aiden
/
suricata
mirror of https://github.com/OISF/suricata
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

smb: probing parser improvement

Browse Source
pull/3440/head
Victor Julien 7 years ago
parent fd38989113
commit 177966970a
3 changed files with 32 additions and 10 deletions
Show Stats Download Patch File Download Diff File

6
rust/src/smb/nbss_records.rs
Unescape Escape View File

@ -32,7 +32,7 @@ pub struct NbssRecord<'a> {
} }
impl<'a> NbssRecord<'a> { impl<'a> NbssRecord<'a> {
pub fn is_smb(&self) -> bool { pub fn is_valid(&self) -> bool {
let valid = match self.message_type { let valid = match self.message_type {
NBSS_MSGTYPE_SESSION_MESSAGE | NBSS_MSGTYPE_SESSION_MESSAGE |
NBSS_MSGTYPE_SESSION_REQUEST | NBSS_MSGTYPE_SESSION_REQUEST |
@ -42,6 +42,10 @@ impl<'a> NbssRecord<'a> {
NBSS_MSGTYPE_KEEP_ALIVE => true, NBSS_MSGTYPE_KEEP_ALIVE => true,
_ => false, _ => false,
}; };
valid
}
pub fn is_smb(&self) -> bool {
let valid = self.is_valid();
let smb = if self.data.len() >= 4 && let smb = if self.data.len() >= 4 &&
self.data[1] == 'S' as u8 && self.data[2] == 'M' as u8 && self.data[3] == 'B' as u8 && self.data[1] == 'S' as u8 && self.data[2] == 'M' as u8 && self.data[3] == 'B' as u8 &&
(self.data[0] == b'\xFE' || self.data[0] == b'\xFF' || self.data[0] == b'\xFD') (self.data[0] == b'\xFE' || self.data[0] == b'\xFF' || self.data[0] == b'\xFD')

22
rust/src/smb/smb.rs
Unescape Escape View File

@ -1857,22 +1857,36 @@ pub extern "C" fn rs_smb_parse_response_tcp_gap(
return -1; return -1;
} }
// probing parser
// return 1 if found, 0 is not found
#[no_mangle] #[no_mangle]
pub extern "C" fn rs_smb_probe_tcp(input: *const libc::uint8_t, len: libc::uint32_t) pub extern "C" fn rs_smb_probe_tcp(input: *const libc::uint8_t, len: libc::uint32_t)
-> libc::int8_t -> libc::int8_t
{ {
let slice: &[u8] = unsafe { let slice = build_slice!(input, len as usize);
std::slice::from_raw_parts(input as *mut u8, len as usize) match search_smb_record(slice) {
}; IResult::Done(_, _) => {
SCLogDebug!("smb found");
return 1;
},
_ => {
SCLogDebug!("smb not found in {:?}", slice);
},
}
match parse_nbss_record_partial(slice) { match parse_nbss_record_partial(slice) {
IResult::Done(_, ref hdr) => { IResult::Done(_, ref hdr) => {
if hdr.is_smb() { if hdr.is_smb() {
SCLogDebug!("smb found");
return 1;
} else if hdr.is_valid() {
SCLogDebug!("nbss found, assume smb");
return 1; return 1;
} }
}, },
_ => { }, _ => { },
} }
return 1 SCLogDebug!("no smb");
return -1
} }
#[no_mangle] #[no_mangle]

12
src/app-layer-smb-tcp-rust.c
Unescape Escape View File

@ -86,12 +86,16 @@ static uint16_t RustSMBTCPProbe(Flow *f,
return ALPROTO_UNKNOWN; return ALPROTO_UNKNOWN;
} }
// Validate and return ALPROTO_FAILED if needed. const int r = rs_smb_probe_tcp(input, len);
if (!rs_smb_probe_tcp(input, len)) { switch (r) {
case 1:
return ALPROTO_SMB;
case 0:
return ALPROTO_UNKNOWN;
case -1:
default:
return ALPROTO_FAILED; return ALPROTO_FAILED;
} }
return ALPROTO_SMB;
} }
static int RustSMBGetAlstateProgress(void *tx, uint8_t direction) static int RustSMBGetAlstateProgress(void *tx, uint8_t direction)

Write Preview
Loading…
Cancel
Save