From a346b01a85ed3ba5b7c329ccb4b9ce18d01b765d Mon Sep 17 00:00:00 2001
From: mauro
Date: Thu, 21 Feb 2019 12:01:02 +0100
Subject: [PATCH] clean up, test and pcap for transform_header added
---
 .../smb/smb2-com-transform-header.pac | 4 --
 src/analyzer/protocol/smb/smb2-protocol.pac | 2 +-
 .../smb/smb2_com_transform_header.bif | 2 +-
 .../canonified_loaded_scripts.log | 1 +
 .../canonified_loaded_scripts.log | 1 +
 testing/btest/Baseline/plugins.hooks/output | 3 ++
 .../scripts.base.protocols.smb.smb3/.stdout | 44 ++++++++++++++++++
 .../smb_mapping.log | 11 +++++
 testing/btest/Traces/smb/smb3.pcap | Bin 0 -> 15692 bytes
 .../scripts/base/protocols/smb/smb3.test | 14 ++++++
 10 files changed, 76 insertions(+), 6 deletions(-)
 create mode 100644 testing/btest/Baseline/scripts.base.protocols.smb.smb3/.stdout
 create mode 100644 testing/btest/Baseline/scripts.base.protocols.smb.smb3/smb_mapping.log
 create mode 100644 testing/btest/Traces/smb/smb3.pcap
 create mode 100644 testing/btest/scripts/base/protocols/smb/smb3.test
diff --git a/src/analyzer/protocol/smb/smb2-com-transform-header.pac b/src/analyzer/protocol/smb/smb2-com-transform-header.pac
index 10c1e5422f..9fa4fb7dc9 100644
--- a/src/analyzer/protocol/smb/smb2-com-transform-header.pac
+++ b/src/analyzer/protocol/smb/smb2-com-transform-header.pac
@@ -4,8 +4,6 @@ refine connection SMB_Conn += {
 %{
 RecordVal* r = new RecordVal(BifType::Record::SMB2::Transform_header);
- //r->Assign(0, uint8s_to_stringval(${hdr.signature}));
- //r->Assign(1, uint8s_to_stringval(${hdr.nonce}));
 r->Assign(0, bytestring_to_val(${hdr.signature}));
 r->Assign(1, bytestring_to_val(${hdr.nonce}));
 r->Assign(2, val_mgr->GetCount(${hdr.orig_msg_size}));
@@ -30,8 +28,6 @@ refine connection SMB_Conn += {
 type SMB2_transform_header = record {
 signature : bytestring &length = 16;
 nonce : bytestring &length = 16;
- #signature : uint8[16];
- #nonce : uint8[16];
 orig_msg_size : uint32;
 reserved : uint16;
 flags : uint16;
diff --git a/src/analyzer/protocol/smb/smb2-protocol.pac b/src/analyzer/protocol/smb/smb2-protocol.pac
index d02a69edb1..f5095a66d1 100644
--- a/src/analyzer/protocol/smb/smb2-protocol.pac
+++ b/src/analyzer/protocol/smb/smb2-protocol.pac
@@ -281,7 +281,7 @@ type SMB2_error_response(header: SMB2_Header) = record {
 type SMB2_logoff_request(header: SMB2_Header) = record {
 structure_size : uint16;
 reserved : uint16;
-};
+};
 type SMB2_logoff_response(header: SMB2_Header) = record {
 structure_size : uint16;
diff --git a/src/analyzer/protocol/smb/smb2_com_transform_header.bif b/src/analyzer/protocol/smb/smb2_com_transform_header.bif
index fd77829dd4..6fc60e59ed 100644
--- a/src/analyzer/protocol/smb/smb2_com_transform_header.bif
+++ b/src/analyzer/protocol/smb/smb2_com_transform_header.bif
@@ -6,7 +6,7 @@
 ##
 ## c: The connection.
 ##
-## hdr: The parsed transformed header message, which is starting with \xfd534d42 and different from SMB1 and SMB2 headers.
+## hdr: The parsed transformed header message, which is starting with \xfdSMB and different from SMB1 and SMB2 headers.
 ##
 ## .. bro:see:: smb2_message
 event smb2_transform_header%(c: connection, hdr: SMB2::Transform_header%);
diff --git a/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log b/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log
index 02e6855308..64f8dedc72 100644
--- a/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log
+++ b/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log
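Review bot: The rewritten `+## hdr:` doc line still describes the record as a "transformed header message", while the event is `smb2_transform_header` and the record type is `SMB2::Transform_header` (MS-SMB2 names the structure SMB2 TRANSFORM_HEADER), so the generated docs will not match the identifiers a reader searches for. The phrase "is starting with \xfdSMB" is also awkward, and a literal `\x` escape inside an rst comment is easy to misread as a single escaped byte; spelling the protocol ID out avoids both. I would write `## hdr: The parsed transform header (protocol ID 0xFD followed by "SMB"), which is distinct from the SMB1 and SMB2 headers.` If the encrypted body that follows this header is not parsed further by the analyzer, that is worth stating in the same comment, since it tells script authors what `hdr` can and cannot be used for.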
@@ -136,6 +136,7 @@ scripts/base/init-frameworks-and-bifs.bro
 build/scripts/base/bif/plugins/Bro_SMB.smb2_com_tree_connect.bif.bro
 build/scripts/base/bif/plugins/Bro_SMB.smb2_com_tree_disconnect.bif.bro
 build/scripts/base/bif/plugins/Bro_SMB.smb2_com_write.bif.bro
+ build/scripts/base/bif/plugins/Bro_SMB.smb2_com_transform_header.bif.bro
 build/scripts/base/bif/plugins/Bro_SMB.smb2_events.bif.bro
 build/scripts/base/bif/plugins/Bro_SMB.events.bif.bro
 build/scripts/base/bif/plugins/Bro_SMB.consts.bif.bro
diff --git a/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log b/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log
index 1df4b007c1..abb0ca0304 100644
--- a/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log
+++ b/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log
@@ -136,6 +136,7 @@ scripts/base/init-frameworks-and-bifs.bro
 build/scripts/base/bif/plugins/Bro_SMB.smb2_com_tree_connect.bif.bro
 build/scripts/base/bif/plugins/Bro_SMB.smb2_com_tree_disconnect.bif.bro
 build/scripts/base/bif/plugins/Bro_SMB.smb2_com_write.bif.bro
+ build/scripts/base/bif/plugins/Bro_SMB.smb2_com_transform_header.bif.bro
 build/scripts/base/bif/plugins/Bro_SMB.smb2_events.bif.bro
 build/scripts/base/bif/plugins/Bro_SMB.events.bif.bro
 build/scripts/base/bif/plugins/Bro_SMB.consts.bif.bro
diff --git a/testing/btest/Baseline/plugins.hooks/output b/testing/btest/Baseline/plugins.hooks/output
index ecbb136298..412dbaef10 100644
--- a/testing/btest/Baseline/plugins.hooks/output
+++ b/testing/btest/Baseline/plugins.hooks/output
@@ -658,6 +658,7 @@
 0.000000 MetaHookPost LoadFile(0, .<...>/Bro_SMB.smb2_com_read.bif.bro) -> -1
 0.000000 MetaHookPost LoadFile(0, .<...>/Bro_SMB.smb2_com_session_setup.bif.bro) -> -1
 0.000000 MetaHookPost LoadFile(0, .<...>/Bro_SMB.smb2_com_set_info.bif.bro) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/Bro_SMB.smb2_com_transform_header.bif.bro) -> -1
 0.000000 MetaHookPost LoadFile(0, .<...>/Bro_SMB.smb2_com_tree_connect.bif.bro) -> -1
 0.000000 MetaHookPost LoadFile(0, .<...>/Bro_SMB.smb2_com_tree_disconnect.bif.bro) -> -1
 0.000000 MetaHookPost LoadFile(0, .<...>/Bro_SMB.smb2_com_write.bif.bro) -> -1
@@ -1553,6 +1554,7 @@
 0.000000 MetaHookPre LoadFile(0, .<...>/Bro_SMB.smb2_com_read.bif.bro)
 0.000000 MetaHookPre LoadFile(0, .<...>/Bro_SMB.smb2_com_session_setup.bif.bro)
 0.000000 MetaHookPre LoadFile(0, .<...>/Bro_SMB.smb2_com_set_info.bif.bro)
+0.000000 MetaHookPre LoadFile(0, .<...>/Bro_SMB.smb2_com_transform_header.bif.bro)
 0.000000 MetaHookPre LoadFile(0, .<...>/Bro_SMB.smb2_com_tree_connect.bif.bro)
 0.000000 MetaHookPre LoadFile(0, .<...>/Bro_SMB.smb2_com_tree_disconnect.bif.bro)
 0.000000 MetaHookPre LoadFile(0, .<...>/Bro_SMB.smb2_com_write.bif.bro)
@@ -2447,6 +2449,7 @@
 0.000000 | HookLoadFile .<...>/Bro_SMB.smb2_com_read.bif.bro
 0.000000 | HookLoadFile .<...>/Bro_SMB.smb2_com_session_setup.bif.bro
 0.000000 | HookLoadFile .<...>/Bro_SMB.smb2_com_set_info.bif.bro
+0.000000 | HookLoadFile .<...>/Bro_SMB.smb2_com_transform_header.bif.bro
 0.000000 | HookLoadFile .<...>/Bro_SMB.smb2_com_tree_connect.bif.bro
 0.000000 | HookLoadFile .<...>/Bro_SMB.smb2_com_tree_disconnect.bif.bro
 0.000000 | HookLoadFile .<...>/Bro_SMB.smb2_com_write.bif.bro
diff --git a/testing/btest/Baseline/scripts.base.protocols.smb.smb3/.stdout b/testing/btest/Baseline/scripts.base.protocols.smb.smb3/.stdout
new file mode 100644
index 0000000000..155317d262
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.protocols.smb.smb3/.stdout
@@ -0,0 +1,44 @@ +smb2_transform_header 10.160.64.139 -> 10.160.65.202:445 [signature=v\x17k\x19V\xed,\x9cZ\xcf\x00\xa3\x0c\x04\x85\xbc, nonce=:\xaa\x96\x8f\x18\xaea\xe6\xe7o\x1f\x00\x00\x00\x00\x00, orig_msg_size=146, flags=1, session_id=79167320227901] +smb2_transform_header 10.160.64.139 -> 10.160.65.202:445 [signature=\xec\xbf\xd2v\x00\xd6["R\xf6?\xc8\xf95\xd6\xe7, nonce=]\xf5\xc4\xfcx\xdd\x8e~\x00\x00\x00\x00\x00\x00\x00\x00, orig_msg_size=136, flags=1, session_id=79167320227901] +smb2_transform_header 10.160.64.139 -> 10.160.65.202:445 [signature=\x9ah^\xb0y\xca\xcc\xc00\xb7\x0f\x0e.6\xd8l, nonce=\x91yv\x16z\xfa\x18V<\xd4\xbd\x00\x00\x00\x00\x00, orig_msg_size=128, flags=1, session_id=79167320227901] +smb2_transform_header 10.160.64.139 -> 10.160.65.202:445 [signature=\xa4\x8a\xcf\xab\xe3\x97\x1fy\xb1??\x12\xed\x01U\xa8, nonce=^\xf5\xc4\xfcx\xdd\x8e~\x00\x00\x00\x00\x00\x00\x00\x00, orig_msg_size=152, flags=1, session_id=79167320227901] +smb2_transform_header 10.160.64.139 -> 10.160.65.202:445 [signature=\xafq\xe0B3?a(J\xa9\x94\xd7\x98\x83\xeb\xca, nonce=\xe9of$\xde\s\xa4\x9e\x96\x8e\x00\x00\x00\x00\x00, orig_msg_size=121, flags=1, session_id=79167320227901] +smb2_transform_header 10.160.64.139 -> 10.160.65.202:445 [signature=\xc3w\x8c\xc7\x9e\xe9\x98@:\x13\xa2\x1d\xcfz\xaa\xcb, nonce=_\xf5\xc4\xfcx\xdd\x8e~\x00\x00\x00\x00\x00\x00\x00\x00, orig_msg_size=720, flags=1, session_id=79167320227901] +smb2_transform_header 10.160.64.139 -> 10.160.65.202:445 [signature=\x18\x8d9\xce\xa4\xb1\xe3\xf6@\xaf\xf5\xd0\xb1V\x98R, nonce=\xc0\xbdfU\x16\xdb\xb4\xb4\x99P\x7f\x00\x00\x00\x00\x00, orig_msg_size=105, flags=1, session_id=79167320227901] +smb2_transform_header 10.160.64.139 -> 10.160.65.202:445 [signature=\x9c\xd4:\x8b\xbe\xecS\xe4\x013\x18t\x7fb\x90\xaf, nonce=`\xf5\xc4\xfcx\xdd\x8e~\x00\x00\x00\x00\x00\x00\x00\x00, orig_msg_size=92, flags=1, session_id=79167320227901] +smb2_transform_header 10.160.64.139 -> 10.160.65.202:445 
[signature=T\x80\xd9\x08\xf7>\xe9\xde8;\xa0\x89\x9a\x0f}[, nonce=\x11\xde\xf2n\x84P\x0b,+\x1f\xce\x00\x00\x00\x00\x00, orig_msg_size=105, flags=1, session_id=79167320227901] +smb2_transform_header 10.160.64.139 -> 10.160.65.202:445 [signature=\xcfX\xd9\x1f\xa4\x11\x06\xbd\x89\xa7blz5[\xa3, nonce=a\xf5\xc4\xfcx\xdd\x8e~\x00\x00\x00\x00\x00\x00\x00\x00, orig_msg_size=80, flags=1, session_id=79167320227901] +smb2_transform_header 10.160.64.139 -> 10.160.65.202:445 [signature=\x8f\xa7u\xda\x0c\xe8f=)o\x13\xa8\xab\xa8"\xf6, nonce=Eq!\xd9D\xdc1B\x01J\x80\x00\x00\x00\x00\x00, orig_msg_size=105, flags=1, session_id=79167320227901] +smb2_transform_header 10.160.64.139 -> 10.160.65.202:445 [signature=8l\xb2\xecl\xa8\x1f~e\xf4\xbfB\x08\x0e\x83\x0f, nonce=b\xf5\xc4\xfcx\xdd\x8e~\x00\x00\x00\x00\x00\x00\x00\x00, orig_msg_size=100, flags=1, session_id=79167320227901] +smb2_transform_header 10.160.64.139 -> 10.160.65.202:445 [signature=+\xed\xaf_\xdc\x12\xc4\xb1\x0f\xfa\xf2\xc2\xdfs\xe5w, nonce=\xff\xbe\xf8\xe1\xce~2\xf3\xd0\x1d5\x00\x00\x00\x00\x00, orig_msg_size=88, flags=1, session_id=79167320227901] +smb2_transform_header 10.160.64.139 -> 10.160.65.202:445 [signature=\xc6d~\xf8\xd2\xffs\xc9/\xad\x17jz\x008\xd1, nonce=c\xf5\xc4\xfcx\xdd\x8e~\x00\x00\x00\x00\x00\x00\x00\x00, orig_msg_size=124, flags=1, session_id=79167320227901] +smb2_transform_header 10.160.64.139 -> 10.160.65.202:445 [signature=\xc6F\x1b\x19\x07\xa7\xf0\xc9E\xbd\xd2a\xdb\xb6\x1b\xc8, nonce=G\x10mh\x09\xb5\x1b\xed\x9d\x03\x0f\x00\x00\x00\x00\x00, orig_msg_size=158, flags=1, session_id=79167320227901] +smb2_transform_header 10.160.64.139 -> 10.160.65.202:445 [signature=\x0e\xf8\xbb\xfbB'\x83\x9b\xa3\x98\xa5K\xa4,pO, nonce=d\xf5\xc4\xfcx\xdd\x8e~\x00\x00\x00\x00\x00\x00\x00\x00, orig_msg_size=73, flags=1, session_id=79167320227901] +smb2_transform_header 10.160.64.139 -> 10.160.65.202:445 [signature=\xa6\xdc\x0e\x9c\x06\xd2V\xf5\xf5za\xd3[\xfb\xde|, nonce=\xa2\x15\x19\xce~\xee 
\x16\x15\x9a\xe8\x00\x00\x00\x00\x00, orig_msg_size=128, flags=1, session_id=79167320227901] +smb2_transform_header 10.160.64.139 -> 10.160.65.202:445 [signature=\xfc\xfbM9\xa6\xfb\xb8\xcc"\xd8\xc3S\xbcX#\x16, nonce=e\xf5\xc4\xfcx\xdd\x8e~\x00\x00\x00\x00\x00\x00\x00\x00, orig_msg_size=152, flags=1, session_id=79167320227901] +smb2_transform_header 10.160.64.139 -> 10.160.65.202:445 [signature=\xbe\x85\xe3\xdeX\xda\x89\x87\x8e\xd6\x0aq\x7f\xf7\xff\xb5, nonce=\x9a\xae\x1f\x88M\x09W#\x18\x1a\x9d\x00\x00\x00\x00\x00, orig_msg_size=88, flags=1, session_id=79167320227901] +smb2_transform_header 10.160.64.139 -> 10.160.65.202:445 [signature=\x83ime\x91/8f\x13\x9f\x16Qa\xd3\x00\x8a, nonce=f\xf5\xc4\xfcx\xdd\x8e~\x00\x00\x00\x00\x00\x00\x00\x00, orig_msg_size=124, flags=1, session_id=79167320227901] +smb2_transform_header 10.160.64.139 -> 10.160.65.202:445 [signature=\x91\x8d[\x18\x9d*\x97\xc2\x0bK\xdb\x94dbB\xae, nonce=\x97\x9f\xd7\xc4,?u\xf1\xcf\x1f\x0f\x00\x00\x00\x00\x00, orig_msg_size=128, flags=1, session_id=79167320227901] +smb2_transform_header 10.160.64.139 -> 10.160.65.202:445 [signature=R\x96KU\x95\xfc\x05\x17\xe5\xbd\xed\x16\x12}\x8e\x81, nonce=g\xf5\xc4\xfcx\xdd\x8e~\x00\x00\x00\x00\x00\x00\x00\x00, orig_msg_size=152, flags=1, session_id=79167320227901] +smb2_transform_header 10.160.64.139 -> 10.160.65.202:445 [signature=\xf4RBG}\xd0i\x0f\xcbdP\xe7n\xd9\xc0W, nonce="\xda\xcdU@;<\x09\x0a\x14\xa0\x00\x00\x00\x00\x00, orig_msg_size=88, flags=1, session_id=79167320227901] +smb2_transform_header 10.160.64.139 -> 10.160.65.202:445 [signature=t\xb9p\xb1\xec\xbfm%\xfc\x8d\x0e\xacR\xe1/J, nonce=h\xf5\xc4\xfcx\xdd\x8e~\x00\x00\x00\x00\x00\x00\x00\x00, orig_msg_size=124, flags=1, session_id=79167320227901] +smb2_transform_header 10.160.64.139 -> 10.160.65.202:445 [signature=\x98\xbc\xb1|\x9d,EK%\x9b\x0d\xec\xcdF\xde\xcb, nonce=\xd8\xa5V:\xeaQM:\xe9V\xca\x00\x00\x00\x00\x00, orig_msg_size=128, flags=1, session_id=79167320227901] +smb2_transform_header 10.160.64.139 -> 
10.160.65.202:445 [signature=\xf2\x8f\xc9U\x8c)\x12\xb8\xcc<\xb9\xa6Ni\xe9\xcf, nonce=i\xf5\xc4\xfcx\xdd\x8e~\x00\x00\x00\x00\x00\x00\x00\x00, orig_msg_size=152, flags=1, session_id=79167320227901] +smb2_transform_header 10.160.64.139 -> 10.160.65.202:445 [signature=UY\x80\xef\xe4Jw,\xb95E!\xa1I\x9fM, nonce=\xf0\xe60Q\xc4\x15\xaf\xab\x8a)\xe9\x00\x00\x00\x00\x00, orig_msg_size=105, flags=1, session_id=79167320227901] +smb2_transform_header 10.160.64.139 -> 10.160.65.202:445 [signature=y-8dk\x8dKH\xf3\xdd\xb3\xbf%n\xfa3, nonce=j\xf5\xc4\xfcx\xdd\x8e~\x00\x00\x00\x00\x00\x00\x00\x00, orig_msg_size=176, flags=1, session_id=79167320227901] +smb2_transform_header 10.160.64.139 -> 10.160.65.202:445 [signature=\x0by\xe8l\x11\xdbm\x90K\xcc\x11wd\xdb\xd8\xe6, nonce=\xd2V"\xa9C\xac0\x15\xf2Pe\x00\x00\x00\x00\x00, orig_msg_size=88, flags=1, session_id=79167320227901] +smb2_transform_header 10.160.64.139 -> 10.160.65.202:445 [signature=\xef%\xd6\x89\x095\xba\xc8P\xd2\x85\xb0\x00\xd2\x07?, nonce=k\xf5\xc4\xfcx\xdd\x8e~\x00\x00\x00\x00\x00\x00\x00\x00, orig_msg_size=124, flags=1, session_id=79167320227901] +smb2_transform_header 10.160.64.139 -> 10.160.65.202:445 [signature=\xdeR\xf3J\xde\x13n5\x86P]\x13\xb8\x02|\xcd, nonce=u\x81\xc63\x06\x1f\xda\xd1\x03\xaa!\x00\x00\x00\x00\x00, orig_msg_size=128, flags=1, session_id=79167320227901] +smb2_transform_header 10.160.64.139 -> 10.160.65.202:445 [signature=_\xaarMl\x89l$\x7f\xe9\xfb\x11E\xa6\xb5F, nonce=l\xf5\xc4\xfcx\xdd\x8e~\x00\x00\x00\x00\x00\x00\x00\x00, orig_msg_size=152, flags=1, session_id=79167320227901] +smb2_transform_header 10.160.64.139 -> 10.160.65.202:445 [signature=\xee\x9aE\xbc%\xe9\xee\xc0)\x1f\x85\x86\xf5\xb16\xaa, nonce=\x9f_\xed\xaa\xd53\xd4y\xe3\xbc\xdb\x00\x00\x00\x00\x00, orig_msg_size=105, flags=1, session_id=79167320227901] +smb2_transform_header 10.160.64.139 -> 10.160.65.202:445 [signature=N\x9d.\xf1\x01\xe0\xa82\xa4\x8dg\x8ek\xbb\x9d., nonce=m\xf5\xc4\xfcx\xdd\x8e~\x00\x00\x00\x00\x00\x00\x00\x00, 
orig_msg_size=176, flags=1, session_id=79167320227901] +smb2_transform_header 10.160.64.139 -> 10.160.65.202:445 [signature=\x098_IU\x1d\xc1\x14?\xebwC\x1aje\xbc, nonce=\xf51\xbb\x95\xc6\x98B\xf9\x82\xab\x8a\x00\x00\x00\x00\x00, orig_msg_size=88, flags=1, session_id=79167320227901] +smb2_transform_header 10.160.64.139 -> 10.160.65.202:445 [signature=\xa6!\x0c\xe0\xe35\xfd\x0e\x82\xd3\x0a\xfbE\xaa\x85\x06, nonce=n\xf5\xc4\xfcx\xdd\x8e~\x00\x00\x00\x00\x00\x00\x00\x00, orig_msg_size=124, flags=1, session_id=79167320227901] +smb2_transform_header 10.160.64.139 -> 10.160.65.202:445 [signature=m\x98z\x98Hq\x12L\x85v\x17\xec\xa4\xb7A\x95, nonce=\x04\xa7}z\xb4&\xf7B\xaa\x983\x00\x00\x00\x00\x00, orig_msg_size=128, flags=1, session_id=79167320227901] +smb2_transform_header 10.160.64.139 -> 10.160.65.202:445 [signature=\xd8\xcf>8!\xcfZ6\x04@\x9f\x86a\xfe\xee\xda, nonce=o\xf5\xc4\xfcx\xdd\x8e~\x00\x00\x00\x00\x00\x00\x00\x00, orig_msg_size=152, flags=1, session_id=79167320227901] +smb2_transform_header 10.160.64.139 -> 10.160.65.202:445 [signature=9\x00\xe0\x00\xb8%\xddH\xbf\xa9M\xf1\xed\x0c\xf0\xa5, nonce=I\xf8\x1a_\xf1\x1e0\xca\x0a\x8eU\x00\x00\x00\x00\x00, orig_msg_size=98, flags=1, session_id=79167320227901] +smb2_transform_header 10.160.64.139 -> 10.160.65.202:445 [signature=E|\xeb$V\xf4p,\xa8c\xe6\x1d\xd1a\xb2\xfb, nonce=p\xf5\xc4\xfcx\xdd\x8e~\x00\x00\x00\x00\x00\x00\x00\x00, orig_msg_size=350, flags=1, session_id=79167320227901] +smb2_transform_header 10.160.64.139 -> 10.160.65.202:445 [signature=\xd2U\xd6\xcf!\x94f\xf8&`J\xd4I(\xa7\x0e, nonce=\x06\x1e\x18+ C\xa1P\xb7\x86f\x00\x00\x00\x00\x00, orig_msg_size=98, flags=1, session_id=79167320227901] +smb2_transform_header 10.160.64.139 -> 10.160.65.202:445 [signature=4\xb6\xb2|\x02$\x8bF\xf0\x16\x97\xc3s\xd7(F, nonce=q\xf5\xc4\xfcx\xdd\x8e~\x00\x00\x00\x00\x00\x00\x00\x00, orig_msg_size=73, flags=1, session_id=79167320227901] +smb2_transform_header 10.160.64.139 -> 10.160.65.202:445 
[signature=1\x9d\xe63DL\x16\xc2\x8bt\x15\xe8\xb4\xf2\xfa\x90, nonce=}\x09FCI\xf9\x09&\x8aEf\x00\x00\x00\x00\x00, orig_msg_size=88, flags=1, session_id=79167320227901] +smb2_transform_header 10.160.64.139 -> 10.160.65.202:445 [signature=\x82\xef\x1e_\xee{\xc2\xack\x05\xbe\x82\x93<\x18\xe7, nonce=r\xf5\xc4\xfcx\xdd\x8e~\x00\x00\x00\x00\x00\x00\x00\x00, orig_msg_size=124, flags=1, session_id=79167320227901] diff --git a/testing/btest/Baseline/scripts.base.protocols.smb.smb3/smb_mapping.log b/testing/btest/Baseline/scripts.base.protocols.smb.smb3/smb_mapping.log new file mode 100644 index 0000000000..7f4bc10f49 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.protocols.smb.smb3/smb_mapping.log @@ -0,0 +1,11 @@ +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path smb_mapping +#open 2019-02-21-09-15-32 +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p path service native_file_system share_type +#types time string addr port addr port string string string string +1495015336.544229 CHhAvVGS1DHFjwGM9 10.160.64.139 38166 10.160.65.202 445 \\\\WS2016\\encrypted - - DISK +1495015336.569009 CHhAvVGS1DHFjwGM9 10.160.64.139 38166 10.160.65.202 445 \\\\10.160.65.202\\IPC$ - - PIPE +#close 2019-02-21-09-15-32 
diff --git a/testing/btest/Traces/smb/smb3.pcap b/testing/btest/Traces/smb/smb3.pcap new file mode 100644 index 0000000000000000000000000000000000000000..3c1800ea19b04285dd45772887915df23499e7a9 GIT binary patch literal 15692 zcmchecOX{p|Nn1$XA~Kgy(xR8NVX_5WMpT@ZDj8)nUP&&Wk(?*r0fzhvLYihAximO z=O}OP`uhC$yY8-YpL09+b*|Uz`M6%M>s;p!pNI&*3V}cSB)A60=J1s=V=KALoZukRs1Og3Vgiu$O;-@pSGjVjg>11X~hcvRi zX=8?uk2FIfE$!{-EKTwGO?f~O72x3!5P|mo`=hm)8$O?iIiHAtFrN^=i3q=`2@j7D zAFsKv0H3KTzd4_ourWU9A5@_JLVZ2<`yGM6g!i$*aR;bSsl1GZa1bUnE(H5fRntJs zt|TKU&P%K5;UZ)Zh;-^%NrWVJ$OwL>WCVWZg|-9=v^p-8W;tDZBW_Z;2K`q~2x}U&w!7NOo{u-BM zVej5IFd!QsTdqT=f&$snCqim`9vnk;*NR<>AY0IQ9JeJAzSzq`kR6acXmtq`kR8CD zGG9tM&e+afTYw$8kUgM{&4ae=_6xe&pYp$Kxq!exK>w81`0DS(V#!B0oEu}7HMNt2 z8}J3&-5MS_lfTy0gNCSddsNZcgXW941)p)<1sj_a8x0E!J=2EADpQzODW1{&B zqobd~#^VT<_y0zQhK>&J2Ji0TgHLyNG4`E}pT)t$mdQfHWM}VWXliC|X=i3?XlZAt zCVNqUS6D<6U}%IiGqkj@vv)Mx^(*AxakwA5{_WNvHGU3`q52mqrPQBcR$5V5Dbuw# zW(TYcJ}%p1r4RBkXyn#@|Dr*T`dxmDiuhmtr9vR~0Mka${rNgVMdOmPy80EEBSCcB z@x4Fn?LZ%)^7C2qP=0>G{0JW8$C#Z<D~ zuW#Uh_V*ZuyK)_v2>JKTZ&RW1*>i)`xELHm6_p>fOzL@vpWuOm{JiAWwKrh~{Cq|- z?D5kN_$dKLH~uev{y_1+{CkielHYwr?D_i-k&?iYRPch{A^(2>@6_Nm1>T|Z3se&D zf&>;s4;>dB9-gNeVJ~&pr+dA5hU+QX@0S1gXy$G*W(XHW81&u$-`f1)zzAq;pAsj(=azfaHcMx}HT{KfuwMzw*`tmcPk~DX9g!C+hx(o`W=LtJf<0!BXRn&Nk z@OAtJkC&-~dXJ`zK{U{rwa|YFq(6gDNV2h#cw#h`*4x2l;Ec2l#V<`1@YB$KL?p z4{F42x4*mMV!%p*PeJ*^4Jv;QMaO@h4Dd_D47)e)5p6TM+g~Px9(e5^lX_qj+96DU z7H(ifJAorp&?;mLWD}Izp#s??8%kMQ8aMiQh7xHX^`}JPlIPb zg8|US6;zx4Xt3WV$l^aStK}+gQoz>cFBik5n$3WZ=p@h}@C7G;vV%qoworeeesldE z1yH{e5=o5-!7)_-(&88OBCN%&gIc^I09w3+v>*W~==Z#15NPoXG~V(P%sX6;TT^K* za;55aBeDoFgKEVJ?%ts+HkzKXhx&m)#KK#&y}r+|C4C=CeEy2^`H@BC7!IGEaLkwI zU)(Do9x_iX@H21IWhW8wepY%dI=+ESX!7Ryv)K;`dtdgawviX>FXhnvX!NEN?DspG ziJ)Al{xT3~h`p?ro;0YbbD_8B&ad!^&0)zPa(%p4Ry$j9ZkpY1F`kGPGX)K;7OSO4 zt}=b__i%JU&%e{nr@OHY8qe3HHzEuQzYs8j13TT?96v@Xmj} zdMP?7XD|}sz3f@-IUQ<*(M5f!=8LmvvWs}ju!X-;|EUPtMb1YZ9%yv+`5gvsp`CF} zevylP)Qx#&7b@;5aZZQSub#Urj2sEj_|YOCY0leB+dtPwd96t%s!3u#x!?FxmYFqI 
zB}Gv%XG>JI;kkw#Yy9_&to2K8_{=$(WQNoPSC;HuwY+wH1NrF0J|CUTAvOLEK7;CC zJS|W!!90bb@YJVkZyE%6`eE6;$I}qtsR1-n0r@EThC!)YTSo)WQ{p41g$8V5+*~N! zzf)?7_kv&miZ8tV&qv6)m}gJWix;X2*0~9fwrYfTpW|>l`^wXCPM~~FTfV$zKGdJ% znena5zCQ|UO0P!9o?d-CP@w2foRRx=9&651kthFhgEKe7lII88gkz&rcOo1!=6#s& z-JcuuwYKjft(Zu`8j)NZxW&t{m|8MPe_YG+<>ZV#Zc6MWIYkF^Fq$EsK)w;!=bK{S z8!~VVRaAb^Fp+35Kl%sxF%9BUd3_u3!#aCukDn&M&k$&%1M*FFc=w~pL|V5p2??@A zG|fB%6n>IWeB)I8p%AM-s=iL)%5<|e(X~27iPRZ&gCZH3P$xW7jDR1SICQ=^QVShd z`{M4{Oi#3mv&>4gJIW$Sm@}ifalVbWeIJ?W-M*dIV~R(g+qnE>u_8nWM|I-pv6puu z%tv);1bolFo~BlHy?3LO^*U$g+ZS6-N{p&sJ@0s7?-Vu?Ke|)g))=51lwJM8d;Mpi z5GFwv_BB84)m>jfK0CJ0XRjZV8h-_!LG>@5K2a~jJl#3S)9c&1_GX&Cl<0(c$UUBh z0Z&b!ks`=vB@W|K{1QfNiuv*HlLF@3=IqUxM)i={>388A3Zgw!{^KbTnLz0zzb;n% zX7pR{g(tyO#PQDp*mJaW&zbvwkR?gfdK~TDf18-tCyv)DJbIXqrP-`PGsD&Ez0OO~ zwM!X33SP3YBT01edk}9;basiwS`DY%?J|uFs$;cvSy1gc?wI+h z>c|B91U=rA$S2qrkWXxWhkYn!$5xOUD}rOFqH=^GjzotzT4XxNk(nl!O6z&R5lb$} zm{80H{&)pA8U|Ss6Y@!uYvil+xg<%kqYqAYyBD+@qHy#EPX7P-g!mF2Z-r0p>$p~4 z+xbPJ>zULqg9TiMRvh2?RTfrp@?HC>g7>1QPK>7$@%*QF0%=z6`gUrdP_gm5urO}C zkWpOq&Y;d-_7uweDvb;>qn9@0;vg zti<)aOP(q+OWV7x9=^dD$Qkp5Gkz?UllHls?idf3(Bf^Jrz=&WQ5+-_>DH{v*>u$I z&(ofrm-ouQ#}SOpNI^~%ky>C%rOz^bqLV@5qh9sdx(S>J-l2f@;rEO-q$BnI^S&l# zl#&d(?o;E7PhB`uGAAb2_>mj0gvV!Jsc;=LSef;uX1Ib@Nztq(9F}r?@)nIIZ$?7r z!|~~w$ch|mQeBf%iH1RX3w@E_#DlFv#W}__HnNJ)S|d{v#Z>yL3WbRbM?_wb#1R#W zt-VzUXn0{6nuu?8yXR5CbB)kx`pZ|8krJuv(iRUlU(1*rsXXG=v#hQhgg4kIfu~L# ztJaP~GoU7y*~WR(FTVi65ioZwEi0_|vnqR}n!>SfaXl|eqR3>L3&q)}PErQnUgo0E zkDcrgmC-a^Az(1wX7av!+!&*Ehi5hKGApr4WP@eg*5xAq0R8NFjM{U4+UArp23#F% zGS6Zsq(nd2sB*+)pI4K8`+afz(M(l@X$8To#g8ifj?vT~u~)e*UR-#ptvKI1rZ3y3 zTac}JZv*KS7}hnY?)QL@hEF%;>`vmNSO%Q(#(OMVg-3I}&A+dZHp&LGUTR@}Vx}|v zoVV6Pjf1%6LMN{Nu>V?mEsMaA=xSYhja`>b;fvn(u)8a-k&n>}JTPDA@uuDj;a|sl zmWNedW+#nM8cCa3*fCq=+j#Y8LiFXCD-Ss26(&iP{4`j<&7zg`?TpQy=qB17W6)T` z+!udZ8c2;N!DmqYEB^FRufXvq{b2lQJ+EtjLm$K+CcWP|AB?jP(0Bulq(Nhi^0sJK zcG={HWXbxQGOZ-FhB|Xiis6cidslqGDF|>U0G0p7+Tdo6nPUZ^G0kUt9foYOy!q4O 
zjU}lctysOC!y+pgtLGJ#&GD_M@r3Ra^*@XXJC8em))PBo*y%~9$lM||vrgBK)3x-D zKZ6^>sZH#vR96Ys#hA`q`u^>a^o(N+j#zJOKfC8SF$-r;*mlSVn{W?y=eCS5NR6S} z0;ral(lDGDwddKiNyWLt=HimTlv!1f(tVwY{Pu7`cj;>f;+i0~8q?~R+6P3I{0&dDQtuh; z+Ka0FqmDzh{{m~DhNAr#(Ebb1Uc3t2D*T=sj{xo4fHAQ48oq`OGnmJuaA1otKI0dDRw0Bwj`HUPkyRS%h+u2i`q2$ zg60{4kbwS=h$f|gYa!DMV+JkuF7 z<+qZ&n73&R43GA_=DVZQr@6AH{Q}&NUG0AYA3$A)>R;N|A~9j@AE0Reg-fN)7iiB( zdU8+uPN4k=Xd@8PzFT{cHk%Z?E-csB#$E7QmJy2fSD>ry)83BAL7=aWj)+SzItg=r zX@PemxrO^wCl^1T2nqJd`(JHZZ-n_6KS=(PxLI6&Io}4!!jwW4WfZ~wdNTdzn!DSe z?mN#kIf0z(Nkp@TY)Zxm1Y{$s-f;tm>b(l;N}Eh8_q{3B`Sc`UWeNS7NsUNe4+>iUKpQHer+)J-SBIpQncVZ`)AXc+isk;-;P>`iqKm1i93dr5(1XH*hpu;Cpl6gHdn<)xY$9 zgT#XMzI{+{OE)f+c6y*U2L-qT{5`jL^IPvENN*9F@&%hbT5q$pdMVr^0mQ~AdV`?? z%75{WKvmsCYb9`msiB3S>8EHUlKXXAZ4>jA_$@ats*tt>b{~P@B(=sgKO|2^bA6QB zJ<*pTHI7dQ(bb~++%;9q5)cXBKQV?pk4{kj;`w#{obox(vDX9dhfl=JXm==1bW3qw zJOy76W?&7z`Y!MEA4!dSz%f++iucXbUttCc4>HhBuWN5b4j8bd9N%ML6pZ;dppi(( ze$K@b!w+Q5WyIfC8^@5JTz8&tPIP(meSLFM5S)TQXv5q8?2qYj9`egfIj`>){(Y5c z0OPjpcBjW9jN>@c5%gbYwD<{)0=lkJa?PGHx8*_G+IY3#>hkJzP6H)%k%f#i_o6eA z1#x=7gV`m#5ng7V(po@>lBZ18u;4`THrTHup8`j+EpypQO zKyzrlo})W#PxE&`a|oPL$mSMP@6DbaWb2ut<5unnk+&u&ntMW5+o$7S!ZF1OrAlNYH;juImr^lJJTz+Q${eoF4bFLLo2 zLwZ3cyzb1T;^|j)m1p_vf6B_cKd}qgk%+w78TBUUfn`*S+(m~KJyFFl#m|zBGgdXH zN=Hy`P&+c_6{yV65d47$=-NY^@531MB?`MekNFl@3;*H#;Hq zp5DE`_5Qt9wR;7~E~uYS*>4vXI6n7#eLcCF^$%lgH_kw`XrQ4A0dEOCI9-VTYxfA`Co=1qz z>4xelvy@LZe(Dn`eIk0e(dz=6XLZ}pU7xpgW6d4Dmvws;@)zW{DY)0WdRuOh8aIJs zsQxv+E0MUc-VYDzZG95x{S(sr3`oYmWBLHldknPU1^MmB=CdDCtN|%mNe`8>xo%!I zMH$};(AD;hZ*(hhr-5B zz(zV?BW)c-fZw@$9Iycm8hG6)=fjay>>jQ4b$6q8*M5w8J|L&+@?N5&AWxo!j6?Xs z+yB@|ryEdL$cyZW)n%(Oq$oQ%{+3L)J@e<~t@KYHKN7UQwov}qWT$pAIs?7wlHOJ| z-F4?{I4d{()s_lNaguv-xqF#k3nPvx_?WUPm`kz@yk_m)2tOe_>3jMeR=)I$tF#nl zZ68fWk|@qaKTPtQ*s0^Q^0;ViDqa#l&Z(3Cxely${A=Aw294~nbtgPne@ztq)45bS zD}nxOQM!Bj4*~thfywZ?)AkQ#(VQPu9Sj3a>b2U86lN&;C!zSpn^2Kpo6}Y3={@Gf zXyLQZ*Pf;04Af@bad0RfoP8erb&59cM}nZU(^9RZ%Oje~5z!&C{N9rD4pJO3P1>c* 
z+8x!MrGyU_Q_I!b`R`$cxWt>?Cn?Fb^OjndH1-g0e@bK=I-0o<=oCn2O15?G9)|+C zQ`Qdc`&k{8)AhDFACb>#a9Oxh9wKs?j>|2Vst)s|Jm{+@rU&x?XpIiyY5zQc1e@%z zdB8WAr@Vtabyn)y+t>k~Dm8Kr@C2>Z!SjIUL6f7}Lt!CN{rC<(-*zgKi)llZ@vbsb zQm4V*(nj$a+j2tsjp`Eugp4wp%%>(Jez2dj5h2mAXP1lr@_>oed7L%&MDEw-+euH? zZ%OcX7}seDFIqiGAJIa)R1hm6_z`>dJDvTC*g(dYTj!M))>~NSva^VqeM0^{4=@2X zA2JWXhdH@vL`2g{X4ce0N)(4rcD4dqkfPXTL!=klv`MxDfgHe*&kcf?kZ^} zY-1h&RJTY$<`v~A+bJ_mTh2J@a#fG=^HCat#Cd0o)@n>pL}vyz`y!X+}1xgKnL?({tg{c zaya@Wd&gJTF9&%`^?%f==l*wWStL9(wrs&X<)H8ca+U2W;Ay%!d5@{;^D$B-Gflro^EmvD|y9HQ3kaTzaY7HMwrC z$L$g^v*z1&?4zIN7LP>6#Vl_wb>zL6L3ws&yUL}~4L$o{>1){IWE5~R0Stm; zi&OQ@vW0qE=Iz@@3e_ggDBeKf1U0q<%qziL*QR4a41rH=5O71r%mN^%fmmN8(Pk@c8((Oz9R zj(Ims@JFnLN8|^a>kSXfU*6g%PSME1OZM>K6v=VN+D63EuX1%Vw&hPK;Qu?e(2^Y* zTfW0AcpYS+8$92z%KQUuxS_q+vSVHEfUjx9;GWu9qVGD^%TL<^m=qwNC^wZuNF zDvQl&!Rt7G&0Eee2gknBt~xs<#ofNa)YN*SD3+nl;N%(Q3N`(=Z>UFD(P*U{qtHTP z?#~oT#Y?u47#q6Hd=9qqcNQ2=Y?hu^*C2e2)usEzr@1eSCHKcK&UldsW4v56;uo`5 zx0*colvIn(hbcJAW{Go~2Xkbik0TX+$u~ue{JM^j#BIvN`0v;f2z+x$Y$1Y~Q9T%2 z>~gqN-az??)0K6PnX%u@!1I>XJFS|L>||9P;?+4SmUG>fD9oV77GK{hr!=drB(7Vo zd3p`%H+V=bxnhTSGMOYq$A@NzG}%hVT)b$T)pq~5PZ;CWy)RKhF`4zcHhzqWBzw!6wH-6VCjw1z*r~2fx}B#xe@&gbqocr9FSJ*${_8a5AUz4VfB7?S*}q;*N=|mz zdi4*Or?`VWy#cw(-o=*^gF?gR08h|dA6~=K)bU-OQgr327L=jCuaKdpfOkVOR zoP7?Q^7k5+bBA>3xVKEfSfgP$a=6R8a}1aFvry`1#wzXijunMD6zP-oGSu&#+?0FM zMLKDI8MW!+A#hfvkui`+~VkL{-6>Uf%*Q3c~j*8Q&=e#^P}h_!wI*OA|t-D z$Mf0aURsKK53 z?|IDlZ*Hcb`yDrK5mW2iO7dSv9@jJ5edo7A;ieS6{(tuZk!Q1~$!?WxX_t6-RB4sH zU3^4EeC!o?cFJLpSp1NxyDN`Q%kEq2XExVRrHo5#W{pJ;Xg`@~ySrP+%-^CAFy-4> zSxcdKrGCEZY*xk4{ODY0hZw7?N`&=>NJ!arte{9%&l&%8Ouu>~?D-+bqBR9NjBFQs zF@;}Qxx$9Fu4FG47HiDTu_Bv_rc^{2N!27mH$SeZFIHPS5O{0H2bFX9ihA%~kmi;f z)W0S94ooo zy9a4+k6T#9K9?w9v`-ldFHH{4@TBeAIggu-L;ZGX@STPpTHwlnfswfD#8{)Nq~gn? 
z4yT5hPK1xw*IWNPS5*U>519uO!~9quHUHuV&Q;6I{b6{5HLtJq z1eGFsa3riz_(9E8Yh(_}tkn1I7m#mTOVm?3G;8`KA8ni}82xGz)9JXBeL|3+_wLKQ zYm_yD7G2SNPs6pV1>cWQ`r8u}F5RgV+d!k*4!q}m@w0ylc5fH$n+JA8Gv8hg7Ceu# z{z%_IG}Kr>{*eAz`E-{L>%_Aknk*626AQJ0uj*SFz2(0BJ6D~Smp<$s`xnfD+d&rI zy6D+6e|<(LY*+?%C<=*TRoYJM_rhB)SoT;2Hs@u&%P!HCBQJ3{W5+KuG4|c~p~92e$f%5J8hEO1n|3A17HnfpO1lT#^cgTf4Iu5wx0pMhR=Mc zX~5G*z>^{Iqy0Q3*8rcvxoRm{rj~hbsezp~D0sb0s35~|v7nE?*KM*E{L}#yOL+TV zoMyY@Gq5FiN3X5VywS$luN|}I>^A+ca(?w7Y;yHj5&j6F4cr$`gL1F4jb&=YmRwzk z_P297+S|IRKT6m2GO@0l;yLMGoPvz|t#gsSodYG|C+#9y zeW_ni{4-a@03RHZt4LvPP=4#|@DXs+4Y*-jb^a4;lELo=VQ%1DrIL2~3)*-dU-oT_ zDC=iwr)^QVLCsZjMmI&+JhJ050$3B9I+FI{vJKhRmy{6}Ey-1JG45lq1mVKw6{DuP!m-F-oV zO1H328?L(Beb{PwOg^C)Wz#A}UTt~KGkJPZq{cWp_UnV>sGQ?QhAxxb&!k#(aXJU> z?$xOWpLro%r1;i=SiIt?4bkj+nVTUR_emRVd$R2wK|7G7{*|jXRHP4Cv!OwQc|v(s z-_xyY@7M--a_uiaz!P|qwVSK(L<|))Prf)NG4Fbj+RChUo%dNnOOn)<|D$l2B-C70 zT;{uFpA?ERe{BOfYO=^e)%pT=tx)+q@sPmR|ew9=FfOU5+B*l69#hjQ= zsQ*f1GaB#OmHN8bL{hJKqK}EG&*gAs{T{{jJedix6gG;i2iQXEQ&4_})+nF?&2_Xc zOCOf2$Y6eM9E>}TZConv3?Y7Wa{uB7&Q&?|gyWNfKacpo!~Y>u5QJ@q!VhY$D)S8p zTe5YpTq#RFi~FJIR+;?9xo#h)`&C9M7TY>E=dSXyeXuPejJ)VBD_hZji*Uy2o%Ih9 zDdFnLb1GyQ&0)G6ZI3{qHqJhq?5g zq==W(y)EUus@0M~Hk@VB(;fQnT&1sfSgxW$hgonw7+c;M>e?f{0SnQ+z}36=RkT!i z<;f5WaIUgVa!-4gN$Trc+umTyu8N&Ju?f90yF5}fsDzoE0MTe5U` zkyf~;8jsnoPa$$}>g^u{q-xiKN)GZu8;20T2Rz;en& zi--$X+nzqmlO;`RH<`{p`fA2}EU7sh!J!#C`dskMi*~+8jwjw>3ed8-I=@J|FUs`O zCsO)W{kt)TD?hS(o|ic_Cb3v_fym*WQJk^6n?n3tzqKI)s74wLEeZKOSMZ%Sb3Y*l1UrzC~;YWcHsmpgm!-giyf~=+As^&mO)T8(ugC@^nWk$;)kyqrpXYjaLlpMiU| zmlIKRbhtVt z73eBeBy#H#!FU%knUL6IwK+v5>-G2#^HcEkcgOorV0#ldhAJxah)N_m93ztsGVeUa zrP8Mam}kiZ!ESdAA^A0kku;zU_?fA|lX6dVrU=;;io_=5dp21I6y_D6tL+=_>%~;m z4#@DvuKP{om)*u1uq1`~{ zj!d6R^m%{D-BC0j_?T{;n08|Cnd$y#T%30foiAa*`X(RLw@*pe-o*^)JMg$}Pu~+j zUvLMrJ73~Wo936kM9~=GL_S-w`aRkUPxhk179LBu%&xwu^QEFHU-cy^7J7SL|Mc%A zxRCVkv#|I?guvfk|g!)#-ToS5iLmqh9O6 zf3zl9yKYv0vr6$>i~5Fxb8c&!9os>}Gd;trr>FmG8={{_^Bg54J~Jjt%9; 
z+vBz@>D{^a>%Q!?dUVZYy|R8%H}Q_|{REpgmcOC7ow{pUbaKPhpzDdd%}{2z{M2ny PgLDa9)B72_^QHd>)N;5A literal 0 HcmV?d00001
diff --git a/testing/btest/scripts/base/protocols/smb/smb3.test b/testing/btest/scripts/base/protocols/smb/smb3.test
new file mode 100644
index 0000000000..f762ea10f3
--- /dev/null
+++ b/testing/btest/scripts/base/protocols/smb/smb3.test
@@ -0,0 +1,14 @@
+# @TEST-EXEC: bro -r $TRACES/smb/smb3.pcap %INPUT
+# @TEST-EXEC: btest-diff smb_mapping.log
+# @TEST-EXEC: test ! -f dpd.log
+# @TEST-EXEC: test ! -f weird.log
+# @TEST-EXEC: btest-diff .stdout
+
+@load base/protocols/smb
+
+# Add a test for SMB2 transform header.
+event smb2_transform_header(c: connection, hdr: SMB2::Transform_header)
+ {
+ print fmt("smb2_transform_header %s -> %s:%d %s", c$id$orig_h, c$id$resp_h, c$id$resp_p, hdr);
+ }
+
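Review bot: The `print fmt(... %s", ..., hdr)` line in the new event handler dumps the whole record, so the 32 raw bytes of `signature` and `nonce` land in the `.stdout` baseline through Bro's string escaping (see the `\x..` runs in the baseline), which makes the test sensitive to any change in escaping rules and hard to read when it fails. Formatting the two byte fields as hex and naming the counters keeps the assertion precise without the noise, e.g. `print fmt("smb2_transform_header %s -> %s:%d sig=%s nonce=%s size=%d flags=%d sid=%d", c$id$orig_h, c$id$resp_h, c$id$resp_p, bytestring_to_hexstr(hdr$signature), bytestring_to_hexstr(hdr$nonce), hdr$orig_msg_size, hdr$flags, hdr$session_id);`. Note that every baseline line reads `10.160.64.139 -> 10.160.65.202:445` because the handler prints the connection's endpoints rather than the sender of each header; the event carries no `is_orig`, so the test cannot tell request headers from response headers, which is worth a comment if that is a known limitation of the event. The `# Add a test for SMB2 transform header.` comment would also be more useful if it said what the `test ! -f dpd.log` / `test ! -f weird.log` lines protect against — presumably that the encrypted SMB3 payload following each transform header must not be reported as a protocol violation or weird.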