smb: relax probing parser to handle first NBSS message

cf dcerpc-udp S-V test : First message is Message Type: Session request (0x81) Second message is SMB (cherry picked from commit 8307010255)
5 years ago · 90fdb53439
parent bfa66c6d6c
commit 90fdb53439
1 changed files with 20 additions and 0 deletions
--- a/rust/src/smb/smb.rs
+++ b/rust/src/smb/smb.rs
@ -1989,6 +1989,26 @@ pub extern "C" fn rs_smb_probe_tcp(flags: u8,
                return 1;
            } else if hdr.needs_more(){
                return 0;
+            } else if hdr.is_valid() &&
+                hdr.message_type != NBSS_MSGTYPE_SESSION_MESSAGE {
+                //we accept a first small netbios message before real SMB
+                let hl = hdr.length as usize;
+                if hdr.data.len() >= hl + 8 {
+                    // 8 is 4 bytes NBSS + 4 bytes SMB0xFX magic
+                    match parse_nbss_record_partial(&hdr.data[hl..]) {
+                        Ok((_, ref hdr2)) => {
+                            if hdr2.is_smb() {
+                                SCLogDebug!("smb found");
+                                return 1;
+                            }
+                        }
+                        _ => {}
+                    }
+                } else if hdr.length < 256 {
+                    // we want more data, 256 is some random value
+                    return 0;
+                }
+                // default is failure
            }
        },
        _ => { },