diff --git a/CHANGES b/CHANGES
index b2dbd0714d..5cbec754f4 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,4 +1,9 @@
+2.5-848 | 2018-08-16 17:21:28 -0500
+
+ * Enable SMB by default by moving scripts from policy/ to base/
+ (Jon Siwek, Corelight)
+
2.5-847 | 2018-08-16 16:07:14 -0500
* BIT-1924: add DHCP port to software.log for completeness
diff --git a/NEWS b/NEWS
index 6251fa5071..1809cd4bd6 100644
--- a/NEWS
+++ b/NEWS
@@ -239,6 +239,9 @@ New Functionality
- Added new NFS events: nfs_proc_symlink, nfs_proc_link, nfs_proc_sattr
+- The SMB scripts in policy/protocols/smb are now moved into base/protocols/smb
+ and loaded/enabled by default.
+
- Added new SMB events: smb1_transaction_secondary_request,
smb1_transaction2_secondary_request, smb1_transaction_response
diff --git a/VERSION b/VERSION
index 2903be358d..3c34b2649e 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-2.5-847
+2.5-848
diff --git a/scripts/base/init-default.bro b/scripts/base/init-default.bro
index d0db0a0330..463f5c2942 100644
--- a/scripts/base/init-default.bro
+++ b/scripts/base/init-default.bro
@@ -62,8 +62,6 @@
@load base/protocols/rfb
@load base/protocols/sip
@load base/protocols/snmp
-# This DOES NOT enable the SMB analyzer. It's just some base support
-# for other protocols.
@load base/protocols/smb
@load base/protocols/smtp
@load base/protocols/socks
diff --git a/scripts/base/protocols/smb/README b/scripts/base/protocols/smb/README
index 6e41fd1a28..d10322faad 100644
--- a/scripts/base/protocols/smb/README
+++ b/scripts/base/protocols/smb/README
@@ -1 +1 @@
-Definitions of constants used by the SMB protocol.
+Support for SMB protocol analysis.
diff --git a/scripts/base/protocols/smb/__load__.bro b/scripts/base/protocols/smb/__load__.bro
index 975d204851..d1ed8cdfe9 100644
--- a/scripts/base/protocols/smb/__load__.bro
+++ b/scripts/base/protocols/smb/__load__.bro
@@ -1,3 +1,10 @@
@load ./consts
@load ./const-dos-error
@load ./const-nt-status
+
+@load ./main
+@load ./smb1-main
+@load ./smb2-main
+@load ./files
+
+@load-sigs ./dpd.sig
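Review bot: This package now enables SMB analysis rather than just defining constants, yet `__load__.bro` carries no `##!` doc header saying so, and the only comment that described the package's effect was the one deleted from init-default.bro in this same commit. A one-line header would close that gap, e.g. `##! Support for SMB protocol analysis. Loading this package enables the SMB analyzer and the smb_cmd, smb_files and smb_mapping logs.` — the analyzer ports (139/tcp, 445/tcp) and the three log streams are confirmed by the updated plugins.hooks baseline further down. The load order itself looks sound: the constant files precede `./main`, and `@load-sigs ./dpd.sig` comes last; whether the signature file depends on anything in `./main` is not visible here since dpd.sig is renamed unchanged.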
diff --git a/scripts/policy/protocols/smb/dpd.sig b/scripts/base/protocols/smb/dpd.sig
similarity index 100%
rename from scripts/policy/protocols/smb/dpd.sig
rename to scripts/base/protocols/smb/dpd.sig
diff --git a/scripts/policy/protocols/smb/files.bro b/scripts/base/protocols/smb/files.bro
similarity index 100%
rename from scripts/policy/protocols/smb/files.bro
rename to scripts/base/protocols/smb/files.bro
diff --git a/scripts/policy/protocols/smb/main.bro b/scripts/base/protocols/smb/main.bro
similarity index 99%
rename from scripts/policy/protocols/smb/main.bro
rename to scripts/base/protocols/smb/main.bro
index 51aab775c0..a2226ded33 100644
--- a/scripts/policy/protocols/smb/main.bro
+++ b/scripts/base/protocols/smb/main.bro
@@ -1,4 +1,6 @@
-@load base/protocols/smb
+@load ./consts
+@load ./const-dos-error
+@load ./const-nt-status
module SMB;
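Review bot: The three `@load ./consts`/`./const-dos-error`/`./const-nt-status` lines duplicate what the package's own `__load__.bro` already loads, and nothing records why, so a later cleanup is likely to remove them. If the intent is that main.bro remains usable when `@load`ed directly instead of through the package, a short comment would pin that down, e.g. `# Loaded here as well so this script works when @load'ed on its own, not only via the package __load__.bro.` smb1-main.bro, smb2-main.bro and files.bro are moved with similarity 100%, so whether they contain an equivalent `@load base/protocols/smb` that now points back at their own package is not visible in this diff and is worth a quick check.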
diff --git a/scripts/policy/protocols/smb/smb1-main.bro b/scripts/base/protocols/smb/smb1-main.bro
similarity index 100%
rename from scripts/policy/protocols/smb/smb1-main.bro
rename to scripts/base/protocols/smb/smb1-main.bro
diff --git a/scripts/policy/protocols/smb/smb2-main.bro b/scripts/base/protocols/smb/smb2-main.bro
similarity index 100%
rename from scripts/policy/protocols/smb/smb2-main.bro
rename to scripts/base/protocols/smb/smb2-main.bro
diff --git a/scripts/policy/protocols/smb/README b/scripts/policy/protocols/smb/README
deleted file mode 100644
index d10322faad..0000000000
--- a/scripts/policy/protocols/smb/README
+++ /dev/null
@@ -1 +0,0 @@
-Support for SMB protocol analysis.
diff --git a/scripts/policy/protocols/smb/__load__.bro b/scripts/policy/protocols/smb/__load__.bro
deleted file mode 100644
index 31c8469c60..0000000000
--- a/scripts/policy/protocols/smb/__load__.bro
+++ /dev/null
@@ -1,8 +0,0 @@
-@load base/protocols/smb
-
-@load ./main
-@load ./smb1-main
-@load ./smb2-main
-@load ./files
-
-@load-sigs ./dpd.sig
diff --git a/scripts/site/local.bro b/scripts/site/local.bro
index 5064d6a330..605b5ab75d 100644
--- a/scripts/site/local.bro
+++ b/scripts/site/local.bro
@@ -99,7 +99,3 @@
# Uncomment the following line to enable logging of link-layer addresses. Enabling
# this adds the link-layer address for each connection endpoint to the conn.log file.
# @load policy/protocols/conn/mac-logging
-
-# Uncomment the following line to enable the SMB analyzer. The analyzer
-# is currently considered a preview and therefore not loaded by default.
-# @load policy/protocols/smb
diff --git a/scripts/test-all-policy.bro b/scripts/test-all-policy.bro
index 3389942fe5..e0268a7c62 100644
--- a/scripts/test-all-policy.bro
+++ b/scripts/test-all-policy.bro
@@ -80,11 +80,6 @@
@load protocols/modbus/track-memmap.bro
@load protocols/mysql/software.bro
@load protocols/rdp/indicate_ssl.bro
-@load protocols/smb/__load__.bro
-@load protocols/smb/files.bro
-@load protocols/smb/main.bro
-@load protocols/smb/smb1-main.bro
-@load protocols/smb/smb2-main.bro
@load protocols/smtp/blocklists.bro
@load protocols/smtp/detect-suspicious-orig.bro
@load protocols/smtp/entities-excerpt.bro
diff --git a/testing/btest/Baseline/core.print-bpf-filters/output2 b/testing/btest/Baseline/core.print-bpf-filters/output2
index af9ccda1ae..26a4b5fa85 100644
--- a/testing/btest/Baseline/core.print-bpf-filters/output2
+++ b/testing/btest/Baseline/core.print-bpf-filters/output2
@@ -1,6 +1,7 @@
2 1080
1 135
1 137
+1 139
1 143
1 1434
1 161
@@ -19,6 +20,7 @@
1 3544
1 4011
2 443
+1 445
1 502
1 5060
1 5072
@@ -52,8 +54,8 @@
1 992
1 993
1 995
-59 and
-58 or
-59 port
-40 tcp
+61 and
+60 or
+61 port
+42 tcp
19 udp
diff --git a/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log b/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log
index 4742280a26..ebe22c1b91 100644
--- a/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log
+++ b/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log
@@ -327,6 +327,10 @@ scripts/base/init-default.bro
scripts/base/protocols/smb/consts.bro
scripts/base/protocols/smb/const-dos-error.bro
scripts/base/protocols/smb/const-nt-status.bro
+ scripts/base/protocols/smb/main.bro
+ scripts/base/protocols/smb/smb1-main.bro
+ scripts/base/protocols/smb/smb2-main.bro
+ scripts/base/protocols/smb/files.bro
scripts/base/protocols/pop3/__load__.bro
scripts/base/protocols/radius/__load__.bro
scripts/base/protocols/radius/main.bro
diff --git a/testing/btest/Baseline/plugins.hooks/output b/testing/btest/Baseline/plugins.hooks/output
index a8ebd497b9..0fadde65a5 100644
--- a/testing/btest/Baseline/plugins.hooks/output
+++ b/testing/btest/Baseline/plugins.hooks/output
@@ -40,6 +40,8 @@
0.000000 MetaHookPost CallFunction(Analyzer::__register_for_port, , (Analyzer::ANALYZER_RADIUS, 1812/udp)) ->
0.000000 MetaHookPost CallFunction(Analyzer::__register_for_port, , (Analyzer::ANALYZER_RDP, 3389/tcp)) ->
0.000000 MetaHookPost CallFunction(Analyzer::__register_for_port, , (Analyzer::ANALYZER_SIP, 5060/udp)) ->
+0.000000 MetaHookPost CallFunction(Analyzer::__register_for_port, , (Analyzer::ANALYZER_SMB, 139/tcp)) ->
+0.000000 MetaHookPost CallFunction(Analyzer::__register_for_port, , (Analyzer::ANALYZER_SMB, 445/tcp)) ->
0.000000 MetaHookPost CallFunction(Analyzer::__register_for_port, , (Analyzer::ANALYZER_SMTP, 25/tcp)) ->
0.000000 MetaHookPost CallFunction(Analyzer::__register_for_port, , (Analyzer::ANALYZER_SMTP, 587/tcp)) ->
0.000000 MetaHookPost CallFunction(Analyzer::__register_for_port, , (Analyzer::ANALYZER_SNMP, 161/udp)) ->
@@ -103,6 +105,8 @@
0.000000 MetaHookPost CallFunction(Analyzer::register_for_port, , (Analyzer::ANALYZER_RADIUS, 1812/udp)) ->
0.000000 MetaHookPost CallFunction(Analyzer::register_for_port, , (Analyzer::ANALYZER_RDP, 3389/tcp)) ->
0.000000 MetaHookPost CallFunction(Analyzer::register_for_port, , (Analyzer::ANALYZER_SIP, 5060/udp)) ->
+0.000000 MetaHookPost CallFunction(Analyzer::register_for_port, , (Analyzer::ANALYZER_SMB, 139/tcp)) ->
+0.000000 MetaHookPost CallFunction(Analyzer::register_for_port, , (Analyzer::ANALYZER_SMB, 445/tcp)) ->
0.000000 MetaHookPost CallFunction(Analyzer::register_for_port, , (Analyzer::ANALYZER_SMTP, 25/tcp)) ->
0.000000 MetaHookPost CallFunction(Analyzer::register_for_port, , (Analyzer::ANALYZER_SMTP, 587/tcp)) ->
0.000000 MetaHookPost CallFunction(Analyzer::register_for_port, , (Analyzer::ANALYZER_SNMP, 161/udp)) ->
@@ -142,6 +146,7 @@
0.000000 MetaHookPost CallFunction(Analyzer::register_for_ports, , (Analyzer::ANALYZER_RADIUS, {1812/udp})) ->
0.000000 MetaHookPost CallFunction(Analyzer::register_for_ports, , (Analyzer::ANALYZER_RDP, {3389/tcp})) ->
0.000000 MetaHookPost CallFunction(Analyzer::register_for_ports, , (Analyzer::ANALYZER_SIP, {5060/udp})) ->
+0.000000 MetaHookPost CallFunction(Analyzer::register_for_ports, , (Analyzer::ANALYZER_SMB, {139<...>/tcp})) ->
0.000000 MetaHookPost CallFunction(Analyzer::register_for_ports, , (Analyzer::ANALYZER_SMTP, {587<...>/tcp})) ->
0.000000 MetaHookPost CallFunction(Analyzer::register_for_ports, , (Analyzer::ANALYZER_SNMP, {162<...>/udp})) ->
0.000000 MetaHookPost CallFunction(Analyzer::register_for_ports, , (Analyzer::ANALYZER_SOCKS, {1080/tcp})) ->
@@ -174,6 +179,7 @@
0.000000 MetaHookPost CallFunction(Files::register_protocol, , (Analyzer::ANALYZER_IRC_DATA, [get_file_handle=IRC::get_file_handle{ return (cat(Analyzer::ANALYZER_IRC_DATA, IRC::c$start_time, IRC::c$id, IRC::is_orig))}, describe=anonymous-function{ return ()}])) ->
0.000000 MetaHookPost CallFunction(Files::register_protocol, , (Analyzer::ANALYZER_KRB, [get_file_handle=KRB::get_file_handle{ return ()}, describe=KRB::describe_file{ KRB::cid{ if (KRB::f$source != KRB_TCP && KRB::f$source != KRB) return ()if (!KRB::f?$info || !KRB::f$info?$x509 || !KRB::f$info$x509?$certificate) return ()for ([KRB::cid] in KRB::f$conns) { if (KRB::f$conns[KRB::cid]?$krb) { KRB::c = KRB::f$conns[KRB::cid]return (cat(KRB::c$id$resp_h, :, KRB::c$id$resp_p))}}return (cat(Serial: , KRB::f$info$x509$certificate$serial, Subject: , KRB::f$info$x509$certificate$subject, Issuer: , KRB::f$info$x509$certificate$issuer))}}])) ->
0.000000 MetaHookPost CallFunction(Files::register_protocol, , (Analyzer::ANALYZER_KRB_TCP, [get_file_handle=KRB::get_file_handle{ return ()}, describe=KRB::describe_file{ KRB::cid{ if (KRB::f$source != KRB_TCP && KRB::f$source != KRB) return ()if (!KRB::f?$info || !KRB::f$info?$x509 || !KRB::f$info$x509?$certificate) return ()for ([KRB::cid] in KRB::f$conns) { if (KRB::f$conns[KRB::cid]?$krb) { KRB::c = KRB::f$conns[KRB::cid]return (cat(KRB::c$id$resp_h, :, KRB::c$id$resp_p))}}return (cat(Serial: , KRB::f$info$x509$certificate$serial, Subject: , KRB::f$info$x509$certificate$subject, Issuer: , KRB::f$info$x509$certificate$issuer))}}])) ->
+0.000000 MetaHookPost CallFunction(Files::register_protocol, , (Analyzer::ANALYZER_SMB, [get_file_handle=SMB::get_file_handle{ if (!(SMB::c$smb_state?$current_file && (SMB::c$smb_state$current_file?$name || SMB::c$smb_state$current_file?$path))) { return ()}SMB::current_file = SMB::c$smb_state$current_fileSMB::path_name = SMB::current_file?$path ? SMB::current_file$path : SMB::file_name = SMB::current_file?$name ? SMB::current_file$name : SMB::last_mod = cat(SMB::current_file?$times ? SMB::current_file$times$modified : double_to_time(0.0))return (hexdump(cat(Analyzer::ANALYZER_SMB, SMB::c$id$orig_h, SMB::c$id$resp_h, SMB::path_name, SMB::file_name, SMB::last_mod)))}, describe=SMB::describe_file{ SMB::cid{ if (SMB::f$source != SMB) return ()for ([SMB::cid] in SMB::f$conns) { SMB::info = SMB::f$conns[SMB::cid]if (SMB::info?$smb_state && SMB::info$smb_state?$current_file && SMB::info$smb_state$current_file?$name) return (SMB::info$smb_state$current_file$name)}return ()}}])) ->
0.000000 MetaHookPost CallFunction(Files::register_protocol, , (Analyzer::ANALYZER_SMTP, [get_file_handle=SMTP::get_file_handle{ return (cat(Analyzer::ANALYZER_SMTP, SMTP::c$start_time, SMTP::c$smtp$trans_depth, SMTP::c$smtp_state$mime_depth))}, describe=SMTP::describe_file{ SMTP::cid{ if (SMTP::f$source != SMTP) return ()for ([SMTP::cid] in SMTP::f$conns) { SMTP::c = SMTP::f$conns[SMTP::cid]return (SMTP::describe(SMTP::c$smtp))}return ()}}])) ->
0.000000 MetaHookPost CallFunction(Files::register_protocol, , (Analyzer::ANALYZER_SSL, [get_file_handle=SSL::get_file_handle{ return ()}, describe=SSL::describe_file{ SSL::cid{ if (SSL::f$source != SSL || !SSL::f?$info || !SSL::f$info?$x509 || !SSL::f$info$x509?$certificate) return ()for ([SSL::cid] in SSL::f$conns) { if (SSL::f$conns[SSL::cid]?$ssl) { SSL::c = SSL::f$conns[SSL::cid]return (cat(SSL::c$id$resp_h, :, SSL::c$id$resp_p))}}return (cat(Serial: , SSL::f$info$x509$certificate$serial, Subject: , SSL::f$info$x509$certificate$subject, Issuer: , SSL::f$info$x509$certificate$issuer))}}])) ->
0.000000 MetaHookPost CallFunction(Log::__add_filter, , (Broker::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=broker, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}])) ->
@@ -207,6 +213,9 @@
0.000000 MetaHookPost CallFunction(Log::__add_filter, , (RFB::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=rfb, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}])) ->
0.000000 MetaHookPost CallFunction(Log::__add_filter, , (Reporter::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=reporter, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}])) ->
0.000000 MetaHookPost CallFunction(Log::__add_filter, , (SIP::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=sip, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}])) ->
+0.000000 MetaHookPost CallFunction(Log::__add_filter, , (SMB::CMD_LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=smb_cmd, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}])) ->
+0.000000 MetaHookPost CallFunction(Log::__add_filter, , (SMB::FILES_LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=smb_files, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}])) ->
+0.000000 MetaHookPost CallFunction(Log::__add_filter, , (SMB::MAPPING_LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=smb_mapping, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}])) ->
0.000000 MetaHookPost CallFunction(Log::__add_filter, , (SMTP::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=smtp, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}])) ->
0.000000 MetaHookPost CallFunction(Log::__add_filter, , (SNMP::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=snmp, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}])) ->
0.000000 MetaHookPost CallFunction(Log::__add_filter, , (SOCKS::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=socks, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}])) ->
@@ -251,6 +260,9 @@
0.000000 MetaHookPost CallFunction(Log::__create_stream, , (RFB::LOG, [columns=, ev=RFB::log_rfb, path=rfb])) ->
0.000000 MetaHookPost CallFunction(Log::__create_stream, , (Reporter::LOG, [columns=, ev=, path=reporter])) ->
0.000000 MetaHookPost CallFunction(Log::__create_stream, , (SIP::LOG, [columns=, ev=SIP::log_sip, path=sip])) ->
+0.000000 MetaHookPost CallFunction(Log::__create_stream, , (SMB::CMD_LOG, [columns=, ev=, path=smb_cmd])) ->
+0.000000 MetaHookPost CallFunction(Log::__create_stream, , (SMB::FILES_LOG, [columns=, ev=, path=smb_files])) ->
+0.000000 MetaHookPost CallFunction(Log::__create_stream, , (SMB::MAPPING_LOG, [columns=, ev=, path=smb_mapping])) ->
0.000000 MetaHookPost CallFunction(Log::__create_stream, , (SMTP::LOG, [columns=, ev=SMTP::log_smtp, path=smtp])) ->
0.000000 MetaHookPost CallFunction(Log::__create_stream, , (SNMP::LOG, [columns=, ev=SNMP::log_snmp, path=snmp])) ->
0.000000 MetaHookPost CallFunction(Log::__create_stream, , (SOCKS::LOG, [columns=, ev=SOCKS::log_socks, path=socks])) ->
@@ -264,7 +276,7 @@
0.000000 MetaHookPost CallFunction(Log::__create_stream, , (Weird::LOG, [columns=, ev=Weird::log_weird, path=weird])) ->
0.000000 MetaHookPost CallFunction(Log::__create_stream, , (X509::LOG, [columns=, ev=X509::log_x509, path=x509])) ->
0.000000 MetaHookPost CallFunction(Log::__create_stream, , (mysql::LOG, [columns=, ev=MySQL::log_mysql, path=mysql])) ->
-0.000000 MetaHookPost CallFunction(Log::__write, , (PacketFilter::LOG, [ts=1528475846.472749, node=bro, filter=ip or not ip, init=T, success=T])) ->
+0.000000 MetaHookPost CallFunction(Log::__write, , (PacketFilter::LOG, [ts=1534455885.275568, node=bro, filter=ip or not ip, init=T, success=T])) ->
0.000000 MetaHookPost CallFunction(Log::add_default_filter, , (Broker::LOG)) ->
0.000000 MetaHookPost CallFunction(Log::add_default_filter, , (Cluster::LOG)) ->
0.000000 MetaHookPost CallFunction(Log::add_default_filter, , (Config::LOG)) ->
@@ -296,6 +308,9 @@
0.000000 MetaHookPost CallFunction(Log::add_default_filter, , (RFB::LOG)) ->
0.000000 MetaHookPost CallFunction(Log::add_default_filter, , (Reporter::LOG)) ->
0.000000 MetaHookPost CallFunction(Log::add_default_filter, , (SIP::LOG)) ->
+0.000000 MetaHookPost CallFunction(Log::add_default_filter, , (SMB::CMD_LOG)) ->
+0.000000 MetaHookPost CallFunction(Log::add_default_filter, , (SMB::FILES_LOG)) ->
+0.000000 MetaHookPost CallFunction(Log::add_default_filter, , (SMB::MAPPING_LOG)) ->
0.000000 MetaHookPost CallFunction(Log::add_default_filter, , (SMTP::LOG)) ->
0.000000 MetaHookPost CallFunction(Log::add_default_filter, , (SNMP::LOG)) ->
0.000000 MetaHookPost CallFunction(Log::add_default_filter, , (SOCKS::LOG)) ->
@@ -340,6 +355,9 @@
0.000000 MetaHookPost CallFunction(Log::add_filter, , (RFB::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}])) ->
0.000000 MetaHookPost CallFunction(Log::add_filter, , (Reporter::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}])) ->
0.000000 MetaHookPost CallFunction(Log::add_filter, , (SIP::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}])) ->
+0.000000 MetaHookPost CallFunction(Log::add_filter, , (SMB::CMD_LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}])) ->
+0.000000 MetaHookPost CallFunction(Log::add_filter, , (SMB::FILES_LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}])) ->
+0.000000 MetaHookPost CallFunction(Log::add_filter, , (SMB::MAPPING_LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}])) ->
0.000000 MetaHookPost CallFunction(Log::add_filter, , (SMTP::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}])) ->
0.000000 MetaHookPost CallFunction(Log::add_filter, , (SNMP::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}])) ->
0.000000 MetaHookPost CallFunction(Log::add_filter, , (SOCKS::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}])) ->
@@ -384,6 +402,9 @@
0.000000 MetaHookPost CallFunction(Log::add_stream_filters, , (RFB::LOG, default)) ->
0.000000 MetaHookPost CallFunction(Log::add_stream_filters, , (Reporter::LOG, default)) ->
0.000000 MetaHookPost CallFunction(Log::add_stream_filters, , (SIP::LOG, default)) ->
+0.000000 MetaHookPost CallFunction(Log::add_stream_filters, , (SMB::CMD_LOG, default)) ->
+0.000000 MetaHookPost CallFunction(Log::add_stream_filters, , (SMB::FILES_LOG, default)) ->
+0.000000 MetaHookPost CallFunction(Log::add_stream_filters, , (SMB::MAPPING_LOG, default)) ->
0.000000 MetaHookPost CallFunction(Log::add_stream_filters, , (SMTP::LOG, default)) ->
0.000000 MetaHookPost CallFunction(Log::add_stream_filters, , (SNMP::LOG, default)) ->
0.000000 MetaHookPost CallFunction(Log::add_stream_filters, , (SOCKS::LOG, default)) ->
@@ -428,6 +449,9 @@
0.000000 MetaHookPost CallFunction(Log::create_stream, , (RFB::LOG, [columns=, ev=RFB::log_rfb, path=rfb])) ->
0.000000 MetaHookPost CallFunction(Log::create_stream, , (Reporter::LOG, [columns=, ev=, path=reporter])) ->
0.000000 MetaHookPost CallFunction(Log::create_stream, , (SIP::LOG, [columns=, ev=SIP::log_sip, path=sip])) ->
+0.000000 MetaHookPost CallFunction(Log::create_stream, , (SMB::CMD_LOG, [columns=, ev=, path=smb_cmd])) ->
+0.000000 MetaHookPost CallFunction(Log::create_stream, , (SMB::FILES_LOG, [columns=, ev=, path=smb_files])) ->
+0.000000 MetaHookPost CallFunction(Log::create_stream, , (SMB::MAPPING_LOG, [columns=, ev=, path=smb_mapping])) ->
0.000000 MetaHookPost CallFunction(Log::create_stream, , (SMTP::LOG, [columns=, ev=SMTP::log_smtp, path=smtp])) ->
0.000000 MetaHookPost CallFunction(Log::create_stream, , (SNMP::LOG, [columns=, ev=SNMP::log_snmp, path=snmp])) ->
0.000000 MetaHookPost CallFunction(Log::create_stream, , (SOCKS::LOG, [columns=, ev=SOCKS::log_socks, path=socks])) ->
@@ -441,7 +465,7 @@
0.000000 MetaHookPost CallFunction(Log::create_stream, , (Weird::LOG, [columns=, ev=Weird::log_weird, path=weird])) ->
0.000000 MetaHookPost CallFunction(Log::create_stream, , (X509::LOG, [columns=, ev=X509::log_x509, path=x509])) ->
0.000000 MetaHookPost CallFunction(Log::create_stream, , (mysql::LOG, [columns=, ev=MySQL::log_mysql, path=mysql])) ->
-0.000000 MetaHookPost CallFunction(Log::write, , (PacketFilter::LOG, [ts=1528475846.472749, node=bro, filter=ip or not ip, init=T, success=T])) ->
+0.000000 MetaHookPost CallFunction(Log::write, , (PacketFilter::LOG, [ts=1534455885.275568, node=bro, filter=ip or not ip, init=T, success=T])) ->
0.000000 MetaHookPost CallFunction(NetControl::check_plugins, , ()) ->
0.000000 MetaHookPost CallFunction(NetControl::init, , ()) ->
0.000000 MetaHookPost CallFunction(Notice::want_pp, , ()) ->
@@ -669,6 +693,8 @@
0.000000 MetaHookPost LoadFile(0, .<...>/sftp.bro) -> -1
0.000000 MetaHookPost LoadFile(0, .<...>/shunt.bro) -> -1
0.000000 MetaHookPost LoadFile(0, .<...>/site.bro) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/smb1-main.bro) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/smb2-main.bro) -> -1
0.000000 MetaHookPost LoadFile(0, .<...>/sqlite.bro) -> -1
0.000000 MetaHookPost LoadFile(0, .<...>/stats.bif.bro) -> -1
0.000000 MetaHookPost LoadFile(0, .<...>/std-dev.bro) -> -1
@@ -843,6 +869,8 @@
0.000000 MetaHookPre CallFunction(Analyzer::__register_for_port, , (Analyzer::ANALYZER_RADIUS, 1812/udp))
0.000000 MetaHookPre CallFunction(Analyzer::__register_for_port, , (Analyzer::ANALYZER_RDP, 3389/tcp))
0.000000 MetaHookPre CallFunction(Analyzer::__register_for_port, , (Analyzer::ANALYZER_SIP, 5060/udp))
+0.000000 MetaHookPre CallFunction(Analyzer::__register_for_port, , (Analyzer::ANALYZER_SMB, 139/tcp))
+0.000000 MetaHookPre CallFunction(Analyzer::__register_for_port, , (Analyzer::ANALYZER_SMB, 445/tcp))
0.000000 MetaHookPre CallFunction(Analyzer::__register_for_port, , (Analyzer::ANALYZER_SMTP, 25/tcp))
0.000000 MetaHookPre CallFunction(Analyzer::__register_for_port, , (Analyzer::ANALYZER_SMTP, 587/tcp))
0.000000 MetaHookPre CallFunction(Analyzer::__register_for_port, , (Analyzer::ANALYZER_SNMP, 161/udp))
@@ -906,6 +934,8 @@
0.000000 MetaHookPre CallFunction(Analyzer::register_for_port, , (Analyzer::ANALYZER_RADIUS, 1812/udp))
0.000000 MetaHookPre CallFunction(Analyzer::register_for_port, , (Analyzer::ANALYZER_RDP, 3389/tcp))
0.000000 MetaHookPre CallFunction(Analyzer::register_for_port, , (Analyzer::ANALYZER_SIP, 5060/udp))
+0.000000 MetaHookPre CallFunction(Analyzer::register_for_port, , (Analyzer::ANALYZER_SMB, 139/tcp))
+0.000000 MetaHookPre CallFunction(Analyzer::register_for_port, , (Analyzer::ANALYZER_SMB, 445/tcp))
0.000000 MetaHookPre CallFunction(Analyzer::register_for_port, , (Analyzer::ANALYZER_SMTP, 25/tcp))
0.000000 MetaHookPre CallFunction(Analyzer::register_for_port, , (Analyzer::ANALYZER_SMTP, 587/tcp))
0.000000 MetaHookPre CallFunction(Analyzer::register_for_port, , (Analyzer::ANALYZER_SNMP, 161/udp))
@@ -945,6 +975,7 @@
0.000000 MetaHookPre CallFunction(Analyzer::register_for_ports, , (Analyzer::ANALYZER_RADIUS, {1812/udp}))
0.000000 MetaHookPre CallFunction(Analyzer::register_for_ports, , (Analyzer::ANALYZER_RDP, {3389/tcp}))
0.000000 MetaHookPre CallFunction(Analyzer::register_for_ports, , (Analyzer::ANALYZER_SIP, {5060/udp}))
+0.000000 MetaHookPre CallFunction(Analyzer::register_for_ports, , (Analyzer::ANALYZER_SMB, {139<...>/tcp}))
0.000000 MetaHookPre CallFunction(Analyzer::register_for_ports, , (Analyzer::ANALYZER_SMTP, {587<...>/tcp}))
0.000000 MetaHookPre CallFunction(Analyzer::register_for_ports, , (Analyzer::ANALYZER_SNMP, {162<...>/udp}))
0.000000 MetaHookPre CallFunction(Analyzer::register_for_ports, , (Analyzer::ANALYZER_SOCKS, {1080/tcp}))
@@ -977,6 +1008,7 @@
0.000000 MetaHookPre CallFunction(Files::register_protocol, , (Analyzer::ANALYZER_IRC_DATA, [get_file_handle=IRC::get_file_handle{ return (cat(Analyzer::ANALYZER_IRC_DATA, IRC::c$start_time, IRC::c$id, IRC::is_orig))}, describe=anonymous-function{ return ()}]))
0.000000 MetaHookPre CallFunction(Files::register_protocol, , (Analyzer::ANALYZER_KRB, [get_file_handle=KRB::get_file_handle{ return ()}, describe=KRB::describe_file{ KRB::cid{ if (KRB::f$source != KRB_TCP && KRB::f$source != KRB) return ()if (!KRB::f?$info || !KRB::f$info?$x509 || !KRB::f$info$x509?$certificate) return ()for ([KRB::cid] in KRB::f$conns) { if (KRB::f$conns[KRB::cid]?$krb) { KRB::c = KRB::f$conns[KRB::cid]return (cat(KRB::c$id$resp_h, :, KRB::c$id$resp_p))}}return (cat(Serial: , KRB::f$info$x509$certificate$serial, Subject: , KRB::f$info$x509$certificate$subject, Issuer: , KRB::f$info$x509$certificate$issuer))}}]))
0.000000 MetaHookPre CallFunction(Files::register_protocol, , (Analyzer::ANALYZER_KRB_TCP, [get_file_handle=KRB::get_file_handle{ return ()}, describe=KRB::describe_file{ KRB::cid{ if (KRB::f$source != KRB_TCP && KRB::f$source != KRB) return ()if (!KRB::f?$info || !KRB::f$info?$x509 || !KRB::f$info$x509?$certificate) return ()for ([KRB::cid] in KRB::f$conns) { if (KRB::f$conns[KRB::cid]?$krb) { KRB::c = KRB::f$conns[KRB::cid]return (cat(KRB::c$id$resp_h, :, KRB::c$id$resp_p))}}return (cat(Serial: , KRB::f$info$x509$certificate$serial, Subject: , KRB::f$info$x509$certificate$subject, Issuer: , KRB::f$info$x509$certificate$issuer))}}]))
+0.000000 MetaHookPre CallFunction(Files::register_protocol, , (Analyzer::ANALYZER_SMB, [get_file_handle=SMB::get_file_handle{ if (!(SMB::c$smb_state?$current_file && (SMB::c$smb_state$current_file?$name || SMB::c$smb_state$current_file?$path))) { return ()}SMB::current_file = SMB::c$smb_state$current_fileSMB::path_name = SMB::current_file?$path ? SMB::current_file$path : SMB::file_name = SMB::current_file?$name ? SMB::current_file$name : SMB::last_mod = cat(SMB::current_file?$times ? SMB::current_file$times$modified : double_to_time(0.0))return (hexdump(cat(Analyzer::ANALYZER_SMB, SMB::c$id$orig_h, SMB::c$id$resp_h, SMB::path_name, SMB::file_name, SMB::last_mod)))}, describe=SMB::describe_file{ SMB::cid{ if (SMB::f$source != SMB) return ()for ([SMB::cid] in SMB::f$conns) { SMB::info = SMB::f$conns[SMB::cid]if (SMB::info?$smb_state && SMB::info$smb_state?$current_file && SMB::info$smb_state$current_file?$name) return (SMB::info$smb_state$current_file$name)}return ()}}]))
0.000000 MetaHookPre CallFunction(Files::register_protocol, , (Analyzer::ANALYZER_SMTP, [get_file_handle=SMTP::get_file_handle{ return (cat(Analyzer::ANALYZER_SMTP, SMTP::c$start_time, SMTP::c$smtp$trans_depth, SMTP::c$smtp_state$mime_depth))}, describe=SMTP::describe_file{ SMTP::cid{ if (SMTP::f$source != SMTP) return ()for ([SMTP::cid] in SMTP::f$conns) { SMTP::c = SMTP::f$conns[SMTP::cid]return (SMTP::describe(SMTP::c$smtp))}return ()}}]))
0.000000 MetaHookPre CallFunction(Files::register_protocol, , (Analyzer::ANALYZER_SSL, [get_file_handle=SSL::get_file_handle{ return ()}, describe=SSL::describe_file{ SSL::cid{ if (SSL::f$source != SSL || !SSL::f?$info || !SSL::f$info?$x509 || !SSL::f$info$x509?$certificate) return ()for ([SSL::cid] in SSL::f$conns) { if (SSL::f$conns[SSL::cid]?$ssl) { SSL::c = SSL::f$conns[SSL::cid]return (cat(SSL::c$id$resp_h, :, SSL::c$id$resp_p))}}return (cat(Serial: , SSL::f$info$x509$certificate$serial, Subject: , SSL::f$info$x509$certificate$subject, Issuer: , SSL::f$info$x509$certificate$issuer))}}]))
0.000000 MetaHookPre CallFunction(Log::__add_filter, , (Broker::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=broker, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}]))
@@ -1010,6 +1042,9 @@
0.000000 MetaHookPre CallFunction(Log::__add_filter, , (RFB::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=rfb, path_func=, include=