smb1: parse and log timestamps in CREATE

7 years ago · caf29e92b3
parent 0e05ef7369
commit caf29e92b3
2 changed files with 37 additions and 3 deletions
--- a/rust/src/smb/smb1.rs
+++ b/rust/src/smb/smb1.rs
@ -488,11 +488,32 @@ pub fn smb1_response_record<'b>(state: &mut SMBState, r: &SmbRecord<'b>) -> u32
                                SCLogDebug!("SMBv1 response: GUID NOT FOUND");
                            },
                        }
+
+                        let tx_hdr = SMBCommonHdr::from1(r, SMBHDR_TYPE_GENERICTX);
+                        if let Some(tx) = state.get_generic_tx(1, r.command as u16, &tx_hdr) {
+                            SCLogDebug!("tx {} with {}/{} marked as done",
+                                    tx.id, r.command, &smb1_command_string(r.command));
+                            tx.set_status(r.nt_status, false);
+                            tx.response_done = true;
+
+                            if let Some(SMBTransactionTypeData::CREATE(ref mut tdn)) = tx.type_data {
+                                tdn.create_ts = cr.create_ts.as_unix();
+                                tdn.last_access_ts = cr.last_access_ts.as_unix();
+                                tdn.last_write_ts = cr.last_write_ts.as_unix();
+                                tdn.last_change_ts = cr.last_change_ts.as_unix();
+                                tdn.size = cr.file_size;
+                            }
+                        }
+                        true
+                    },
+                    _ => {
+                        events.push(SMBEvent::MalformedData);
+                        false
                    },
-                    _ => { events.push(SMBEvent::MalformedData); },
                }
+            } else {
+                false
            }
-            false
        },
        SMB1_COMMAND_TRANS => {
            smb1_trans_response_record(state, r);
--- a/rust/src/smb/smb1_records.rs
+++ b/rust/src/smb/smb1_records.rs
@ -17,6 +17,7 @@

 use log::*;
 use nom::{rest, le_u8, le_u16, le_u32, le_u64, IResult};
+use smb::smb::*;

 #[derive(Debug,PartialEq)]
 pub struct Smb1WriteRequestRecord<'a> {
@ -529,6 +530,10 @@ named!(pub parse_smb_create_andx_request_record<SmbRequestCreateAndXRecord>,
 #[derive(Debug,PartialEq)]
 pub struct SmbResponseCreateAndXRecord<'a> {
    pub fid: &'a[u8],
+    pub create_ts: SMBFiletime,
+    pub last_access_ts: SMBFiletime,
+    pub last_write_ts: SMBFiletime,
+    pub last_change_ts: SMBFiletime,
    pub file_size: u64,
 }

@ -541,7 +546,11 @@ named!(pub parse_smb_create_andx_response_record<SmbResponseCreateAndXRecord>,
        >>  oplock_level: le_u8
        >>  fid: take!(2)
        >>  create_action: le_u32
-        >>  take!(36)
+        >>  create_ts: le_u64
+        >>  last_access_ts: le_u64
+        >>  last_write_ts: le_u64
+        >>  last_change_ts: le_u64
+        >>  take!(8)
        >>  file_size: le_u64
        >>  take!(8)
        >>  file_type: le_u16
@ -549,6 +558,10 @@ named!(pub parse_smb_create_andx_response_record<SmbResponseCreateAndXRecord>,
        >>  is_dir: le_u8
        >> (SmbResponseCreateAndXRecord {
                fid:fid,
+                create_ts: SMBFiletime::new(create_ts),
+                last_access_ts: SMBFiletime::new(last_access_ts),
+                last_write_ts: SMBFiletime::new(last_write_ts),
+                last_change_ts: SMBFiletime::new(last_change_ts),
                file_size:file_size,
           }))
 );