smb1: set event on empty/malformed dialect

8 years ago · 1d4aac1d4d
parent c91242e71c
commit 1d4aac1d4d
3 changed files with 18 additions and 7 deletions
--- a/rules/smb-events.rules
+++ b/rules/smb-events.rules
@ -12,3 +12,5 @@ alert smb any any -> any any (msg:"SURICATA SMB malformed request data"; flow:to
 alert smb any any -> any any (msg:"SURICATA SMB malformed response data"; flow:to_client; app-layer-event:smb.malformed_data; classtype:protocol-command-decode; sid:2225003; rev:1;)

 alert smb any any -> any any (msg:"SURICATA SMB malformed NTLMSSP record"; flow:to_server; app-layer-event:smb.malformed_ntlmssp_request; classtype:protocol-command-decode; sid:2225004; rev:1;)
+
+alert smb any any -> any any (msg:"SURICATA SMB malformed request dialects"; flow:to_server; app-layer-event:smb.negotiate_malformed_dialects; classtype:protocol-command-decode; sid:2225005; rev:1;)
--- a/rust/src/smb/events.rs
+++ b/rust/src/smb/events.rs
@ -27,6 +27,7 @@ pub enum SMBEvent {
    MalformedNtlmsspRequest = 3,
    MalformedNtlmsspResponse = 4,
    DuplicateNegotiate = 5,
+    NegotiateMalformedDialects = 6,
 }

 pub fn smb_str_to_event(instr: &str) -> i32 {
@ -38,6 +39,7 @@ pub fn smb_str_to_event(instr: &str) -> i32 {
        "malformed_ntlmssp_request"     => SMBEvent::MalformedNtlmsspRequest as i32,
        "malformed_ntlmssp_response"    => SMBEvent::MalformedNtlmsspResponse as i32,
        "duplicate_negotiate"           => SMBEvent::DuplicateNegotiate as i32,
+        "negotiate_malformed_dialects"  => SMBEvent::NegotiateMalformedDialects as i32,
        _ => -1,
    }
 }
--- a/rust/src/smb/smb1.rs
+++ b/rust/src/smb/smb1.rs
@ -211,8 +211,15 @@ pub fn smb1_request_record<'b>(state: &mut SMBState, r: &SmbRecord<'b>) -> u32 {
                IResult::Done(_, pr) => {
                    SCLogDebug!("SMB_COMMAND_NEGOTIATE_PROTOCOL {:?}", pr);

+                    let mut bad_dialects = false;
                    let mut dialects : Vec<Vec<u8>> = Vec::new();
                    for d in &pr.dialects {
+                        if d.len() == 0 {
+                            bad_dialects = true;
+                            continue;
+                        } else if d.len() == 1 {
+                            bad_dialects = true;
+                        }
                        let x = &d[1..d.len()];
                        let dvec = x.to_vec();
                        dialects.push(dvec);
@ -232,6 +239,9 @@ pub fn smb1_request_record<'b>(state: &mut SMBState, r: &SmbRecord<'b>) -> u32 {
                            tdn.dialects = dialects;
                        }
                        tx.request_done = true;
+                        if bad_dialects {
+                            tx.set_event(SMBEvent::NegotiateMalformedDialects);
+                        }
                    }
                    true
                },
@ -388,18 +398,15 @@ pub fn smb1_response_record<'b>(state: &mut SMBState, r: &SmbRecord<'b>) -> u32
                                _ => { None },
                            };
                            if d == None {
-                                tx.set_event(SMBEvent::MalformedData);
+                                tx.set_event(SMBEvent::NegotiateMalformedDialects);
                            }
                            (true, d)
                        },
                        None => { (false, None) },
                    };
-                    match dialect {
-                        Some(d) => {
-                            SCLogDebug!("dialect {:?}", d);
-                            state.dialect_vec = Some(d);
-                        },
-                        _ => { },
+                    if let Some(d) = dialect {
+                        SCLogDebug!("dialect {:?}", d);
+                        state.dialect_vec = Some(d);
                    }
                    have_ntx
                },