aiden
/
suricata
mirror of https://github.com/OISF/suricata
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
You cannot select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
master
main-7.0.x
master-6.0.x
master-5.0.x
master-4.1.x
master-4.0.x
master-3.2.x
suricata-8.0.0
suricata-7.0.11
suricata-8.0.0-rc1
suricata-8.0.0-beta1
suricata-7.0.10
suricata-7.0.9
suricata-7.0.8
suricata-7.0.7
suricata-7.0.6
suricata-6.0.20
suricata-7.0.5
suricata-6.0.19
suricata-6.0.18
suricata-7.0.4
suricata-6.0.17
suricata-7.0.3
suricata-6.0.16
suricata-7.0.2
suricata-6.0.15
suricata-7.0.1
suricata-6.0.14
suricata-7.0.0
suricata-7.0.0-rc2
suricata-6.0.13
suricata-6.0.12
suricata-6.0.11
suricata-7.0.0-rc1
suricata-6.0.10
suricata-6.0.9
suricata-7.0.0-beta1
suricata-6.0.8
suricata-6.0.7
suricata-6.0.6
suricata-5.0.10
suricata-6.0.5
suricata-5.0.9
suricata-6.0.4
suricata-5.0.8
suricata-6.0.3
suricata-5.0.7
suricata-6.0.2
suricata-5.0.6
suricata-6.0.1
suricata-5.0.5
suricata-4.1.10
suricata-4.1.9
suricata-5.0.4
suricata-6.0.0
suricata-6.0.0-rc1
suricata-6.0.0-beta1
suricata-5.0.3
suricata-4.1.8
suricata-4.1.7
suricata-5.0.2
suricata-4.1.6
suricata-5.0.1
suricata-5.0.0
suricata-5.0.0-rc1
suricata-4.1.5
suricata-5.0.0-beta1
suricata-4.1.4
suricata-4.1.3
suricata-4.0.7
suricata-4.1.2
suricata-4.1.1
suricata-4.1.0
suricata-4.0.6
suricata-4.1.0-rc2
suricata-4.1.0-rc1
suricata-4.0.5
suricata-4.1.0-beta1
suricata-4.0.4
suricata-4.0.3
suricata-4.0.2
suricata-3.2.5
suricata-4.0.1
suricata-3.2.4
suricata-4.0.0
suricata-4.0.0-rc2
suricata-3.2.3
suricata-4.0.0-rc1
suricata-4.0.0-beta1
suricata-3.2.2
suricata-3.1.4
suricata-3.2.1
suricata-3.2
suricata-3.2RC1
suricata-3.1.3
suricata-3.2beta1
suricata-3.1.2
suricata-3.1.1
suricata-3.1
suricata-3.0.2
suricata-3.1RC1
suricata-3.0.1
suricata-3.0.1RC1
suricata-3.0
suricata-2.0.11
suricata-3.0RC3
suricata-3.0RC2
suricata-3.0RC1
suricata-2.0.10
suricata-2.0.9
suricata-2.1beta4
suricata-2.0.8
suricata-2.0.7
suricata-2.1beta3
suricata-2.0.6
suricata-2.0.5
suricata-2.1beta2
suricata-2.0.4
suricata-2.1beta1
suricata-2.0.3
suricata-2.0.2
suricata-2.0.1
suricata-2.0.1rc1
suricata-2.0
suricata-2.0rc3
suricata-2.0rc2
suricata-2.0rc1
suricata-2.0beta2
suricata-1.4.7
suricata-1.4.6
suricata-1.4.5
suricata-2.0beta1
suricata-1.4.4
suricata-1.4.3
suricata-1.4.2
suricata-1.4.1
suricata-1.3.6
suricata-1.4
suricata-1.3.5
suricata-1.4rc1
suricata-1.3.4
suricata-1.4beta3
suricata-1.3.3
suricata-1.4beta2
suricata-1.3.2
suricata-1.4beta1
suricata-1.3.1
suricata-1.3
suricata-1.3rc1
suricata-1.3beta2
suricata-1.3beta1
suricata-1.2.1
suricata-1.2
suricata-1.2rc1
suricata-1.2beta1
suricata-1.1.1
suricata-0.8.2
suricata-1.0.0
suricata-1.0.1
suricata-1.0.2
suricata-1.0.3
suricata-1.0.4
suricata-1.0.5
suricata-1.1
suricata-1.1beta1
suricata-1.1beta2
suricata-1.1beta3
suricata-1.1rc1
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '8eac5fc221'
${ noResults }
suricata/rust/src/smb/events.rs

91 lines
3.1 KiB
Rust
Raw Normal View History Unescape Escape

rust/smb: initial support Implement SMB app-layer parser for SMB1/2/3. Features: - file extraction - eve logging - existing dce keyword support - smb_share/smb_named_pipe keyword support (stickybuffers) - auth meta data extraction (ntlmssp, kerberos5)
8 years ago
/* Copyright (C) 2018 Open Information Security Foundation
*
* You can copy, redistribute or modify this Program under the terms of
* the GNU General Public License version 2 as published by the Free
* Software Foundation.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* version 2 along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
* 02110-1301, USA.
*/
rust: update to Rust 2018 with cargo fix Migrate to Rust 2018 edition. Credit to Danny Browning for first demontrating this: https://github.com/OISF/suricata/pull/3604/commits
6 years ago
use crate::core::*;
use crate::smb::smb::*;
rust/smb: initial support Implement SMB app-layer parser for SMB1/2/3. Features: - file extraction - eve logging - existing dce keyword support - smb_share/smb_named_pipe keyword support (stickybuffers) - auth meta data extraction (ntlmssp, kerberos5)
8 years ago
#[repr(u32)]
pub enum SMBEvent {
InternalError = 0,
MalformedData = 1,
RecordOverflow = 2,
MalformedNtlmsspRequest = 3,
MalformedNtlmsspResponse = 4,
DuplicateNegotiate = 5,
smb1: set event on empty/malformed dialect
7 years ago
NegotiateMalformedDialects = 6,
smb: adds file overlap event against evasions Evasion scenario is - a first dummy write of one byte at offset 0 is done - the second full write of EICAR at offset 0 is then done and does not trigger detection The last write had the final value, and as we cannot "cancel" the previous write, we set an event which is then transformed into an app-layer decoder alert
5 years ago
FileOverlap = 7,
rust/smb: initial support Implement SMB app-layer parser for SMB1/2/3. Features: - file extraction - eve logging - existing dce keyword support - smb_share/smb_named_pipe keyword support (stickybuffers) - auth meta data extraction (ntlmssp, kerberos5)
8 years ago
}
rust/smb: Implement get event by id
6 years ago
impl SMBEvent {
pub fn from_i32(value: i32) -> Option<SMBEvent> {
match value {
0 => Some(SMBEvent::InternalError),
1 => Some(SMBEvent::MalformedData),
2 => Some(SMBEvent::RecordOverflow),
3 => Some(SMBEvent::MalformedNtlmsspRequest),
4 => Some(SMBEvent::MalformedNtlmsspResponse),
5 => Some(SMBEvent::DuplicateNegotiate),
6 => Some(SMBEvent::NegotiateMalformedDialects),
smb: adds file overlap event against evasions Evasion scenario is - a first dummy write of one byte at offset 0 is done - the second full write of EICAR at offset 0 is then done and does not trigger detection The last write had the final value, and as we cannot "cancel" the previous write, we set an event which is then transformed into an app-layer decoder alert
5 years ago
7 => Some(SMBEvent::FileOverlap),
rust/smb: Implement get event by id
6 years ago
_ => None,
}
}
}
rust/smb: initial support Implement SMB app-layer parser for SMB1/2/3. Features: - file extraction - eve logging - existing dce keyword support - smb_share/smb_named_pipe keyword support (stickybuffers) - auth meta data extraction (ntlmssp, kerberos5)
8 years ago
pub fn smb_str_to_event(instr: &str) -> i32 {
SCLogDebug!("checking {}", instr);
match instr {
"internal_error" => SMBEvent::InternalError as i32,
"malformed_data" => SMBEvent::MalformedData as i32,
"record_overflow" => SMBEvent::RecordOverflow as i32,
"malformed_ntlmssp_request" => SMBEvent::MalformedNtlmsspRequest as i32,
"malformed_ntlmssp_response" => SMBEvent::MalformedNtlmsspResponse as i32,
"duplicate_negotiate" => SMBEvent::DuplicateNegotiate as i32,
smb1: set event on empty/malformed dialect
7 years ago
"negotiate_malformed_dialects" => SMBEvent::NegotiateMalformedDialects as i32,
smb: adds file overlap event against evasions Evasion scenario is - a first dummy write of one byte at offset 0 is done - the second full write of EICAR at offset 0 is then done and does not trigger detection The last write had the final value, and as we cannot "cancel" the previous write, we set an event which is then transformed into an app-layer decoder alert
5 years ago
"file_overlap" => SMBEvent::FileOverlap as i32,
rust/smb: initial support Implement SMB app-layer parser for SMB1/2/3. Features: - file extraction - eve logging - existing dce keyword support - smb_share/smb_named_pipe keyword support (stickybuffers) - auth meta data extraction (ntlmssp, kerberos5)
8 years ago
_ => -1,
}
}
impl SMBTransaction {
/// Set event.
pub fn set_event(&mut self, e: SMBEvent) {
sc_app_layer_decoder_events_set_event_raw(&mut self.events, e as u8);
}
/// Set events from vector of events.
pub fn set_events(&mut self, events: Vec<SMBEvent>) {
for e in events {
sc_app_layer_decoder_events_set_event_raw(&mut self.events, e as u8);
}
}
}
impl SMBState {
/// Set an event. The event is set on the most recent transaction.
pub fn set_event(&mut self, event: SMBEvent) {
let len = self.transactions.len();
if len == 0 {
return;
}
let tx = &mut self.transactions[len - 1];
tx.set_event(event);
//sc_app_layer_decoder_events_set_event_raw(&mut tx.events, event as u8);
}
}