smb/dcerpc: use tx api

pull/2559/head
Victor Julien 9 years ago
parent d318bfc934
commit 84ba9cf9df

@ -2018,9 +2018,61 @@ static void DCERPCStateFree(void *s)
DCERPCCleanup(&sstate->dcerpc); DCERPCCleanup(&sstate->dcerpc);
if (sstate->de_state != NULL) {
DetectEngineStateFree(sstate->de_state);
}
SCFree(s); SCFree(s);
} }
static int DCERPCStateHasTxDetectState(void *state)
{
DCERPCState *dce_state = (DCERPCState *)state;
if (dce_state->de_state)
return 1;
return 0;
}
static int DCERPCSetTxDetectState(void *state, void *vtx, DetectEngineState *de_state)
{
DCERPCState *dce_state = (DCERPCState *)state;
dce_state->de_state = de_state;
return 0;
}
static DetectEngineState *DCERPCGetTxDetectState(void *vtx)
{
DCERPCState *dce_state = (DCERPCState *)vtx;
return dce_state->de_state;
}
static void DCERPCStateTransactionFree(void *state, uint64_t tx_id)
{
/* do nothing */
}
static void *DCERPCGetTx(void *state, uint64_t tx_id)
{
DCERPCState *dce_state = (DCERPCState *)state;
return dce_state;
}
static uint64_t DCERPCGetTxCnt(void *state)
{
/* single tx */
return 1;
}
static int DCERPCGetAlstateProgressCompletionStatus(uint8_t direction)
{
return 1;
}
static int DCERPCGetAlstateProgress(void *tx, uint8_t direction)
{
return 0;
}
static int DCERPCRegisterPatternsForProtocolDetection(void) static int DCERPCRegisterPatternsForProtocolDetection(void)
{ {
if (AppLayerProtoDetectPMRegisterPatternCS(IPPROTO_TCP, ALPROTO_DCERPC, if (AppLayerProtoDetectPMRegisterPatternCS(IPPROTO_TCP, ALPROTO_DCERPC,
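Review bot: DCERPCSetTxDetectState assigns `dce_state->de_state = de_state;` without checking whether a DetectEngineState is already attached, so a second call on the same state would leak the first one, since the only release is in DCERPCStateFree. If the framework only calls it after DCERPCGetTxDetectState returned NULL (likely, given DCERPCStateHasTxDetectState is registered alongside it), a comment stating that invariant is enough: `/* set once per state: the single tx is the state itself, de_state is freed in DCERPCStateFree */`; otherwise the old pointer should be freed before being overwritten. None of the new callbacks documents that DCERPCGetTx ignores tx_id and returns the state as the one and only tx, which is the assumption that makes the `(DCERPCState *)vtx` cast in DCERPCGetTxDetectState valid and DCERPCStateTransactionFree a deliberate no-op. The same set of functions, with the same missing comment, is duplicated in the SMB hunk (SMBStateHasTxDetectState through SMBGetAlstateProgress); since SMBState embeds a DCERPCState as `ds`, the SMB versions could delegate to these instead of repeating them.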
@ -2059,6 +2111,21 @@ void RegisterDCERPCParsers(void)
AppLayerParserRegisterStateFuncs(IPPROTO_TCP, ALPROTO_DCERPC, DCERPCStateAlloc, AppLayerParserRegisterStateFuncs(IPPROTO_TCP, ALPROTO_DCERPC, DCERPCStateAlloc,
DCERPCStateFree); DCERPCStateFree);
AppLayerParserRegisterParserAcceptableDataDirection(IPPROTO_TCP, ALPROTO_DCERPC, STREAM_TOSERVER); AppLayerParserRegisterParserAcceptableDataDirection(IPPROTO_TCP, ALPROTO_DCERPC, STREAM_TOSERVER);
AppLayerParserRegisterTxFreeFunc(IPPROTO_TCP, ALPROTO_DCERPC, DCERPCStateTransactionFree);
AppLayerParserRegisterDetectStateFuncs(IPPROTO_TCP, ALPROTO_DCERPC, DCERPCStateHasTxDetectState,
DCERPCGetTxDetectState, DCERPCSetTxDetectState);
AppLayerParserRegisterGetTx(IPPROTO_TCP, ALPROTO_DCERPC, DCERPCGetTx);
AppLayerParserRegisterGetTxCnt(IPPROTO_TCP, ALPROTO_DCERPC, DCERPCGetTxCnt);
AppLayerParserRegisterGetStateProgressFunc(IPPROTO_TCP, ALPROTO_DCERPC, DCERPCGetAlstateProgress);
AppLayerParserRegisterGetStateProgressCompletionStatus(ALPROTO_DCERPC,
DCERPCGetAlstateProgressCompletionStatus);
} else { } else {
SCLogInfo("Parsed disabled for %s protocol. Protocol detection" SCLogInfo("Parsed disabled for %s protocol. Protocol detection"
"still on.", proto_name); "still on.", proto_name);

@ -34,6 +34,7 @@
typedef struct DCERPCState_ { typedef struct DCERPCState_ {
DCERPC dcerpc; DCERPC dcerpc;
uint8_t data_needed_for_dir; uint8_t data_needed_for_dir;
DetectEngineState *de_state;
} DCERPCState; } DCERPCState;
void DCERPCInit(DCERPC *dcerpc); void DCERPCInit(DCERPC *dcerpc);
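Review bot: The new `DetectEngineState *de_state;` member lands in the DCERPCState typedef with no comment on ownership or lifetime; `/* detect state of the single DCERPC tx; owned by the state and freed in DCERPCStateFree */` would make the single-tx model visible where the field is declared. The member also requires DetectEngineState to be declared before this header is usable; if the header does not already include the detect-engine-state header or carry a forward declaration, that include is missing from this hunk.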

@ -1450,10 +1450,62 @@ static void SMBStateFree(void *s)
DCERPCCleanup(&sstate->ds.dcerpc); DCERPCCleanup(&sstate->ds.dcerpc);
if (sstate->ds.de_state) {
DetectEngineStateFree(sstate->ds.de_state);
}
SCFree(s); SCFree(s);
SCReturn; SCReturn;
} }
static int SMBStateHasTxDetectState(void *state)
{
SMBState *smb_state = (SMBState *)state;
if (smb_state->ds.de_state)
return 1;
return 0;
}
static int SMBSetTxDetectState(void *state, void *vtx, DetectEngineState *de_state)
{
SMBState *smb_state = (SMBState *)state;
smb_state->ds.de_state = de_state;
return 0;
}
static DetectEngineState *SMBGetTxDetectState(void *vtx)
{
SMBState *smb_state = (SMBState *)vtx;
return smb_state->ds.de_state;
}
static void SMBStateTransactionFree(void *state, uint64_t tx_id)
{
/* do nothing */
}
static void *SMBGetTx(void *state, uint64_t tx_id)
{
SMBState *smb_state = (SMBState *)state;
return smb_state;
}
static uint64_t SMBGetTxCnt(void *state)
{
/* single tx */
return 1;
}
static int SMBGetAlstateProgressCompletionStatus(uint8_t direction)
{
return 1;
}
static int SMBGetAlstateProgress(void *tx, uint8_t direction)
{
return 0;
}
#define SMB_PROBING_PARSER_MIN_DEPTH 8 #define SMB_PROBING_PARSER_MIN_DEPTH 8
static uint16_t SMBProbingParser(uint8_t *input, uint32_t ilen, uint32_t *offset) static uint16_t SMBProbingParser(uint8_t *input, uint32_t ilen, uint32_t *offset)
@ -1547,6 +1599,20 @@ void RegisterSMBParsers(void)
AppLayerParserRegisterParser(IPPROTO_TCP, ALPROTO_SMB, STREAM_TOSERVER, SMBParseRequest); AppLayerParserRegisterParser(IPPROTO_TCP, ALPROTO_SMB, STREAM_TOSERVER, SMBParseRequest);
AppLayerParserRegisterParser(IPPROTO_TCP, ALPROTO_SMB, STREAM_TOCLIENT, SMBParseResponse); AppLayerParserRegisterParser(IPPROTO_TCP, ALPROTO_SMB, STREAM_TOCLIENT, SMBParseResponse);
AppLayerParserRegisterStateFuncs(IPPROTO_TCP, ALPROTO_SMB, SMBStateAlloc, SMBStateFree); AppLayerParserRegisterStateFuncs(IPPROTO_TCP, ALPROTO_SMB, SMBStateAlloc, SMBStateFree);
AppLayerParserRegisterTxFreeFunc(IPPROTO_TCP, ALPROTO_SMB, SMBStateTransactionFree);
AppLayerParserRegisterDetectStateFuncs(IPPROTO_TCP, ALPROTO_SMB, SMBStateHasTxDetectState,
SMBGetTxDetectState, SMBSetTxDetectState);
AppLayerParserRegisterGetTx(IPPROTO_TCP, ALPROTO_SMB, SMBGetTx);
AppLayerParserRegisterGetTxCnt(IPPROTO_TCP, ALPROTO_SMB, SMBGetTxCnt);
AppLayerParserRegisterGetStateProgressFunc(IPPROTO_TCP, ALPROTO_SMB, SMBGetAlstateProgress);
AppLayerParserRegisterGetStateProgressCompletionStatus(ALPROTO_SMB,
SMBGetAlstateProgressCompletionStatus);
} else { } else {
SCLogInfo("Parsed disabled for %s protocol. Protocol detection " SCLogInfo("Parsed disabled for %s protocol. Protocol detection "
"still on.", proto_name); "still on.", proto_name);

@ -705,7 +705,6 @@ static int DetectDceStubDataTestParse02(void)
*/ */
static int DetectDceStubDataTestParse03(void) static int DetectDceStubDataTestParse03(void)
{ {
int result = 0;
Signature *s = NULL; Signature *s = NULL;
ThreadVars th_v; ThreadVars th_v;
Packet *p = NULL; Packet *p = NULL;
@ -1157,8 +1156,7 @@ static int DetectDceStubDataTestParse03(void)
StreamTcpInitConfig(TRUE); StreamTcpInitConfig(TRUE);
de_ctx = DetectEngineCtxInit(); de_ctx = DetectEngineCtxInit();
if (de_ctx == NULL) FAIL_IF(de_ctx == NULL);
goto end;
de_ctx->flags |= DE_QUIET; de_ctx->flags |= DE_QUIET;
@ -1167,53 +1165,34 @@ static int DetectDceStubDataTestParse03(void)
"(msg:\"DCERPC\"; " "(msg:\"DCERPC\"; "
"dce_stub_data; content:\"|42 42 42 42|\";" "dce_stub_data; content:\"|42 42 42 42|\";"
"sid:1;)"); "sid:1;)");
if (s == NULL) FAIL_IF(s == NULL);
goto end;
SigGroupBuild(de_ctx); SigGroupBuild(de_ctx);
DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx); DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
FLOWLOCK_WRLOCK(&f);
r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC, r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
STREAM_TOSERVER | STREAM_START, dcerpc_request, STREAM_TOSERVER | STREAM_START, dcerpc_request,
dcerpc_request_len); dcerpc_request_len);
if (r != 0) { FAIL_IF(r != 0);
SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
FLOWLOCK_UNLOCK(&f);
goto end;
}
FLOWLOCK_UNLOCK(&f);
dcerpc_state = f.alstate; dcerpc_state = f.alstate;
if (dcerpc_state == NULL) { FAIL_IF (dcerpc_state == NULL);
SCLogDebug("no dcerpc state: ");
goto end;
}
p->flowflags &=~ FLOW_PKT_TOCLIENT; p->flowflags &=~ FLOW_PKT_TOCLIENT;
p->flowflags |= FLOW_PKT_TOSERVER; p->flowflags |= FLOW_PKT_TOSERVER;
/* do detect */ /* do detect */
SigMatchSignatures(&th_v, de_ctx, det_ctx, p); SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
FAIL_IF(!PacketAlertCheck(p, 1));
if (!PacketAlertCheck(p, 1))
goto end;
result = 1;
end:
if (alp_tctx != NULL) if (alp_tctx != NULL)
AppLayerParserThreadCtxFree(alp_tctx); AppLayerParserThreadCtxFree(alp_tctx);
SigGroupCleanup(de_ctx);
SigCleanSignatures(de_ctx);
DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx); DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
DetectEngineCtxFree(de_ctx); DetectEngineCtxFree(de_ctx);
StreamTcpFreeConfig(TRUE); StreamTcpFreeConfig(TRUE);
FLOW_DESTROY(&f); FLOW_DESTROY(&f);
UTHFreePackets(&p, 1); UTHFreePackets(&p, 1);
return result; PASS;
} }
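Review bot: The FLOWLOCK_WRLOCK/FLOWLOCK_UNLOCK pair around the AppLayerParserParse call is removed together with the goto cleanup, and SigGroupCleanup/SigCleanSignatures are dropped ahead of DetectEngineCtxFree; neither removal follows from the FAIL_IF conversion, so it is worth confirming that the parser may now be called unlocked in unit tests and that DetectEngineCtxFree covers the signature cleanup, otherwise the lock should be restored. With FAIL_IF, every failing check now returns before alp_tctx, de_ctx, p and f are released, which is the usual trade-off of this macro in tests but matters when the suite runs under a leak checker. Minor: `FAIL_IF (dcerpc_state == NULL);` should be `FAIL_IF(dcerpc_state == NULL);` to match the other calls. DetectDceStubDataTestParse03 begins outside this hunk.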
static int DetectDceStubDataTestParse04(void) static int DetectDceStubDataTestParse04(void)

@ -616,9 +616,9 @@ int DeStateDetectStartDetection(ThreadVars *tv, DetectEngineCtx *de_ctx,
if (next_tx_no_progress) if (next_tx_no_progress)
break; break;
} /* for */ } /* for */
}
/* DCERPC matches */ /* DCERPC matches */
} else if (s->sm_arrays[DETECT_SM_LIST_DMATCH] != NULL && if (s->sm_arrays[DETECT_SM_LIST_DMATCH] != NULL &&
(alproto == ALPROTO_DCERPC || alproto == ALPROTO_SMB || (alproto == ALPROTO_DCERPC || alproto == ALPROTO_SMB ||
alproto == ALPROTO_SMB2)) alproto == ALPROTO_SMB2))
{ {
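Review bot: Turning `} else if (s->sm_arrays[DETECT_SM_LIST_DMATCH] != NULL &&` into a separate `if` after the added closing `}` means the DCERPC/SMB match block now runs after the per-tx loop in every case, rather than only when the preceding branch was not taken; that looks intentional now that these protocols expose a tx, but nothing in the hunk says so. A one-line comment above the condition, `/* not an else: DCERPC/SMB flows also go through the tx loop above */`, would stop a reader from treating the dropped `else` as a typo. DeStateDetectStartDetection starts and ends outside this hunk.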
