performance speed-up for SMB base scripts

scripts/base/protocols/smb/files.zeek

@@ -27,10 +27,10 @@ function get_file_handle(c: connection, is_orig: bool): string
 	# should be considered a new file. We use the raw version here to avoid
 	# getting differences when double precision varies by architecture.
 	local last_mod  = cat(current_file?$times ? current_file$times$modified_raw : 0);
-	# TODO: This is doing hexdump to avoid problems due to file analysis handling
+	# TODO: This is doing clean to avoid problems due to file analysis handling
 	#       using CheckString which is not immune to encapsulated null bytes.
 	#       This needs to be fixed lower in the file analysis code later.
-	return hexdump(cat(Analyzer::ANALYZER_SMB, c$id$orig_h, c$id$resp_h, path_name, file_name, last_mod));
+	return clean(cat(Analyzer::ANALYZER_SMB, c$id$orig_h, c$id$resp_h, path_name, file_name, last_mod));
 	}
 
 function describe_file(f: fa_file): string

testing/btest/Baseline/scripts.base.protocols.smb.smb2-read-write/files.log

@@ -7,6 +7,6 @@
 #open XXXX-XX-XX-XX-XX-XX
 #fields	ts	fuid	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	source	depth	analyzers	mime_type	filename	duration	local_orig	is_orig	seen_bytes	total_bytes	missing_bytes	overflow_bytes	timedout	parent_fuid	md5	sha1	sha256	extracted	extracted_cutoff	extracted_size
 #types	time	string	string	addr	port	addr	port	string	count	set[string]	string	string	interval	bool	bool	count	count	count	count	bool	string	string	string	string	string	bool	count
-XXXXXXXXXX.XXXXXX	FVTHwlRSH2WI8fFw2	CHhAvVGS1DHFjwGM9	169.254.128.18	49155	169.254.128.15	445	SMB	0	(empty)	text/plain	pythonfile	0.000000	T	F	16	16	0	0	F	-	-	-	-	-	-	-
-XXXXXXXXXX.XXXXXX	FAI5Dc4cLr5RAw3j0e	CHhAvVGS1DHFjwGM9	169.254.128.18	49155	169.254.128.15	445	SMB	0	(empty)	text/plain	pythonfile2	0.000000	T	T	7000	-	0	0	F	-	-	-	-	-	-	-
+XXXXXXXXXX.XXXXXX	FH8ukp35vOgBQD0yi	CHhAvVGS1DHFjwGM9	169.254.128.18	49155	169.254.128.15	445	SMB	0	(empty)	text/plain	pythonfile	0.000000	T	F	16	16	0	0	F	-	-	-	-	-	-	-
+XXXXXXXXXX.XXXXXX	FZwWEMkEEYbonVSe2	CHhAvVGS1DHFjwGM9	169.254.128.18	49155	169.254.128.15	445	SMB	0	(empty)	text/plain	pythonfile2	0.000000	T	T	7000	-	0	0	F	-	-	-	-	-	-	-
 #close XXXX-XX-XX-XX-XX-XX

testing/btest/Baseline/scripts.base.protocols.smb.smb2-read-write/smb_files.log

@@ -9,9 +9,9 @@
 #types	time	string	addr	port	addr	port	string	enum	string	string	count	string	time	time	time	time
 XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	169.254.128.18	49155	169.254.128.15	445	-	SMB::FILE_OPEN	-	pythonfile	16	-	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX
 XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	169.254.128.18	49155	169.254.128.15	445	-	SMB::FILE_READ	-	pythonfile	16	-	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX
-XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	169.254.128.18	49155	169.254.128.15	445	FVTHwlRSH2WI8fFw2	SMB::FILE_READ	-	pythonfile	16	-	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	169.254.128.18	49155	169.254.128.15	445	FH8ukp35vOgBQD0yi	SMB::FILE_READ	-	pythonfile	16	-	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX
 XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	169.254.128.18	49155	169.254.128.15	445	-	SMB::FILE_OPEN	-	pythonfile2	0	-	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX
 XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	169.254.128.18	49155	169.254.128.15	445	-	SMB::FILE_WRITE	-	pythonfile2	0	-	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX
-XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	169.254.128.18	49155	169.254.128.15	445	FAI5Dc4cLr5RAw3j0e	SMB::FILE_WRITE	-	pythonfile2	0	-	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	169.254.128.18	49155	169.254.128.15	445	FZwWEMkEEYbonVSe2	SMB::FILE_WRITE	-	pythonfile2	0	-	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX
 XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	169.254.128.18	49155	169.254.128.15	445	-	SMB::FILE_OPEN	-	<share_root>	0	-	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX
 #close XXXX-XX-XX-XX-XX-XX

testing/btest/Baseline/scripts.base.protocols.smb.smb2/files.log

@@ -7,5 +7,5 @@
 #open XXXX-XX-XX-XX-XX-XX
 #fields	ts	fuid	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	source	depth	analyzers	mime_type	filename	duration	local_orig	is_orig	seen_bytes	total_bytes	missing_bytes	overflow_bytes	timedout	parent_fuid	md5	sha1	sha256	extracted	extracted_cutoff	extracted_size
 #types	time	string	string	addr	port	addr	port	string	count	set[string]	string	string	interval	bool	bool	count	count	count	count	bool	string	string	string	string	string	bool	count
-XXXXXXXXXX.XXXXXX	FwL5Z01az5ZsFYcHh5	CHhAvVGS1DHFjwGM9	10.0.0.11	49208	10.0.0.12	445	SMB	0	(empty)	application/pdf	WP_SMBPlugin.pdf	0.073970	T	T	1508939	-	0	0	F	-	-	-	-	-	-	-
+XXXXXXXXXX.XXXXXX	FB7E9n1ZwSgkhBhU27	CHhAvVGS1DHFjwGM9	10.0.0.11	49208	10.0.0.12	445	SMB	0	(empty)	application/pdf	WP_SMBPlugin.pdf	0.073970	T	T	1508939	-	0	0	F	-	-	-	-	-	-	-
 #close XXXX-XX-XX-XX-XX-XX

testing/btest/Baseline/scripts.policy.frameworks.intel.seen.smb/intel.log

@@ -7,5 +7,5 @@
 #open XXXX-XX-XX-XX-XX-XX
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	seen.indicator	seen.indicator_type	seen.where	seen.node	matched	sources	fuid	file_mime_type	file_desc
 #types	time	string	addr	port	addr	port	string	enum	enum	string	set[enum]	set[string]	string	string	string
-XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	169.254.128.18	49155	169.254.128.15	445	pythonfile	Intel::FILE_NAME	SMB::IN_FILE_NAME	zeek	Intel::FILE_NAME	source1	FVTHwlRSH2WI8fFw2	-	pythonfile
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	169.254.128.18	49155	169.254.128.15	445	pythonfile	Intel::FILE_NAME	SMB::IN_FILE_NAME	zeek	Intel::FILE_NAME	source1	FH8ukp35vOgBQD0yi	-	pythonfile
 #close XXXX-XX-XX-XX-XX-XX