Expand smb2 unit test.
This commit is contained in:
parent
a76e50d2e1
commit
f165ff943e
2 changed files with 249 additions and 0 deletions
238
testing/btest/Baseline/scripts.base.protocols.smb.smb2/.stdout
Normal file
|
@ -0,0 +1,238 @@
|
||||||
|
smb2_create_request, [id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], orig=[size=1225, state=4, num_pkts=6, num_bytes_ip=1257, flow_label=0, l2_addr=00:0c:29:6b:99:0f], resp=[size=760, state=4, num_pkts=5, num_bytes_ip=972, flow_label=0, l2_addr=00:0c:29:4e:b0:d0], start_time=1323202695.370647, duration=0.006812, service={
|
||||||
|
SMB,
|
||||||
|
GSSAPI,
|
||||||
|
NTLM
|
||||||
|
}, history=ShADd, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=[ts=1323202695.372863, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], username=Administrator, hostname=SERVER01, domainname=CONTOSO, success=T, status=SUCCESS, done=T], radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>, smb_state=[current_cmd=[ts=1323202695.377459, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], command=CREATE, sub_command=<uninitialized>, argument=<uninitialized>, status=<uninitialized>, rtt=<uninitialized>, version=SMB2, username=<uninitialized>, tree=<uninitialized>, tree_service=<uninitialized>, referenced_file=[ts=1323202695.377459, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], fuid=<uninitialized>, action=SMB::FILE_OPEN, path=<uninitialized>, name=<share_root>, size=0, prev_name=<uninitialized>, times=<uninitialized>, fid=<uninitialized>, uuid=<uninitialized>], referenced_tree=[ts=1323202695.377084, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], path=\\10.0.0.12\smb2, service=<uninitialized>, native_file_system=<uninitialized>, share_type=DISK], 
smb1_offered_dialects=<uninitialized>, smb2_offered_dialects=<uninitialized>], current_file=[ts=1323202695.377459, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], fuid=<uninitialized>, action=SMB::FILE_OPEN, path=<uninitialized>, name=<share_root>, size=0, prev_name=<uninitialized>, times=<uninitialized>, fid=<uninitialized>, uuid=<uninitialized>], current_tree=[ts=1323202695.377084, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], path=\\10.0.0.12\smb2, service=<uninitialized>, native_file_system=<uninitialized>, share_type=DISK], pending_cmds={
|
||||||
|
[4] = [ts=1323202695.377459, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], command=CREATE, sub_command=<uninitialized>, argument=<uninitialized>, status=<uninitialized>, rtt=<uninitialized>, version=SMB2, username=<uninitialized>, tree=<uninitialized>, tree_service=<uninitialized>, referenced_file=[ts=1323202695.377459, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], fuid=<uninitialized>, action=SMB::FILE_OPEN, path=<uninitialized>, name=<share_root>, size=0, prev_name=<uninitialized>, times=<uninitialized>, fid=<uninitialized>, uuid=<uninitialized>], referenced_tree=[ts=1323202695.377084, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], path=\\10.0.0.12\smb2, service=<uninitialized>, native_file_system=<uninitialized>, share_type=DISK], smb1_offered_dialects=<uninitialized>, smb2_offered_dialects=<uninitialized>]
|
||||||
|
}, fid_map={
|
||||||
|
|
||||||
|
}, tid_map={
|
||||||
|
[1] = [ts=1323202695.377084, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], path=\\10.0.0.12\smb2, service=<uninitialized>, native_file_system=<uninitialized>, share_type=DISK],
|
||||||
|
[65535] = [ts=<uninitialized>, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], path=<uninitialized>, service=<uninitialized>, native_file_system=<uninitialized>, share_type=DISK]
|
||||||
|
}, uid_map={
|
||||||
|
|
||||||
|
}, pipe_map={
|
||||||
|
|
||||||
|
}, recent_files={
|
||||||
|
|
||||||
|
}]], [credit_charge=0, status=0, command=5, credits=1, flags=0, message_id=4, process_id=65279, tree_id=1, session_id=4398046511109, signature=\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00], [filename=<share_root>, disposition=1, create_options=32]
|
||||||
|
smb2_create_response, [id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], orig=[size=1225, state=4, num_pkts=7, num_bytes_ip=1517, flow_label=0, l2_addr=00:0c:29:6b:99:0f], resp=[size=1004, state=4, num_pkts=5, num_bytes_ip=972, flow_label=0, l2_addr=00:0c:29:4e:b0:d0], start_time=1323202695.370647, duration=0.006958, service={
|
||||||
|
SMB,
|
||||||
|
GSSAPI,
|
||||||
|
NTLM
|
||||||
|
}, history=ShADd, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=[ts=1323202695.372863, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], username=Administrator, hostname=SERVER01, domainname=CONTOSO, success=T, status=SUCCESS, done=T], radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>, smb_state=[current_cmd=[ts=1323202695.377459, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], command=CREATE, sub_command=<uninitialized>, argument=<uninitialized>, status=SUCCESS, rtt=145.0 usecs, version=SMB2, username=<uninitialized>, tree=<uninitialized>, tree_service=<uninitialized>, referenced_file=[ts=1323202695.377459, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], fuid=<uninitialized>, action=SMB::FILE_OPEN, path=\\10.0.0.12\smb2, name=<share_root>, size=8192, prev_name=<uninitialized>, times=[modified=1323202604.512058, accessed=1323202604.512058, created=1322343963.945297, changed=1323202604.512058], fid=18446744069414584390, uuid=<uninitialized>], referenced_tree=[ts=1323202695.377084, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], 
path=\\10.0.0.12\smb2, service=<uninitialized>, native_file_system=<uninitialized>, share_type=DISK], smb1_offered_dialects=<uninitialized>, smb2_offered_dialects=<uninitialized>], current_file=[ts=1323202695.377459, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], fuid=<uninitialized>, action=SMB::FILE_OPEN, path=\\10.0.0.12\smb2, name=<share_root>, size=8192, prev_name=<uninitialized>, times=[modified=1323202604.512058, accessed=1323202604.512058, created=1322343963.945297, changed=1323202604.512058], fid=18446744069414584390, uuid=<uninitialized>], current_tree=[ts=1323202695.377084, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], path=\\10.0.0.12\smb2, service=<uninitialized>, native_file_system=<uninitialized>, share_type=DISK], pending_cmds={
|
||||||
|
|
||||||
|
}, fid_map={
|
||||||
|
[18446744069414584390] = [ts=1323202695.377459, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], fuid=<uninitialized>, action=SMB::FILE_OPEN, path=\\10.0.0.12\smb2, name=<share_root>, size=8192, prev_name=<uninitialized>, times=[modified=1323202604.512058, accessed=1323202604.512058, created=1322343963.945297, changed=1323202604.512058], fid=18446744069414584390, uuid=<uninitialized>]
|
||||||
|
}, tid_map={
|
||||||
|
[1] = [ts=1323202695.377084, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], path=\\10.0.0.12\smb2, service=<uninitialized>, native_file_system=<uninitialized>, share_type=DISK],
|
||||||
|
[65535] = [ts=<uninitialized>, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], path=<uninitialized>, service=<uninitialized>, native_file_system=<uninitialized>, share_type=DISK]
|
||||||
|
}, uid_map={
|
||||||
|
|
||||||
|
}, pipe_map={
|
||||||
|
|
||||||
|
}, recent_files={
|
||||||
|
|
||||||
|
}]], [credit_charge=0, status=0, command=5, credits=1, flags=1, message_id=4, process_id=65279, tree_id=1, session_id=4398046511109, signature=\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00], [file_id=[persistent=69, volatile=18446744069414584321], size=8192, times=[modified=1323202604.512058, accessed=1323202604.512058, created=1322343963.945297, changed=1323202604.512058], attrs=[read_only=F, hidden=F, system=F, directory=T, archive=F, normal=F, temporary=F, sparse_file=F, reparse_point=F, compressed=F, offline=F, not_content_indexed=F, encrypted=F, integrity_stream=F, no_scrub_data=F], create_action=1]
|
||||||
|
smb2_create_request, [id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], orig=[size=1469, state=4, num_pkts=8, num_bytes_ip=1665, flow_label=0, l2_addr=00:0c:29:6b:99:0f], resp=[size=1088, state=4, num_pkts=7, num_bytes_ip=1380, flow_label=0, l2_addr=00:0c:29:4e:b0:d0], start_time=1323202695.370647, duration=0.007847, service={
|
||||||
|
SMB,
|
||||||
|
GSSAPI,
|
||||||
|
NTLM
|
||||||
|
}, history=ShADd, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=[ts=1323202695.372863, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], username=Administrator, hostname=SERVER01, domainname=CONTOSO, success=T, status=SUCCESS, done=T], radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>, smb_state=[current_cmd=[ts=1323202695.378494, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], command=CREATE, sub_command=<uninitialized>, argument=<uninitialized>, status=<uninitialized>, rtt=<uninitialized>, version=SMB2, username=<uninitialized>, tree=<uninitialized>, tree_service=<uninitialized>, referenced_file=[ts=1323202695.378494, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], fuid=<uninitialized>, action=SMB::PIPE_OPEN, path=<uninitialized>, name=srvsvc, size=0, prev_name=<uninitialized>, times=<uninitialized>, fid=<uninitialized>, uuid=<uninitialized>], referenced_tree=[ts=1323202695.378188, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], path=\\10.0.0.12\IPC$, service=<uninitialized>, native_file_system=<uninitialized>, share_type=PIPE], 
smb1_offered_dialects=<uninitialized>, smb2_offered_dialects=<uninitialized>], current_file=[ts=1323202695.378494, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], fuid=<uninitialized>, action=SMB::PIPE_OPEN, path=<uninitialized>, name=srvsvc, size=0, prev_name=<uninitialized>, times=<uninitialized>, fid=<uninitialized>, uuid=<uninitialized>], current_tree=[ts=1323202695.378188, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], path=\\10.0.0.12\IPC$, service=<uninitialized>, native_file_system=<uninitialized>, share_type=PIPE], pending_cmds={
|
||||||
|
[6] = [ts=1323202695.378494, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], command=CREATE, sub_command=<uninitialized>, argument=<uninitialized>, status=<uninitialized>, rtt=<uninitialized>, version=SMB2, username=<uninitialized>, tree=<uninitialized>, tree_service=<uninitialized>, referenced_file=[ts=1323202695.378494, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], fuid=<uninitialized>, action=SMB::PIPE_OPEN, path=<uninitialized>, name=srvsvc, size=0, prev_name=<uninitialized>, times=<uninitialized>, fid=<uninitialized>, uuid=<uninitialized>], referenced_tree=[ts=1323202695.378188, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], path=\\10.0.0.12\IPC$, service=<uninitialized>, native_file_system=<uninitialized>, share_type=PIPE], smb1_offered_dialects=<uninitialized>, smb2_offered_dialects=<uninitialized>]
|
||||||
|
}, fid_map={
|
||||||
|
[18446744069414584390] = [ts=1323202695.377459, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], fuid=<uninitialized>, action=SMB::FILE_OPEN, path=\\10.0.0.12\smb2, name=<share_root>, size=8192, prev_name=<uninitialized>, times=[modified=1323202604.512058, accessed=1323202604.512058, created=1322343963.945297, changed=1323202604.512058], fid=18446744069414584390, uuid=<uninitialized>]
|
||||||
|
}, tid_map={
|
||||||
|
[1] = [ts=1323202695.377084, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], path=\\10.0.0.12\smb2, service=<uninitialized>, native_file_system=<uninitialized>, share_type=DISK],
|
||||||
|
[65535] = [ts=<uninitialized>, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], path=<uninitialized>, service=<uninitialized>, native_file_system=<uninitialized>, share_type=DISK],
|
||||||
|
[5] = [ts=1323202695.378188, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], path=\\10.0.0.12\IPC$, service=<uninitialized>, native_file_system=<uninitialized>, share_type=PIPE]
|
||||||
|
}, uid_map={
|
||||||
|
|
||||||
|
}, pipe_map={
|
||||||
|
|
||||||
|
}, recent_files={
|
||||||
|
SMB::FILE_OPEN<share_root>\\10.0.0.12\smb28192[modified=1323202604.512058, accessed=1323202604.512058, created=1322343963.945297, changed=1323202604.512058]
|
||||||
|
}]], [credit_charge=0, status=0, command=5, credits=1, flags=0, message_id=6, process_id=65279, tree_id=5, session_id=4398046511109, signature=\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00], [filename=srvsvc, disposition=1, create_options=4194368]
|
||||||
|
smb2_create_response, [id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], orig=[size=1469, state=4, num_pkts=9, num_bytes_ip=1841, flow_label=0, l2_addr=00:0c:29:6b:99:0f], resp=[size=1244, state=4, num_pkts=7, num_bytes_ip=1380, flow_label=0, l2_addr=00:0c:29:4e:b0:d0], start_time=1323202695.370647, duration=0.008011, service={
|
||||||
|
SMB,
|
||||||
|
GSSAPI,
|
||||||
|
NTLM
|
||||||
|
}, history=ShADd, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=[ts=1323202695.372863, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], username=Administrator, hostname=SERVER01, domainname=CONTOSO, success=T, status=SUCCESS, done=T], radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>, smb_state=[current_cmd=[ts=1323202695.378494, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], command=CREATE, sub_command=<uninitialized>, argument=<uninitialized>, status=SUCCESS, rtt=164.0 usecs, version=SMB2, username=<uninitialized>, tree=<uninitialized>, tree_service=<uninitialized>, referenced_file=[ts=1323202695.378494, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], fuid=<uninitialized>, action=SMB::PIPE_OPEN, path=\\10.0.0.12\IPC$, name=srvsvc, size=0, prev_name=<uninitialized>, times=<uninitialized>, fid=18446744069414584398, uuid=<uninitialized>], referenced_tree=[ts=1323202695.378188, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], path=\\10.0.0.12\IPC$, service=<uninitialized>, native_file_system=<uninitialized>, share_type=PIPE], 
smb1_offered_dialects=<uninitialized>, smb2_offered_dialects=<uninitialized>], current_file=[ts=1323202695.378494, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], fuid=<uninitialized>, action=SMB::PIPE_OPEN, path=\\10.0.0.12\IPC$, name=srvsvc, size=0, prev_name=<uninitialized>, times=<uninitialized>, fid=18446744069414584398, uuid=<uninitialized>], current_tree=[ts=1323202695.378188, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], path=\\10.0.0.12\IPC$, service=<uninitialized>, native_file_system=<uninitialized>, share_type=PIPE], pending_cmds={
|
||||||
|
|
||||||
|
}, fid_map={
|
||||||
|
[18446744069414584398] = [ts=1323202695.378494, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], fuid=<uninitialized>, action=SMB::PIPE_OPEN, path=\\10.0.0.12\IPC$, name=srvsvc, size=0, prev_name=<uninitialized>, times=<uninitialized>, fid=18446744069414584398, uuid=<uninitialized>],
|
||||||
|
[18446744069414584390] = [ts=1323202695.377459, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], fuid=<uninitialized>, action=SMB::FILE_OPEN, path=\\10.0.0.12\smb2, name=<share_root>, size=8192, prev_name=<uninitialized>, times=[modified=1323202604.512058, accessed=1323202604.512058, created=1322343963.945297, changed=1323202604.512058], fid=18446744069414584390, uuid=<uninitialized>]
|
||||||
|
}, tid_map={
|
||||||
|
[1] = [ts=1323202695.377084, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], path=\\10.0.0.12\smb2, service=<uninitialized>, native_file_system=<uninitialized>, share_type=DISK],
|
||||||
|
[65535] = [ts=<uninitialized>, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], path=<uninitialized>, service=<uninitialized>, native_file_system=<uninitialized>, share_type=DISK],
|
||||||
|
[5] = [ts=1323202695.378188, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], path=\\10.0.0.12\IPC$, service=<uninitialized>, native_file_system=<uninitialized>, share_type=PIPE]
|
||||||
|
}, uid_map={
|
||||||
|
|
||||||
|
}, pipe_map={
|
||||||
|
|
||||||
|
}, recent_files={
|
||||||
|
SMB::FILE_OPEN<share_root>\\10.0.0.12\smb28192[modified=1323202604.512058, accessed=1323202604.512058, created=1322343963.945297, changed=1323202604.512058]
|
||||||
|
}]], [credit_charge=0, status=0, command=5, credits=1, flags=1, message_id=6, process_id=65279, tree_id=5, session_id=4398046511109, signature=\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00], [file_id=[persistent=73, volatile=18446744069414584325], size=0, times=[modified=-1.164447e+10, accessed=-1.164447e+10, created=-1.164447e+10, changed=-1.164447e+10], attrs=[read_only=F, hidden=F, system=F, directory=F, archive=F, normal=T, temporary=F, sparse_file=F, reparse_point=F, compressed=F, offline=F, not_content_indexed=F, encrypted=F, integrity_stream=F, no_scrub_data=F], create_action=1]
|
||||||
|
smb2_create_request, [id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], orig=[size=2342, state=4, num_pkts=13, num_bytes_ip=2654, flow_label=0, l2_addr=00:0c:29:6b:99:0f], resp=[size=1924, state=4, num_pkts=12, num_bytes_ip=2416, flow_label=0, l2_addr=00:0c:29:4e:b0:d0], start_time=1323202695.370647, duration=0.010734, service={
|
||||||
|
SMB,
|
||||||
|
GSSAPI,
|
||||||
|
NTLM,
|
||||||
|
DCE_RPC
|
||||||
|
}, history=ShADd, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=[uuid=4b324fc8-1670-01d3-1278-5a47bf6ee188, named_pipe=\PIPE\srvsvc], dce_rpc_backing={
|
||||||
|
[18446744069414584398] = [info=[ts=1323202695.379517, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], rtt=183.0 usecs, named_pipe=\PIPE\srvsvc, endpoint=srvsvc, operation=NetrShareGetInfo], state=[uuid=4b324fc8-1670-01d3-1278-5a47bf6ee188, named_pipe=\PIPE\srvsvc]]
|
||||||
|
}, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=[ts=1323202695.372863, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], username=Administrator, hostname=SERVER01, domainname=CONTOSO, success=T, status=SUCCESS, done=T], radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>, smb_state=[current_cmd=[ts=1323202695.381381, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], command=CREATE, sub_command=<uninitialized>, argument=<uninitialized>, status=<uninitialized>, rtt=<uninitialized>, version=SMB2, username=<uninitialized>, tree=<uninitialized>, tree_service=<uninitialized>, referenced_file=[ts=1323202695.381381, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], fuid=<uninitialized>, action=SMB::FILE_OPEN, path=<uninitialized>, name=<share_root>, size=0, prev_name=<uninitialized>, times=<uninitialized>, fid=<uninitialized>, uuid=<uninitialized>], referenced_tree=[ts=1323202695.377084, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], path=\\10.0.0.12\smb2, service=<uninitialized>, native_file_system=<uninitialized>, share_type=DISK], smb1_offered_dialects=<uninitialized>, smb2_offered_dialects=<uninitialized>], current_file=[ts=1323202695.381381, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], fuid=<uninitialized>, action=SMB::FILE_OPEN, path=<uninitialized>, name=<share_root>, size=0, 
prev_name=<uninitialized>, times=<uninitialized>, fid=<uninitialized>, uuid=<uninitialized>], current_tree=[ts=1323202695.377084, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], path=\\10.0.0.12\smb2, service=<uninitialized>, native_file_system=<uninitialized>, share_type=DISK], pending_cmds={
|
||||||
|
[11] = [ts=1323202695.381381, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], command=CREATE, sub_command=<uninitialized>, argument=<uninitialized>, status=<uninitialized>, rtt=<uninitialized>, version=SMB2, username=<uninitialized>, tree=<uninitialized>, tree_service=<uninitialized>, referenced_file=[ts=1323202695.381381, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], fuid=<uninitialized>, action=SMB::FILE_OPEN, path=<uninitialized>, name=<share_root>, size=0, prev_name=<uninitialized>, times=<uninitialized>, fid=<uninitialized>, uuid=<uninitialized>], referenced_tree=[ts=1323202695.377084, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], path=\\10.0.0.12\smb2, service=<uninitialized>, native_file_system=<uninitialized>, share_type=DISK], smb1_offered_dialects=<uninitialized>, smb2_offered_dialects=<uninitialized>]
|
||||||
|
}, fid_map={
|
||||||
|
[18446744069414584390] = [ts=1323202695.377459, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], fuid=<uninitialized>, action=SMB::FILE_OPEN, path=\\10.0.0.12\smb2, name=<share_root>, size=8192, prev_name=<uninitialized>, times=[modified=1323202604.512058, accessed=1323202604.512058, created=1322343963.945297, changed=1323202604.512058], fid=18446744069414584390, uuid=<uninitialized>]
|
||||||
|
}, tid_map={
|
||||||
|
[1] = [ts=1323202695.377084, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], path=\\10.0.0.12\smb2, service=<uninitialized>, native_file_system=<uninitialized>, share_type=DISK],
|
||||||
|
[65535] = [ts=<uninitialized>, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], path=<uninitialized>, service=<uninitialized>, native_file_system=<uninitialized>, share_type=DISK],
|
||||||
|
[5] = [ts=1323202695.378188, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], path=\\10.0.0.12\IPC$, service=<uninitialized>, native_file_system=<uninitialized>, share_type=PIPE]
|
||||||
|
}, uid_map={
|
||||||
|
|
||||||
|
}, pipe_map={
|
||||||
|
|
||||||
|
}, recent_files={
|
||||||
|
SMB::FILE_OPEN<share_root>\\10.0.0.12\smb28192[modified=1323202604.512058, accessed=1323202604.512058, created=1322343963.945297, changed=1323202604.512058]
|
||||||
|
}]], [credit_charge=0, status=0, command=5, credits=1, flags=0, message_id=11, process_id=65279, tree_id=1, session_id=4398046511109, signature=\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00], [filename=<share_root>, disposition=2, create_options=2097185]
|
||||||
|
smb2_create_request, [id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], orig=[size=2947, state=4, num_pkts=16, num_bytes_ip=3323, flow_label=0, l2_addr=00:0c:29:6b:99:0f], resp=[size=2297, state=4, num_pkts=15, num_bytes_ip=2909, flow_label=0, l2_addr=00:0c:29:4e:b0:d0], start_time=1323202695.370647, duration=0.061545, service={
|
||||||
|
SMB,
|
||||||
|
GSSAPI,
|
||||||
|
NTLM,
|
||||||
|
DCE_RPC
|
||||||
|
}, history=ShADd, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=[uuid=4b324fc8-1670-01d3-1278-5a47bf6ee188, named_pipe=\PIPE\srvsvc], dce_rpc_backing={
|
||||||
|
[18446744069414584398] = [info=[ts=1323202695.379517, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], rtt=183.0 usecs, named_pipe=\PIPE\srvsvc, endpoint=srvsvc, operation=NetrShareGetInfo], state=[uuid=4b324fc8-1670-01d3-1278-5a47bf6ee188, named_pipe=\PIPE\srvsvc]]
|
||||||
|
}, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=[ts=1323202695.372863, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], username=Administrator, hostname=SERVER01, domainname=CONTOSO, success=T, status=SUCCESS, done=T], radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>, smb_state=[current_cmd=[ts=1323202695.432192, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], command=CREATE, sub_command=<uninitialized>, argument=<uninitialized>, status=<uninitialized>, rtt=<uninitialized>, version=SMB2, username=<uninitialized>, tree=<uninitialized>, tree_service=<uninitialized>, referenced_file=[ts=1323202695.432192, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], fuid=<uninitialized>, action=SMB::FILE_OPEN, path=<uninitialized>, name=WP_SMBPlugin.pdf, size=0, prev_name=<uninitialized>, times=<uninitialized>, fid=<uninitialized>, uuid=<uninitialized>], referenced_tree=[ts=1323202695.377084, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], path=\\10.0.0.12\smb2, service=<uninitialized>, native_file_system=<uninitialized>, share_type=DISK], smb1_offered_dialects=<uninitialized>, smb2_offered_dialects=<uninitialized>], current_file=[ts=1323202695.432192, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], fuid=<uninitialized>, action=SMB::FILE_OPEN, path=<uninitialized>, name=WP_SMBPlugin.pdf, 
size=0, prev_name=<uninitialized>, times=<uninitialized>, fid=<uninitialized>, uuid=<uninitialized>], current_tree=[ts=1323202695.377084, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], path=\\10.0.0.12\smb2, service=<uninitialized>, native_file_system=<uninitialized>, share_type=DISK], pending_cmds={
|
||||||
|
[15] = [ts=1323202695.432192, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], command=CREATE, sub_command=<uninitialized>, argument=<uninitialized>, status=<uninitialized>, rtt=<uninitialized>, version=SMB2, username=<uninitialized>, tree=<uninitialized>, tree_service=<uninitialized>, referenced_file=[ts=1323202695.432192, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], fuid=<uninitialized>, action=SMB::FILE_OPEN, path=<uninitialized>, name=WP_SMBPlugin.pdf, size=0, prev_name=<uninitialized>, times=<uninitialized>, fid=<uninitialized>, uuid=<uninitialized>], referenced_tree=[ts=1323202695.377084, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], path=\\10.0.0.12\smb2, service=<uninitialized>, native_file_system=<uninitialized>, share_type=DISK], smb1_offered_dialects=<uninitialized>, smb2_offered_dialects=<uninitialized>]
|
||||||
|
}, fid_map={
|
||||||
|
[18446744069414584390] = [ts=1323202695.377459, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], fuid=<uninitialized>, action=SMB::FILE_OPEN, path=\\10.0.0.12\smb2, name=<share_root>, size=8192, prev_name=<uninitialized>, times=[modified=1323202604.512058, accessed=1323202604.512058, created=1322343963.945297, changed=1323202604.512058], fid=18446744069414584390, uuid=<uninitialized>]
|
||||||
|
}, tid_map={
|
||||||
|
[1] = [ts=1323202695.377084, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], path=\\10.0.0.12\smb2, service=<uninitialized>, native_file_system=<uninitialized>, share_type=DISK],
|
||||||
|
[65535] = [ts=<uninitialized>, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], path=<uninitialized>, service=<uninitialized>, native_file_system=<uninitialized>, share_type=DISK],
|
||||||
|
[5] = [ts=1323202695.378188, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], path=\\10.0.0.12\IPC$, service=<uninitialized>, native_file_system=<uninitialized>, share_type=PIPE]
|
||||||
|
}, uid_map={
|
||||||
|
|
||||||
|
}, pipe_map={
|
||||||
|
|
||||||
|
}, recent_files={
|
||||||
|
SMB::FILE_OPEN<share_root>\\10.0.0.12\smb28192[modified=1323202604.512058, accessed=1323202604.512058, created=1322343963.945297, changed=1323202604.512058]
|
||||||
|
}]], [credit_charge=0, status=0, command=5, credits=1, flags=0, message_id=15, process_id=65279, tree_id=1, session_id=4398046511109, signature=\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00], [filename=WP_SMBPlugin.pdf, disposition=2, create_options=68]
|
||||||
|
smb2_create_response, [id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], orig=[size=2947, state=4, num_pkts=17, num_bytes_ip=3639, flow_label=0, l2_addr=00:0c:29:6b:99:0f], resp=[size=2573, state=4, num_pkts=15, num_bytes_ip=2909, flow_label=0, l2_addr=00:0c:29:4e:b0:d0], start_time=1323202695.370647, duration=0.062223, service={
|
||||||
|
SMB,
|
||||||
|
GSSAPI,
|
||||||
|
NTLM,
|
||||||
|
DCE_RPC
|
||||||
|
}, history=ShADd, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=[uuid=4b324fc8-1670-01d3-1278-5a47bf6ee188, named_pipe=\PIPE\srvsvc], dce_rpc_backing={
|
||||||
|
[18446744069414584398] = [info=[ts=1323202695.379517, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], rtt=183.0 usecs, named_pipe=\PIPE\srvsvc, endpoint=srvsvc, operation=NetrShareGetInfo], state=[uuid=4b324fc8-1670-01d3-1278-5a47bf6ee188, named_pipe=\PIPE\srvsvc]]
|
||||||
|
}, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=[ts=1323202695.372863, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], username=Administrator, hostname=SERVER01, domainname=CONTOSO, success=T, status=SUCCESS, done=T], radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>, smb_state=[current_cmd=[ts=1323202695.432192, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], command=CREATE, sub_command=<uninitialized>, argument=<uninitialized>, status=SUCCESS, rtt=677.0 usecs, version=SMB2, username=<uninitialized>, tree=<uninitialized>, tree_service=<uninitialized>, referenced_file=[ts=1323202695.432192, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], fuid=<uninitialized>, action=SMB::FILE_OPEN, path=\\10.0.0.12\smb2, name=WP_SMBPlugin.pdf, size=0, prev_name=<uninitialized>, times=[modified=1323202695.427036, accessed=1323202695.427036, created=1323202695.427036, changed=1323202695.427036], fid=18446744069414584406, uuid=<uninitialized>], referenced_tree=[ts=1323202695.377084, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], path=\\10.0.0.12\smb2, service=<uninitialized>, native_file_system=<uninitialized>, share_type=DISK], smb1_offered_dialects=<uninitialized>, smb2_offered_dialects=<uninitialized>], current_file=[ts=1323202695.432192, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], 
fuid=<uninitialized>, action=SMB::FILE_OPEN, path=\\10.0.0.12\smb2, name=WP_SMBPlugin.pdf, size=0, prev_name=<uninitialized>, times=[modified=1323202695.427036, accessed=1323202695.427036, created=1323202695.427036, changed=1323202695.427036], fid=18446744069414584406, uuid=<uninitialized>], current_tree=[ts=1323202695.377084, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], path=\\10.0.0.12\smb2, service=<uninitialized>, native_file_system=<uninitialized>, share_type=DISK], pending_cmds={
|
||||||
|
|
||||||
|
}, fid_map={
|
||||||
|
[18446744069414584406] = [ts=1323202695.432192, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], fuid=<uninitialized>, action=SMB::FILE_OPEN, path=\\10.0.0.12\smb2, name=WP_SMBPlugin.pdf, size=0, prev_name=<uninitialized>, times=[modified=1323202695.427036, accessed=1323202695.427036, created=1323202695.427036, changed=1323202695.427036], fid=18446744069414584406, uuid=<uninitialized>],
|
||||||
|
[18446744069414584390] = [ts=1323202695.377459, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], fuid=<uninitialized>, action=SMB::FILE_OPEN, path=\\10.0.0.12\smb2, name=<share_root>, size=8192, prev_name=<uninitialized>, times=[modified=1323202604.512058, accessed=1323202604.512058, created=1322343963.945297, changed=1323202604.512058], fid=18446744069414584390, uuid=<uninitialized>]
|
||||||
|
}, tid_map={
|
||||||
|
[1] = [ts=1323202695.377084, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], path=\\10.0.0.12\smb2, service=<uninitialized>, native_file_system=<uninitialized>, share_type=DISK],
|
||||||
|
[65535] = [ts=<uninitialized>, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], path=<uninitialized>, service=<uninitialized>, native_file_system=<uninitialized>, share_type=DISK],
|
||||||
|
[5] = [ts=1323202695.378188, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], path=\\10.0.0.12\IPC$, service=<uninitialized>, native_file_system=<uninitialized>, share_type=PIPE]
|
||||||
|
}, uid_map={
|
||||||
|
|
||||||
|
}, pipe_map={
|
||||||
|
|
||||||
|
}, recent_files={
|
||||||
|
SMB::FILE_OPEN<share_root>\\10.0.0.12\smb28192[modified=1323202604.512058, accessed=1323202604.512058, created=1322343963.945297, changed=1323202604.512058]
|
||||||
|
}]], [credit_charge=0, status=0, command=5, credits=1, flags=1, message_id=15, process_id=65279, tree_id=1, session_id=4398046511109, signature=\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00], [file_id=[persistent=77, volatile=18446744069414584329], size=0, times=[modified=1323202695.427036, accessed=1323202695.427036, created=1323202695.427036, changed=1323202695.427036], attrs=[read_only=F, hidden=F, system=F, directory=F, archive=T, normal=F, temporary=F, sparse_file=F, reparse_point=F, compressed=F, offline=F, not_content_indexed=F, encrypted=F, integrity_stream=F, no_scrub_data=F], create_action=2]
|
||||||
|
smb2_create_request, [id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], orig=[size=1515338, state=4, num_pkts=1064, num_bytes_ip=1557690, flow_label=0, l2_addr=00:0c:29:6b:99:0f], resp=[size=4957, state=4, num_pkts=101, num_bytes_ip=9009, flow_label=0, l2_addr=00:0c:29:4e:b0:d0], start_time=1323202695.370647, duration=0.229267, service={
|
||||||
|
SMB,
|
||||||
|
GSSAPI,
|
||||||
|
NTLM,
|
||||||
|
DCE_RPC
|
||||||
|
}, history=ShADda, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=[uuid=4b324fc8-1670-01d3-1278-5a47bf6ee188, named_pipe=\PIPE\srvsvc], dce_rpc_backing={
|
||||||
|
[18446744069414584398] = [info=[ts=1323202695.379517, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], rtt=183.0 usecs, named_pipe=\PIPE\srvsvc, endpoint=srvsvc, operation=NetrShareGetInfo], state=[uuid=4b324fc8-1670-01d3-1278-5a47bf6ee188, named_pipe=\PIPE\srvsvc]]
|
||||||
|
}, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=[ts=1323202695.372863, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], username=Administrator, hostname=SERVER01, domainname=CONTOSO, success=T, status=SUCCESS, done=T], radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>, smb_state=[current_cmd=[ts=1323202695.599914, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], command=CREATE, sub_command=<uninitialized>, argument=<uninitialized>, status=<uninitialized>, rtt=<uninitialized>, version=SMB2, username=<uninitialized>, tree=<uninitialized>, tree_service=<uninitialized>, referenced_file=[ts=1323202695.599914, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], fuid=<uninitialized>, action=SMB::FILE_OPEN, path=<uninitialized>, name=<share_root>, size=0, prev_name=<uninitialized>, times=<uninitialized>, fid=<uninitialized>, uuid=<uninitialized>], referenced_tree=[ts=1323202695.377084, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], path=\\10.0.0.12\smb2, service=<uninitialized>, native_file_system=<uninitialized>, share_type=DISK], smb1_offered_dialects=<uninitialized>, smb2_offered_dialects=<uninitialized>], current_file=[ts=1323202695.599914, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], fuid=<uninitialized>, action=SMB::FILE_OPEN, path=<uninitialized>, name=<share_root>, size=0, 
prev_name=<uninitialized>, times=<uninitialized>, fid=<uninitialized>, uuid=<uninitialized>], current_tree=[ts=1323202695.377084, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], path=\\10.0.0.12\smb2, service=<uninitialized>, native_file_system=<uninitialized>, share_type=DISK], pending_cmds={
|
||||||
|
[44] = [ts=1323202695.599914, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], command=CREATE, sub_command=<uninitialized>, argument=<uninitialized>, status=<uninitialized>, rtt=<uninitialized>, version=SMB2, username=<uninitialized>, tree=<uninitialized>, tree_service=<uninitialized>, referenced_file=[ts=1323202695.599914, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], fuid=<uninitialized>, action=SMB::FILE_OPEN, path=<uninitialized>, name=<share_root>, size=0, prev_name=<uninitialized>, times=<uninitialized>, fid=<uninitialized>, uuid=<uninitialized>], referenced_tree=[ts=1323202695.377084, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], path=\\10.0.0.12\smb2, service=<uninitialized>, native_file_system=<uninitialized>, share_type=DISK], smb1_offered_dialects=<uninitialized>, smb2_offered_dialects=<uninitialized>]
|
||||||
|
}, fid_map={
|
||||||
|
[18446744069414584390] = [ts=1323202695.377459, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], fuid=<uninitialized>, action=SMB::FILE_OPEN, path=\\10.0.0.12\smb2, name=<share_root>, size=8192, prev_name=<uninitialized>, times=[modified=1323202604.512058, accessed=1323202604.512058, created=1322343963.945297, changed=1323202604.512058], fid=18446744069414584390, uuid=<uninitialized>]
|
||||||
|
}, tid_map={
|
||||||
|
[1] = [ts=1323202695.377084, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], path=\\10.0.0.12\smb2, service=<uninitialized>, native_file_system=<uninitialized>, share_type=DISK],
|
||||||
|
[65535] = [ts=<uninitialized>, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], path=<uninitialized>, service=<uninitialized>, native_file_system=<uninitialized>, share_type=DISK],
|
||||||
|
[5] = [ts=1323202695.378188, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], path=\\10.0.0.12\IPC$, service=<uninitialized>, native_file_system=<uninitialized>, share_type=PIPE]
|
||||||
|
}, uid_map={
|
||||||
|
|
||||||
|
}, pipe_map={
|
||||||
|
|
||||||
|
}, recent_files={
|
||||||
|
SMB::FILE_OPEN<share_root>\\10.0.0.12\smb28192[modified=1323202604.512058, accessed=1323202604.512058, created=1322343963.945297, changed=1323202604.512058],
|
||||||
|
SMB::FILE_OPENWP_SMBPlugin.pdf\\10.0.0.12\smb20[modified=1323202695.427036, accessed=1323202695.427036, created=1323202695.427036, changed=1323202695.427036]
|
||||||
|
}]], [credit_charge=0, status=0, command=5, credits=104, flags=0, message_id=44, process_id=65279, tree_id=1, session_id=4398046511109, signature=\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00], [filename=<share_root>, disposition=1, create_options=32]
|
||||||
|
smb2_create_response, [id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], orig=[size=1515338, state=4, num_pkts=1065, num_bytes_ip=1557950, flow_label=0, l2_addr=00:0c:29:6b:99:0f], resp=[size=5201, state=4, num_pkts=101, num_bytes_ip=9009, flow_label=0, l2_addr=00:0c:29:4e:b0:d0], start_time=1323202695.370647, duration=0.229443, service={
|
||||||
|
SMB,
|
||||||
|
GSSAPI,
|
||||||
|
NTLM,
|
||||||
|
DCE_RPC
|
||||||
|
}, history=ShADda, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=[uuid=4b324fc8-1670-01d3-1278-5a47bf6ee188, named_pipe=\PIPE\srvsvc], dce_rpc_backing={
|
||||||
|
[18446744069414584398] = [info=[ts=1323202695.379517, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], rtt=183.0 usecs, named_pipe=\PIPE\srvsvc, endpoint=srvsvc, operation=NetrShareGetInfo], state=[uuid=4b324fc8-1670-01d3-1278-5a47bf6ee188, named_pipe=\PIPE\srvsvc]]
|
||||||
|
}, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=[ts=1323202695.372863, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], username=Administrator, hostname=SERVER01, domainname=CONTOSO, success=T, status=SUCCESS, done=T], radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>, smb_state=[current_cmd=[ts=1323202695.599914, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], command=CREATE, sub_command=<uninitialized>, argument=<uninitialized>, status=SUCCESS, rtt=175.0 usecs, version=SMB2, username=<uninitialized>, tree=<uninitialized>, tree_service=<uninitialized>, referenced_file=[ts=1323202695.599914, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], fuid=<uninitialized>, action=SMB::FILE_OPEN, path=\\10.0.0.12\smb2, name=<share_root>, size=8192, prev_name=<uninitialized>, times=[modified=1323202695.427036, accessed=1323202695.427036, created=1322343963.945297, changed=1323202695.427036], fid=18446744069414584414, uuid=<uninitialized>], referenced_tree=[ts=1323202695.377084, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], path=\\10.0.0.12\smb2, service=<uninitialized>, native_file_system=<uninitialized>, share_type=DISK], smb1_offered_dialects=<uninitialized>, smb2_offered_dialects=<uninitialized>], current_file=[ts=1323202695.599914, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], 
fuid=<uninitialized>, action=SMB::FILE_OPEN, path=\\10.0.0.12\smb2, name=<share_root>, size=8192, prev_name=<uninitialized>, times=[modified=1323202695.427036, accessed=1323202695.427036, created=1322343963.945297, changed=1323202695.427036], fid=18446744069414584414, uuid=<uninitialized>], current_tree=[ts=1323202695.377084, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], path=\\10.0.0.12\smb2, service=<uninitialized>, native_file_system=<uninitialized>, share_type=DISK], pending_cmds={
|
||||||
|
|
||||||
|
}, fid_map={
|
||||||
|
[18446744069414584390] = [ts=1323202695.377459, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], fuid=<uninitialized>, action=SMB::FILE_OPEN, path=\\10.0.0.12\smb2, name=<share_root>, size=8192, prev_name=<uninitialized>, times=[modified=1323202604.512058, accessed=1323202604.512058, created=1322343963.945297, changed=1323202604.512058], fid=18446744069414584390, uuid=<uninitialized>],
|
||||||
|
[18446744069414584414] = [ts=1323202695.599914, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], fuid=<uninitialized>, action=SMB::FILE_OPEN, path=\\10.0.0.12\smb2, name=<share_root>, size=8192, prev_name=<uninitialized>, times=[modified=1323202695.427036, accessed=1323202695.427036, created=1322343963.945297, changed=1323202695.427036], fid=18446744069414584414, uuid=<uninitialized>]
|
||||||
|
}, tid_map={
|
||||||
|
[1] = [ts=1323202695.377084, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], path=\\10.0.0.12\smb2, service=<uninitialized>, native_file_system=<uninitialized>, share_type=DISK],
|
||||||
|
[65535] = [ts=<uninitialized>, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], path=<uninitialized>, service=<uninitialized>, native_file_system=<uninitialized>, share_type=DISK],
|
||||||
|
[5] = [ts=1323202695.378188, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], path=\\10.0.0.12\IPC$, service=<uninitialized>, native_file_system=<uninitialized>, share_type=PIPE]
|
||||||
|
}, uid_map={
|
||||||
|
|
||||||
|
}, pipe_map={
|
||||||
|
|
||||||
|
}, recent_files={
|
||||||
|
SMB::FILE_OPEN<share_root>\\10.0.0.12\smb28192[modified=1323202604.512058, accessed=1323202604.512058, created=1322343963.945297, changed=1323202604.512058],
|
||||||
|
SMB::FILE_OPENWP_SMBPlugin.pdf\\10.0.0.12\smb20[modified=1323202695.427036, accessed=1323202695.427036, created=1323202695.427036, changed=1323202695.427036]
|
||||||
|
}]], [credit_charge=0, status=0, command=5, credits=9, flags=1, message_id=44, process_id=65279, tree_id=1, session_id=4398046511109, signature=\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00], [file_id=[persistent=81, volatile=18446744069414584333], size=8192, times=[modified=1323202695.427036, accessed=1323202695.427036, created=1322343963.945297, changed=1323202695.427036], attrs=[read_only=F, hidden=F, system=F, directory=T, archive=F, normal=F, temporary=F, sparse_file=F, reparse_point=F, compressed=F, offline=F, not_content_indexed=F, encrypted=F, integrity_stream=F, no_scrub_data=F], create_action=1]
|
||||||
|
smb2_create_request, [id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], orig=[size=1515782, state=4, num_pkts=1067, num_bytes_ip=1558254, flow_label=0, l2_addr=00:0c:29:6b:99:0f], resp=[size=5541, state=4, num_pkts=104, num_bytes_ip=9713, flow_label=0, l2_addr=00:0c:29:4e:b0:d0], start_time=1323202695.370647, duration=0.233359, service={
|
||||||
|
SMB,
|
||||||
|
GSSAPI,
|
||||||
|
NTLM,
|
||||||
|
DCE_RPC
|
||||||
|
}, history=ShADda, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=[uuid=4b324fc8-1670-01d3-1278-5a47bf6ee188, named_pipe=\PIPE\srvsvc], dce_rpc_backing={
|
||||||
|
[18446744069414584398] = [info=[ts=1323202695.379517, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], rtt=183.0 usecs, named_pipe=\PIPE\srvsvc, endpoint=srvsvc, operation=NetrShareGetInfo], state=[uuid=4b324fc8-1670-01d3-1278-5a47bf6ee188, named_pipe=\PIPE\srvsvc]]
|
||||||
|
}, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=[ts=1323202695.372863, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], username=Administrator, hostname=SERVER01, domainname=CONTOSO, success=T, status=SUCCESS, done=T], radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>, smb_state=[current_cmd=[ts=1323202695.604006, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], command=CREATE, sub_command=<uninitialized>, argument=<uninitialized>, status=<uninitialized>, rtt=<uninitialized>, version=SMB2, username=<uninitialized>, tree=<uninitialized>, tree_service=<uninitialized>, referenced_file=[ts=1323202695.604006, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], fuid=<uninitialized>, action=SMB::FILE_OPEN, path=<uninitialized>, name=<share_root>, size=0, prev_name=<uninitialized>, times=<uninitialized>, fid=<uninitialized>, uuid=<uninitialized>], referenced_tree=[ts=1323202695.377084, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], path=\\10.0.0.12\smb2, service=<uninitialized>, native_file_system=<uninitialized>, share_type=DISK], smb1_offered_dialects=<uninitialized>, smb2_offered_dialects=<uninitialized>], current_file=[ts=1323202695.604006, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], fuid=<uninitialized>, action=SMB::FILE_OPEN, path=<uninitialized>, name=<share_root>, size=0, 
prev_name=<uninitialized>, times=<uninitialized>, fid=<uninitialized>, uuid=<uninitialized>], current_tree=[ts=1323202695.377084, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], path=\\10.0.0.12\smb2, service=<uninitialized>, native_file_system=<uninitialized>, share_type=DISK], pending_cmds={
|
||||||
|
[47] = [ts=1323202695.604006, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], command=CREATE, sub_command=<uninitialized>, argument=<uninitialized>, status=<uninitialized>, rtt=<uninitialized>, version=SMB2, username=<uninitialized>, tree=<uninitialized>, tree_service=<uninitialized>, referenced_file=[ts=1323202695.604006, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], fuid=<uninitialized>, action=SMB::FILE_OPEN, path=<uninitialized>, name=<share_root>, size=0, prev_name=<uninitialized>, times=<uninitialized>, fid=<uninitialized>, uuid=<uninitialized>], referenced_tree=[ts=1323202695.377084, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], path=\\10.0.0.12\smb2, service=<uninitialized>, native_file_system=<uninitialized>, share_type=DISK], smb1_offered_dialects=<uninitialized>, smb2_offered_dialects=<uninitialized>]
|
||||||
|
}, fid_map={
|
||||||
|
[18446744069414584390] = [ts=1323202695.377459, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], fuid=<uninitialized>, action=SMB::FILE_OPEN, path=\\10.0.0.12\smb2, name=<share_root>, size=8192, prev_name=<uninitialized>, times=[modified=1323202604.512058, accessed=1323202604.512058, created=1322343963.945297, changed=1323202604.512058], fid=18446744069414584390, uuid=<uninitialized>]
|
||||||
|
}, tid_map={
|
||||||
|
[1] = [ts=1323202695.377084, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], path=\\10.0.0.12\smb2, service=<uninitialized>, native_file_system=<uninitialized>, share_type=DISK],
|
||||||
|
[65535] = [ts=<uninitialized>, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], path=<uninitialized>, service=<uninitialized>, native_file_system=<uninitialized>, share_type=DISK],
|
||||||
|
[5] = [ts=1323202695.378188, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], path=\\10.0.0.12\IPC$, service=<uninitialized>, native_file_system=<uninitialized>, share_type=PIPE]
|
||||||
|
}, uid_map={
|
||||||
|
|
||||||
|
}, pipe_map={
|
||||||
|
|
||||||
|
}, recent_files={
|
||||||
|
SMB::FILE_OPEN<share_root>\\10.0.0.12\smb28192[modified=1323202695.427036, accessed=1323202695.427036, created=1322343963.945297, changed=1323202695.427036],
|
||||||
|
SMB::FILE_OPEN<share_root>\\10.0.0.12\smb28192[modified=1323202604.512058, accessed=1323202604.512058, created=1322343963.945297, changed=1323202604.512058],
|
||||||
|
SMB::FILE_OPENWP_SMBPlugin.pdf\\10.0.0.12\smb20[modified=1323202695.427036, accessed=1323202695.427036, created=1323202695.427036, changed=1323202695.427036]
|
||||||
|
}]], [credit_charge=0, status=0, command=5, credits=80, flags=0, message_id=47, process_id=65279, tree_id=1, session_id=4398046511109, signature=\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00], [filename=<share_root>, disposition=1, create_options=32]
|
||||||
|
smb2_create_response, [id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], orig=[size=1515782, state=4, num_pkts=1068, num_bytes_ip=1558514, flow_label=0, l2_addr=00:0c:29:6b:99:0f], resp=[size=5785, state=4, num_pkts=104, num_bytes_ip=9713, flow_label=0, l2_addr=00:0c:29:4e:b0:d0], start_time=1323202695.370647, duration=0.233475, service={
|
||||||
|
SMB,
|
||||||
|
GSSAPI,
|
||||||
|
NTLM,
|
||||||
|
DCE_RPC
|
||||||
|
}, history=ShADda, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=[uuid=4b324fc8-1670-01d3-1278-5a47bf6ee188, named_pipe=\PIPE\srvsvc], dce_rpc_backing={
|
||||||
|
[18446744069414584398] = [info=[ts=1323202695.379517, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], rtt=183.0 usecs, named_pipe=\PIPE\srvsvc, endpoint=srvsvc, operation=NetrShareGetInfo], state=[uuid=4b324fc8-1670-01d3-1278-5a47bf6ee188, named_pipe=\PIPE\srvsvc]]
|
||||||
|
}, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=[ts=1323202695.372863, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], username=Administrator, hostname=SERVER01, domainname=CONTOSO, success=T, status=SUCCESS, done=T], radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>, smb_state=[current_cmd=[ts=1323202695.604006, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], command=CREATE, sub_command=<uninitialized>, argument=<uninitialized>, status=SUCCESS, rtt=115.0 usecs, version=SMB2, username=<uninitialized>, tree=<uninitialized>, tree_service=<uninitialized>, referenced_file=[ts=1323202695.604006, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], fuid=<uninitialized>, action=SMB::FILE_OPEN, path=\\10.0.0.12\smb2, name=<share_root>, size=8192, prev_name=<uninitialized>, times=[modified=1323202695.427036, accessed=1323202695.427036, created=1322343963.945297, changed=1323202695.427036], fid=18446744069414584422, uuid=<uninitialized>], referenced_tree=[ts=1323202695.377084, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], path=\\10.0.0.12\smb2, service=<uninitialized>, native_file_system=<uninitialized>, share_type=DISK], smb1_offered_dialects=<uninitialized>, smb2_offered_dialects=<uninitialized>], current_file=[ts=1323202695.604006, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], 
fuid=<uninitialized>, action=SMB::FILE_OPEN, path=\\10.0.0.12\smb2, name=<share_root>, size=8192, prev_name=<uninitialized>, times=[modified=1323202695.427036, accessed=1323202695.427036, created=1322343963.945297, changed=1323202695.427036], fid=18446744069414584422, uuid=<uninitialized>], current_tree=[ts=1323202695.377084, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], path=\\10.0.0.12\smb2, service=<uninitialized>, native_file_system=<uninitialized>, share_type=DISK], pending_cmds={
|
||||||
|
|
||||||
|
}, fid_map={
|
||||||
|
[18446744069414584390] = [ts=1323202695.377459, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], fuid=<uninitialized>, action=SMB::FILE_OPEN, path=\\10.0.0.12\smb2, name=<share_root>, size=8192, prev_name=<uninitialized>, times=[modified=1323202604.512058, accessed=1323202604.512058, created=1322343963.945297, changed=1323202604.512058], fid=18446744069414584390, uuid=<uninitialized>],
|
||||||
|
[18446744069414584422] = [ts=1323202695.604006, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], fuid=<uninitialized>, action=SMB::FILE_OPEN, path=\\10.0.0.12\smb2, name=<share_root>, size=8192, prev_name=<uninitialized>, times=[modified=1323202695.427036, accessed=1323202695.427036, created=1322343963.945297, changed=1323202695.427036], fid=18446744069414584422, uuid=<uninitialized>]
|
||||||
|
}, tid_map={
|
||||||
|
[1] = [ts=1323202695.377084, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], path=\\10.0.0.12\smb2, service=<uninitialized>, native_file_system=<uninitialized>, share_type=DISK],
|
||||||
|
[65535] = [ts=<uninitialized>, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], path=<uninitialized>, service=<uninitialized>, native_file_system=<uninitialized>, share_type=DISK],
|
||||||
|
[5] = [ts=1323202695.378188, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], path=\\10.0.0.12\IPC$, service=<uninitialized>, native_file_system=<uninitialized>, share_type=PIPE]
|
||||||
|
}, uid_map={
|
||||||
|
|
||||||
|
}, pipe_map={
|
||||||
|
|
||||||
|
}, recent_files={
|
||||||
|
SMB::FILE_OPEN<share_root>\\10.0.0.12\smb28192[modified=1323202695.427036, accessed=1323202695.427036, created=1322343963.945297, changed=1323202695.427036],
|
||||||
|
SMB::FILE_OPEN<share_root>\\10.0.0.12\smb28192[modified=1323202604.512058, accessed=1323202604.512058, created=1322343963.945297, changed=1323202604.512058],
|
||||||
|
SMB::FILE_OPENWP_SMBPlugin.pdf\\10.0.0.12\smb20[modified=1323202695.427036, accessed=1323202695.427036, created=1323202695.427036, changed=1323202695.427036]
|
||||||
|
}]], [credit_charge=0, status=0, command=5, credits=9, flags=1, message_id=47, process_id=65279, tree_id=1, session_id=4398046511109, signature=\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00], [file_id=[persistent=85, volatile=18446744069414584337], size=8192, times=[modified=1323202695.427036, accessed=1323202695.427036, created=1322343963.945297, changed=1323202695.427036], attrs=[read_only=F, hidden=F, system=F, directory=T, archive=F, normal=F, temporary=F, sparse_file=F, reparse_point=F, compressed=F, offline=F, not_content_indexed=F, encrypted=F, integrity_stream=F, no_scrub_data=F], create_action=1]
|
|
@ -4,6 +4,17 @@
|
||||||
# @TEST-EXEC: btest-diff files.log
|
# @TEST-EXEC: btest-diff files.log
|
||||||
# @TEST-EXEC: test ! -f dpd.log
|
# @TEST-EXEC: test ! -f dpd.log
|
||||||
# @TEST-EXEC: test ! -f weird.log
|
# @TEST-EXEC: test ! -f weird.log
|
||||||
|
# @TEST-EXEC: btest-diff .stdout
|
||||||
|
|
||||||
@load policy/protocols/smb
|
@load policy/protocols/smb
|
||||||
|
|
||||||
|
event smb2_create_request(c: connection, hdr: SMB2::Header, request: SMB2::CreateRequest )
|
||||||
|
{
|
||||||
|
print "smb2_create_request", c, hdr, request;
|
||||||
|
}
|
||||||
|
|
||||||
|
event smb2_create_response(c: connection, hdr: SMB2::Header, response: SMB2::CreateResponse )
|
||||||
|
{
|
||||||
|
print "smb2_create_response", c, hdr, response;
|
||||||
|
}
|
||||||
|
|
||||||
|
|
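Review bot: Both new handlers print the entire `connection` record, so this baseline now snapshots every analyzer's per-connection state (the `.stdout` above carries `ntlm`, `dce_rpc_state`, `dce_rpc_backing`, `smb_state` and dozens of `<uninitialized>` fields), and any field added to `connection` or any unrelated analyzer change will churn the SMB2 baseline without saying anything about CREATE parsing. Printing only the connection identifier together with the SMB2 header and payload keeps the test pinned to what it is meant to cover: `print "smb2_create_request", c$uid, hdr, request;` and `print "smb2_create_response", c$uid, hdr, response;`. The header fields worth pinning for this trace, such as `flags`, `message_id` and `signature`, are already covered by printing `hdr`. The file header for this section is not shown on the page, so it is only inferred from the `@TEST-EXEC` lines that this is the smb2 btest script.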