From a4f73ee45faf7591e529aefbfa60e31f167cc1f2 Mon Sep 17 00:00:00 2001
From: mvhensbergen <46875782+mvhensbergen@users.noreply.github.com>
Date: Fri, 17 May 2024 15:03:06 +0200
Subject: [PATCH] Copy timestamp from file object

In some cases, e.g. running zeek on short pcaps as opposed to continuous packet streams, network_time() may not equal the time that was used when generating the file object. This results in the pe.log entry having a different timestamp than its corresponding files.log entry which is strange as they refer to the exact same file.
---
 scripts/base/files/pe/main.zeek | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/scripts/base/files/pe/main.zeek b/scripts/base/files/pe/main.zeek
index 372a9e94ea..22577079d3 100644
--- a/scripts/base/files/pe/main.zeek
+++ b/scripts/base/files/pe/main.zeek
@@ -66,7 +66,7 @@ event zeek_init() &priority=5
 hook set_file(f: fa_file) &priority=5
 {
 if ( ! f?$pe )
- f$pe = [$ts=network_time(), $id=f$id];
+ f$pe = [$ts=f$info$ts, $id=f$id];
 }
 
 event pe_dos_header(f: fa_file, h: PE::DOSHeader) &priority=5
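Review bot: `f$info` is an `&optional` field on `fa_file`, so the added `$ts=f$info$ts` will raise a Zeek runtime error ("field value missing") and abort the `set_file` hook if it is ever reached before `Files::set_info` has populated `f$info`; the replaced `network_time()` had no such dependency. The usual file_new ordering presumably guarantees `f$info` is set before any PE analyzer event fires, but that ordering is not visible in this hunk, so a guard keeps the pe.log entry intact either way: `f$pe = [$ts=f?$info ? f$info$ts : network_time(), $id=f$id];`. A one-line comment above the assignment would also record why the timestamp is copied rather than sampled: `# Use the files.log timestamp so pe.log and files.log agree for the same file.`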