aiden
/
suricata
mirror of https://github.com/OISF/suricata
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

smb: move common parsing funcs into own file

Browse Source
pull/3281/head
Victor Julien 8 years ago
parent 1c701dc50e
commit 0ed00cf104
5 changed files with 68 additions and 46 deletions
Show Stats Download Patch File Download Diff File

1
rust/src/smb/mod.rs
Unescape Escape View File

@ -15,6 +15,7 @@
* 02110-1301, USA.
*/
pub mod smb_records;
pub mod smb1_records;
pub mod smb2_records;
pub mod nbss_records;

4
rust/src/smb/smb1.rs
Unescape Escape View File

@ -604,12 +604,12 @@ pub fn smb1_trans_request_record<'b>(state: &mut SMBState, r: &SmbRecord<'b>)
pipe.fid.to_vec());
}
let (sername, is_dcerpc) = get_service_for_nameslice(&rd.txname.name);
let (sername, is_dcerpc) = get_service_for_nameslice(&rd.txname.tx_name);
SCLogDebug!("service: {} dcerpc {}", sername, is_dcerpc);
if is_dcerpc {
// store tx name so the response also knows this is dcerpc
let txn_hdr = SMBCommonHdr::from1(r, SMBHDR_TYPE_TXNAME);
state.ssn2vec_map.insert(txn_hdr, rd.txname.name.to_vec());
state.ssn2vec_map.insert(txn_hdr, rd.txname.tx_name);
// trans request will tell us the max size of the response
// if there is more response data, it will first give a

19
rust/src/smb/smb1_records.rs
Unescape Escape View File

@ -18,6 +18,7 @@
use log::*;
use nom::{rest, le_u8, le_u16, le_u32, le_u64, IResult};
use smb::smb::*;
use smb::smb_records::*;
#[derive(Debug,PartialEq)]
pub struct Smb1WriteRequestRecord<'a> {
@ -167,7 +168,7 @@ named!(pub parse_smb_connect_tree_andx_record<SmbRecordTreeConnectAndX>,
pub struct SmbRecordTransRequest<'a> {
pub params: SmbRecordTransRequestParams,
pub pipe: Option<SmbPipeProtocolRecord<'a>>,
pub txname: SmbRecordTransRequestTxname<'a>,
pub txname: SmbRecordTransRequestTxname<>,
pub data: SmbRecordTransRequestData<'a>,
}
@ -231,29 +232,29 @@ named!(pub parse_smb_trans_request_record_params<(SmbRecordTransRequestParams, O
);
#[derive(Debug,PartialEq)]
pub struct SmbRecordTransRequestTxname<'a> {
pub name: &'a[u8],
pub struct SmbRecordTransRequestTxname<> {
pub tx_name: Vec<u8>,
}
pub fn parse_smb_trans_request_tx_name_ascii(i: &[u8])
fn parse_smb_trans_request_tx_name_ascii(i: &[u8])
-> IResult<&[u8], SmbRecordTransRequestTxname>
{
do_parse!(i,
name: take_until_and_consume!("\0")
name: smb_get_ascii_string
>> (SmbRecordTransRequestTxname {
name: name,
tx_name: name,
})
)
}
pub fn parse_smb_trans_request_tx_name_unicode(i: &[u8], offset: usize)
fn parse_smb_trans_request_tx_name_unicode(i: &[u8], offset: usize)
-> IResult<&[u8], SmbRecordTransRequestTxname>
{
do_parse!(i,
cond!(offset % 2 == 1, take!(1))
>> name: take_until_and_consume!("\0\0\0")
>> name: smb_get_unicode_string
>> (SmbRecordTransRequestTxname {
name: name,
tx_name: name,
})
)
}

37
rust/src/smb/smb1_session.rs
Unescape Escape View File

@ -15,10 +15,11 @@
* 02110-1301, USA.
*/
use nom::{IResult, ErrorKind};
use nom::{IResult};
use log::*;
use smb::smb_records::*;
use smb::smb1_records::*;
use smb::smb::*;
use smb::events::*;
@ -37,40 +38,6 @@ pub struct SessionSetupResponse {
pub native_lm: Vec<u8>,
}
/// parse a UTF16 string that is null terminated. Normally by 2 null
/// bytes, but at the end of the data it can also be a single null.
/// Skip every second byte.
pub fn smb_get_unicode_string(blob: &[u8]) -> IResult<&[u8], Vec<u8>>
{
SCLogDebug!("get_unicode_string: blob {} {:?}", blob.len(), blob);
let mut name : Vec<u8> = Vec::new();
let mut c = blob;
while c.len() >= 1 {
if c.len() == 1 && c[0] == 0 {
let rem = &c[1..];
SCLogDebug!("get_unicode_string: name {:?}", name);
return IResult::Done(rem, name)
} else if c.len() == 1 {
break;
} else if c[0] == 0 && c[1] == 0 {
let rem = &c[2..];
SCLogDebug!("get_unicode_string: name {:?}", name);
return IResult::Done(rem, name)
}
name.push(c[0]);
c = &c[2..];
//SCLogNotice!("get_unicode_string: c {:?}", c);
}
IResult::Error(error_code!(ErrorKind::Custom(130)))
}
/// parse an ASCII string that is null terminated
named!(pub smb_get_ascii_string<Vec<u8>>,
do_parse!(
s: take_until_and_consume!("\x00")
>> ( s.to_vec() )
));
pub fn smb1_session_setup_request_host_info(r: &SmbRecord, blob: &[u8]) -> SessionSetupRequest
{
if blob.len() > 1 && r.has_unicode_support() {

53
rust/src/smb/smb_records.rs
Unescape Escape View File

@ -0,0 +1,53 @@
/* Copyright (C) 2018 Open Information Security Foundation
*
* You can copy, redistribute or modify this Program under the terms of
* the GNU General Public License version 2 as published by the Free
* Software Foundation.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* version 2 along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
* 02110-1301, USA.
*/
use nom::{IResult, ErrorKind};
use log::*;
/// parse a UTF16 string that is null terminated. Normally by 2 null
/// bytes, but at the end of the data it can also be a single null.
/// Skip every second byte.
pub fn smb_get_unicode_string(blob: &[u8]) -> IResult<&[u8], Vec<u8>>
{
SCLogDebug!("get_unicode_string: blob {} {:?}", blob.len(), blob);
let mut name : Vec<u8> = Vec::new();
let mut c = blob;
while c.len() >= 1 {
if c.len() == 1 && c[0] == 0 {
let rem = &c[1..];
SCLogDebug!("get_unicode_string: name {:?}", name);
return IResult::Done(rem, name)
} else if c.len() == 1 {
break;
} else if c[0] == 0 && c[1] == 0 {
let rem = &c[2..];
SCLogDebug!("get_unicode_string: name {:?}", name);
return IResult::Done(rem, name)
}
name.push(c[0]);
c = &c[2..];
}
IResult::Error(error_code!(ErrorKind::Custom(130)))
}
/// parse an ASCII string that is null terminated
named!(pub smb_get_ascii_string<Vec<u8>>,
do_parse!(
s: take_until_and_consume!("\x00")
>> ( s.to_vec() )
));
Write Preview
Loading…
Cancel
Save