From c6d50764e5276a46a3a92fb0c91272f17d5a1a76 Mon Sep 17 00:00:00 2001
From: Anoop Saldanha
Date: Wed, 27 Feb 2013 20:51:36 +0530
Subject: [PATCH] temporarily patched smb + dcerpc parsers for direction demaraction.

---
 src/app-layer-dcerpc.c | 280 ++++++++++++++++++++++++++++++++++++++++-
 src/app-layer-dcerpc.h |   1 +
 src/app-layer-smb.c    | 113 ++++++++++++++++-
 src/app-layer-smb.h    |   1 +
 4 files changed, 387 insertions(+), 8 deletions(-)

diff --git a/src/app-layer-dcerpc.c b/src/app-layer-dcerpc.c
index 48b5bd2944..b856c5d452 100644
--- a/src/app-layer-dcerpc.c
+++ b/src/app-layer-dcerpc.c
@@ -1775,17 +1775,23 @@ int32_t DCERPCParser(DCERPC *dcerpc, uint8_t *input, uint32_t input_len) {
 
 static int DCERPCParse(Flow *f, void *dcerpc_state,
                        AppLayerParserState *pstate,
                        uint8_t *input, uint32_t input_len,
-                       void *local_data, AppLayerParserResult *output) {
+                       void *local_data, AppLayerParserResult *output, int dir) {
     SCEnter();
     int32_t retval = 0;
     DCERPCState *sstate = (DCERPCState *) dcerpc_state;
 
+    if (sstate->dcerpc.bytesprocessed != 0 && sstate->data_needed_for_dir != dir) {
+        SCReturnInt(-1);
+    }
+
     retval = DCERPCParser(&sstate->dcerpc, input, input_len);
     if (retval == -1) {
         SCReturnInt(0);
     }
 
+    sstate->data_needed_for_dir = dir;
+
     if (pstate == NULL)
         SCReturnInt(-1);
 
@@ -1794,6 +1800,24 @@ static int DCERPCParse(Flow *f, void *dcerpc_state,
 
     SCReturnInt(1);
 }
 
+static int DCERPCParseRequest(Flow *f, void *dcerpc_state,
+                              AppLayerParserState *pstate,
+                              uint8_t *input, uint32_t input_len,
+                              void *local_data, AppLayerParserResult *output)
+{
+    return DCERPCParse(f, dcerpc_state, pstate, input, input_len,
+                       local_data, output, 0);
+}
+
+static int DCERPCParseResponse(Flow *f, void *dcerpc_state,
+                               AppLayerParserState *pstate,
+                               uint8_t *input, uint32_t input_len,
+                               void *local_data, AppLayerParserResult *output)
+{
+    return DCERPCParse(f, dcerpc_state, pstate, input, input_len,
+                       local_data, output, 1);
+}
+
 static void *DCERPCStateAlloc(void) {
     SCEnter();
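Review bot: The guard added at the top of DCERPCParse turns a direction change mid-PDU into a hard parser error, and DCERPCParserTest19 in this same patch pins that AppLayerParse reports it as a failure; if, as is usual for that return value, the app layer then stops parsing the flow, a legitimate interleaving (the peer's data arriving while a fragment is still being assembled in the shared state) silently costs inspection coverage for the rest of the flow until per-direction state exists. That trade-off belongs in a comment above the check, e.g. `/* TEMP: parser state is shared by both directions; reject the peer's data until the current PDU completes rather than corrupt it. Proper fix: per-direction state. */`. `dir` is declared `int` here but is compared with the `uint8_t data_needed_for_dir` field and SMBParse takes `uint8_t dir`; use `uint8_t dir` in both. The wrappers in the next hunk pass bare `0`/`1`; named constants (constructed names: `DCERPC_DIR_REQUEST`/`DCERPC_DIR_RESPONSE`) would make the pairing with STREAM_TOSERVER/STREAM_TOCLIENT in RegisterDCERPCParsers visible. DCERPCParse's body continues past the hunk, and DCERPCStateAlloc, whose zeroing of the new field the first call depends on, starts after it.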
@@ -1863,9 +1887,9 @@ void RegisterDCERPCParsers(void) {
         AlpProtoAdd(&alp_proto_ctx, proto_name, IPPROTO_TCP, ALPROTO_DCERPC, "|05 00|", 2, 0, STREAM_TOSERVER);
 
         AppLayerRegisterProto(proto_name, ALPROTO_DCERPC, STREAM_TOSERVER,
-                              DCERPCParse);
+                              DCERPCParseRequest);
         AppLayerRegisterProto(proto_name, ALPROTO_DCERPC, STREAM_TOCLIENT,
-                              DCERPCParse);
+                              DCERPCParseResponse);
         AppLayerRegisterStateFuncs(ALPROTO_DCERPC, DCERPCStateAlloc,
                                    DCERPCStateFree);
         AppLayerRegisterTransactionIdFuncs(ALPROTO_DCERPC,
@@ -4699,7 +4723,7 @@ int DCERPCParserTest12(void) {
 
     StreamTcpInitConfig(TRUE);
 
-    r = AppLayerParse(NULL, &f, ALPROTO_DCERPC, STREAM_TOSERVER,
+    r = AppLayerParse(NULL, &f, ALPROTO_DCERPC, STREAM_TOCLIENT,
                       bind_ack1, bind_ack1_len);
     if (r != 0) {
         printf("dcerpc header check returned %" PRId32 ", expected 0: ", r);
@@ -5747,6 +5771,253 @@ end: return result; } +int DCERPCParserTest19(void) +{ + int result = 0; + Flow f; + uint8_t dcerpcbind[] = { + 0x05, 0x00, + 0x0b, 0x03, 0x10, 0x00, 0x00, 0x00, 0x3c, 0x04, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xd0, 0x16, + 0xd0, 0x16, 0x00, 0x00, 0x00, 0x00, 0x18, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x2c, 0xd0, + 0x28, 0xda, 0x76, 0x91, 0xf6, 0x6e, 0xcb, 0x0f, + 0xbf, 0x85, 0xcd, 0x9b, 0xf6, 0x39, 0x01, 0x00, + 0x03, 0x00, 0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, + 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, + 0x48, 0x60, 0x02, 0x00, 0x00, 0x00, 0x01, 0x00, + 0x01, 0x00, 0x2c, 0x75, 0xce, 0x7e, 0x82, 0x3b, + 0x06, 0xac, 0x1b, 0xf0, 0xf5, 0xb7, 0xa7, 0xf7, + 0x28, 0xaf, 0x05, 0x00, 0x00, 0x00, 0x04, 0x5d, + 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, + 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, + 0x00, 0x00, 0x02, 0x00, 0x01, 0x00, 0xe3, 0xb2, + 0x10, 0xd1, 0xd0, 0x0c, 0xcc, 0x3d, 0x2f, 0x80, + 0x20, 0x7c, 0xef, 0xe7, 0x09, 0xe0, 0x04, 0x00, + 0x00, 0x00, 0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, + 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, + 0x48, 0x60, 0x02, 0x00, 0x00, 0x00, 0x03, 0x00, + 0x01, 0x00, 0xde, 0x85, 0x70, 0xc4, 0x02, 0x7c, + 0x60, 0x23, 0x67, 0x0c, 0x22, 0xbf, 0x18, 0x36, + 0x79, 0x17, 0x01, 0x00, 0x02, 0x00, 0x04, 0x5d, + 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, + 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, + 0x00, 0x00, 0x04, 0x00, 0x01, 0x00, 0x41, 0x65, + 0x29, 0x51, 0xaa, 0xe7, 0x7b, 0xa8, 0xf2, 0x37, + 0x0b, 0xd0, 0x3f, 0xb3, 0x36, 0xed, 0x05, 0x00, + 0x01, 0x00, 0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, + 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, + 0x48, 0x60, 0x02, 0x00, 0x00, 0x00, 0x05, 0x00, + 0x01, 0x00, 0x14, 0x96, 0x80, 0x01, 0x2e, 0x78, + 0xfb, 0x5d, 0xb4, 0x3c, 0x14, 0xb3, 0x3d, 0xaa, + 0x02, 0xfb, 0x06, 0x00, 0x00, 0x00, 0x04, 0x5d, + 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, + 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, + 0x00, 0x00, 0x06, 0x00, 0x01, 0x00, 0x3b, 0x04, + 
0x68, 0x3e, 0x63, 0xfe, 0x9f, 0xd8, 0x64, 0x55, + 0xcd, 0xe7, 0x39, 0xaf, 0x98, 0x9f, 0x03, 0x00, + 0x00, 0x00, 0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, + 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, + 0x48, 0x60, 0x02, 0x00, 0x00, 0x00, 0x07, 0x00, + 0x01, 0x00, 0x16, 0x7a, 0x4f, 0x1b, 0xdb, 0x25, + 0x92, 0x55, 0xdd, 0xae, 0x9e, 0x5b, 0x3e, 0x93, + 0x66, 0x93, 0x04, 0x00, 0x01, 0x00, 0x04, 0x5d, + 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, + 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, + 0x00, 0x00, 0x08, 0x00, 0x01, 0x00, 0xe8, 0xa4, + 0x8a, 0xcf, 0x95, 0x6c, 0xc7, 0x8f, 0x14, 0xcc, + 0x56, 0xfc, 0x7b, 0x5f, 0x4f, 0xe8, 0x04, 0x00, + 0x00, 0x00, 0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, + 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, + 0x48, 0x60, 0x02, 0x00, 0x00, 0x00, 0x09, 0x00, + 0x01, 0x00, 0xd8, 0xda, 0xfb, 0xbc, 0xa2, 0x55, + 0x6f, 0x5d, 0xc0, 0x2d, 0x88, 0x6f, 0x00, 0x17, + 0x52, 0x8d, 0x06, 0x00, 0x03, 0x00, 0x04, 0x5d, + 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, + 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, + 0x00, 0x00, 0x0a, 0x00, 0x01, 0x00, 0x3f, 0x17, + 0x55, 0x0c, 0xf4, 0x23, 0x3c, 0xca, 0xe6, 0xa0, + 0xaa, 0xcc, 0xb5, 0xe3, 0xf9, 0xce, 0x04, 0x00, + 0x00, 0x00, 0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, + 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, + 0x48, 0x60, 0x02, 0x00, 0x00, 0x00, 0x0b, 0x00, + 0x01, 0x00, 0x6a, 0x28, 0x19, 0x39, 0x0c, 0xb1, + 0xd0, 0x11, 0x9b, 0xa8, 0x00, 0xc0, 0x4f, 0xd9, + 0x2e, 0xf5, 0x00, 0x00, 0x00, 0x00, 0x04, 0x5d, + 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, + 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, + 0x00, 0x00, 0x0c, 0x00, 0x01, 0x00, 0xc9, 0x9f, + 0x3e, 0x6e, 0x82, 0x0a, 0x2b, 0x28, 0x37, 0x78, + 0xe1, 0x13, 0x70, 0x05, 0x38, 0x4d, 0x01, 0x00, + 0x02, 0x00, 0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, + 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, + 0x48, 0x60, 0x02, 0x00, 0x00, 0x00, 0x0d, 0x00, + 0x01, 0x00, 0x11, 0xaa, 0x4b, 0x15, 0xdf, 0xa6, + 0x86, 0x3f, 0xfb, 0xe0, 0x09, 0xb7, 0xf8, 0x56, + 
0xd2, 0x3f, 0x05, 0x00, 0x00, 0x00, 0x04, 0x5d, + 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, + 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, + 0x00, 0x00, 0x0e, 0x00, 0x01, 0x00, 0xee, 0x99, + 0xc4, 0x25, 0x11, 0xe4, 0x95, 0x62, 0x29, 0xfa, + 0xfd, 0x26, 0x57, 0x02, 0xf1, 0xce, 0x03, 0x00, + 0x00, 0x00, 0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, + 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, + 0x48, 0x60, 0x02, 0x00, 0x00, 0x00, 0x0f, 0x00, + 0x01, 0x00, 0xba, 0x81, 0x9e, 0x1a, 0xdf, 0x2b, + 0xba, 0xe4, 0xd3, 0x17, 0x41, 0x60, 0x6d, 0x2d, + 0x9e, 0x28, 0x03, 0x00, 0x03, 0x00, 0x04, 0x5d, + 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, + 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, + 0x00, 0x00, 0x10, 0x00, 0x01, 0x00, 0xa0, 0x24, + 0x03, 0x9a, 0xa9, 0x99, 0xfb, 0xbe, 0x49, 0x11, + 0xad, 0x77, 0x30, 0xaa, 0xbc, 0xb6, 0x02, 0x00, + 0x03, 0x00, 0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, + 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, + 0x48, 0x60, 0x02, 0x00, 0x00, 0x00, 0x11, 0x00, + 0x01, 0x00, 0x32, 0x04, 0x7e, 0xae, 0xec, 0x28, + 0xd1, 0x55, 0x83, 0x4e, 0xc3, 0x47, 0x5d, 0x1d, + 0xc6, 0x65, 0x02, 0x00, 0x03, 0x00, 0x04, 0x5d, + 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, + 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, + 0x00, 0x00, 0x12, 0x00, 0x01, 0x00, 0xc6, 0xa4, + 0x81, 0x48, 0x66, 0x2a, 0x74, 0x7d, 0x56, 0x6e, + 0xc5, 0x1d, 0x19, 0xf2, 0xb5, 0xb6, 0x03, 0x00, + 0x02, 0x00, 0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, + 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, + 0x48, 0x60, 0x02, 0x00, 0x00, 0x00, 0x13, 0x00, + 0x01, 0x00, 0xcb, 0xae, 0xb3, 0xc0, 0x0c, 0xf4, + 0xa4, 0x5e, 0x91, 0x72, 0xdd, 0x53, 0x24, 0x70, + 0x89, 0x02, 0x05, 0x00, 0x03, 0x00, 0x04, 0x5d, + 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, + 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, + 0x00, 0x00, 0x14, 0x00, 0x01, 0x00, 0xb8, 0xd0, + 0xa0, 0x1a, 0x5e, 0x7a, 0x2d, 0xfe, 0x35, 0xc6, + 0x7d, 0x08, 0x0d, 0x33, 0x73, 0x18, 0x02, 0x00, + 0x02, 0x00, 0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, + 
}; + + uint8_t dcerpcbindack[] = { + 0x05, 0x00, 0x0c, 0x03, + 0x10, 0x00, 0x00, 0x00, 0x6c, 0x02, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0xb8, 0x10, 0xb8, 0x10, + 0xce, 0x47, 0x00, 0x00, 0x0c, 0x00, 0x5c, 0x50, + 0x49, 0x50, 0x45, 0x5c, 0x6c, 0x73, 0x61, 0x73, + 0x73, 0x00, 0xf6, 0x6e, 0x18, 0x00, 0x00, 0x00, + 0x02, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x02, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x02, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x02, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x02, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x02, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x02, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x02, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x02, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x02, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x02, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x04, 0x5d, 
0x88, 0x8a, + 0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00, + 0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, 0x00, 0x00, + 0x02, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x02, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x02, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x02, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x02, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x02, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x02, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x02, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x02, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x02, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x02, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x02, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}; + + uint32_t bindlen = sizeof(dcerpcbind); + uint32_t bindacklen = 
sizeof(dcerpcbindack);
+    TcpSession ssn;
+
+    memset(&f, 0, sizeof(f));
+    memset(&ssn, 0, sizeof(ssn));
+
+    FLOW_INITIALIZE(&f);
+    f.protoctx = (void *)&ssn;
+
+    StreamTcpInitConfig(TRUE);
+
+    int r = AppLayerParse(NULL, &f, ALPROTO_DCERPC, STREAM_TOSERVER | STREAM_START, dcerpcbind, bindlen);
+    if (r != 0) {
+        printf("dcerpc header check returned %" PRId32 ", expected 0: ", r);
+        goto end;
+    }
+
+    DCERPCState *dcerpc_state = f.alstate;
+    if (dcerpc_state == NULL) {
+        printf("no dcerpc state: ");
+        goto end;
+    }
+
+    if (dcerpc_state->dcerpc.bytesprocessed == 0) {
+        printf("request - dce parser bytesprocessed should not be 0.\n");
+        goto end;
+    }
+
+    r = AppLayerParse(NULL, &f, ALPROTO_DCERPC, STREAM_TOCLIENT, dcerpcbindack, bindacklen);
+    if (r == 0) {
+        printf("dce parser didn't return fail\n");
+        goto end;
+    }
+
+    result = 1;
+end:
+    StreamTcpFreeConfig(TRUE);
+    FLOW_DESTROY(&f);
+    return result;
+}
+
 #endif /* UNITTESTS */
 
 void DCERPCParserRegisterTests(void) {
@@ -5769,6 +6040,7 @@ void DCERPCParserRegisterTests(void) {
     UtRegisterTest("DCERPCParserTest16", DCERPCParserTest16, 1);
     UtRegisterTest("DCERPCParserTest17", DCERPCParserTest17, 1);
     UtRegisterTest("DCERPCParserTest18", DCERPCParserTest18, 1);
+    UtRegisterTest("DCERPCParserTest19", DCERPCParserTest19, 1);
 #endif /* UNITTESTS */
 
     return;
diff --git a/src/app-layer-dcerpc.h b/src/app-layer-dcerpc.h
index bc6abe14ac..4781f0d1ae 100644
--- a/src/app-layer-dcerpc.h
+++ b/src/app-layer-dcerpc.h
@@ -33,6 +33,7 @@
 
 typedef struct DCERPCState_ {
     DCERPC dcerpc;
+    uint8_t data_needed_for_dir;
 } DCERPCState;
 
 void RegisterDCERPCParsers(void);
diff --git a/src/app-layer-smb.c b/src/app-layer-smb.c
index 3e8eaffa45..399a36c4da 100644
--- a/src/app-layer-smb.c
+++ b/src/app-layer-smb.c
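Review bot: DCERPCParserTest19 only checks that the STREAM_TOCLIENT parse reports failure; it never checks the thing the guard is supposed to protect, so a parse that fails for an unrelated reason still passes. Before the TOCLIENT call add `if (dcerpc_state->data_needed_for_dir != 0) { printf("data_needed_for_dir should be 0 after the request: "); goto end; }`, and after it assert that `dcerpc_state->dcerpc.bytesprocessed` still holds the value observed after the bind, which shows the shared state was left untouched. The bind fixture is shorter than the 0x043c frag_length in its own header, which is what leaves bytesprocessed non-zero; a one-line comment on the array saying the PDU is intentionally truncated would spare the next reader from counting bytes.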
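Review bot: The new `data_needed_for_dir` field in DCERPCState is undocumented, and its meaning can only be recovered from the wrappers in app-layer-dcerpc.c. Add above it `/** direction of the PDU currently being assembled: 0 = request (to server), 1 = response (to client); only meaningful while dcerpc.bytesprocessed != 0 */`. The field added to SMBState in app-layer-smb.h further down needs the same comment. The guard in DCERPCParse relies on this field starting at 0 for the first call, so the state allocator (its body is outside this view) must zero the whole struct; worth confirming rather than assuming.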
@@ -1046,7 +1046,7 @@ static int SMBParseHeader(Flow *f, void *smb_state,
 
 static int SMBParse(Flow *f, void *smb_state, AppLayerParserState *pstate,
                     uint8_t *input, uint32_t input_len,
-                    void *local_data, AppLayerParserResult *output)
+                    void *local_data, AppLayerParserResult *output, uint8_t dir)
 {
     SCEnter();
 
@@ -1061,11 +1061,15 @@ static int SMBParse(Flow *f, void *smb_state, AppLayerParserState *pstate,
         SCReturnInt(0);
     }
 
+    if (sstate->bytesprocessed != 0 && sstate->data_needed_for_dir != dir) {
+        SCReturnInt(-1);
+    }
+
     while (input_len) {
         /* till we clear corner cases */
         if (counter++ == 30) {
             SCLogDebug("Somehow seem to be stuck inside the smb "
-                    "parser for quite sometime. Let's get out of here.");
+                       "parser for quite sometime. Let's get out of here.");
             sstate->bytesprocessed = 0;
             SCReturnInt(0);
         }
@@ -1255,9 +1259,25 @@ static int SMBParse(Flow *f, void *smb_state, AppLayerParserState *pstate,
     pstate->parse_field = 0;
 
+    sstate->data_needed_for_dir = dir;
     SCReturnInt(1);
 }
 
+static int SMBParseRequest(Flow *f, void *smb_state, AppLayerParserState *pstate,
+                           uint8_t *input, uint32_t input_len,
+                           void *local_data, AppLayerParserResult *output)
+{
+    return SMBParse(f, smb_state, pstate, input, input_len, local_data, output, 0);
+}
+
+static int SMBParseResponse(Flow *f, void *smb_state, AppLayerParserState *pstate,
+                            uint8_t *input, uint32_t input_len,
+                            void *local_data, AppLayerParserResult *output)
+{
+    return SMBParse(f, smb_state, pstate, input, input_len, local_data, output, 1);
+}
+
+
 /**
  * \brief determines if the SMB command is an ANDX command
  * \retval 1 if smb command is an AndX command
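Review bot: SMBParse records `sstate->data_needed_for_dir = dir` only on the final return path (hunk at -1255), whereas DCERPCParse records it right after its parse call. Any return inside the while loop that leaves bytesprocessed non-zero (the counter guard resets it; the other exits are outside these hunks) leaves the field stale, so the next segment in the very same direction is then rejected by the guard added at -1061, i.e. the parser fails on its own partial PDU. Setting the field immediately after that guard, `sstate->data_needed_for_dir = dir;`, makes the two parsers behave the same and removes the dependence on how the loop exits; the assignment at -1255 then becomes redundant. The bare `0`/`1` in SMBParseRequest/SMBParseResponse share the magic-number problem with the DCERPC wrappers. SMBParse's body continues between and beyond these hunks.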
@@ -1400,8 +1420,8 @@ void RegisterSMBParsers(void) {
 
         /** SMB2 */
         AlpProtoAdd(&alp_proto_ctx, "smb2", IPPROTO_TCP, ALPROTO_SMB2, "|fe|SMB", 8, 4, STREAM_TOSERVER);
 
-        AppLayerRegisterProto(proto_name, ALPROTO_SMB, STREAM_TOSERVER, SMBParse);
-        AppLayerRegisterProto(proto_name, ALPROTO_SMB, STREAM_TOCLIENT, SMBParse);
+        AppLayerRegisterProto(proto_name, ALPROTO_SMB, STREAM_TOSERVER, SMBParseRequest);
+        AppLayerRegisterProto(proto_name, ALPROTO_SMB, STREAM_TOCLIENT, SMBParseResponse);
         AppLayerRegisterStateFuncs(ALPROTO_SMB, SMBStateAlloc, SMBStateFree);
         AppLayerRegisterTransactionIdFuncs(ALPROTO_SMB, SMBUpdateTransactionId, NULL);
@@ -2376,6 +2396,90 @@ end:
     return result;
 }
 
+/**
+ * \test Test to temporarily to show the direction demaraction issue in the
+ *       smb parser.
+ */
+int SMBParserTest10(void)
+{
+    int result = 0;
+    Flow f;
+    uint8_t smbbuf1[] = {
+        /* partial request */
+        0x00, 0x00, 0x00, 0x85, 0xff, 0x53, 0x4d, 0x42,
+        0x72, 0x00, 0x00, 0x00, 0x00, 0x18, 0x53, 0xc8,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xff, 0xfe,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x62, 0x00, 0x02,
+        0x50, 0x43, 0x20, 0x4e, 0x45, 0x54, 0x57, 0x4f,
+        0x52, 0x4b, 0x20, 0x50, 0x52, 0x4f, 0x47, 0x52,
+        0x41, 0x4d, 0x20, 0x31, 0x2e, 0x30, 0x00, 0x02,
+        0x4c, 0x41, 0x4e, 0x4d, 0x41, 0x4e, 0x31, 0x2e,
+        0x30, 0x00, 0x02, 0x57, 0x69, 0x6e, 0x64, 0x6f,
+        0x77, 0x73, 0x20, 0x66, 0x6f, 0x72, 0x20, 0x57,
+        0x6f, 0x72, 0x6b, 0x67, 0x72, 0x6f, 0x75, 0x70,
+        0x73, 0x20, 0x33, 0x2e, 0x31, 0x61, 0x00, 0x02,
+        0x4c, 0x4d, 0x31, 0x2e, 0x32, 0x58, 0x30, 0x30,
+        0x32, 0x00, 0x02, 0x4c, 0x41, 0x4e, 0x4d, 0x41,
+    };
+    //0x4e, 0x32, 0x2e, 0x31, 0x00, 0x02, 0x4e, 0x54,
+    //0x20, 0x4c, 0x4d, 0x20, 0x30, 0x2e, 0x31, 0x32,
+    //0x00
+
+    uint8_t smbbuf2[] = {
+        /* response */
+        0x00, 0x00, 0x00, 0x55, 0xff, 0x53, 0x4d, 0x42,
+        0x72, 0x00, 0x00, 0x00, 0x00, 0x98, 0x53, 0xc8,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xff, 0xfe,
+        0x00, 0x00, 0x00, 0x00, 0x11, 0x05, 0x00, 0x03,
+        0x32, 0x00, 0x01, 0x00, 0x04, 0x41, 0x00, 0x00,
+        0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0xfd, 0xf3, 0x00, 0x80, 0x20, 0x03, 0x1a, 0x2d,
+        0x77, 0x98, 0xc5, 0x01, 0xa4, 0x01, 0x00, 0x10,
+        0x00, 0xb7, 0xeb, 0x0b, 0x05, 0x21, 0x22, 0x50,
+        0x42, 0x8c, 0x38, 0x2a, 0x7f, 0xc5, 0x6a, 0x7c,
+        0x0c
+    };
+    uint32_t smblen1 = sizeof(smbbuf1);
+    uint32_t smblen2 = sizeof(smbbuf2);
+    TcpSession ssn;
+    int r = 0;
+    memset(&f, 0, sizeof(f));
+    memset(&ssn, 0, sizeof(ssn));
+    f.protoctx = (void *)&ssn;
+
+    StreamTcpInitConfig(TRUE);
+
+    r = AppLayerParse(NULL, &f, ALPROTO_SMB, 
STREAM_TOSERVER | STREAM_START, smbbuf1, smblen1);
+    if (r != 0) {
+        printf("smb header check returned %" PRId32 ", expected 0: ", r);
+        goto end;
+    }
+
+    SMBState *smb_state = f.alstate;
+    if (smb_state == NULL) {
+        printf("no smb state: ");
+        goto end;
+    }
+
+    if (smb_state->bytesprocessed == 0) {
+        printf("request - smb parser bytesprocessed should not be 0.\n");
+        goto end;
+    }
+
+    r = AppLayerParse(NULL, &f, ALPROTO_SMB, STREAM_TOCLIENT, smbbuf2, smblen2);
+    if (r == 0) {
+        printf("smb parser didn't return fail\n");
+        goto end;
+    }
+
+    result = 1;
+end:
+    StreamTcpFreeConfig(TRUE);
+    return result;
+}
+
 #endif
 
 void SMBParserRegisterTests(void) {
@@ -2389,6 +2493,7 @@ void SMBParserRegisterTests(void) {
     UtRegisterTest("SMBParserTest07", SMBParserTest07, 1);
     UtRegisterTest("SMBParserTest08", SMBParserTest08, 1);
     UtRegisterTest("SMBParserTest09", SMBParserTest09, 1);
+    UtRegisterTest("SMBParserTest10", SMBParserTest10, 1);
 #endif
 
 }
diff --git a/src/app-layer-smb.h b/src/app-layer-smb.h
index 30265d9897..48d4fa8430 100644
--- a/src/app-layer-smb.h
+++ b/src/app-layer-smb.h
@@ -85,6 +85,7 @@ typedef struct SMBState_ {
     SMBAndX andx;
     DCERPC dcerpc;
     uint8_t dcerpc_present;
+    uint8_t data_needed_for_dir;
 } SMBState;
 
 #define SMB_FLAGS_SERVER_TO_REDIR 0x80
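Review bot: SMBParserTest10 keeps the withheld tail of the request as commented-out hex (the three `//0x..` rows after smbbuf1), which invites someone to "fix" the fixture by uncommenting it; replace them with a comment stating the intent, e.g. `/* last 17 bytes of the dialect list withheld on purpose: NetBIOS length is 0x85 (137 bytes with the header) but only 120 are fed, so the request stays partial */`. As in DCERPCParserTest19, the test asserts only that the STREAM_TOCLIENT parse fails; add `if (smb_state->data_needed_for_dir != 0) { printf("data_needed_for_dir should be 0 after the request: "); goto end; }` before that call so the test fails for the intended reason. Unlike DCERPCParserTest19 this test never calls FLOW_INITIALIZE/FLOW_DESTROY on `f`; whether the state attached to f.alstate is then leaked depends on code outside this hunk, but the two new tests should at least agree. The doc comment reads `Test to temporarily to show the direction demaraction issue`; `Temporarily shows the direction demarcation issue in the smb parser.` says the same thing without the typos.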