEN\\10.0.0.12\smb28192[modified=1323202695.427036, accessed=1323202695.427036, created=1322343963.945297, changed=1323202695.427036], -SMB::FILE_OPEN\\10.0.0.12\smb28192[modified=1323202604.512058, accessed=1323202604.512058, created=1322343963.945297, changed=1323202604.512058], -SMB::FILE_OPENWP_SMBPlugin.pdf\\10.0.0.12\smb20[modified=1323202695.427036, accessed=1323202695.427036, created=1323202695.427036, changed=1323202695.427036] -}]], [credit_charge=0, status=0, command=5, credits=9, flags=1, message_id=47, process_id=65279, tree_id=1, session_id=4398046511109, signature=\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00], [file_id=[persistent=85, volatile=18446744069414584337], size=8192, times=[modified=1323202695.427036, accessed=1323202695.427036, created=1322343963.945297, changed=1323202695.427036], attrs=[read_only=F, hidden=F, system=F, directory=T, archive=F, normal=F, temporary=F, sparse_file=F, reparse_point=F, compressed=F, offline=F, not_content_indexed=F, encrypted=F, integrity_stream=F, no_scrub_data=F], create_action=1] +smb2_create_request 10.0.0.11 -> 10.0.0.12:445 [filename=, disposition=1, create_options=32] +smb2_create_response 10.0.0.11 -> 10.0.0.12:445 [file_id=[persistent=69, volatile=18446744069414584321], size=8192, times=[modified=1323202604.512058, accessed=1323202604.512058, created=1322343963.945297, changed=1323202604.512058], attrs=[read_only=F, hidden=F, system=F, directory=T, archive=F, normal=F, temporary=F, sparse_file=F, reparse_point=F, compressed=F, offline=F, not_content_indexed=F, encrypted=F, integrity_stream=F, no_scrub_data=F], create_action=1] +smb2_create_request 10.0.0.11 -> 10.0.0.12:445 [filename=srvsvc, disposition=1, 
create_options=4194368] +smb2_create_response 10.0.0.11 -> 10.0.0.12:445 [file_id=[persistent=73, volatile=18446744069414584325], size=0, times=[modified=-1.164447e+10, accessed=-1.164447e+10, created=-1.164447e+10, changed=-1.164447e+10], attrs=[read_only=F, hidden=F, system=F, directory=F, archive=F, normal=T, temporary=F, sparse_file=F, reparse_point=F, compressed=F, offline=F, not_content_indexed=F, encrypted=F, integrity_stream=F, no_scrub_data=F], create_action=1] +smb2_create_request 10.0.0.11 -> 10.0.0.12:445 [filename=, disposition=2, create_options=2097185] +smb2_create_request 10.0.0.11 -> 10.0.0.12:445 [filename=WP_SMBPlugin.pdf, disposition=2, create_options=68] +smb2_create_response 10.0.0.11 -> 10.0.0.12:445 [file_id=[persistent=77, volatile=18446744069414584329], size=0, times=[modified=1323202695.427036, accessed=1323202695.427036, created=1323202695.427036, changed=1323202695.427036], attrs=[read_only=F, hidden=F, system=F, directory=F, archive=T, normal=F, temporary=F, sparse_file=F, reparse_point=F, compressed=F, offline=F, not_content_indexed=F, encrypted=F, integrity_stream=F, no_scrub_data=F], create_action=2] +smb2_create_request 10.0.0.11 -> 10.0.0.12:445 [filename=, disposition=1, create_options=32] +smb2_create_response 10.0.0.11 -> 10.0.0.12:445 [file_id=[persistent=81, volatile=18446744069414584333], size=8192, times=[modified=1323202695.427036, accessed=1323202695.427036, created=1322343963.945297, changed=1323202695.427036], attrs=[read_only=F, hidden=F, system=F, directory=T, archive=F, normal=F, temporary=F, sparse_file=F, reparse_point=F, compressed=F, offline=F, not_content_indexed=F, encrypted=F, integrity_stream=F, no_scrub_data=F], create_action=1] +smb2_create_request 10.0.0.11 -> 10.0.0.12:445 [filename=, disposition=1, create_options=32] +smb2_create_response 10.0.0.11 -> 10.0.0.12:445 [file_id=[persistent=85, volatile=18446744069414584337], size=8192, times=[modified=1323202695.427036, accessed=1323202695.427036, 
created=1322343963.945297, changed=1323202695.427036], attrs=[read_only=F, hidden=F, system=F, directory=T, archive=F, normal=F, temporary=F, sparse_file=F, reparse_point=F, compressed=F, offline=F, not_content_indexed=F, encrypted=F, integrity_stream=F, no_scrub_data=F], create_action=1]
diff --git a/testing/btest/scripts/base/protocols/smb/smb2.test b/testing/btest/scripts/base/protocols/smb/smb2.test
index 3b8c45de47..33ce0e29a3 100644
--- a/testing/btest/scripts/base/protocols/smb/smb2.test
+++ b/testing/btest/scripts/base/protocols/smb/smb2.test
@@ -8,13 +8,14 @@
 @load policy/protocols/smb
-event smb2_create_request(c: connection, hdr: SMB2::Header, request: SMB2::CreateRequest )
+# Add some tests for SMB2 create request and response.
+event smb2_create_request(c: connection, hdr: SMB2::Header, request: SMB2::CreateRequest)
 {
- print "smb2_create_request", c, hdr, request;
+ print fmt("smb2_create_request %s -> %s:%d %s", c$id$orig_h, c$id$resp_h, c$id$resp_p, request);
 }
-event smb2_create_response(c: connection, hdr: SMB2::Header, response: SMB2::CreateResponse )
+event smb2_create_response(c: connection, hdr: SMB2::Header, response: SMB2::CreateResponse)
 {
- print "smb2_create_response", c, hdr, response;
+ print fmt("smb2_create_response %s -> %s:%d %s", c$id$orig_h, c$id$resp_h, c$id$resp_p, response);
 }
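Review bot: The new print lines in both handlers drop the SMB2 header entirely, so a request can no longer be paired with its response; the old baseline carried `message_id` for that, and the new baseline shows why it matters, since two create requests (`disposition=2`, then `WP_SMBPlugin.pdf`) are printed back to back before a single response and the reader cannot tell which file_id answers which filename. Keeping just the message id stays compact while removing the ambiguity, assuming the header record still exposes the `message_id` field the old output shows: `print fmt("smb2_create_request %s -> %s:%d msg=%d %s", c$id$orig_h, c$id$resp_h, c$id$resp_p, hdr$message_id, request);` with the same change in the response handler. The added comment reads like a commit message rather than a description of the handlers; `# Print a compact summary of each SMB2 create request/response so the baseline does not depend on the full connection record.` says what the code does and why the full records were dropped.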