Merge remote branch 'origin/topic/seth/decode-nbns-names'

* origin/topic/seth/decode-nbns-names:
  Updates and tests for netbios name BiF.

src/bro.bif

@@ -1360,17 +1360,26 @@ function decode_netbios_name%(name: string%): string
 		}
 
 	for ( i = 0; i < 15; ++i )
-		if ( isalnum(buf[i]) || ispunct(buf[i]) )
+		{
+		if ( isalnum(buf[i]) || ispunct(buf[i]) ||
+		     // \x01\x02 is seen in at least one case as the first two bytes.
+		     // I think that any \x01 and \x02 should always be passed through.
+		     buf[i] < 3 )
 			result[i] = buf[i];
 		else
 			break;
-
-	// The last byte denotes the name type.
-	snprintf(result + i, sizeof(result) - i, "<%02x>", buf[15]);
+		}
 
 	return new StringVal(result);
 	%}
 
+function decode_netbios_name_type%(name: string%): count
+	%{
+	const u_char* s = name->Bytes();
+	char return_val = ((toupper(s[30]) - 'A') << 4) + (toupper(s[31]) - 'A');
+	return new Val(return_val, TYPE_COUNT);
+	%}
+
 %%{
 #include "HTTP.h"
 

testing/btest/Baseline/bifs.netbios-functions/out

@@ -0,0 +1,8 @@
+MARTIN
+3
+WORKGROUP
+27
+^A^B__MSBROWSE__^B
+1
+ISATAP
+0

testing/btest/bifs/netbios-functions.bro

@@ -0,0 +1,18 @@
+#
+# @TEST-EXEC: bro %INPUT >out
+# @TEST-EXEC: btest-diff out
+
+event bro_init()
+	{
+	local names_to_decode = set(
+		"ejfdebfeebfacacacacacacacacacaaa", # ISATAP
+		"fhepfcelehfcepfffacacacacacacabl", # WORKGROUP
+		"abacfpfpenfdecfcepfhfdeffpfpacab", # \001\002__MSBROWSE__\002
+		"enebfcfeejeocacacacacacacacacaad"); # MARTIN
+
+	for ( name in names_to_decode )
+		{
+		print decode_netbios_name(name);
+		print decode_netbios_name_type(name);
+		}
+	}