diff --git a/scripts/base/protocols/smb/files.zeek b/scripts/base/protocols/smb/files.zeek
index 08e62c6954..2f5bc07c59 100644
--- a/scripts/base/protocols/smb/files.zeek
+++ b/scripts/base/protocols/smb/files.zeek
@@ -27,10 +27,10 @@ function get_file_handle(c: connection, is_orig: bool): string
 # should be considered a new file. We use the raw version here to avoid
 # getting differences when double precision varies by architecture.
 local last_mod = cat(current_file?$times ? current_file$times$modified_raw : 0);
- # TODO: This is doing hexdump to avoid problems due to file analysis handling
+ # TODO: This is doing clean to avoid problems due to file analysis handling
 # using CheckString which is not immune to encapsulated null bytes.
 # This needs to be fixed lower in the file analysis code later.
- return hexdump(cat(Analyzer::ANALYZER_SMB, c$id$orig_h, c$id$resp_h, path_name, file_name, last_mod));
+ return clean(cat(Analyzer::ANALYZER_SMB, c$id$orig_h, c$id$resp_h, path_name, file_name, last_mod));
 }
 function describe_file(f: fa_file): string
diff --git a/testing/btest/Baseline/scripts.base.protocols.smb.smb2-read-write/files.log b/testing/btest/Baseline/scripts.base.protocols.smb.smb2-read-write/files.log
index 20a6d49517..17798525c2 100644
--- a/testing/btest/Baseline/scripts.base.protocols.smb.smb2-read-write/files.log
+++ b/testing/btest/Baseline/scripts.base.protocols.smb.smb2-read-write/files.log
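Review bot: The new `return clean(cat(...))` line still joins every field with no delimiter, so two distinct (path_name, file_name) pairs whose bytes concatenate identically produce the same file handle and the file analysis framework merges them into one file; swapping hexdump() for clean() changes the escaping of the result, not that ambiguity. Escaping the variable-length fields individually before joining with a separator removes it, because an in-field tab is already rendered as `\x09` when the outer clean() runs and so cannot be confused with the joining tab (this relies on clean() escaping backslashes as well as non-printable bytes, which is worth confirming): `return clean(cat_sep("\t", "", Analyzer::ANALYZER_SMB, c$id$orig_h, c$id$resp_h, clean(path_name), clean(file_name), last_mod));`. The updated TODO text "This is doing clean to avoid" reads awkwardly; `# TODO: This calls clean() to avoid problems due to file analysis handling` says the same thing more plainly. The opening lines of get_file_handle are outside the hunk.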
@@ -7,6 +7,6 @@
 #open XXXX-XX-XX-XX-XX-XX
 #fields ts fuid uid id.orig_h id.orig_p id.resp_h id.resp_p source depth analyzers mime_type filename duration local_orig is_orig seen_bytes total_bytes missing_bytes overflow_bytes timedout parent_fuid md5 sha1 sha256 extracted extracted_cutoff extracted_size
 #types time string string addr port addr port string count set[string] string string interval bool bool count count count count bool string string string string string bool count
-XXXXXXXXXX.XXXXXX FVTHwlRSH2WI8fFw2 CHhAvVGS1DHFjwGM9 169.254.128.18 49155 169.254.128.15 445 SMB 0 (empty) text/plain pythonfile 0.000000 T F 16 16 0 0 F - - - - - - -
-XXXXXXXXXX.XXXXXX FAI5Dc4cLr5RAw3j0e CHhAvVGS1DHFjwGM9 169.254.128.18 49155 169.254.128.15 445 SMB 0 (empty) text/plain pythonfile2 0.000000 T T 7000 - 0 0 F - - - - - - -
+XXXXXXXXXX.XXXXXX FH8ukp35vOgBQD0yi CHhAvVGS1DHFjwGM9 169.254.128.18 49155 169.254.128.15 445 SMB 0 (empty) text/plain pythonfile 0.000000 T F 16 16 0 0 F - - - - - - -
+XXXXXXXXXX.XXXXXX FZwWEMkEEYbonVSe2 CHhAvVGS1DHFjwGM9 169.254.128.18 49155 169.254.128.15 445 SMB 0 (empty) text/plain pythonfile2 0.000000 T T 7000 - 0 0 F - - - - - - -
 #close XXXX-XX-XX-XX-XX-XX
diff --git a/testing/btest/Baseline/scripts.base.protocols.smb.smb2-read-write/smb_files.log b/testing/btest/Baseline/scripts.base.protocols.smb.smb2-read-write/smb_files.log
index c1b80a0c12..2d42051f37 100644
--- a/testing/btest/Baseline/scripts.base.protocols.smb.smb2-read-write/smb_files.log
+++ b/testing/btest/Baseline/scripts.base.protocols.smb.smb2-read-write/smb_files.log
@@ -9,9 +9,9 @@
 #types time string addr port addr port string enum string string count string time time time time
 XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 169.254.128.18 49155 169.254.128.15 445 - SMB::FILE_OPEN - pythonfile 16 - XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX
 XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 169.254.128.18 49155 169.254.128.15 445 - SMB::FILE_READ - pythonfile 16 - XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX
-XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 169.254.128.18 49155 169.254.128.15 445 FVTHwlRSH2WI8fFw2 SMB::FILE_READ - pythonfile 16 - XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX
+XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 169.254.128.18 49155 169.254.128.15 445 FH8ukp35vOgBQD0yi SMB::FILE_READ - pythonfile 16 - XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX
 XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 169.254.128.18 49155 169.254.128.15 445 - SMB::FILE_OPEN - pythonfile2 0 - XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX
 XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 169.254.128.18 49155 169.254.128.15 445 - SMB::FILE_WRITE - pythonfile2 0 - XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX
-XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 169.254.128.18 49155 169.254.128.15 445 FAI5Dc4cLr5RAw3j0e SMB::FILE_WRITE - pythonfile2 0 - XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX
+XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 169.254.128.18 49155 169.254.128.15 445 FZwWEMkEEYbonVSe2 SMB::FILE_WRITE - pythonfile2 0 - XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX
 XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 169.254.128.18 49155 169.254.128.15 445 - SMB::FILE_OPEN - 0 - XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX
 #close XXXX-XX-XX-XX-XX-XX
diff --git a/testing/btest/Baseline/scripts.base.protocols.smb.smb2/files.log b/testing/btest/Baseline/scripts.base.protocols.smb.smb2/files.log
index 93bf183246..76a62554ea 100644
--- a/testing/btest/Baseline/scripts.base.protocols.smb.smb2/files.log
+++ b/testing/btest/Baseline/scripts.base.protocols.smb.smb2/files.log
@@ -7,5 +7,5 @@
 #open XXXX-XX-XX-XX-XX-XX
 #fields ts fuid uid id.orig_h id.orig_p id.resp_h id.resp_p source depth analyzers mime_type filename duration local_orig is_orig seen_bytes total_bytes missing_bytes overflow_bytes timedout parent_fuid md5 sha1 sha256 extracted extracted_cutoff extracted_size
 #types time string string addr port addr port string count set[string] string string interval bool bool count count count count bool string string string string string bool count
-XXXXXXXXXX.XXXXXX FwL5Z01az5ZsFYcHh5 CHhAvVGS1DHFjwGM9 10.0.0.11 49208 10.0.0.12 445 SMB 0 (empty) application/pdf WP_SMBPlugin.pdf 0.073970 T T 1508939 - 0 0 F - - - - - - -
+XXXXXXXXXX.XXXXXX FB7E9n1ZwSgkhBhU27 CHhAvVGS1DHFjwGM9 10.0.0.11 49208 10.0.0.12 445 SMB 0 (empty) application/pdf WP_SMBPlugin.pdf 0.073970 T T 1508939 - 0 0 F - - - - - - -
 #close XXXX-XX-XX-XX-XX-XX
diff --git a/testing/btest/Baseline/scripts.policy.frameworks.intel.seen.smb/intel.log b/testing/btest/Baseline/scripts.policy.frameworks.intel.seen.smb/intel.log
index 8bf960834d..0b7877c82b 100644
--- a/testing/btest/Baseline/scripts.policy.frameworks.intel.seen.smb/intel.log
+++ b/testing/btest/Baseline/scripts.policy.frameworks.intel.seen.smb/intel.log
@@ -7,5 +7,5 @@
 #open XXXX-XX-XX-XX-XX-XX
 #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p seen.indicator seen.indicator_type seen.where seen.node matched sources fuid file_mime_type file_desc
 #types time string addr port addr port string enum enum string set[enum] set[string] string string string
-XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 169.254.128.18 49155 169.254.128.15 445 pythonfile Intel::FILE_NAME SMB::IN_FILE_NAME zeek Intel::FILE_NAME source1 FVTHwlRSH2WI8fFw2 - pythonfile
+XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 169.254.128.18 49155 169.254.128.15 445 pythonfile Intel::FILE_NAME SMB::IN_FILE_NAME zeek Intel::FILE_NAME source1 FH8ukp35vOgBQD0yi - pythonfile
 #close XXXX-XX-XX-XX-XX-XX