diff --git a/rust/src/nfs/nfs.rs b/rust/src/nfs/nfs.rs
index 643af76279..f919ea8bb6 100644
--- a/rust/src/nfs/nfs.rs
+++ b/rust/src/nfs/nfs.rs
@@ -238,6 +238,9 @@ pub struct NFSRequestXidMap {
 /// READ replies can use this to get to the handle the request used
 pub file_handle:Vec,
+
+ pub gssapi_proc: u32,
+ pub gssapi_service: u32,
 }
 impl NFSRequestXidMap {
@@ -248,6 +251,8 @@ impl NFSRequestXidMap {
 chunk_offset:chunk_offset,
 file_name:Vec::new(),
 file_handle:Vec::new(),
+ gssapi_proc: 0,
+ gssapi_service: 0,
 }
 }
 }
diff --git a/rust/src/nfs/nfs4.rs b/rust/src/nfs/nfs4.rs
index 0d385ef305..a5d85fc089 100644
--- a/rust/src/nfs/nfs4.rs
+++ b/rust/src/nfs/nfs4.rs
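Review bot: The new `gssapi_proc` and `gssapi_service` fields in the first nfs.rs hunk have no doc comment, although the neighbouring `file_handle` field does. I would add `/// RPCSEC_GSS procedure and service copied from the request credentials; the reply path uses them to decide whether to strip the integrity wrapper` above them. The constructor in the second hunk defaults both to 0, and the reply check in nfs4.rs accepts `gssapi_proc == 0`, so only `gssapi_service` separates a GSS-integrity request from one without GSS credentials; that is worth stating in the comment. The struct body starts outside the hunk.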
@@ -195,16 +195,39 @@ impl NFSState {
 }
 }
 } else if r.procedure == NFSPROC4_COMPOUND {
- match parse_nfs4_request_compound(r.prog_data) {
+ let mut data = r.prog_data;
+
+ if let RpcRequestCreds::GssApi(ref creds) = r.creds {
+ if creds.procedure == 0 && creds.service == 2 {
+ SCLogDebug!("GSS INTEGRITIY: {:?}", creds);
+ match parse_rpc_gssapi_integrity(r.prog_data) {
+ IResult::Done(_rem, rec) => {
+ SCLogDebug!("GSS INTEGRITIY wrapper: {:?}", rec);
+ data = rec.data;
+ // store proc and serv for the reply
+ xidmap.gssapi_proc = creds.procedure;
+ xidmap.gssapi_service = creds.service;
+ },
+ IResult::Incomplete(_n) => {
+ SCLogDebug!("NFSPROC4_COMPOUND/GSS INTEGRITIY: INCOMPLETE {:?}", _n);
+ self.set_event(NFSEvent::MalformedData);
+ return 0;
+ },
+ IResult::Error(e) => { panic!("NFSPROC4_COMPOUND/GSS INTEGRITIY: Parsing failed: {:?}",e); },
+ }
+ }
+ }
+
+ match parse_nfs4_request_compound(data) {
 IResult::Done(_, rd) => {
 SCLogDebug!("NFSPROC4_COMPOUND: {:?}", rd);
 self.compound_request(&r, &rd, &mut xidmap);
 },
 IResult::Incomplete(_n) => {
- SCLogNotice!("NFSPROC4_COMPOUND: INCOMPLETE {:?}", _n);
+ SCLogDebug!("NFSPROC4_COMPOUND: INCOMPLETE {:?}", _n);
 self.set_event(NFSEvent::MalformedData);
 },
- IResult::Error(e) => { panic!("Parsing failed: {:?}",e); },
+ IResult::Error(e) => { panic!("NFSPROC4_COMPOUND: Parsing failed: {:?}",e); },
 };
 }
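Review bot: The added `IResult::Error(e) => { panic!(...) }` arm on the `parse_rpc_gssapi_integrity` result aborts the process whenever the wrapper bytes fail to parse, and `r.prog_data` is taken from the request record, so a malformed record stops inspection instead of raising an event. It should mirror the `Incomplete` arm: `IResult::Error(_e) => { self.set_event(NFSEvent::MalformedData); return 0; },`. The same arm is added in the reply hunk of this file, and the `parse_nfs4_request_compound` error arm keeps its `panic!` with only a new message. Separately, GSS credentials with any other `service` value leave `data` pointing at `r.prog_data`, which for a privacy-protected call is presumably not a plain COMPOUND body and so seems likely to reach that error arm. The enclosing function starts and ends outside the hunk.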
@@ -274,7 +297,25 @@ impl NFSState {
 pub fn process_reply_record_v4<'b>(&mut self, r: &RpcReplyPacket<'b>, xidmap: &mut NFSRequestXidMap) -> u32 {
 if xidmap.procedure == NFSPROC4_COMPOUND {
- match parse_nfs4_response_compound(r.prog_data) {
+ let mut data = r.prog_data;
+
+ if xidmap.gssapi_proc == 0 && xidmap.gssapi_service == 2 {
+
+ SCLogDebug!("GSS INTEGRITIY as set by call: {:?}", xidmap);
+ match parse_rpc_gssapi_integrity(r.prog_data) {
+ IResult::Done(_rem, rec) => {
+ SCLogDebug!("GSS INTEGRITIY wrapper: {:?}", rec);
+ data = rec.data;
+ },
+ IResult::Incomplete(_n) => {
+ SCLogDebug!("NFSPROC4_COMPOUND/GSS INTEGRITIY: INCOMPLETE {:?}", _n);
+ self.set_event(NFSEvent::MalformedData);
+ return 0;
+ },
+ IResult::Error(e) => { panic!("NFSPROC4_COMPOUND/GSS INTEGRITIY: Parsing failed: {:?}",e); },
+ }
+ }
+ match parse_nfs4_response_compound(data) {
 IResult::Done(_, rd) => {
 SCLogDebug!("COMPOUNDv4: {:?}", rd);
 self.compound_response(&r, &rd, xidmap);
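Review bot: The condition `xidmap.gssapi_proc == 0 && xidmap.gssapi_service == 2` repeats the bare 0 and 2 from the request path, and nothing in the hunk says what they stand for. Constants shared by both sites, for example `const RPCSEC_GSS_DATA: u32 = 0;` and `const RPCSEC_GSS_SVC_INTEGRITY: u32 = 2;` (names are only a suggestion), would keep the two checks from drifting apart. The decision to unwrap rests entirely on what the request stored in the xidmap, so a reply that is not actually wrapped is still passed to `parse_rpc_gssapi_integrity`; a one-line comment stating that assumption would help the next reader. `_rem` is discarded in the `Done` arm, so whatever follows the wrapped data is never examined. `process_reply_record_v4` continues past the end of the hunk.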