From: Victor Julien
Date: Fri, 9 Mar 2018 15:04:22 +0000 (+0100)
Subject: smb1: parse and log timestamps in CREATE
X-Git-Tag: suricata-4.1.0-beta1~85
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=caf29e92b3f314f552bc9fece4f2e7a542551ed5;p=thirdparty%2Fsuricata.git
smb1: parse and log timestamps in CREATE
---
diff --git a/rust/src/smb/smb1.rs b/rust/src/smb/smb1.rs
index 64afbefb78..90b7a79f81 100644
--- a/rust/src/smb/smb1.rs
+++ b/rust/src/smb/smb1.rs
@@ -488,11 +488,32 @@ pub fn smb1_response_record<'b>(state: &mut SMBState, r: &SmbRecord<'b>) -> u32
 SCLogDebug!("SMBv1 response: GUID NOT FOUND");
 },
 }
+
+ let tx_hdr = SMBCommonHdr::from1(r, SMBHDR_TYPE_GENERICTX);
+ if let Some(tx) = state.get_generic_tx(1, r.command as u16, &tx_hdr) {
+ SCLogDebug!("tx {} with {}/{} marked as done",
+ tx.id, r.command, &smb1_command_string(r.command));
+ tx.set_status(r.nt_status, false);
+ tx.response_done = true;
+
+ if let Some(SMBTransactionTypeData::CREATE(ref mut tdn)) = tx.type_data {
+ tdn.create_ts = cr.create_ts.as_unix();
+ tdn.last_access_ts = cr.last_access_ts.as_unix();
+ tdn.last_write_ts = cr.last_write_ts.as_unix();
+ tdn.last_change_ts = cr.last_change_ts.as_unix();
+ tdn.size = cr.file_size;
+ }
+ }
+ true
+ },
+ _ => {
+ events.push(SMBEvent::MalformedData);
+ false
 },
- _ => { events.push(SMBEvent::MalformedData); },
 }
+ } else {
+ false
 }
- false
 },
 SMB1_COMMAND_TRANS => {
 smb1_trans_response_record(state, r);
diff --git a/rust/src/smb/smb1_records.rs b/rust/src/smb/smb1_records.rs
index 0f5d9a5d8f..ef18a4c2a2 100644
--- a/rust/src/smb/smb1_records.rs
+++ b/rust/src/smb/smb1_records.rs
@@ -17,6 +17,7 @@ use log::*;
 use nom::{rest, le_u8, le_u16, le_u32, le_u64, IResult};
+use smb::smb::*;
 #[derive(Debug,PartialEq)]
 pub struct Smb1WriteRequestRecord<'a> {
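Review bot: The generic transaction is only marked done on the success path: the new `} else { false }` arm returns before any `get_generic_tx` / `set_status` / `response_done = true` call, so a CREATE response with a non-success `nt_status` leaves this arm without closing the request's transaction. The `if` whose else-branch this hunk adds, and what the caller does with the returned `false`, lie outside the hunk, so this may be handled further down; it is worth confirming, since failed creates would otherwise presumably stay open until some other cleanup path runs. A one-line comment on the `true` line, such as `// true: CREATE response parsed; generic tx (if any) updated in place`, would also make the meaning of the returned bool clear to a reader who only sees this arm. Note that `tdn.size = cr.file_size` here depends on the byte-offset problem raised on the smb1_records.rs parser hunk.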
@@ -529,6 +530,10 @@ named!(pub parse_smb_create_andx_request_record,
 #[derive(Debug,PartialEq)]
 pub struct SmbResponseCreateAndXRecord<'a> {
 pub fid: &'a[u8],
+ pub create_ts: SMBFiletime,
+ pub last_access_ts: SMBFiletime,
+ pub last_write_ts: SMBFiletime,
+ pub last_change_ts: SMBFiletime,
 pub file_size: u64,
 }
@@ -541,7 +546,11 @@ named!(pub parse_smb_create_andx_response_record,
 >> oplock_level: le_u8
 >> fid: take!(2)
 >> create_action: le_u32
- >> take!(36)
+ >> create_ts: le_u64
+ >> last_access_ts: le_u64
+ >> last_write_ts: le_u64
+ >> last_change_ts: le_u64
+ >> take!(8)
 >> file_size: le_u64
 >> take!(8)
 >> file_type: le_u16
@@ -549,6 +558,10 @@ named!(pub parse_smb_create_andx_response_record,
 >> is_dir: le_u8
 >> (SmbResponseCreateAndXRecord {
 fid:fid,
+ create_ts: SMBFiletime::new(create_ts),
+ last_access_ts: SMBFiletime::new(last_access_ts),
+ last_write_ts: SMBFiletime::new(last_write_ts),
+ last_change_ts: SMBFiletime::new(last_change_ts),
 file_size:file_size,
 }))
 );
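Review bot: The four new `SMBFiletime` fields added to `SmbResponseCreateAndXRecord` carry no doc comment, and since the struct derives `Debug` they will show up in debug output with no hint of what the number means. A `///` line on each, e.g. `/// Raw 64-bit FILETIME as read from the wire; not yet a Unix timestamp`, would tell a reader that the conversion still has to happen (in this commit it is done with `as_unix()` in the smb1.rs hunk).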
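Review bot: The bytes consumed after `create_action` no longer add up: `take!(36)` is replaced by four `le_u64` timestamps (32 bytes) plus `take!(8)`, i.e. 40 bytes, so `file_size`, the following `take!(8)`, `file_type` and the `is_dir` byte in the next hunk are all read 4 bytes too far into the response. The trailing skip should be `>> take!(4)` to preserve the original 36-byte layout (32 bytes of timestamps plus the 4-byte field that sits in front of the size, presumably the extended attributes). As written `file_size` straddles two wire fields, the value copied into `tdn.size` in the smb1.rs hunk is meaningless, and a response that is 4 bytes shorter than the new parser demands is now reported as `MalformedData`. A parser test against a captured NT Create AndX response would have caught the shift.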