From c564f545c09c3988c6e18daa69528815820f0cb5 Mon Sep 17 00:00:00 2001 From: Seth Hall Date: Wed, 20 Apr 2011 15:59:11 -0400 Subject: [PATCH] Updates and tests for netbios name BiF. * New BiF named: decode_netbios_name_type * \x01 and \x02 are now decoded because I saw those bytes being actively used in names. --- src/bro.bif | 15 +++++++++++---- .../btest/Baseline/bifs.netbios-functions/out | 8 ++++++++ testing/btest/bifs/netbios-functions.bro | 18 ++++++++++++++++++ 3 files changed, 37 insertions(+), 4 deletions(-) create mode 100644 testing/btest/Baseline/bifs.netbios-functions/out create mode 100644 testing/btest/bifs/netbios-functions.bro diff --git a/src/bro.bif b/src/bro.bif index ebd4df0aca..9151e4eaee 100644 --- a/src/bro.bif +++ b/src/bro.bif @@ -1340,16 +1340,23 @@ function decode_netbios_name%(name: string%): string } for ( i = 0; i < 15; ++i ) - if ( isalnum(buf[i]) || ispunct(buf[i]) ) + if ( isalnum(buf[i]) || ispunct(buf[i]) || + // \x01\x02 is seen in at least one case as the first two bytes + // I think that any \x01 and \x02 should always be passed through. + buf[i] < 3 ) result[i] = buf[i]; else break; - // The last byte denotes the name type. - snprintf(result + i, sizeof(result) - i, "<%02x>", buf[15]); - return new StringVal(result); %} + +function decode_netbios_name_type%(name: string%): count + %{ + const u_char* s = name->Bytes(); + char return_val = ((toupper(s[30]) - 'A') << 4) + (toupper(s[31]) - 'A'); + return new Val(return_val, TYPE_COUNT); + %} %%{ #include "HTTP.h" diff --git a/testing/btest/Baseline/bifs.netbios-functions/out b/testing/btest/Baseline/bifs.netbios-functions/out new file mode 100644 index 0000000000..6bca776cee --- /dev/null +++ b/testing/btest/Baseline/bifs.netbios-functions/out @@ -0,0 +1,8 @@ +MARTIN +3 +^A^B__MSBROWSE__^B +1 +WORKGROUP +27 +ISATAP +0 diff --git a/testing/btest/bifs/netbios-functions.bro b/testing/btest/bifs/netbios-functions.bro new file mode 100644 index 0000000000..1fd033dd59 --- /dev/null 
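Review bot: decode_netbios_name_type reads s[30] and s[31] without checking name->Len(), so an encoded name shorter than 32 bytes — which is what a malformed or truncated NetBIOS packet would hand the decoder — reads past the end of the string's buffer; guard it first, e.g. `if ( name->Len() < 32 ) return new Val(0, TYPE_COUNT);` (or report the short name the way neighbouring BiFs report bad input), and use `unsigned char` or `int` for return_val so a character outside 'A'..'P' cannot yield a negative signed char that is then widened into a count. Separately, the removed snprintf was what wrote the terminating NUL into result; if `return new StringVal(result);` remains as context (the collapsed layout leaves its marker ambiguous), StringVal will strlen past the decoded bytes, and `return new StringVal(i, result);` passes the length explicitly where the tree has that constructor. decode_netbios_name's body, including the declaration of result, starts outside the hunk.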
+++ b/testing/btest/bifs/netbios-functions.bro
@@ -0,0 +1,18 @@
+#
+# @TEST-EXEC: bro %INPUT >out
+# @TEST-EXEC: btest-diff out
+
+event bro_init()
+	{
+	local names_to_decode = set(
+		"ejfdebfeebfacacacacacacacacacaaa", # ISATAP
+		"fhepfcelehfcepfffacacacacacacabl", # WORKGROUP
+		"abacfpfpenfdecfcepfhfdeffpfpacab", # \001\002__MSBROWSE__\002
+		"enebfcfeejeocacacacacacacacacaad"); # MARTIN
+
+	for ( name in names_to_decode )
+		{
+		print decode_netbios_name(name);
+		print decode_netbios_name_type(name);
+		}
+	}
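Review bot: The loop iterates a `set`, so the order in which the four names are printed depends on the set's hash order, and the baseline pins one specific order (MARTIN first, ISATAP last) that already differs from the order the names are listed in; any change to string hashing would break the baseline without either BiF changing. An ordered container iterated by index, or sorting the decoded strings before printing, would make the expected output deterministic. It would also be worth adding a name shorter than 32 characters so the test covers how both BiFs behave on truncated input rather than only on well-formed names.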