added more options to SMB2 set-info command

scripts/base/init-bare.bro

@@ -3327,6 +3327,25 @@ export {
 		## The action taken in establishing the open.
 		create_action : count;
 	};
+
+	## A series of integers flags used to set quota and content indexing control information for a file system volume in SMB2.
+	##
+	## For more information, see MS-SMB2:2.2.39 and MS-FSCC:2.5.2
+	##
+	type SMB2::Fscontrol: record {
+		## minimum amount of free disk space required to begin document filtering
+		free_space_start_filtering      : int;
+		## minimum amount of free disk space required to continue document filtering
+		free_space_threshold          	: int;
+		## minimum amount of free disk space required to continue document filtering
+		free_space_threshold          	: int;
+		## default per-user disk quota
+		delete_quota_threshold          : count;
+		## default per-user disk limit
+		default_quota_limit 		: count;
+		## file systems control flags passed as unsigned int
+		fs_control_flags		: count;
+	};
 }
 
 module GLOBAL;

src/analyzer/protocol/smb/smb2-com-set-info.pac

@@ -5,10 +5,22 @@ enum smb2_set_info_type {
 	SMB2_0_INFO_QUOTA      = 0x04,
 };
 
+# taken from MS-FSCC 2.4 and 2.5
 enum smb_file_info_type {
 	SMB2_FILE_BASIC_INFO        = 0x04,
 	SMB2_FILE_RENAME_INFO       = 0x0a,
 	SMB2_FILE_DISPOSITION_INFO = 0x0d,
+	SMB2_FILE_ALLOCATION_INFO = 0x13,
+	SMB2_FILE_ENDOFFILE_INFO = 0x14,
+	SMB2_FILE_FULLEA_INFO = 0x0f,
+	SMB2_FILE_LINK_INFO = 0x0b,
+	SMB2_FILE_MODE_INFO = 0x10,
+	SMB2_FILE_PIPE_INFO = 0x18,
+	SMB2_FILE_POSITION_INFO = 0x0e,
+	SMB2_FILE_SHORTNAME_INFO = 0x28,
+	SMB2_FILE_VALIDDATALENGTH_INFO = 0x27,
+	SMB2_FILE_FSCONTROL_INFO = 0x06,
+	SMB2_FILE_FSOBJECTID_INFO = 0x08,
 }
 
 refine connection SMB_Conn += {
@@ -53,7 +65,154 @@ refine connection SMB_Conn += {
 		return true;
 		%}
 
-};
+	function proc_smb2_set_info_request_file_allocation(val: SMB2_file_allocation_info): bool
+		%{
+		if ( smb2_file_allocation )
+			BifEvent::generate_smb2_file_allocation(bro_analyzer(),
+			                                    bro_analyzer()->Conn(),
+			                                    BuildSMB2HeaderVal(${val.sir.header}),
+			                                    BuildSMB2GUID(${val.sir.file_id}),
+			                                    (${val.allocation_size}));
+
+		return true;
+		%}
+
+	function proc_smb2_set_info_request_file_endoffile(val: SMB2_file_endoffile_info): bool
+		%{
+		if ( smb2_file_endoffile )
+			BifEvent::generate_smb2_file_endoffile(bro_analyzer(),
+			                                    bro_analyzer()->Conn(),
+			                                    BuildSMB2HeaderVal(${val.sir.header}),
+			                                    BuildSMB2GUID(${val.sir.file_id}),
+			                                    ${val.endoffile});
+
+		return true;
+		%}
+
+	#TODO not sure how to handle multiple full_ea file information
+	function proc_smb2_set_info_request_file_fullea(val: SMB2_file_fullea_info): bool
+		%{
+		if ( smb2_file_fullea )
+			BifEvent::generate_smb2_file_fullea(bro_analyzer(),
+			                                    bro_analyzer()->Conn(),
+			                                    BuildSMB2HeaderVal(${val.sir.header}),
+			                                    BuildSMB2GUID(${val.sir.file_id}),
+							    smb2_string2stringval(${val.ea_name}),
+							    smb2_string2stringval(${val.ea_value}));
+
+		return true;
+		%}
+
+	function proc_smb2_set_info_request_file_link(val: SMB2_file_link_info): bool
+		%{
+		if ( smb2_file_link )
+			BifEvent::generate_smb2_file_link(bro_analyzer(),
+			                                    bro_analyzer()->Conn(),
+			                                    BuildSMB2HeaderVal(${val.sir.header}),
+			                                    BuildSMB2GUID(${val.sir.file_id}),
+							    ${val.root_directory},
+							    smb2_string2stringval(${val.file_name}));
+
+		return true;
+		%}
+
+	function proc_smb2_set_info_request_file_mode(val: SMB2_file_mode_info): bool
+		%{
+		if ( smb2_file_mode )
+			BifEvent::generate_smb2_file_mode(bro_analyzer(),
+			                                    bro_analyzer()->Conn(),
+			                                    BuildSMB2HeaderVal(${val.sir.header}),
+			                                    BuildSMB2GUID(${val.sir.file_id}),
+			                                    ${val.mode});
+
+		return true;
+		%}
+
+	function proc_smb2_set_info_request_file_pipe(val: SMB2_file_pipe_info): bool
+		%{
+		if ( smb2_file_pipe )
+			BifEvent::generate_smb2_file_pipe(bro_analyzer(),
+			                                    bro_analyzer()->Conn(),
+			                                    BuildSMB2HeaderVal(${val.sir.header}),
+			                                    BuildSMB2GUID(${val.sir.file_id}),
+			                                    ${val.read_mode},
+							    ${val.completion_mode});
+
+		return true;
+		%}
+
+	function proc_smb2_set_info_request_file_position(val: SMB2_file_position_info): bool
+		%{
+		if ( smb2_file_position )
+			BifEvent::generate_smb2_file_position(bro_analyzer(),
+			                                    bro_analyzer()->Conn(),
+			                                    BuildSMB2HeaderVal(${val.sir.header}),
+			                                    BuildSMB2GUID(${val.sir.file_id}),
+			                                    ${val.current_byte_offset});
+
+		return true;
+		%}
+
+	function proc_smb2_set_info_request_file_shortname(val: SMB2_file_shortname_info): bool
+		%{
+		if ( smb2_file_shortname )
+			BifEvent::generate_smb2_file_shortname(bro_analyzer(),
+			                                    bro_analyzer()->Conn(),
+			                                    BuildSMB2HeaderVal(${val.sir.header}),
+			                                    BuildSMB2GUID(${val.sir.file_id}),
+							    smb2_string2stringval(${val.filename}));
+
+		return true;
+		%}
+
+	function proc_smb2_set_info_request_file_validdatalength(val: SMB2_file_validdatalength_info): bool
+		%{
+		if ( smb2_file_validdatalength )
+			BifEvent::generate_smb2_file_validdatalength(bro_analyzer(),
+			                                    bro_analyzer()->Conn(),
+			                                    BuildSMB2HeaderVal(${val.sir.header}),
+			                                    BuildSMB2GUID(${val.sir.file_id}),
+							    ${val.validdatalength});
+
+		return true;
+		%}
+
+	function proc_smb2_set_info_request_file_fscontrol(val: SMB2_file_fscontrol_info): bool
+		%{
+
+		RecordVal* r = new RecordVal(BifType::Record::SMB2::Fscontrol);
+
+		r->Assign(0, val_mgr->GetInt(${val.free_space_start_filtering}));
+		r->Assign(1, val_mgr->GetInt(${val.free_space_start_threshold}));
+		r->Assign(2, val_mgr->GetInt(${val.free_space_stop_filtering}));
+		r->Assign(3, val_mgr->GetCount(${val.default_quota_threshold}));
+		r->Assign(4, val_mgr->GetCount(${val.default_quota_limit}));
+		r->Assign(5, val_mgr->GetCount(${val.file_system_control_flags}));
+
+		if ( smb2_file_fscontrol )
+			BifEvent::generate_smb2_file_fscontrol(bro_analyzer(),
+			                                    bro_analyzer()->Conn(),
+			                                    BuildSMB2HeaderVal(${val.sir.header}),
+			                                    BuildSMB2GUID(${val.sir.file_id}),
+							    r);
+		return true;
+		%}
+
+	function proc_smb2_set_info_request_file_fsobjectid(val: SMB2_file_fsobjectid_info): bool
+		%{
+		if ( smb2_file_fsobjectid )
+			BifEvent::generate_smb2_file_fsobjectid(bro_analyzer(),
+			                                    bro_analyzer()->Conn(),
+			                                    BuildSMB2HeaderVal(${val.sir.header}),
+			                                    BuildSMB2GUID(${val.sir.file_id}),
+							    BuildSMB2GUID(${val.object_id}),
+							    smb2_string2stringval(${val.extended_info}));
+
+		return true;
+		%}
+
+}
+
 
 type SMB2_file_basic_info(sir: SMB2_set_info_request) = record {
 	creation_time    : SMB_timestamp;
@@ -81,13 +240,109 @@ type SMB2_file_disposition_info(sir: SMB2_set_info_request) = record {
 	proc: bool = $context.connection.proc_smb2_set_info_request_file_delete(this);
 };
 
+type SMB2_file_allocation_info(sir: SMB2_set_info_request) = record {
+	allocation_size : int64;
+} &let {
+	proc: bool = $context.connection.proc_smb2_set_info_request_file_allocation(this);
+};
+
+type SMB2_file_endoffile_info(sir: SMB2_set_info_request) = record {
+	endoffile : int64;
+} &let {
+	proc: bool = $context.connection.proc_smb2_set_info_request_file_endoffile(this);
+};
+
+type SMB2_file_fullea_info(sir: SMB2_set_info_request) = record {
+	next_entry_offset : uint32;
+	flags		  : uint8;
+	ea_name_length    : uint8;
+	ea_value_length	  : uint16;
+	ea_name		  : SMB2_string(ea_name_length); 
+	ea_value	  : SMB2_string(ea_value_length);
+} &let {
+	proc: bool = $context.connection.proc_smb2_set_info_request_file_fullea(this);
+};
+
+type SMB2_file_link_info(sir: SMB2_set_info_request) = record {
+	replace_if_exists : uint8;	#TODO this is a bool, not sure it is correct here
+	reserved	  : uint8[7];   #ignored...
+	root_directory 	  : uint64;
+	file_name_length  : uint32;
+	file_name	  : SMB2_string(file_name_length);
+} &let {
+	proc: bool = $context.connection.proc_smb2_set_info_request_file_link(this);
+};
+
+type SMB2_file_mode_info(sir: SMB2_set_info_request) = record {
+	mode : uint32;
+} &let {
+	proc: bool = $context.connection.proc_smb2_set_info_request_file_mode(this);
+};
+
+type SMB2_file_pipe_info(sir: SMB2_set_info_request) = record {
+	read_mode 	: uint32;
+	completion_mode : uint32;
+} &let {
+	proc: bool = $context.connection.proc_smb2_set_info_request_file_pipe(this);
+};
+
+type SMB2_file_position_info(sir: SMB2_set_info_request) = record {
+	current_byte_offset 	: int64;
+} &let {
+	proc: bool = $context.connection.proc_smb2_set_info_request_file_position(this);
+};
+
+type SMB2_file_shortname_info(sir: SMB2_set_info_request) = record {
+	filename_length  : uint32;
+	filename	  : SMB2_string(filename_length);
+} &let {
+	proc: bool = $context.connection.proc_smb2_set_info_request_file_shortname(this);
+};
+
+type SMB2_file_validdatalength_info(sir: SMB2_set_info_request) = record {
+	validdatalength  : int64;
+} &let {
+	proc: bool = $context.connection.proc_smb2_set_info_request_file_validdatalength(this);
+};
+
+type SMB2_file_fscontrol_info(sir: SMB2_set_info_request) = record {
+	free_space_start_filtering  	: int64;
+	free_space_start_threshold  	: int64;
+	free_space_stop_filtering	: int64;
+	default_quota_threshold		: uint64;
+	default_quota_limit		: uint64;
+	file_system_control_flags	: uint32;
+	pad				: padding[4];
+} &let {
+	proc: bool = $context.connection.proc_smb2_set_info_request_file_fscontrol(this);
+};
+
+type SMB2_file_fsobjectid_info(sir: SMB2_set_info_request) = record {
+	object_id  	: SMB2_guid;
+	extended_info	: SMB2_string(48);	
+} &let {
+	proc: bool = $context.connection.proc_smb2_set_info_request_file_fsobjectid(this);
+};
+
 type SMB2_set_info_file_class(sir: SMB2_set_info_request) = case sir.info_level of {
 	SMB2_FILE_BASIC_INFO       	-> file_basic           : SMB2_file_basic_info(sir);
 	SMB2_FILE_RENAME_INFO      	-> file_rename          : SMB2_file_rename_info(sir);
 	SMB2_FILE_DISPOSITION_INFO 	-> file_disposition     : SMB2_file_disposition_info(sir);
+	SMB2_FILE_ALLOCATION_INFO  	-> file_allocation      : SMB2_file_allocation_info(sir);
+	SMB2_FILE_ENDOFFILE_INFO   	-> file_endoffile       : SMB2_file_endoffile_info(sir);
+	SMB2_FILE_FULLEA_INFO     	-> file_fullea          : SMB2_file_fullea_info(sir);
+	SMB2_FILE_LINK_INFO        	-> file_link            : SMB2_file_link_info(sir);
+	SMB2_FILE_MODE_INFO       	-> file_mode            : SMB2_file_mode_info(sir);
+	SMB2_FILE_PIPE_INFO        	-> file_pipe           	: SMB2_file_pipe_info(sir);
+	SMB2_FILE_POSITION_INFO    	-> file_position       	: SMB2_file_position_info(sir);
+	SMB2_FILE_SHORTNAME_INFO      	-> file_shortname      	: SMB2_file_shortname_info(sir);
+	SMB2_FILE_VALIDDATALENGTH_INFO 	-> file_validdatalength	: SMB2_file_validdatalength_info(sir);
+	SMB2_FILE_FSCONTROL_INFO 	-> file_fscontrol     	: SMB2_file_fscontrol_info(sir);
+	SMB2_FILE_FSOBJECTID_INFO	-> file_fsobjectid	: SMB2_file_fsobjectid_info(sir);
 	default                    	-> info_file_unhandled  : empty;
 };
 
+
 type SMB2_set_info_request(header: SMB2_Header) = record {
 	structure_size  : uint16;
 	info_class      : uint8;

src/analyzer/protocol/smb/smb2_com_set_info.bif

@@ -11,7 +11,7 @@
 ##
 ## dst_filename: The filename to rename the file into.
 ##
-## .. bro:see:: smb2_message smb2_file_delete smb2_file_sattr
+## .. bro:see:: smb2_message smb2_file_delete smb2_file_sattr, smb2_file_allocation, smb2_file_endoffile, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_shortname, smb2_file_validdatalength, smb2_file_fullea, smb2_file_link, smb2_file_fsobjectid, smb2_file_fsobjectid
 event smb2_file_rename%(c: connection, hdr: SMB2::Header, file_id: SMB2::GUID, dst_filename: string%);
 
 ## Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
@@ -28,7 +28,7 @@ event smb2_file_rename%(c: connection, hdr: SMB2::Header, file_id: SMB2::GUID, d
 ## delete_pending: A boolean value to indicate that a file should be deleted 
 ##                 when it's closed if set to T.
 ##
-## .. bro:see:: smb2_message smb2_file_rename smb2_file_sattr
+## .. bro:see:: smb2_message smb2_file_delete smb2_file_sattr, smb2_file_allocation, smb2_file_endoffile, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_shortname, smb2_file_validdatalength, smb2_file_fullea, smb2_file_link, smb2_file_fsobjectid, smb2_file_fsobjectid
 event smb2_file_delete%(c: connection, hdr: SMB2::Header, file_id: SMB2::GUID, delete_pending: bool%);
 
 ## Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
@@ -46,9 +46,174 @@ event smb2_file_delete%(c: connection, hdr: SMB2::Header, file_id: SMB2::GUID, d
 ##
 ## attrs: File attributes.
 ##
-## .. bro:see:: smb2_message smb2_file_rename smb2_file_delete
+## .. bro:see:: smb2_message smb2_file_delete smb2_file_sattr, smb2_file_allocation, smb2_file_endoffile, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_shortname, smb2_file_validdatalength, smb2_file_fullea, smb2_file_link, smb2_file_fsobjectid, smb2_file_fsobjectid
 event smb2_file_sattr%(c: connection, hdr: SMB2::Header, file_id: SMB2::GUID, times: SMB::MACTimes, attrs: SMB2::FileAttrs%);
 
+## Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
+## version 2 requests of type *set_info* of the *allocation* subtype
+##
+## For more infomation, see MS-SMB2:2.2.39
+##
+## c: The connection.
+##
+## hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 2 message.
+##
+## alloc_size: desired allocation size.
+##
+## .. bro:see:: smb2_message smb2_file_delete smb2_file_sattr, smb2_file_allocation, smb2_file_endoffile, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_shortname, smb2_file_validdatalength, smb2_file_fullea, smb2_file_link, smb2_file_fsobjectid, smb2_file_fsobjectid
+event smb2_file_allocation%(c: connection, hdr: SMB2::Header, file_id: SMB2::GUID, alloc_size: int%);
+
+## Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
+## version 2 requests of type *set_info* of the *end_of_file* subtype
+##
+## For more infomation, see MS-SMB2:2.2.39
+##
+## c: The connection.
+##
+## hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 2 message.
+##
+## end_of_file: the absolute new end of file position as a byte offset from the start of the file
+##
+## .. bro:see:: smb2_message smb2_file_delete smb2_file_sattr, smb2_file_allocation, smb2_file_endoffile, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_shortname, smb2_file_validdatalength, smb2_file_fullea, smb2_file_link, smb2_file_fsobjectid, smb2_file_fsobjectid
+event smb2_file_endoffile%(c: connection, hdr: SMB2::Header, file_id: SMB2::GUID, end_of_file: int%);
+
+
+## Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
+## version 2 requests of type *set_info* of the *mode* subtype
+##
+## For more infomation, see MS-SMB2:2.2.39
+##
+## c: The connection.
+##
+## hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 2 message.
+##
+## mode: specifies how the file will subsequently be accessed.
+##
+## .. bro:see:: smb2_message smb2_file_delete smb2_file_sattr, smb2_file_allocation, smb2_file_endoffile, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_shortname, smb2_file_validdatalength, smb2_file_fullea, smb2_file_link, smb2_file_fsobjectid, smb2_file_fsobjectid
+event smb2_file_mode%(c: connection, hdr: SMB2::Header, file_id: SMB2::GUID, mode: count%);
+
+
+## Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
+## version 2 requests of type *set_info* of the *pipe* subtype
+##
+## For more infomation, see MS-SMB2:2.2.39
+##
+## c: The connection.
+##
+## hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 2 message.
+##
+## read_mode: specifies if data must be read as a stream of bytes or messages
+##
+## completion_mode: specifies if blocking mode must be enabled or not
+##
+## .. bro:see:: smb2_message smb2_file_delete smb2_file_sattr, smb2_file_allocation, smb2_file_endoffile, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_shortname, smb2_file_validdatalength, smb2_file_fullea, smb2_file_link, smb2_file_fsobjectid, smb2_file_fsobjectid
+event smb2_file_pipe%(c: connection, hdr: SMB2::Header, file_id: SMB2::GUID, read_mode: count, completion_mode: count%);
+
+
+## Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
+## version 2 requests of type *set_info* of the *position* subtype
+##
+## For more infomation, see MS-SMB2:2.2.39
+##
+## c: The connection.
+##
+## hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 2 message.
+##
+## current_byte_offset: specifies the offset, in bytes, of the file pointer from the beginning of the file
+##
+## .. bro:see:: smb2_message smb2_file_delete smb2_file_sattr, smb2_file_allocation, smb2_file_endoffile, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_shortname, smb2_file_validdatalength, smb2_file_fullea, smb2_file_link, smb2_file_fsobjectid, smb2_file_fsobjectid
+event smb2_file_position%(c: connection, hdr: SMB2::Header, file_id: SMB2::GUID, current_byte_offset: int%);
+
+## Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
+## version 2 requests of type *set_info* of the *short_name* subtype
+##
+## For more infomation, see MS-SMB2:2.2.39
+##
+## c: The connection.
+##
+## hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 2 message.
+##
+## file_name: specifies the name of the file to be changed
+##
+## .. bro:see:: smb2_message smb2_file_delete smb2_file_sattr, smb2_file_allocation, smb2_file_endoffile, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_shortname, smb2_file_validdatalength, smb2_file_fullea, smb2_file_link, smb2_file_fsobjectid, smb2_file_fsobjectid
+event smb2_file_shortname%(c: connection, hdr: SMB2::Header, file_id: SMB2::GUID, file_name: string %);
+
+## Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
+## version 2 requests of type *set_info* of the *valid_data_length* subtype
+##
+## For more infomation, see MS-SMB2:2.2.39
+##
+## c: The connection.
+##
+## hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 2 message.
+##
+## valid_data_length: specifies the new valid data length
+##
+## .. bro:see:: smb2_message smb2_file_delete smb2_file_sattr, smb2_file_allocation, smb2_file_endoffile, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_shortname, smb2_file_validdatalength, smb2_file_fullea, smb2_file_link, smb2_file_fsobjectid, smb2_file_fsobjectid
+event smb2_file_validdatalength%(c: connection, hdr: SMB2::Header, file_id: SMB2::GUID, valid_data_length: int %);
+
+## Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
+## version 2 requests of type *set_info* of the *full_EA* subtype
+##
+## For more infomation, see MS-SMB2:2.2.39
+##
+## c: The connection.
+##
+## hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 2 message.
+##
+## ea_name: contains the extended attribute name
+##
+## ea_value: contains the extended attribute value
+##
+## .. bro:see:: smb2_message smb2_file_delete smb2_file_sattr, smb2_file_allocation, smb2_file_endoffile, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_shortname, smb2_file_validdatalength, smb2_file_fullea, smb2_file_link, smb2_file_fsobjectid, smb2_file_fsobjectid
+event smb2_file_fullea%(c: connection, hdr: SMB2::Header, file_id: SMB2::GUID, ea_name: string, ea_value: string %);
+
+## Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
+## version 2 requests of type *set_info* of the *link* subtype
+##
+## For more infomation, see MS-SMB2:2.2.39
+##
+## c: The connection.
+##
+## hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 2 message.
+##
+## root_directory: contains the file handle for the directory where the link is to be created
+##
+## file_name: contains the name to be assigned to the newly created link
+##
+## .. bro:see:: smb2_message smb2_file_delete smb2_file_sattr, smb2_file_allocation, smb2_file_endoffile, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_shortname, smb2_file_validdatalength, smb2_file_fullea, smb2_file_link, smb2_file_fsobjectid, smb2_file_fsobjectid
+event smb2_file_link%(c: connection, hdr: SMB2::Header, file_id: SMB2::GUID, root_directory: count, file_name: string %);
+
+## Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
+## version 2 requests of type *set_info* of the *fs_control* subtype
+##
+## For more infomation, see MS-SMB2:2.2.39
+##
+## c: The connection.
+##
+## hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 2 message.
+##
+## fs_control: contains fs_control info (see MS-FCC 2.5.2)
+##
+## .. bro:see:: smb2_message smb2_file_delete smb2_file_sattr, smb2_file_allocation, smb2_file_endoffile, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_shortname, smb2_file_validdatalength, smb2_file_fullea, smb2_file_link, smb2_file_fsobjectid, smb2_file_fsobjectid
+event smb2_file_fscontrol%(c: connection, hdr: SMB2::Header, file_id: SMB2::GUID, fs_control: SMB2::Fscontrol %);
+
+## Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
+## version 2 requests of type *set_info* of the *fs_object_id* subtype
+##
+## For more infomation, see MS-SMB2:2.2.39
+##
+## c: The connection.
+##
+## hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 2 message.
+##
+## object_id: contains a 16-bytes GUID that identifies the file system volume (see MS-FCC 2.5.6)
+##
+## extended_info: contains extended information on the file system volume
+##
+## .. bro:see:: smb2_message smb2_file_delete smb2_file_sattr, smb2_file_allocation, smb2_file_endoffile, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_shortname, smb2_file_validdatalength, smb2_file_fullea, smb2_file_link, smb2_file_fsobjectid, smb2_file_fsobjectid
+event smb2_file_fsobjectid%(c: connection, hdr: SMB2::Header, file_id: SMB2::GUID, object_id: SMB2::GUID, extended_info: string %);
+
 # TODO - Not implemented
 
 # Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`

src/analyzer/protocol/smb/types.bif

@@ -5,3 +5,4 @@ type SMB1::Header: record;
 type SMB2::Header: record;
 type SMB2::GUID: record;
 type SMB2::FileAttrs: record;
+type SMB2::Fscontrol: record;