smb: probing parser improvement

7 years ago · 177966970a
parent fd38989113
commit 177966970a
3 changed files with 32 additions and 10 deletions
--- a/rust/src/smb/nbss_records.rs
+++ b/rust/src/smb/nbss_records.rs
@ -32,7 +32,7 @@ pub struct NbssRecord<'a> {
 }

 impl<'a> NbssRecord<'a> {
-    pub fn is_smb(&self) -> bool {
+    pub fn is_valid(&self) -> bool {
        let valid = match self.message_type {
            NBSS_MSGTYPE_SESSION_MESSAGE |
            NBSS_MSGTYPE_SESSION_REQUEST |
@ -42,6 +42,10 @@ impl<'a> NbssRecord<'a> {
            NBSS_MSGTYPE_KEEP_ALIVE => true,
            _ => false,
        };
+        valid
+    }
+    pub fn is_smb(&self) -> bool {
+        let valid = self.is_valid();
        let smb = if self.data.len() >= 4 &&
            self.data[1] == 'S' as u8 && self.data[2] == 'M' as u8 && self.data[3] == 'B' as u8 &&
            (self.data[0] == b'\xFE' || self.data[0] == b'\xFF' || self.data[0] == b'\xFD')
--- a/rust/src/smb/smb.rs
+++ b/rust/src/smb/smb.rs
@ -1857,22 +1857,36 @@ pub extern "C" fn rs_smb_parse_response_tcp_gap(
    return -1;
 }

+// probing parser
+// return 1 if found, 0 is not found
 #[no_mangle]
 pub extern "C" fn rs_smb_probe_tcp(input: *const libc::uint8_t, len: libc::uint32_t)
                               -> libc::int8_t
 {
-    let slice: &[u8] = unsafe {
-        std::slice::from_raw_parts(input as *mut u8, len as usize)
-    };
+    let slice = build_slice!(input, len as usize);
+    match search_smb_record(slice) {
+        IResult::Done(_, _) => {
+            SCLogDebug!("smb found");
+            return 1;
+        },
+        _ => {
+            SCLogDebug!("smb not found in {:?}", slice);
+        },
+    }
    match parse_nbss_record_partial(slice) {
        IResult::Done(_, ref hdr) => {
            if hdr.is_smb() {
+                SCLogDebug!("smb found");
+                return 1;
+            } else if hdr.is_valid() {
+                SCLogDebug!("nbss found, assume smb");
                return 1;
            }
        },
        _ => { },
    }
-    return 1
+    SCLogDebug!("no smb");
+    return -1
 }

 #[no_mangle]
--- a/src/app-layer-smb-tcp-rust.c
+++ b/src/app-layer-smb-tcp-rust.c
@ -86,12 +86,16 @@ static uint16_t RustSMBTCPProbe(Flow *f,
        return ALPROTO_UNKNOWN;
    }

-    // Validate and return ALPROTO_FAILED if needed.
-    if (!rs_smb_probe_tcp(input, len)) {
-        return ALPROTO_FAILED;
+    const int r = rs_smb_probe_tcp(input, len);
+    switch (r) {
+        case 1:
+            return ALPROTO_SMB;
+        case 0:
+            return ALPROTO_UNKNOWN;
+        case -1:
+        default:
+            return ALPROTO_FAILED;
    }
-
-    return ALPROTO_SMB;
 }

 static int RustSMBGetAlstateProgress(void *tx, uint8_t direction)