Well, I think you're on the right track. You need to do something like
Val* bro_ts = new Val(secs, TYPE_TIME);
 
The Val constructor with a type of time takes a double of seconds since
Does that make sense? If you can provide more information on how the
  --Vlad
"Bortoli, Tomas" <tomas.bortoli@sit.fraunhofer.de> writes:
             
That solution looks good but I am stuck with the encoding of the timestamp.
It's a 64 bit timestamp but I don't know how to interpret it. Picture attached.
Thanks,
             
Well, that's protocol specific, but I did some digging:
>>> TIME_FIXUP_CONSTANT
 
This is already implemented in smb-time.pac:
double time_from_lanman(SMB_time* t, SMB_date* d, uint16_t tz);
zeek::RecordValPtr SMB_BuildMACTimes(uint64_t modify, uint64_t access,
                                     uint64_t create, uint64_t change);
%}
%code{
double filetime2zeektime(uint64_t ts)
	{
	// Zeek can't support times back to the 1600's
	// so we subtract a lot of seconds.
	return (ts / 10000000.0L) - 11644473600.0L;
	}
double time_from_lanman(SMB_time* t, SMB_date* d, uint16_t tz)
	{
	tm lTime;
	lTime.tm_sec = ${t.two_seconds} * 2;
	lTime.tm_min = ${t.minutes};
	lTime.tm_hour = ${t.hours};
	lTime.tm_mday = ${d.day};
 
You could try just adding this to your PAC file and then you'll be able
%include ../smb/smb-time.pac
 
Check out krb-asn1.pac for an example of including another PAC file:
%include ../asn1/asn1.pac
%header{
    zeek::ValPtr GetTimeFromAsn1(const KRB_Time* atime, int64 usecs);
    zeek::ValPtr GetTimeFromAsn1(zeek::StringVal* atime, int64 usecs);
%}
%code{
zeek::ValPtr GetTimeFromAsn1(const KRB_Time* atime, int64 usecs)
	{
	auto atime_bytestring = to_stringval(atime->time());
	auto result = GetTimeFromAsn1(atime_bytestring.get(), usecs);
	return result;
	}
zeek::ValPtr GetTimeFromAsn1(zeek::StringVal* atime, int64 usecs)
	{
	time_t lResult = 0;
 
  --Vlad
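
An integer-first take on the FILETIME conversion discussed above, added here as an example that is not part of the original thread or of Zeek's code: it reads the 64-bit field from a raw buffer and converts 100 ns ticks since 1601-01-01 into Unix seconds plus nanoseconds before producing the double that a time value needs. The helper names (`read_le64`, `filetime_to_unix`, `unix_to_double`), the little-endian byte order, and treating 0 as "not set" are assumptions.

```cpp
#include <cstddef>
#include <cstdint>
#include <optional>

// Seconds between 1601-01-01 (FILETIME epoch) and 1970-01-01 (Unix epoch);
// the same constant the smb-time.pac excerpt subtracts.
constexpr int64_t kEpochDiffSecs = 11644473600LL;
constexpr uint64_t kTicksPerSec = 10000000ULL; // one tick = 100 ns

struct UnixTime {
	int64_t secs;   // whole seconds since 1970-01-01 UTC (negative before it)
	uint32_t nsecs; // 0..999999900, always added on top of secs
};

// Hypothetical helper: read a little-endian 64-bit field from a wire buffer.
// Returns nullopt when fewer than 8 bytes are available (truncated packet).
std::optional<uint64_t> read_le64(const uint8_t* buf, size_t len)
	{
	if ( buf == nullptr || len < 8 )
		return std::nullopt;
	uint64_t v = 0;
	for ( int i = 7; i >= 0; --i )
		v = (v << 8) | buf[i];
	return v;
	}

// Integer conversion, so no precision is lost before the final double.
// Assumption: a FILETIME of 0 means "not set" and is reported as nullopt
// instead of being turned into a date in 1601.
std::optional<UnixTime> filetime_to_unix(uint64_t ft)
	{
	if ( ft == 0 )
		return std::nullopt;
	// Divide while still unsigned, then shift epochs: this floors correctly
	// for timestamps that fall before 1970.
	int64_t secs = static_cast<int64_t>(ft / kTicksPerSec) - kEpochDiffSecs;
	uint32_t nsecs = static_cast<uint32_t>(ft % kTicksPerSec) * 100;
	return UnixTime{secs, nsecs};
	}

// Seconds since the Unix epoch as a double, the form a time value takes.
double unix_to_double(const UnixTime& t)
	{
	return static_cast<double>(t.secs) + t.nsecs / 1e9;
	}
```
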
             
Thank you very much Vlad!
Tomas