smb: fix event types for limit exceeded rules

pull/7282/head
Victor Julien 3 years ago
parent e7417a8e96
commit dc57460427

@ -32,13 +32,13 @@ alert smb any any -> any any (msg:"SURICATA SMB supported READ size exceeded"; f
alert smb any any -> any any (msg:"SURICATA SMB supported WRITE size exceeded"; flow:to_server; app-layer-event:smb.negotiate_max_write_size_too_large; classtype:protocol-command-decode; sid:2225013; rev:1;)
# checks 'app-layer.protocols.smb.max-write-queue-size` against out of order chunks
alert smb any any -> any any (msg:"SURICATA SMB max WRITE queue size exceeded"; flow:to_server; app-layer-event:smb.write_queue_size_too_large; classtype:protocol-command-decode; sid:2225014; rev:1;)
alert smb any any -> any any (msg:"SURICATA SMB max WRITE queue size exceeded"; flow:to_server; app-layer-event:smb.write_queue_size_exceeded; classtype:protocol-command-decode; sid:2225014; rev:1;)
# checks 'app-layer.protocols.smb.max-write-queue-cnt` against out of order chunks
alert smb any any -> any any (msg:"SURICATA SMB max WRITE queue cnt exceeded"; flow:to_server; app-layer-event:smb.write_queue_cnt_too_large; classtype:protocol-command-decode; sid:2225015; rev:1;)
alert smb any any -> any any (msg:"SURICATA SMB max WRITE queue cnt exceeded"; flow:to_server; app-layer-event:smb.write_queue_cnt_exceeded; classtype:protocol-command-decode; sid:2225015; rev:1;)
# checks 'app-layer.protocols.smb.max-read-queue-size` against out of order chunks
alert smb any any -> any any (msg:"SURICATA SMB max READ queue size exceeded"; flow:to_client; app-layer-event:smb.read_queue_size_too_large; classtype:protocol-command-decode; sid:2225016; rev:1;)
alert smb any any -> any any (msg:"SURICATA SMB max READ queue size exceeded"; flow:to_client; app-layer-event:smb.read_queue_size_exceeded; classtype:protocol-command-decode; sid:2225016; rev:1;)
# checks 'app-layer.protocols.smb.max-read-queue-cnt` against out of order chunks
alert smb any any -> any any (msg:"SURICATA SMB max READ queue cnt exceeded"; flow:to_client; app-layer-event:smb.read_queue_cnt_too_large; classtype:protocol-command-decode; sid:2225017; rev:1;)
alert smb any any -> any any (msg:"SURICATA SMB max READ queue cnt exceeded"; flow:to_client; app-layer-event:smb.read_queue_cnt_exceeded; classtype:protocol-command-decode; sid:2225017; rev:1;)
# next sid 2225018
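Review bot: Each of the four changed rules (sids 2225014 through 2225017) swaps its `app-layer-event` keyword but keeps `rev:1`; a rule whose match condition changes should bump its revision so rule managers and downstream consumers see it as a new version, e.g. `sid:2225014; rev:2;`. The comment line above each rule opens with a straight quote and closes with a backtick (`# checks 'app-layer.protocols.smb.max-write-queue-size` against ...`), which reads as a typo worth fixing in the same commit. Since these events are the only signal that SMB payload was skipped from file inspection, a test that asserts every `smb.*` event name in this file resolves to an event the SMB parser actually registers would stop the old/new name mismatch this commit fixes from coming back.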

@ -40,8 +40,8 @@ pub enum SMBEvent {
ReadRequestTooLarge,
/// READ response bigger than `max_read_size`
ReadResponseTooLarge,
ReadResponseQueueSizeExceeded,
ReadResponseQueueCntExceeded,
ReadQueueSizeExceeded,
ReadQueueCntExceeded,
/// WRITE request for more than `max_write_size`
WriteRequestTooLarge,
WriteQueueSizeExceeded,

@ -164,10 +164,10 @@ pub fn smb2_read_response_record<'b>(state: &mut SMBState, r: &Smb2Record<'b>)
set_event_fileoverlap = true;
}
if max_queue_size != 0 && tdf.file_tracker.get_inflight_size() + rd.len as u64 > max_queue_size.into() {
state.set_event(SMBEvent::ReadResponseQueueSizeExceeded);
state.set_event(SMBEvent::ReadQueueSizeExceeded);
state.set_skip(Direction::ToClient, rd.len, rd.data.len() as u32);
} else if max_queue_cnt != 0 && tdf.file_tracker.get_inflight_cnt() >= max_queue_cnt as usize {
state.set_event(SMBEvent::ReadResponseQueueCntExceeded);
state.set_event(SMBEvent::ReadQueueCntExceeded);
state.set_skip(Direction::ToClient, rd.len, rd.data.len() as u32);
} else {
filetracker_newchunk(&mut tdf.file_tracker, files, flags,
@ -238,10 +238,10 @@ pub fn smb2_read_response_record<'b>(state: &mut SMBState, r: &Smb2Record<'b>)
set_event_fileoverlap = true;
}
if max_queue_size != 0 && tdf.file_tracker.get_inflight_size() + rd.len as u64 > max_queue_size.into() {
state.set_event(SMBEvent::ReadResponseQueueSizeExceeded);
state.set_event(SMBEvent::ReadQueueSizeExceeded);
state.set_skip(Direction::ToClient, rd.len, rd.data.len() as u32);
} else if max_queue_cnt != 0 && tdf.file_tracker.get_inflight_cnt() >= max_queue_cnt as usize {
state.set_event(SMBEvent::ReadResponseQueueCntExceeded);
state.set_event(SMBEvent::ReadQueueCntExceeded);
state.set_skip(Direction::ToClient, rd.len, rd.data.len() as u32);
} else {
filetracker_newchunk(&mut tdf.file_tracker, files, flags,
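Review bot: The limit check in both hunks (the blocks starting at file lines 164 and 238) is the same eight lines — two comparisons, two `set_event` calls and two identical `set_skip` calls — so a later change to one copy (a third limit, a different skip length) can easily miss the other. Extracting it into a small helper that runs the size and count checks, sets the matching event and skip, and returns whether the chunk must be dropped would keep both call sites in step; whether the helper can take `state` and `tdf` together depends on how `tdf` is borrowed earlier in these functions, which is outside the hunks. Both enclosing functions start and end outside the hunks. Once `set_skip` runs the response payload is excluded from file tracking, so the event is the only trace that inspection was degraded; a one-line comment above the `if`, `// over limit: raise the event first, the skip below drops this data from file inspection`, would tell the next reader why the event precedes the skip.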
