Merge branch 'smb3-transform-header' of https://github.com/mauropalumbo75/zeek

* 'smb3-transform-header' of https://github.com/mauropalumbo75/zeek:
  clean up, test and pcap for transform_header added
  added smb2-com-transform-header for smb3.x

CHANGES

@@ -1,4 +1,8 @@
 
+2.6-175 | 2019-03-20 19:25:11 -0700
+
+  * Parse SMB2 TRANSFORM_HEADER messages and generate new smb2_transform_header event (Mauro Palumbo)
+
 2.6-172 | 2019-03-20 17:59:30 -0700
 
   * Fix smb_files.log missing FUID field in read/write actions (Mauro Palumbo)

VERSION

@@ -1 +1 @@
-2.6-172
+2.6-175

doc

@@ -1 +1 @@
-Subproject commit 3438d6f185e258e4ef17b5d11b4e374356bd2ce0
+Subproject commit 79d4293fb0a7b03b7c3ae84c633b14f51c836a8d

scripts/base/init-bare.bro

@@ -3327,6 +3327,30 @@ export {
 		## The action taken in establishing the open.
 		create_action : count;
 	};
+
+	## An SMB2 transform header (for SMB 3.x dialects with encryption enabled).
+	##
+	## For more information, see MS-SMB2:2.2.41
+	##
+	## .. bro:see:: smb2_header smb2_message smb2_close_request smb2_close_response
+	##    smb2_create_request smb2_create_response smb2_negotiate_request
+	##    smb2_negotiate_response smb2_read_request
+	##    smb2_session_setup_request smb2_session_setup_response
+	##    smb2_file_rename smb2_file_delete
+	##    smb2_tree_connect_request smb2_tree_connect_response
+	##    smb2_write_request
+	type SMB2::Transform_header: record {
+		## The 16-byte signature of the encrypted message, generated by using Session.EncryptionKey.
+		signature     : string;
+		## An implementation specific value assigned for every encrypted message.
+		nonce         : string;
+		## The size, in bytes, of the SMB2 message.
+		orig_msg_size : count;
+		## A flags field, interpreted in different ways depending of the SMB2 dialect.
+		flags         : count;
+		## A value that uniquely identifies the established session for the command.
+		session_id    : count;
+	};
 }
 
 module GLOBAL;

src/analyzer/protocol/smb/CMakeLists.txt

@@ -35,6 +35,7 @@ bro_plugin_bif(
 	smb2_com_tree_connect.bif
 	smb2_com_tree_disconnect.bif
 	smb2_com_write.bif
+	smb2_com_transform_header.bif
 	smb2_events.bif
 
 	events.bif
@@ -84,5 +85,6 @@ bro_plugin_pac(
 	smb2-com-tree-connect.pac
 	smb2-com-tree-disconnect.pac
 	smb2-com-write.pac
+	smb2-com-transform-header.pac
 )
 bro_plugin_end()

src/analyzer/protocol/smb/smb-common.pac

@@ -1,6 +1,7 @@
 enum SMBVersion {
 	SMB1 = 0xff534d42, # \xffSMB
 	SMB2 = 0xfe534d42, # \xfeSMB
+	SMB3 = 0xfd534d42, # \xfdSMB (implies use of transform_header)
 };
 
 enum TransactionType {

src/analyzer/protocol/smb/smb.pac

@@ -40,6 +40,7 @@
 #include "smb2_com_tree_connect.bif.h"
 #include "smb2_com_tree_disconnect.bif.h"
 #include "smb2_com_write.bif.h"
+#include "smb2_com_transform_header.bif.h"
 %}
 
 analyzer SMB withcontext {
@@ -93,6 +94,7 @@ connection SMB_Conn(bro_analyzer: BroAnalyzer) {
 %include smb2-com-tree-connect.pac
 %include smb2-com-tree-disconnect.pac
 %include smb2-com-write.pac
+%include smb2-com-transform-header.pac
 
 type uint24 = record {
 	byte1 : uint8;
@@ -128,6 +130,8 @@ type SMB_Protocol_Identifier(is_orig: bool, msg_len: uint32) = record {
 	smb_1_or_2        : case protocol of {
 		SMB1    -> smb1    : SMB_PDU(is_orig, msg_len);
 		SMB2    -> smb2    : SMB2_PDU(is_orig);
+		# SMB 3.x protocol ID implies use of transform header to support encryption
+		SMB3    -> smb3    : SMB2_transform_header;
 		default -> unknown : empty;
 	};
 };

src/analyzer/protocol/smb/smb2-com-transform-header.pac

@@ -0,0 +1,37 @@
+refine connection SMB_Conn += {
+
+	function BuildSMB2TransformHeaderVal(hdr: SMB2_transform_header): BroVal
+		%{
+		RecordVal* r = new RecordVal(BifType::Record::SMB2::Transform_header);
+
+		r->Assign(0, bytestring_to_val(${hdr.signature}));
+		r->Assign(1, bytestring_to_val(${hdr.nonce}));
+		r->Assign(2, val_mgr->GetCount(${hdr.orig_msg_size}));
+		r->Assign(3, val_mgr->GetCount(${hdr.flags}));
+		r->Assign(4, val_mgr->GetCount(${hdr.session_id}));
+
+		return r;
+		%}
+
+	function proc_smb2_transform_header(hdr: SMB2_transform_header) : bool
+		%{
+		if ( smb2_transform_header )
+			BifEvent::generate_smb2_transform_header(bro_analyzer(),
+			                                         bro_analyzer()->Conn(),
+			                                         BuildSMB2TransformHeaderVal(hdr));
+
+		return true;
+		%}
+
+};
+
+type SMB2_transform_header = record {
+	signature         : bytestring &length = 16;
+	nonce             : bytestring &length = 16;
+	orig_msg_size     : uint32;
+	reserved          : uint16;
+	flags             : uint16;
+	session_id	  : uint64;
+} &let {
+	proc: bool = $context.connection.proc_smb2_transform_header(this);
+} &byteorder = littleendian;

src/analyzer/protocol/smb/smb2_com_transform_header.bif

@@ -0,0 +1,15 @@
+## Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
+## version 3.x *transform_header*. This is used by the client or server when sending
+## encrypted messages.
+##
+## For more information, see MS-SMB2:2.2.41
+##
+## c: The connection.
+##
+## hdr: The parsed transformed header message, which is starting with \xfdSMB and different from SMB1 and SMB2 headers.
+##
+## .. bro:see:: smb2_message
+event smb2_transform_header%(c: connection, hdr: SMB2::Transform_header%);
+
+type SMB2::Transform_header: record;
+

testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log

@@ -136,6 +136,7 @@ scripts/base/init-frameworks-and-bifs.bro
     build/scripts/base/bif/plugins/Bro_SMB.smb2_com_tree_connect.bif.bro
     build/scripts/base/bif/plugins/Bro_SMB.smb2_com_tree_disconnect.bif.bro
     build/scripts/base/bif/plugins/Bro_SMB.smb2_com_write.bif.bro
+    build/scripts/base/bif/plugins/Bro_SMB.smb2_com_transform_header.bif.bro
     build/scripts/base/bif/plugins/Bro_SMB.smb2_events.bif.bro
     build/scripts/base/bif/plugins/Bro_SMB.events.bif.bro
     build/scripts/base/bif/plugins/Bro_SMB.consts.bif.bro

testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log

@@ -136,6 +136,7 @@ scripts/base/init-frameworks-and-bifs.bro
     build/scripts/base/bif/plugins/Bro_SMB.smb2_com_tree_connect.bif.bro
     build/scripts/base/bif/plugins/Bro_SMB.smb2_com_tree_disconnect.bif.bro
     build/scripts/base/bif/plugins/Bro_SMB.smb2_com_write.bif.bro
+    build/scripts/base/bif/plugins/Bro_SMB.smb2_com_transform_header.bif.bro
     build/scripts/base/bif/plugins/Bro_SMB.smb2_events.bif.bro
     build/scripts/base/bif/plugins/Bro_SMB.events.bif.bro
     build/scripts/base/bif/plugins/Bro_SMB.consts.bif.bro

testing/btest/Baseline/plugins.hooks/output

@@ -663,6 +663,7 @@
 0.000000   MetaHookPost  LoadFile(0, .<...>/Bro_SMB.smb2_com_read.bif.bro) -> -1
 0.000000   MetaHookPost  LoadFile(0, .<...>/Bro_SMB.smb2_com_session_setup.bif.bro) -> -1
 0.000000   MetaHookPost  LoadFile(0, .<...>/Bro_SMB.smb2_com_set_info.bif.bro) -> -1
+0.000000   MetaHookPost  LoadFile(0, .<...>/Bro_SMB.smb2_com_transform_header.bif.bro) -> -1
 0.000000   MetaHookPost  LoadFile(0, .<...>/Bro_SMB.smb2_com_tree_connect.bif.bro) -> -1
 0.000000   MetaHookPost  LoadFile(0, .<...>/Bro_SMB.smb2_com_tree_disconnect.bif.bro) -> -1
 0.000000   MetaHookPost  LoadFile(0, .<...>/Bro_SMB.smb2_com_write.bif.bro) -> -1
@@ -1564,6 +1565,7 @@
 0.000000   MetaHookPre   LoadFile(0, .<...>/Bro_SMB.smb2_com_read.bif.bro)
 0.000000   MetaHookPre   LoadFile(0, .<...>/Bro_SMB.smb2_com_session_setup.bif.bro)
 0.000000   MetaHookPre   LoadFile(0, .<...>/Bro_SMB.smb2_com_set_info.bif.bro)
+0.000000   MetaHookPre   LoadFile(0, .<...>/Bro_SMB.smb2_com_transform_header.bif.bro)
 0.000000   MetaHookPre   LoadFile(0, .<...>/Bro_SMB.smb2_com_tree_connect.bif.bro)
 0.000000   MetaHookPre   LoadFile(0, .<...>/Bro_SMB.smb2_com_tree_disconnect.bif.bro)
 0.000000   MetaHookPre   LoadFile(0, .<...>/Bro_SMB.smb2_com_write.bif.bro)
@@ -2464,6 +2466,7 @@
 0.000000 | HookLoadFile  .<...>/Bro_SMB.smb2_com_read.bif.bro
 0.000000 | HookLoadFile  .<...>/Bro_SMB.smb2_com_session_setup.bif.bro
 0.000000 | HookLoadFile  .<...>/Bro_SMB.smb2_com_set_info.bif.bro
+0.000000 | HookLoadFile  .<...>/Bro_SMB.smb2_com_transform_header.bif.bro
 0.000000 | HookLoadFile  .<...>/Bro_SMB.smb2_com_tree_connect.bif.bro
 0.000000 | HookLoadFile  .<...>/Bro_SMB.smb2_com_tree_disconnect.bif.bro
 0.000000 | HookLoadFile  .<...>/Bro_SMB.smb2_com_write.bif.bro

testing/btest/Baseline/scripts.base.protocols.smb.smb3/.stdout

@@ -0,0 +1,44 @@
+smb2_transform_header 10.160.64.139 -> 10.160.65.202:445 [signature=v\x17k\x19V\xed,\x9cZ\xcf\x00\xa3\x0c\x04\x85\xbc, nonce=:\xaa\x96\x8f\x18\xaea\xe6\xe7o\x1f\x00\x00\x00\x00\x00, orig_msg_size=146, flags=1, session_id=79167320227901]
+smb2_transform_header 10.160.64.139 -> 10.160.65.202:445 [signature=\xec\xbf\xd2v\x00\xd6["R\xf6?\xc8\xf95\xd6\xe7, nonce=]\xf5\xc4\xfcx\xdd\x8e~\x00\x00\x00\x00\x00\x00\x00\x00, orig_msg_size=136, flags=1, session_id=79167320227901]
+smb2_transform_header 10.160.64.139 -> 10.160.65.202:445 [signature=\x9ah^\xb0y\xca\xcc\xc00\xb7\x0f\x0e.6\xd8l, nonce=\x91yv\x16z\xfa\x18V<\xd4\xbd\x00\x00\x00\x00\x00, orig_msg_size=128, flags=1, session_id=79167320227901]
+smb2_transform_header 10.160.64.139 -> 10.160.65.202:445 [signature=\xa4\x8a\xcf\xab\xe3\x97\x1fy\xb1??\x12\xed\x01U\xa8, nonce=^\xf5\xc4\xfcx\xdd\x8e~\x00\x00\x00\x00\x00\x00\x00\x00, orig_msg_size=152, flags=1, session_id=79167320227901]
+smb2_transform_header 10.160.64.139 -> 10.160.65.202:445 [signature=\xafq\xe0B3?a(J\xa9\x94\xd7\x98\x83\xeb\xca, nonce=\xe9of$\xde\s\xa4\x9e\x96\x8e\x00\x00\x00\x00\x00, orig_msg_size=121, flags=1, session_id=79167320227901]
+smb2_transform_header 10.160.64.139 -> 10.160.65.202:445 [signature=\xc3w\x8c\xc7\x9e\xe9\x98@:\x13\xa2\x1d\xcfz\xaa\xcb, nonce=_\xf5\xc4\xfcx\xdd\x8e~\x00\x00\x00\x00\x00\x00\x00\x00, orig_msg_size=720, flags=1, session_id=79167320227901]
+smb2_transform_header 10.160.64.139 -> 10.160.65.202:445 [signature=\x18\x8d9\xce\xa4\xb1\xe3\xf6@\xaf\xf5\xd0\xb1V\x98R, nonce=\xc0\xbdfU\x16\xdb\xb4\xb4\x99P\x7f\x00\x00\x00\x00\x00, orig_msg_size=105, flags=1, session_id=79167320227901]
+smb2_transform_header 10.160.64.139 -> 10.160.65.202:445 [signature=\x9c\xd4:\x8b\xbe\xecS\xe4\x013\x18t\x7fb\x90\xaf, nonce=`\xf5\xc4\xfcx\xdd\x8e~\x00\x00\x00\x00\x00\x00\x00\x00, orig_msg_size=92, flags=1, session_id=79167320227901]
+smb2_transform_header 10.160.64.139 -> 10.160.65.202:445 [signature=T\x80\xd9\x08\xf7>\xe9\xde8;\xa0\x89\x9a\x0f}[, nonce=\x11\xde\xf2n\x84P\x0b,+\x1f\xce\x00\x00\x00\x00\x00, orig_msg_size=105, flags=1, session_id=79167320227901]
+smb2_transform_header 10.160.64.139 -> 10.160.65.202:445 [signature=\xcfX\xd9\x1f\xa4\x11\x06\xbd\x89\xa7blz5[\xa3, nonce=a\xf5\xc4\xfcx\xdd\x8e~\x00\x00\x00\x00\x00\x00\x00\x00, orig_msg_size=80, flags=1, session_id=79167320227901]
+smb2_transform_header 10.160.64.139 -> 10.160.65.202:445 [signature=\x8f\xa7u\xda\x0c\xe8f=)o\x13\xa8\xab\xa8"\xf6, nonce=Eq!\xd9D\xdc1B\x01J\x80\x00\x00\x00\x00\x00, orig_msg_size=105, flags=1, session_id=79167320227901]
+smb2_transform_header 10.160.64.139 -> 10.160.65.202:445 [signature=8l\xb2\xecl\xa8\x1f~e\xf4\xbfB\x08\x0e\x83\x0f, nonce=b\xf5\xc4\xfcx\xdd\x8e~\x00\x00\x00\x00\x00\x00\x00\x00, orig_msg_size=100, flags=1, session_id=79167320227901]
+smb2_transform_header 10.160.64.139 -> 10.160.65.202:445 [signature=+\xed\xaf_\xdc\x12\xc4\xb1\x0f\xfa\xf2\xc2\xdfs\xe5w, nonce=\xff\xbe\xf8\xe1\xce~2\xf3\xd0\x1d5\x00\x00\x00\x00\x00, orig_msg_size=88, flags=1, session_id=79167320227901]
+smb2_transform_header 10.160.64.139 -> 10.160.65.202:445 [signature=\xc6d~\xf8\xd2\xffs\xc9/\xad\x17jz\x008\xd1, nonce=c\xf5\xc4\xfcx\xdd\x8e~\x00\x00\x00\x00\x00\x00\x00\x00, orig_msg_size=124, flags=1, session_id=79167320227901]
+smb2_transform_header 10.160.64.139 -> 10.160.65.202:445 [signature=\xc6F\x1b\x19\x07\xa7\xf0\xc9E\xbd\xd2a\xdb\xb6\x1b\xc8, nonce=G\x10mh\x09\xb5\x1b\xed\x9d\x03\x0f\x00\x00\x00\x00\x00, orig_msg_size=158, flags=1, session_id=79167320227901]
+smb2_transform_header 10.160.64.139 -> 10.160.65.202:445 [signature=\x0e\xf8\xbb\xfbB'\x83\x9b\xa3\x98\xa5K\xa4,pO, nonce=d\xf5\xc4\xfcx\xdd\x8e~\x00\x00\x00\x00\x00\x00\x00\x00, orig_msg_size=73, flags=1, session_id=79167320227901]
+smb2_transform_header 10.160.64.139 -> 10.160.65.202:445 [signature=\xa6\xdc\x0e\x9c\x06\xd2V\xf5\xf5za\xd3[\xfb\xde|, nonce=\xa2\x15\x19\xce~\xee \x16\x15\x9a\xe8\x00\x00\x00\x00\x00, orig_msg_size=128, flags=1, session_id=79167320227901]
+smb2_transform_header 10.160.64.139 -> 10.160.65.202:445 [signature=\xfc\xfbM9\xa6\xfb\xb8\xcc"\xd8\xc3S\xbcX#\x16, nonce=e\xf5\xc4\xfcx\xdd\x8e~\x00\x00\x00\x00\x00\x00\x00\x00, orig_msg_size=152, flags=1, session_id=79167320227901]
+smb2_transform_header 10.160.64.139 -> 10.160.65.202:445 [signature=\xbe\x85\xe3\xdeX\xda\x89\x87\x8e\xd6\x0aq\x7f\xf7\xff\xb5, nonce=\x9a\xae\x1f\x88M\x09W#\x18\x1a\x9d\x00\x00\x00\x00\x00, orig_msg_size=88, flags=1, session_id=79167320227901]
+smb2_transform_header 10.160.64.139 -> 10.160.65.202:445 [signature=\x83ime\x91/8f\x13\x9f\x16Qa\xd3\x00\x8a, nonce=f\xf5\xc4\xfcx\xdd\x8e~\x00\x00\x00\x00\x00\x00\x00\x00, orig_msg_size=124, flags=1, session_id=79167320227901]
+smb2_transform_header 10.160.64.139 -> 10.160.65.202:445 [signature=\x91\x8d[\x18\x9d*\x97\xc2\x0bK\xdb\x94dbB\xae, nonce=\x97\x9f\xd7\xc4,?u\xf1\xcf\x1f\x0f\x00\x00\x00\x00\x00, orig_msg_size=128, flags=1, session_id=79167320227901]
+smb2_transform_header 10.160.64.139 -> 10.160.65.202:445 [signature=R\x96KU\x95\xfc\x05\x17\xe5\xbd\xed\x16\x12}\x8e\x81, nonce=g\xf5\xc4\xfcx\xdd\x8e~\x00\x00\x00\x00\x00\x00\x00\x00, orig_msg_size=152, flags=1, session_id=79167320227901]
+smb2_transform_header 10.160.64.139 -> 10.160.65.202:445 [signature=\xf4RBG}\xd0i\x0f\xcbdP\xe7n\xd9\xc0W, nonce="\xda\xcdU@;<\x09\x0a\x14\xa0\x00\x00\x00\x00\x00, orig_msg_size=88, flags=1, session_id=79167320227901]
+smb2_transform_header 10.160.64.139 -> 10.160.65.202:445 [signature=t\xb9p\xb1\xec\xbfm%\xfc\x8d\x0e\xacR\xe1/J, nonce=h\xf5\xc4\xfcx\xdd\x8e~\x00\x00\x00\x00\x00\x00\x00\x00, orig_msg_size=124, flags=1, session_id=79167320227901]
+smb2_transform_header 10.160.64.139 -> 10.160.65.202:445 [signature=\x98\xbc\xb1|\x9d,EK%\x9b\x0d\xec\xcdF\xde\xcb, nonce=\xd8\xa5V:\xeaQM:\xe9V\xca\x00\x00\x00\x00\x00, orig_msg_size=128, flags=1, session_id=79167320227901]
+smb2_transform_header 10.160.64.139 -> 10.160.65.202:445 [signature=\xf2\x8f\xc9U\x8c)\x12\xb8\xcc<\xb9\xa6Ni\xe9\xcf, nonce=i\xf5\xc4\xfcx\xdd\x8e~\x00\x00\x00\x00\x00\x00\x00\x00, orig_msg_size=152, flags=1, session_id=79167320227901]
+smb2_transform_header 10.160.64.139 -> 10.160.65.202:445 [signature=UY\x80\xef\xe4Jw,\xb95E!\xa1I\x9fM, nonce=\xf0\xe60Q\xc4\x15\xaf\xab\x8a)\xe9\x00\x00\x00\x00\x00, orig_msg_size=105, flags=1, session_id=79167320227901]
+smb2_transform_header 10.160.64.139 -> 10.160.65.202:445 [signature=y-8dk\x8dKH\xf3\xdd\xb3\xbf%n\xfa3, nonce=j\xf5\xc4\xfcx\xdd\x8e~\x00\x00\x00\x00\x00\x00\x00\x00, orig_msg_size=176, flags=1, session_id=79167320227901]
+smb2_transform_header 10.160.64.139 -> 10.160.65.202:445 [signature=\x0by\xe8l\x11\xdbm\x90K\xcc\x11wd\xdb\xd8\xe6, nonce=\xd2V"\xa9C\xac0\x15\xf2Pe\x00\x00\x00\x00\x00, orig_msg_size=88, flags=1, session_id=79167320227901]
+smb2_transform_header 10.160.64.139 -> 10.160.65.202:445 [signature=\xef%\xd6\x89\x095\xba\xc8P\xd2\x85\xb0\x00\xd2\x07?, nonce=k\xf5\xc4\xfcx\xdd\x8e~\x00\x00\x00\x00\x00\x00\x00\x00, orig_msg_size=124, flags=1, session_id=79167320227901]
+smb2_transform_header 10.160.64.139 -> 10.160.65.202:445 [signature=\xdeR\xf3J\xde\x13n5\x86P]\x13\xb8\x02|\xcd, nonce=u\x81\xc63\x06\x1f\xda\xd1\x03\xaa!\x00\x00\x00\x00\x00, orig_msg_size=128, flags=1, session_id=79167320227901]
+smb2_transform_header 10.160.64.139 -> 10.160.65.202:445 [signature=_\xaarMl\x89l$\x7f\xe9\xfb\x11E\xa6\xb5F, nonce=l\xf5\xc4\xfcx\xdd\x8e~\x00\x00\x00\x00\x00\x00\x00\x00, orig_msg_size=152, flags=1, session_id=79167320227901]
+smb2_transform_header 10.160.64.139 -> 10.160.65.202:445 [signature=\xee\x9aE\xbc%\xe9\xee\xc0)\x1f\x85\x86\xf5\xb16\xaa, nonce=\x9f_\xed\xaa\xd53\xd4y\xe3\xbc\xdb\x00\x00\x00\x00\x00, orig_msg_size=105, flags=1, session_id=79167320227901]
+smb2_transform_header 10.160.64.139 -> 10.160.65.202:445 [signature=N\x9d.\xf1\x01\xe0\xa82\xa4\x8dg\x8ek\xbb\x9d., nonce=m\xf5\xc4\xfcx\xdd\x8e~\x00\x00\x00\x00\x00\x00\x00\x00, orig_msg_size=176, flags=1, session_id=79167320227901]
+smb2_transform_header 10.160.64.139 -> 10.160.65.202:445 [signature=\x098_IU\x1d\xc1\x14?\xebwC\x1aje\xbc, nonce=\xf51\xbb\x95\xc6\x98B\xf9\x82\xab\x8a\x00\x00\x00\x00\x00, orig_msg_size=88, flags=1, session_id=79167320227901]
+smb2_transform_header 10.160.64.139 -> 10.160.65.202:445 [signature=\xa6!\x0c\xe0\xe35\xfd\x0e\x82\xd3\x0a\xfbE\xaa\x85\x06, nonce=n\xf5\xc4\xfcx\xdd\x8e~\x00\x00\x00\x00\x00\x00\x00\x00, orig_msg_size=124, flags=1, session_id=79167320227901]
+smb2_transform_header 10.160.64.139 -> 10.160.65.202:445 [signature=m\x98z\x98Hq\x12L\x85v\x17\xec\xa4\xb7A\x95, nonce=\x04\xa7}z\xb4&\xf7B\xaa\x983\x00\x00\x00\x00\x00, orig_msg_size=128, flags=1, session_id=79167320227901]
+smb2_transform_header 10.160.64.139 -> 10.160.65.202:445 [signature=\xd8\xcf>8!\xcfZ6\x04@\x9f\x86a\xfe\xee\xda, nonce=o\xf5\xc4\xfcx\xdd\x8e~\x00\x00\x00\x00\x00\x00\x00\x00, orig_msg_size=152, flags=1, session_id=79167320227901]
+smb2_transform_header 10.160.64.139 -> 10.160.65.202:445 [signature=9\x00\xe0\x00\xb8%\xddH\xbf\xa9M\xf1\xed\x0c\xf0\xa5, nonce=I\xf8\x1a_\xf1\x1e0\xca\x0a\x8eU\x00\x00\x00\x00\x00, orig_msg_size=98, flags=1, session_id=79167320227901]
+smb2_transform_header 10.160.64.139 -> 10.160.65.202:445 [signature=E|\xeb$V\xf4p,\xa8c\xe6\x1d\xd1a\xb2\xfb, nonce=p\xf5\xc4\xfcx\xdd\x8e~\x00\x00\x00\x00\x00\x00\x00\x00, orig_msg_size=350, flags=1, session_id=79167320227901]
+smb2_transform_header 10.160.64.139 -> 10.160.65.202:445 [signature=\xd2U\xd6\xcf!\x94f\xf8&`J\xd4I(\xa7\x0e, nonce=\x06\x1e\x18+ C\xa1P\xb7\x86f\x00\x00\x00\x00\x00, orig_msg_size=98, flags=1, session_id=79167320227901]
+smb2_transform_header 10.160.64.139 -> 10.160.65.202:445 [signature=4\xb6\xb2|\x02$\x8bF\xf0\x16\x97\xc3s\xd7(F, nonce=q\xf5\xc4\xfcx\xdd\x8e~\x00\x00\x00\x00\x00\x00\x00\x00, orig_msg_size=73, flags=1, session_id=79167320227901]
+smb2_transform_header 10.160.64.139 -> 10.160.65.202:445 [signature=1\x9d\xe63DL\x16\xc2\x8bt\x15\xe8\xb4\xf2\xfa\x90, nonce=}\x09FCI\xf9\x09&\x8aEf\x00\x00\x00\x00\x00, orig_msg_size=88, flags=1, session_id=79167320227901]
+smb2_transform_header 10.160.64.139 -> 10.160.65.202:445 [signature=\x82\xef\x1e_\xee{\xc2\xack\x05\xbe\x82\x93<\x18\xe7, nonce=r\xf5\xc4\xfcx\xdd\x8e~\x00\x00\x00\x00\x00\x00\x00\x00, orig_msg_size=124, flags=1, session_id=79167320227901]

testing/btest/Baseline/scripts.base.protocols.smb.smb3/smb_mapping.log

@@ -0,0 +1,11 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	smb_mapping
+#open	2019-02-21-09-15-32
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	path	service	native_file_system	share_type
+#types	time	string	addr	port	addr	port	string	string	string	string
+1495015336.544229	CHhAvVGS1DHFjwGM9	10.160.64.139	38166	10.160.65.202	445	\\\\WS2016\\encrypted	-	-	DISK
+1495015336.569009	CHhAvVGS1DHFjwGM9	10.160.64.139	38166	10.160.65.202	445	\\\\10.160.65.202\\IPC$	-	-	PIPE
+#close	2019-02-21-09-15-32

testing/btest/scripts/base/protocols/smb/smb3.test

@@ -0,0 +1,14 @@
+# @TEST-EXEC: bro -r $TRACES/smb/smb3.pcap %INPUT
+# @TEST-EXEC: btest-diff smb_mapping.log
+# @TEST-EXEC: test ! -f dpd.log
+# @TEST-EXEC: test ! -f weird.log
+# @TEST-EXEC: btest-diff .stdout
+
+@load base/protocols/smb
+
+# Add a test for SMB2 transform header.
+event smb2_transform_header(c: connection, hdr: SMB2::Transform_header)
+	{
+	print fmt("smb2_transform_header %s -> %s:%d %s", c$id$orig_h, c$id$resp_h, c$id$resp_p, hdr);
+	}
+