add parameters and data to smb1_transaction_request/response messages

expose SMB_Data.Trans_Parameters and SMB_Data.Trans_Data fields of
SMB_COM_TRANSACTION (0x25) message type. See MS-CIFS section
2.2.4.33.1.

These fields are exposed to the script level as Bro strings. Note that
this commit also expose a new event smb1_transaction_response.

scripts/policy/protocols/smb/smb1-main.bro

@@ -263,7 +263,7 @@ event smb1_session_setup_andx_response(c: connection, hdr: SMB1::Header, respons
 	# No behavior yet.
 	}
 	
-event smb1_transaction_request(c: connection, hdr: SMB1::Header, name: string, sub_cmd: count)
+event smb1_transaction_request(c: connection, hdr: SMB1::Header, name: string, sub_cmd: count, parameters: string, data: string)
 	{
 	c$smb_state$current_cmd$sub_command = SMB1::trans_sub_commands[sub_cmd];
 	}

src/analyzer/protocol/smb/smb1-com-transaction.pac

@@ -31,18 +31,96 @@ refine connection SMB_Conn += {
 
 	function proc_smb1_transaction_request(header: SMB_Header, val: SMB1_transaction_request): bool
 		%{
+		StringVal *parameters = new StringVal(${val.param_count}, (const char*)${val.parameters}.data());
+		StringVal *payload_str = nullptr;
+		SMB1_transaction_data *payload = nullptr;
+
+		if ( !parameters )
+		{
+			parameters = new StringVal("");
+		}
+
+		if ( ${val.data_count > 0} )
+		{
+			payload = ${val.data};
+		}
+
+		if ( payload )
+		{
+			switch ( payload->trans_type() )
+			{
+			case SMB_PIPE:
+				payload_str = new StringVal(${val.data_count}, (const char*)${val.data.pipe_data}.data());
+				break;
+			case SMB_UNKNOWN:
+				payload_str = new StringVal(${val.data_count}, (const char*)${val.data.unknown}.data());
+				break;
+			default:
+				payload_str = new StringVal(${val.data_count}, (const char*)${val.data.data}.data());
+				break;
+			}
+		}
+
+		if ( !payload_str )
+		{
+			payload_str = new StringVal("");
+		}
+
 		if ( smb1_transaction_request )
 			BifEvent::generate_smb1_transaction_request(bro_analyzer(),
 			                                            bro_analyzer()->Conn(),
 			                                            BuildHeaderVal(header),
 			                                            smb_string2stringval(${val.name}),
-			                                            ${val.sub_cmd});
+			                                            ${val.sub_cmd},
+								    parameters,
+								    payload_str);
 
 		return true;
 		%}
 
 	function proc_smb1_transaction_response(header: SMB_Header, val: SMB1_transaction_response): bool
 		%{
+		StringVal *parameters = new StringVal(${val.param_count}, (const char*)${val.parameters}.data());
+		StringVal *payload_str = nullptr;
+		SMB1_transaction_data *payload = nullptr;
+
+		if ( !parameters )
+		{
+			parameters = new StringVal("");
+		}
+
+		if ( ${val.data_count > 0} )
+		{
+			payload = ${val.data[0]};
+		}
+
+		if ( payload )
+		{
+			switch ( payload->trans_type() )
+			{
+			case SMB_PIPE:
+				payload_str = new StringVal(${val.data_count}, (const char*)${val.data[0].pipe_data}.data());
+				break;
+			case SMB_UNKNOWN:
+				payload_str = new StringVal(${val.data_count}, (const char*)${val.data[0].unknown}.data());
+				break;
+			default:
+				payload_str = new StringVal(${val.data_count}, (const char*)${val.data[0].data}.data());
+				break;
+			}
+		}
+
+		if ( !payload_str )
+		{
+			payload_str = new StringVal("");
+		}
+
+		if ( smb1_transaction_response )
+			BifEvent::generate_smb1_transaction_response(bro_analyzer(),
+			                                             bro_analyzer()->Conn(),
+			                                             BuildHeaderVal(header),
+								     parameters,
+			                                             payload_str);
 		return true;
 		%}
 };
@@ -54,8 +132,8 @@ type SMB1_transaction_data(header: SMB_Header, is_orig: bool, count: uint16, sub
 #	SMB_MAILSLOT_LANMAN -> lanman    : SMB_MailSlot_message(header.unicode, count);
 #	SMB_RAP             -> rap       : SMB_Pipe_message(header.unicode, count);
 	SMB_PIPE            -> pipe_data : bytestring &restofdata;
-	SMB_UNKNOWN         -> unknown   : bytestring &restofdata &transient;
+	SMB_UNKNOWN         -> unknown   : bytestring &restofdata;
-	default             -> data      : bytestring &restofdata &transient;
+	default             -> data      : bytestring &restofdata;
 } &let {
 	pipe_proc : bool = $context.connection.forward_dce_rpc(pipe_data, 0, is_orig) &if(trans_type == SMB_PIPE);
 };

src/analyzer/protocol/smb/smb1_com_transaction.bif

@@ -3,7 +3,7 @@
 ## Transaction Subprotocol Commands. These commands operate on mailslots and named pipes,
 ## which are interprocess communication endpoints within the CIFS file system.
 ##
-## For more information, see MS-CIFS:2.2.4.33
+## For more information, see MS-CIFS:2.2.4.33.1
 ##
 ## c: The connection.
 ##
@@ -14,5 +14,25 @@
 ##
 ## sub_cmd: The sub command, some may be parsed and have their own events.
 ##
+## parameters: content of the SMB_Data.Trans_Parameters field
+##
+## data: content of the SMB_Data.Trans_Data field
+##
 ## .. bro:see:: smb1_message smb1_transaction2_request
-event smb1_transaction_request%(c: connection, hdr: SMB1::Header, name: string, sub_cmd: count%);
+event smb1_transaction_request%(c: connection, hdr: SMB1::Header, name: string, sub_cmd: count, parameters: string, data: string%);
+
+## Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
+## version 1 requests of type *transaction*. This command serves as the transport for the
+## Transaction Subprotocol Commands. These commands operate on mailslots and named pipes,
+## which are interprocess communication endpoints within the CIFS file system.
+##
+## For more information, see MS-CIFS:2.2.4.33.2
+##
+## c: The connection.
+##
+## hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 1 message.
+##
+## parameters: content of the SMB_Data.Trans_Parameters field
+##
+## data: content of the SMB_Data.Trans_Data field
+event smb1_transaction_response%(c: connection, hdr: SMB1::Header, parameters: string, data: string%);