Add support for transaction2 Find_First2.

scripts/base/init-bare.bro

@@ -2628,7 +2628,7 @@ export {
 
 	type SMB1::Find_First2_Request_Args: record {
 		## File attributes to apply as a constraint to the search
-		search_attrs		: string;
+		search_attrs		: count;
 		## Max search results
 		search_count		: count;
 		## Misc. flags for how the server should manage the transaction

scripts/base/protocols/smb/smb1-main.bro

@@ -222,6 +222,11 @@ event smb1_trans2_query_path_info_request(c: connection, hdr: SMB1::Header, file
 	{
 	c$smb_state$current_cmd$argument = file_name;
 	}
+
+event smb1_trans2_find_first2_request(c: connection, hdr: SMB1::Header, args: SMB1::Find_First2_Request_Args)
+	{
+	c$smb_state$current_cmd$argument = args$file_name;
+	}
 	
 event smb1_session_setup_andx_response(c: connection, hdr: SMB1::Header, response: SMB1::SessionSetupAndXResponse) &priority=-5
 	{

src/analyzer/protocol/smb/smb1-com-transaction2.pac

@@ -109,8 +109,19 @@ refine connection SMB_Conn += {
 
 	function proc_trans2_find_first2_request(header: SMB_Header, val: trans2_find_first2_request): bool
 		%{
-		// TODO: implement this.
-		//printf("trans2_find_first2 request!\n");
+		if ( smb1_trans2_find_first2_request )
+			{
+			RecordVal* result = new RecordVal(BifType::Record::SMB1::Find_First2_Request_Args);
+			result->Assign(0, new Val(${val.search_attrs}, TYPE_COUNT));
+			result->Assign(1, new Val(${val.search_count}, TYPE_COUNT));
+			result->Assign(2, new Val(${val.flags}, TYPE_COUNT));
+			result->Assign(3, new Val(${val.info_level}, TYPE_COUNT));
+			result->Assign(4, new Val(${val.search_storage_type}, TYPE_COUNT));
+			result->Assign(5, smb_string2stringval(${val.file_name}));
+			BifEvent::generate_smb1_trans2_find_first2_request(bro_analyzer(), bro_analyzer()->Conn(), \
+															   BuildHeaderVal(header), result);
+			
+			}
 		return true;
 		%}