From f165ff943efa83fdb5eed46a65a6e2bd21470e72 Mon Sep 17 00:00:00 2001
From: Julien Wallior
Date: Thu, 11 Jan 2018 15:18:56 -0500
Subject: [PATCH] Expand smb2 unit test.
---
 .../scripts.base.protocols.smb.smb2/.stdout | 238 ++++++++++++++++++
 .../scripts/base/protocols/smb/smb2.test | 11 +
 2 files changed, 249 insertions(+)
 create mode 100644 testing/btest/Baseline/scripts.base.protocols.smb.smb2/.stdout
diff --git a/testing/btest/Baseline/scripts.base.protocols.smb.smb2/.stdout b/testing/btest/Baseline/scripts.base.protocols.smb.smb2/.stdout
new file mode 100644
index 0000000000..015b55c71d
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.protocols.smb.smb2/.stdout
@@ -0,0 +1,238 @@ +smb2_create_request, [id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], orig=[size=1225, state=4, num_pkts=6, num_bytes_ip=1257, flow_label=0, l2_addr=00:0c:29:6b:99:0f], resp=[size=760, state=4, num_pkts=5, num_bytes_ip=972, flow_label=0, l2_addr=00:0c:29:4e:b0:d0], start_time=1323202695.370647, duration=0.006812, service={ +SMB, +GSSAPI, +NTLM +}, history=ShADd, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=[ts=1323202695.372863, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], username=Administrator, hostname=SERVER01, domainname=CONTOSO, success=T, status=SUCCESS, done=T], radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=, smb_state=[current_cmd=[ts=1323202695.377459, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], command=CREATE, sub_command=, argument=, status=, rtt=, version=SMB2, username=, tree=, tree_service=, referenced_file=[ts=1323202695.377459, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], fuid=, action=SMB::FILE_OPEN, path=, name=, size=0, prev_name=, times=, fid=, uuid=], referenced_tree=[ts=1323202695.377084, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], path=\\10.0.0.12\smb2, service=, native_file_system=, share_type=DISK], smb1_offered_dialects=, smb2_offered_dialects=], current_file=[ts=1323202695.377459, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], fuid=, action=SMB::FILE_OPEN, path=, name=, size=0, prev_name=, times=, fid=, uuid=], current_tree=[ts=1323202695.377084, uid=CHhAvVGS1DHFjwGM9, 
id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], path=\\10.0.0.12\smb2, service=, native_file_system=, share_type=DISK], pending_cmds={ +[4] = [ts=1323202695.377459, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], command=CREATE, sub_command=, argument=, status=, rtt=, version=SMB2, username=, tree=, tree_service=, referenced_file=[ts=1323202695.377459, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], fuid=, action=SMB::FILE_OPEN, path=, name=, size=0, prev_name=, times=, fid=, uuid=], referenced_tree=[ts=1323202695.377084, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], path=\\10.0.0.12\smb2, service=, native_file_system=, share_type=DISK], smb1_offered_dialects=, smb2_offered_dialects=] +}, fid_map={ + +}, tid_map={ +[1] = [ts=1323202695.377084, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], path=\\10.0.0.12\smb2, service=, native_file_system=, share_type=DISK], +[65535] = [ts=, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], path=, service=, native_file_system=, share_type=DISK] +}, uid_map={ + +}, pipe_map={ + +}, recent_files={ + +}]], [credit_charge=0, status=0, command=5, credits=1, flags=0, message_id=4, process_id=65279, tree_id=1, session_id=4398046511109, signature=\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00], [filename=, disposition=1, create_options=32] +smb2_create_response, [id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], orig=[size=1225, state=4, num_pkts=7, num_bytes_ip=1517, flow_label=0, l2_addr=00:0c:29:6b:99:0f], resp=[size=1004, state=4, num_pkts=5, num_bytes_ip=972, flow_label=0, l2_addr=00:0c:29:4e:b0:d0], start_time=1323202695.370647, duration=0.006958, service={ +SMB, +GSSAPI, +NTLM +}, history=ShADd, 
uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=[ts=1323202695.372863, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], username=Administrator, hostname=SERVER01, domainname=CONTOSO, success=T, status=SUCCESS, done=T], radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=, smb_state=[current_cmd=[ts=1323202695.377459, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], command=CREATE, sub_command=, argument=, status=SUCCESS, rtt=145.0 usecs, version=SMB2, username=, tree=, tree_service=, referenced_file=[ts=1323202695.377459, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], fuid=, action=SMB::FILE_OPEN, path=\\10.0.0.12\smb2, name=, size=8192, prev_name=, times=[modified=1323202604.512058, accessed=1323202604.512058, created=1322343963.945297, changed=1323202604.512058], fid=18446744069414584390, uuid=], referenced_tree=[ts=1323202695.377084, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], path=\\10.0.0.12\smb2, service=, native_file_system=, share_type=DISK], smb1_offered_dialects=, smb2_offered_dialects=], current_file=[ts=1323202695.377459, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], fuid=, action=SMB::FILE_OPEN, path=\\10.0.0.12\smb2, name=, size=8192, prev_name=, times=[modified=1323202604.512058, accessed=1323202604.512058, created=1322343963.945297, changed=1323202604.512058], fid=18446744069414584390, uuid=], current_tree=[ts=1323202695.377084, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], path=\\10.0.0.12\smb2, 
service=, native_file_system=, share_type=DISK], pending_cmds={ + +}, fid_map={ +[18446744069414584390] = [ts=1323202695.377459, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], fuid=, action=SMB::FILE_OPEN, path=\\10.0.0.12\smb2, name=, size=8192, prev_name=, times=[modified=1323202604.512058, accessed=1323202604.512058, created=1322343963.945297, changed=1323202604.512058], fid=18446744069414584390, uuid=] +}, tid_map={ +[1] = [ts=1323202695.377084, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], path=\\10.0.0.12\smb2, service=, native_file_system=, share_type=DISK], +[65535] = [ts=, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], path=, service=, native_file_system=, share_type=DISK] +}, uid_map={ + +}, pipe_map={ + +}, recent_files={ + +}]], [credit_charge=0, status=0, command=5, credits=1, flags=1, message_id=4, process_id=65279, tree_id=1, session_id=4398046511109, signature=\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00], [file_id=[persistent=69, volatile=18446744069414584321], size=8192, times=[modified=1323202604.512058, accessed=1323202604.512058, created=1322343963.945297, changed=1323202604.512058], attrs=[read_only=F, hidden=F, system=F, directory=T, archive=F, normal=F, temporary=F, sparse_file=F, reparse_point=F, compressed=F, offline=F, not_content_indexed=F, encrypted=F, integrity_stream=F, no_scrub_data=F], create_action=1] +smb2_create_request, [id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], orig=[size=1469, state=4, num_pkts=8, num_bytes_ip=1665, flow_label=0, l2_addr=00:0c:29:6b:99:0f], resp=[size=1088, state=4, num_pkts=7, num_bytes_ip=1380, flow_label=0, l2_addr=00:0c:29:4e:b0:d0], start_time=1323202695.370647, duration=0.007847, service={ +SMB, +GSSAPI, +NTLM +}, history=ShADd, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, conn=, 
extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=[ts=1323202695.372863, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], username=Administrator, hostname=SERVER01, domainname=CONTOSO, success=T, status=SUCCESS, done=T], radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=, smb_state=[current_cmd=[ts=1323202695.378494, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], command=CREATE, sub_command=, argument=, status=, rtt=, version=SMB2, username=, tree=, tree_service=, referenced_file=[ts=1323202695.378494, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], fuid=, action=SMB::PIPE_OPEN, path=, name=srvsvc, size=0, prev_name=, times=, fid=, uuid=], referenced_tree=[ts=1323202695.378188, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], path=\\10.0.0.12\IPC$, service=, native_file_system=, share_type=PIPE], smb1_offered_dialects=, smb2_offered_dialects=], current_file=[ts=1323202695.378494, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], fuid=, action=SMB::PIPE_OPEN, path=, name=srvsvc, size=0, prev_name=, times=, fid=, uuid=], current_tree=[ts=1323202695.378188, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], path=\\10.0.0.12\IPC$, service=, native_file_system=, share_type=PIPE], pending_cmds={ +[6] = [ts=1323202695.378494, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], command=CREATE, sub_command=, argument=, status=, rtt=, version=SMB2, username=, tree=, tree_service=, referenced_file=[ts=1323202695.378494, uid=CHhAvVGS1DHFjwGM9, 
id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], fuid=, action=SMB::PIPE_OPEN, path=, name=srvsvc, size=0, prev_name=, times=, fid=, uuid=], referenced_tree=[ts=1323202695.378188, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], path=\\10.0.0.12\IPC$, service=, native_file_system=, share_type=PIPE], smb1_offered_dialects=, smb2_offered_dialects=] +}, fid_map={ +[18446744069414584390] = [ts=1323202695.377459, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], fuid=, action=SMB::FILE_OPEN, path=\\10.0.0.12\smb2, name=, size=8192, prev_name=, times=[modified=1323202604.512058, accessed=1323202604.512058, created=1322343963.945297, changed=1323202604.512058], fid=18446744069414584390, uuid=] +}, tid_map={ +[1] = [ts=1323202695.377084, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], path=\\10.0.0.12\smb2, service=, native_file_system=, share_type=DISK], +[65535] = [ts=, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], path=, service=, native_file_system=, share_type=DISK], +[5] = [ts=1323202695.378188, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], path=\\10.0.0.12\IPC$, service=, native_file_system=, share_type=PIPE] +}, uid_map={ + +}, pipe_map={ + +}, recent_files={ +SMB::FILE_OPEN\\10.0.0.12\smb28192[modified=1323202604.512058, accessed=1323202604.512058, created=1322343963.945297, changed=1323202604.512058] +}]], [credit_charge=0, status=0, command=5, credits=1, flags=0, message_id=6, process_id=65279, tree_id=5, session_id=4398046511109, signature=\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00], [filename=srvsvc, disposition=1, create_options=4194368] +smb2_create_response, [id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], orig=[size=1469, state=4, 
num_pkts=9, num_bytes_ip=1841, flow_label=0, l2_addr=00:0c:29:6b:99:0f], resp=[size=1244, state=4, num_pkts=7, num_bytes_ip=1380, flow_label=0, l2_addr=00:0c:29:4e:b0:d0], start_time=1323202695.370647, duration=0.008011, service={ +SMB, +GSSAPI, +NTLM +}, history=ShADd, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=[ts=1323202695.372863, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], username=Administrator, hostname=SERVER01, domainname=CONTOSO, success=T, status=SUCCESS, done=T], radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=, smb_state=[current_cmd=[ts=1323202695.378494, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], command=CREATE, sub_command=, argument=, status=SUCCESS, rtt=164.0 usecs, version=SMB2, username=, tree=, tree_service=, referenced_file=[ts=1323202695.378494, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], fuid=, action=SMB::PIPE_OPEN, path=\\10.0.0.12\IPC$, name=srvsvc, size=0, prev_name=, times=, fid=18446744069414584398, uuid=], referenced_tree=[ts=1323202695.378188, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], path=\\10.0.0.12\IPC$, service=, native_file_system=, share_type=PIPE], smb1_offered_dialects=, smb2_offered_dialects=], current_file=[ts=1323202695.378494, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], fuid=, action=SMB::PIPE_OPEN, path=\\10.0.0.12\IPC$, name=srvsvc, size=0, prev_name=, times=, fid=18446744069414584398, uuid=], current_tree=[ts=1323202695.378188, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, 
resp_h=10.0.0.12, resp_p=445/tcp], path=\\10.0.0.12\IPC$, service=, native_file_system=, share_type=PIPE], pending_cmds={ + +}, fid_map={ +[18446744069414584398] = [ts=1323202695.378494, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], fuid=, action=SMB::PIPE_OPEN, path=\\10.0.0.12\IPC$, name=srvsvc, size=0, prev_name=, times=, fid=18446744069414584398, uuid=], +[18446744069414584390] = [ts=1323202695.377459, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], fuid=, action=SMB::FILE_OPEN, path=\\10.0.0.12\smb2, name=, size=8192, prev_name=, times=[modified=1323202604.512058, accessed=1323202604.512058, created=1322343963.945297, changed=1323202604.512058], fid=18446744069414584390, uuid=] +}, tid_map={ +[1] = [ts=1323202695.377084, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], path=\\10.0.0.12\smb2, service=, native_file_system=, share_type=DISK], +[65535] = [ts=, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], path=, service=, native_file_system=, share_type=DISK], +[5] = [ts=1323202695.378188, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], path=\\10.0.0.12\IPC$, service=, native_file_system=, share_type=PIPE] +}, uid_map={ + +}, pipe_map={ + +}, recent_files={ +SMB::FILE_OPEN\\10.0.0.12\smb28192[modified=1323202604.512058, accessed=1323202604.512058, created=1322343963.945297, changed=1323202604.512058] +}]], [credit_charge=0, status=0, command=5, credits=1, flags=1, message_id=6, process_id=65279, tree_id=5, session_id=4398046511109, signature=\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00], [file_id=[persistent=73, volatile=18446744069414584325], size=0, times=[modified=-1.164447e+10, accessed=-1.164447e+10, created=-1.164447e+10, changed=-1.164447e+10], attrs=[read_only=F, hidden=F, system=F, 
directory=F, archive=F, normal=T, temporary=F, sparse_file=F, reparse_point=F, compressed=F, offline=F, not_content_indexed=F, encrypted=F, integrity_stream=F, no_scrub_data=F], create_action=1] +smb2_create_request, [id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], orig=[size=2342, state=4, num_pkts=13, num_bytes_ip=2654, flow_label=0, l2_addr=00:0c:29:6b:99:0f], resp=[size=1924, state=4, num_pkts=12, num_bytes_ip=2416, flow_label=0, l2_addr=00:0c:29:4e:b0:d0], start_time=1323202695.370647, duration=0.010734, service={ +SMB, +GSSAPI, +NTLM, +DCE_RPC +}, history=ShADd, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=[uuid=4b324fc8-1670-01d3-1278-5a47bf6ee188, named_pipe=\PIPE\srvsvc], dce_rpc_backing={ +[18446744069414584398] = [info=[ts=1323202695.379517, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], rtt=183.0 usecs, named_pipe=\PIPE\srvsvc, endpoint=srvsvc, operation=NetrShareGetInfo], state=[uuid=4b324fc8-1670-01d3-1278-5a47bf6ee188, named_pipe=\PIPE\srvsvc]] +}, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=[ts=1323202695.372863, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], username=Administrator, hostname=SERVER01, domainname=CONTOSO, success=T, status=SUCCESS, done=T], radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=, smb_state=[current_cmd=[ts=1323202695.381381, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], command=CREATE, sub_command=, argument=, status=, rtt=, version=SMB2, username=, tree=, tree_service=, referenced_file=[ts=1323202695.381381, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], fuid=, action=SMB::FILE_OPEN, path=, name=, 
size=0, prev_name=, times=, fid=, uuid=], referenced_tree=[ts=1323202695.377084, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], path=\\10.0.0.12\smb2, service=, native_file_system=, share_type=DISK], smb1_offered_dialects=, smb2_offered_dialects=], current_file=[ts=1323202695.381381, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], fuid=, action=SMB::FILE_OPEN, path=, name=, size=0, prev_name=, times=, fid=, uuid=], current_tree=[ts=1323202695.377084, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], path=\\10.0.0.12\smb2, service=, native_file_system=, share_type=DISK], pending_cmds={ +[11] = [ts=1323202695.381381, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], command=CREATE, sub_command=, argument=, status=, rtt=, version=SMB2, username=, tree=, tree_service=, referenced_file=[ts=1323202695.381381, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], fuid=, action=SMB::FILE_OPEN, path=, name=, size=0, prev_name=, times=, fid=, uuid=], referenced_tree=[ts=1323202695.377084, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], path=\\10.0.0.12\smb2, service=, native_file_system=, share_type=DISK], smb1_offered_dialects=, smb2_offered_dialects=] +}, fid_map={ +[18446744069414584390] = [ts=1323202695.377459, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], fuid=, action=SMB::FILE_OPEN, path=\\10.0.0.12\smb2, name=, size=8192, prev_name=, times=[modified=1323202604.512058, accessed=1323202604.512058, created=1322343963.945297, changed=1323202604.512058], fid=18446744069414584390, uuid=] +}, tid_map={ +[1] = [ts=1323202695.377084, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], 
path=\\10.0.0.12\smb2, service=, native_file_system=, share_type=DISK], +[65535] = [ts=, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], path=, service=, native_file_system=, share_type=DISK], +[5] = [ts=1323202695.378188, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], path=\\10.0.0.12\IPC$, service=, native_file_system=, share_type=PIPE] +}, uid_map={ + +}, pipe_map={ + +}, recent_files={ +SMB::FILE_OPEN\\10.0.0.12\smb28192[modified=1323202604.512058, accessed=1323202604.512058, created=1322343963.945297, changed=1323202604.512058] +}]], [credit_charge=0, status=0, command=5, credits=1, flags=0, message_id=11, process_id=65279, tree_id=1, session_id=4398046511109, signature=\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00], [filename=, disposition=2, create_options=2097185] +smb2_create_request, [id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], orig=[size=2947, state=4, num_pkts=16, num_bytes_ip=3323, flow_label=0, l2_addr=00:0c:29:6b:99:0f], resp=[size=2297, state=4, num_pkts=15, num_bytes_ip=2909, flow_label=0, l2_addr=00:0c:29:4e:b0:d0], start_time=1323202695.370647, duration=0.061545, service={ +SMB, +GSSAPI, +NTLM, +DCE_RPC +}, history=ShADd, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=[uuid=4b324fc8-1670-01d3-1278-5a47bf6ee188, named_pipe=\PIPE\srvsvc], dce_rpc_backing={ +[18446744069414584398] = [info=[ts=1323202695.379517, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], rtt=183.0 usecs, named_pipe=\PIPE\srvsvc, endpoint=srvsvc, operation=NetrShareGetInfo], state=[uuid=4b324fc8-1670-01d3-1278-5a47bf6ee188, named_pipe=\PIPE\srvsvc]] +}, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=[ts=1323202695.372863, 
uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], username=Administrator, hostname=SERVER01, domainname=CONTOSO, success=T, status=SUCCESS, done=T], radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=, smb_state=[current_cmd=[ts=1323202695.432192, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], command=CREATE, sub_command=, argument=, status=, rtt=, version=SMB2, username=, tree=, tree_service=, referenced_file=[ts=1323202695.432192, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], fuid=, action=SMB::FILE_OPEN, path=, name=WP_SMBPlugin.pdf, size=0, prev_name=, times=, fid=, uuid=], referenced_tree=[ts=1323202695.377084, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], path=\\10.0.0.12\smb2, service=, native_file_system=, share_type=DISK], smb1_offered_dialects=, smb2_offered_dialects=], current_file=[ts=1323202695.432192, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], fuid=, action=SMB::FILE_OPEN, path=, name=WP_SMBPlugin.pdf, size=0, prev_name=, times=, fid=, uuid=], current_tree=[ts=1323202695.377084, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], path=\\10.0.0.12\smb2, service=, native_file_system=, share_type=DISK], pending_cmds={ +[15] = [ts=1323202695.432192, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], command=CREATE, sub_command=, argument=, status=, rtt=, version=SMB2, username=, tree=, tree_service=, referenced_file=[ts=1323202695.432192, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], fuid=, action=SMB::FILE_OPEN, path=, name=WP_SMBPlugin.pdf, size=0, prev_name=, times=, fid=, uuid=], referenced_tree=[ts=1323202695.377084, 
uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], path=\\10.0.0.12\smb2, service=, native_file_system=, share_type=DISK], smb1_offered_dialects=, smb2_offered_dialects=] +}, fid_map={ +[18446744069414584390] = [ts=1323202695.377459, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], fuid=, action=SMB::FILE_OPEN, path=\\10.0.0.12\smb2, name=, size=8192, prev_name=, times=[modified=1323202604.512058, accessed=1323202604.512058, created=1322343963.945297, changed=1323202604.512058], fid=18446744069414584390, uuid=] +}, tid_map={ +[1] = [ts=1323202695.377084, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], path=\\10.0.0.12\smb2, service=, native_file_system=, share_type=DISK], +[65535] = [ts=, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], path=, service=, native_file_system=, share_type=DISK], +[5] = [ts=1323202695.378188, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], path=\\10.0.0.12\IPC$, service=, native_file_system=, share_type=PIPE] +}, uid_map={ + +}, pipe_map={ + +}, recent_files={ +SMB::FILE_OPEN\\10.0.0.12\smb28192[modified=1323202604.512058, accessed=1323202604.512058, created=1322343963.945297, changed=1323202604.512058] +}]], [credit_charge=0, status=0, command=5, credits=1, flags=0, message_id=15, process_id=65279, tree_id=1, session_id=4398046511109, signature=\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00], [filename=WP_SMBPlugin.pdf, disposition=2, create_options=68] +smb2_create_response, [id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], orig=[size=2947, state=4, num_pkts=17, num_bytes_ip=3639, flow_label=0, l2_addr=00:0c:29:6b:99:0f], resp=[size=2573, state=4, num_pkts=15, num_bytes_ip=2909, flow_label=0, l2_addr=00:0c:29:4e:b0:d0], start_time=1323202695.370647, 
duration=0.062223, service={ +SMB, +GSSAPI, +NTLM, +DCE_RPC +}, history=ShADd, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=[uuid=4b324fc8-1670-01d3-1278-5a47bf6ee188, named_pipe=\PIPE\srvsvc], dce_rpc_backing={ +[18446744069414584398] = [info=[ts=1323202695.379517, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], rtt=183.0 usecs, named_pipe=\PIPE\srvsvc, endpoint=srvsvc, operation=NetrShareGetInfo], state=[uuid=4b324fc8-1670-01d3-1278-5a47bf6ee188, named_pipe=\PIPE\srvsvc]] +}, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=[ts=1323202695.372863, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], username=Administrator, hostname=SERVER01, domainname=CONTOSO, success=T, status=SUCCESS, done=T], radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=, smb_state=[current_cmd=[ts=1323202695.432192, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], command=CREATE, sub_command=, argument=, status=SUCCESS, rtt=677.0 usecs, version=SMB2, username=, tree=, tree_service=, referenced_file=[ts=1323202695.432192, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], fuid=, action=SMB::FILE_OPEN, path=\\10.0.0.12\smb2, name=WP_SMBPlugin.pdf, size=0, prev_name=, times=[modified=1323202695.427036, accessed=1323202695.427036, created=1323202695.427036, changed=1323202695.427036], fid=18446744069414584406, uuid=], referenced_tree=[ts=1323202695.377084, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], path=\\10.0.0.12\smb2, service=, native_file_system=, share_type=DISK], smb1_offered_dialects=, smb2_offered_dialects=], current_file=[ts=1323202695.432192, 
uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], fuid=, action=SMB::FILE_OPEN, path=\\10.0.0.12\smb2, name=WP_SMBPlugin.pdf, size=0, prev_name=, times=[modified=1323202695.427036, accessed=1323202695.427036, created=1323202695.427036, changed=1323202695.427036], fid=18446744069414584406, uuid=], current_tree=[ts=1323202695.377084, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], path=\\10.0.0.12\smb2, service=, native_file_system=, share_type=DISK], pending_cmds={ + +}, fid_map={ +[18446744069414584406] = [ts=1323202695.432192, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], fuid=, action=SMB::FILE_OPEN, path=\\10.0.0.12\smb2, name=WP_SMBPlugin.pdf, size=0, prev_name=, times=[modified=1323202695.427036, accessed=1323202695.427036, created=1323202695.427036, changed=1323202695.427036], fid=18446744069414584406, uuid=], +[18446744069414584390] = [ts=1323202695.377459, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], fuid=, action=SMB::FILE_OPEN, path=\\10.0.0.12\smb2, name=, size=8192, prev_name=, times=[modified=1323202604.512058, accessed=1323202604.512058, created=1322343963.945297, changed=1323202604.512058], fid=18446744069414584390, uuid=] +}, tid_map={ +[1] = [ts=1323202695.377084, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], path=\\10.0.0.12\smb2, service=, native_file_system=, share_type=DISK], +[65535] = [ts=, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], path=, service=, native_file_system=, share_type=DISK], +[5] = [ts=1323202695.378188, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], path=\\10.0.0.12\IPC$, service=, native_file_system=, share_type=PIPE] +}, uid_map={ + +}, pipe_map={ + +}, recent_files={ 
+SMB::FILE_OPEN\\10.0.0.12\smb28192[modified=1323202604.512058, accessed=1323202604.512058, created=1322343963.945297, changed=1323202604.512058] +}]], [credit_charge=0, status=0, command=5, credits=1, flags=1, message_id=15, process_id=65279, tree_id=1, session_id=4398046511109, signature=\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00], [file_id=[persistent=77, volatile=18446744069414584329], size=0, times=[modified=1323202695.427036, accessed=1323202695.427036, created=1323202695.427036, changed=1323202695.427036], attrs=[read_only=F, hidden=F, system=F, directory=F, archive=T, normal=F, temporary=F, sparse_file=F, reparse_point=F, compressed=F, offline=F, not_content_indexed=F, encrypted=F, integrity_stream=F, no_scrub_data=F], create_action=2] +smb2_create_request, [id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], orig=[size=1515338, state=4, num_pkts=1064, num_bytes_ip=1557690, flow_label=0, l2_addr=00:0c:29:6b:99:0f], resp=[size=4957, state=4, num_pkts=101, num_bytes_ip=9009, flow_label=0, l2_addr=00:0c:29:4e:b0:d0], start_time=1323202695.370647, duration=0.229267, service={ +SMB, +GSSAPI, +NTLM, +DCE_RPC +}, history=ShADda, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=[uuid=4b324fc8-1670-01d3-1278-5a47bf6ee188, named_pipe=\PIPE\srvsvc], dce_rpc_backing={ +[18446744069414584398] = [info=[ts=1323202695.379517, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], rtt=183.0 usecs, named_pipe=\PIPE\srvsvc, endpoint=srvsvc, operation=NetrShareGetInfo], state=[uuid=4b324fc8-1670-01d3-1278-5a47bf6ee188, named_pipe=\PIPE\srvsvc]] +}, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=[ts=1323202695.372863, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], username=Administrator, 
hostname=SERVER01, domainname=CONTOSO, success=T, status=SUCCESS, done=T], radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=, smb_state=[current_cmd=[ts=1323202695.599914, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], command=CREATE, sub_command=, argument=, status=, rtt=, version=SMB2, username=, tree=, tree_service=, referenced_file=[ts=1323202695.599914, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], fuid=, action=SMB::FILE_OPEN, path=, name=, size=0, prev_name=, times=, fid=, uuid=], referenced_tree=[ts=1323202695.377084, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], path=\\10.0.0.12\smb2, service=, native_file_system=, share_type=DISK], smb1_offered_dialects=, smb2_offered_dialects=], current_file=[ts=1323202695.599914, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], fuid=, action=SMB::FILE_OPEN, path=, name=, size=0, prev_name=, times=, fid=, uuid=], current_tree=[ts=1323202695.377084, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], path=\\10.0.0.12\smb2, service=, native_file_system=, share_type=DISK], pending_cmds={ +[44] = [ts=1323202695.599914, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], command=CREATE, sub_command=, argument=, status=, rtt=, version=SMB2, username=, tree=, tree_service=, referenced_file=[ts=1323202695.599914, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], fuid=, action=SMB::FILE_OPEN, path=, name=, size=0, prev_name=, times=, fid=, uuid=], referenced_tree=[ts=1323202695.377084, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], path=\\10.0.0.12\smb2, service=, native_file_system=, share_type=DISK], 
smb1_offered_dialects=, smb2_offered_dialects=] +}, fid_map={ +[18446744069414584390] = [ts=1323202695.377459, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], fuid=, action=SMB::FILE_OPEN, path=\\10.0.0.12\smb2, name=, size=8192, prev_name=, times=[modified=1323202604.512058, accessed=1323202604.512058, created=1322343963.945297, changed=1323202604.512058], fid=18446744069414584390, uuid=] +}, tid_map={ +[1] = [ts=1323202695.377084, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], path=\\10.0.0.12\smb2, service=, native_file_system=, share_type=DISK], +[65535] = [ts=, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], path=, service=, native_file_system=, share_type=DISK], +[5] = [ts=1323202695.378188, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], path=\\10.0.0.12\IPC$, service=, native_file_system=, share_type=PIPE] +}, uid_map={ + +}, pipe_map={ + +}, recent_files={ +SMB::FILE_OPEN\\10.0.0.12\smb28192[modified=1323202604.512058, accessed=1323202604.512058, created=1322343963.945297, changed=1323202604.512058], +SMB::FILE_OPENWP_SMBPlugin.pdf\\10.0.0.12\smb20[modified=1323202695.427036, accessed=1323202695.427036, created=1323202695.427036, changed=1323202695.427036] +}]], [credit_charge=0, status=0, command=5, credits=104, flags=0, message_id=44, process_id=65279, tree_id=1, session_id=4398046511109, signature=\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00], [filename=, disposition=1, create_options=32] +smb2_create_response, [id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], orig=[size=1515338, state=4, num_pkts=1065, num_bytes_ip=1557950, flow_label=0, l2_addr=00:0c:29:6b:99:0f], resp=[size=5201, state=4, num_pkts=101, num_bytes_ip=9009, flow_label=0, l2_addr=00:0c:29:4e:b0:d0], start_time=1323202695.370647, 
duration=0.229443, service={ +SMB, +GSSAPI, +NTLM, +DCE_RPC +}, history=ShADda, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=[uuid=4b324fc8-1670-01d3-1278-5a47bf6ee188, named_pipe=\PIPE\srvsvc], dce_rpc_backing={ +[18446744069414584398] = [info=[ts=1323202695.379517, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], rtt=183.0 usecs, named_pipe=\PIPE\srvsvc, endpoint=srvsvc, operation=NetrShareGetInfo], state=[uuid=4b324fc8-1670-01d3-1278-5a47bf6ee188, named_pipe=\PIPE\srvsvc]] +}, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=[ts=1323202695.372863, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], username=Administrator, hostname=SERVER01, domainname=CONTOSO, success=T, status=SUCCESS, done=T], radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=, smb_state=[current_cmd=[ts=1323202695.599914, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], command=CREATE, sub_command=, argument=, status=SUCCESS, rtt=175.0 usecs, version=SMB2, username=, tree=, tree_service=, referenced_file=[ts=1323202695.599914, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], fuid=, action=SMB::FILE_OPEN, path=\\10.0.0.12\smb2, name=, size=8192, prev_name=, times=[modified=1323202695.427036, accessed=1323202695.427036, created=1322343963.945297, changed=1323202695.427036], fid=18446744069414584414, uuid=], referenced_tree=[ts=1323202695.377084, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], path=\\10.0.0.12\smb2, service=, native_file_system=, share_type=DISK], smb1_offered_dialects=, smb2_offered_dialects=], current_file=[ts=1323202695.599914, 
uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], fuid=, action=SMB::FILE_OPEN, path=\\10.0.0.12\smb2, name=, size=8192, prev_name=, times=[modified=1323202695.427036, accessed=1323202695.427036, created=1322343963.945297, changed=1323202695.427036], fid=18446744069414584414, uuid=], current_tree=[ts=1323202695.377084, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], path=\\10.0.0.12\smb2, service=, native_file_system=, share_type=DISK], pending_cmds={ + +}, fid_map={ +[18446744069414584390] = [ts=1323202695.377459, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], fuid=, action=SMB::FILE_OPEN, path=\\10.0.0.12\smb2, name=, size=8192, prev_name=, times=[modified=1323202604.512058, accessed=1323202604.512058, created=1322343963.945297, changed=1323202604.512058], fid=18446744069414584390, uuid=], +[18446744069414584414] = [ts=1323202695.599914, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], fuid=, action=SMB::FILE_OPEN, path=\\10.0.0.12\smb2, name=, size=8192, prev_name=, times=[modified=1323202695.427036, accessed=1323202695.427036, created=1322343963.945297, changed=1323202695.427036], fid=18446744069414584414, uuid=] +}, tid_map={ +[1] = [ts=1323202695.377084, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], path=\\10.0.0.12\smb2, service=, native_file_system=, share_type=DISK], +[65535] = [ts=, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], path=, service=, native_file_system=, share_type=DISK], +[5] = [ts=1323202695.378188, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], path=\\10.0.0.12\IPC$, service=, native_file_system=, share_type=PIPE] +}, uid_map={ + +}, pipe_map={ + +}, recent_files={ 
+SMB::FILE_OPEN\\10.0.0.12\smb28192[modified=1323202604.512058, accessed=1323202604.512058, created=1322343963.945297, changed=1323202604.512058], +SMB::FILE_OPENWP_SMBPlugin.pdf\\10.0.0.12\smb20[modified=1323202695.427036, accessed=1323202695.427036, created=1323202695.427036, changed=1323202695.427036] +}]], [credit_charge=0, status=0, command=5, credits=9, flags=1, message_id=44, process_id=65279, tree_id=1, session_id=4398046511109, signature=\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00], [file_id=[persistent=81, volatile=18446744069414584333], size=8192, times=[modified=1323202695.427036, accessed=1323202695.427036, created=1322343963.945297, changed=1323202695.427036], attrs=[read_only=F, hidden=F, system=F, directory=T, archive=F, normal=F, temporary=F, sparse_file=F, reparse_point=F, compressed=F, offline=F, not_content_indexed=F, encrypted=F, integrity_stream=F, no_scrub_data=F], create_action=1] +smb2_create_request, [id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], orig=[size=1515782, state=4, num_pkts=1067, num_bytes_ip=1558254, flow_label=0, l2_addr=00:0c:29:6b:99:0f], resp=[size=5541, state=4, num_pkts=104, num_bytes_ip=9713, flow_label=0, l2_addr=00:0c:29:4e:b0:d0], start_time=1323202695.370647, duration=0.233359, service={ +SMB, +GSSAPI, +NTLM, +DCE_RPC +}, history=ShADda, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=[uuid=4b324fc8-1670-01d3-1278-5a47bf6ee188, named_pipe=\PIPE\srvsvc], dce_rpc_backing={ +[18446744069414584398] = [info=[ts=1323202695.379517, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], rtt=183.0 usecs, named_pipe=\PIPE\srvsvc, endpoint=srvsvc, operation=NetrShareGetInfo], state=[uuid=4b324fc8-1670-01d3-1278-5a47bf6ee188, named_pipe=\PIPE\srvsvc]] +}, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, 
modbus=, mysql=, ntlm=[ts=1323202695.372863, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], username=Administrator, hostname=SERVER01, domainname=CONTOSO, success=T, status=SUCCESS, done=T], radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=, smb_state=[current_cmd=[ts=1323202695.604006, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], command=CREATE, sub_command=, argument=, status=, rtt=, version=SMB2, username=, tree=, tree_service=, referenced_file=[ts=1323202695.604006, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], fuid=, action=SMB::FILE_OPEN, path=, name=, size=0, prev_name=, times=, fid=, uuid=], referenced_tree=[ts=1323202695.377084, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], path=\\10.0.0.12\smb2, service=, native_file_system=, share_type=DISK], smb1_offered_dialects=, smb2_offered_dialects=], current_file=[ts=1323202695.604006, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], fuid=, action=SMB::FILE_OPEN, path=, name=, size=0, prev_name=, times=, fid=, uuid=], current_tree=[ts=1323202695.377084, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], path=\\10.0.0.12\smb2, service=, native_file_system=, share_type=DISK], pending_cmds={ +[47] = [ts=1323202695.604006, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], command=CREATE, sub_command=, argument=, status=, rtt=, version=SMB2, username=, tree=, tree_service=, referenced_file=[ts=1323202695.604006, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], fuid=, action=SMB::FILE_OPEN, path=, name=, size=0, prev_name=, times=, fid=, uuid=], referenced_tree=[ts=1323202695.377084, 
uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], path=\\10.0.0.12\smb2, service=, native_file_system=, share_type=DISK], smb1_offered_dialects=, smb2_offered_dialects=] +}, fid_map={ +[18446744069414584390] = [ts=1323202695.377459, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], fuid=, action=SMB::FILE_OPEN, path=\\10.0.0.12\smb2, name=, size=8192, prev_name=, times=[modified=1323202604.512058, accessed=1323202604.512058, created=1322343963.945297, changed=1323202604.512058], fid=18446744069414584390, uuid=] +}, tid_map={ +[1] = [ts=1323202695.377084, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], path=\\10.0.0.12\smb2, service=, native_file_system=, share_type=DISK], +[65535] = [ts=, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], path=, service=, native_file_system=, share_type=DISK], +[5] = [ts=1323202695.378188, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], path=\\10.0.0.12\IPC$, service=, native_file_system=, share_type=PIPE] +}, uid_map={ + +}, pipe_map={ + +}, recent_files={ +SMB::FILE_OPEN\\10.0.0.12\smb28192[modified=1323202695.427036, accessed=1323202695.427036, created=1322343963.945297, changed=1323202695.427036], +SMB::FILE_OPEN\\10.0.0.12\smb28192[modified=1323202604.512058, accessed=1323202604.512058, created=1322343963.945297, changed=1323202604.512058], +SMB::FILE_OPENWP_SMBPlugin.pdf\\10.0.0.12\smb20[modified=1323202695.427036, accessed=1323202695.427036, created=1323202695.427036, changed=1323202695.427036] +}]], [credit_charge=0, status=0, command=5, credits=80, flags=0, message_id=47, process_id=65279, tree_id=1, session_id=4398046511109, signature=\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00], [filename=, disposition=1, create_options=32] +smb2_create_response, 
[id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], orig=[size=1515782, state=4, num_pkts=1068, num_bytes_ip=1558514, flow_label=0, l2_addr=00:0c:29:6b:99:0f], resp=[size=5785, state=4, num_pkts=104, num_bytes_ip=9713, flow_label=0, l2_addr=00:0c:29:4e:b0:d0], start_time=1323202695.370647, duration=0.233475, service={ +SMB, +GSSAPI, +NTLM, +DCE_RPC +}, history=ShADda, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=[uuid=4b324fc8-1670-01d3-1278-5a47bf6ee188, named_pipe=\PIPE\srvsvc], dce_rpc_backing={ +[18446744069414584398] = [info=[ts=1323202695.379517, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], rtt=183.0 usecs, named_pipe=\PIPE\srvsvc, endpoint=srvsvc, operation=NetrShareGetInfo], state=[uuid=4b324fc8-1670-01d3-1278-5a47bf6ee188, named_pipe=\PIPE\srvsvc]] +}, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=[ts=1323202695.372863, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], username=Administrator, hostname=SERVER01, domainname=CONTOSO, success=T, status=SUCCESS, done=T], radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=, smb_state=[current_cmd=[ts=1323202695.604006, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], command=CREATE, sub_command=, argument=, status=SUCCESS, rtt=115.0 usecs, version=SMB2, username=, tree=, tree_service=, referenced_file=[ts=1323202695.604006, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], fuid=, action=SMB::FILE_OPEN, path=\\10.0.0.12\smb2, name=, size=8192, prev_name=, times=[modified=1323202695.427036, accessed=1323202695.427036, created=1322343963.945297, changed=1323202695.427036], fid=18446744069414584422, uuid=], 
referenced_tree=[ts=1323202695.377084, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], path=\\10.0.0.12\smb2, service=, native_file_system=, share_type=DISK], smb1_offered_dialects=, smb2_offered_dialects=], current_file=[ts=1323202695.604006, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], fuid=, action=SMB::FILE_OPEN, path=\\10.0.0.12\smb2, name=, size=8192, prev_name=, times=[modified=1323202695.427036, accessed=1323202695.427036, created=1322343963.945297, changed=1323202695.427036], fid=18446744069414584422, uuid=], current_tree=[ts=1323202695.377084, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], path=\\10.0.0.12\smb2, service=, native_file_system=, share_type=DISK], pending_cmds={ + +}, fid_map={ +[18446744069414584390] = [ts=1323202695.377459, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], fuid=, action=SMB::FILE_OPEN, path=\\10.0.0.12\smb2, name=, size=8192, prev_name=, times=[modified=1323202604.512058, accessed=1323202604.512058, created=1322343963.945297, changed=1323202604.512058], fid=18446744069414584390, uuid=], +[18446744069414584422] = [ts=1323202695.604006, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], fuid=, action=SMB::FILE_OPEN, path=\\10.0.0.12\smb2, name=, size=8192, prev_name=, times=[modified=1323202695.427036, accessed=1323202695.427036, created=1322343963.945297, changed=1323202695.427036], fid=18446744069414584422, uuid=] +}, tid_map={ +[1] = [ts=1323202695.377084, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], path=\\10.0.0.12\smb2, service=, native_file_system=, share_type=DISK], +[65535] = [ts=, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], path=, service=, native_file_system=, 
share_type=DISK], +[5] = [ts=1323202695.378188, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], path=\\10.0.0.12\IPC$, service=, native_file_system=, share_type=PIPE] +}, uid_map={ + +}, pipe_map={ + +}, recent_files={ +SMB::FILE_OPEN\\10.0.0.12\smb28192[modified=1323202695.427036, accessed=1323202695.427036, created=1322343963.945297, changed=1323202695.427036], +SMB::FILE_OPEN\\10.0.0.12\smb28192[modified=1323202604.512058, accessed=1323202604.512058, created=1322343963.945297, changed=1323202604.512058], +SMB::FILE_OPENWP_SMBPlugin.pdf\\10.0.0.12\smb20[modified=1323202695.427036, accessed=1323202695.427036, created=1323202695.427036, changed=1323202695.427036] +}]], [credit_charge=0, status=0, command=5, credits=9, flags=1, message_id=47, process_id=65279, tree_id=1, session_id=4398046511109, signature=\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00], [file_id=[persistent=85, volatile=18446744069414584337], size=8192, times=[modified=1323202695.427036, accessed=1323202695.427036, created=1322343963.945297, changed=1323202695.427036], attrs=[read_only=F, hidden=F, system=F, directory=T, archive=F, normal=F, temporary=F, sparse_file=F, reparse_point=F, compressed=F, offline=F, not_content_indexed=F, encrypted=F, integrity_stream=F, no_scrub_data=F], create_action=1] diff --git a/testing/btest/scripts/base/protocols/smb/smb2.test b/testing/btest/scripts/base/protocols/smb/smb2.test index 1a1dc980ca..3b8c45de47 100644 --- a/testing/btest/scripts/base/protocols/smb/smb2.test +++ b/testing/btest/scripts/base/protocols/smb/smb2.test 
@@ -4,6 +4,17 @@ # @TEST-EXEC: btest-diff files.log # @TEST-EXEC: test ! -f dpd.log # @TEST-EXEC: test ! -f weird.log +# @TEST-EXEC: btest-diff .stdout @load policy/protocols/smb +event smb2_create_request(c: connection, hdr: SMB2::Header, request: SMB2::CreateRequest ) + { + print "smb2_create_request", c, hdr, request; + } + +event smb2_create_response(c: connection, hdr: SMB2::Header, response: SMB2::CreateResponse ) + { + print "smb2_create_response", c, hdr, response; + } +
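Review bot: Both new handlers print the whole `connection` record (`print "smb2_create_request", c, hdr, request;` and the response counterpart), so the `.stdout` baseline captures every analyzer's per-connection state — the `ntlm`, `dce_rpc_backing` and full `smb_state` maps visible in the baseline hunk above — rather than just the SMB2 CREATE fields this test is meant to pin. Any unrelated change to `connection` or `SMB::State` (a new analyzer field, a reordered map dump) will then churn this baseline and make a genuine CREATE-parsing regression harder to spot in the diff. Printing only what the events carry, `print "smb2_create_request", c$uid, hdr, request;` and `print "smb2_create_response", c$uid, hdr, response;`, keeps the baseline focused on `SMB2::Header`, `SMB2::CreateRequest` and `SMB2::CreateResponse`. It is also worth a comment above the handlers noting what the capture exercises, since the baseline shows only zeroed `signature` fields and `create_action` values 1 and 2, e.g. `# Exercises SMB2 CREATE on an unsigned session: open of an existing file/directory (create_action=1) and creation of a new file (create_action=2).`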