aiden
/
suricata
mirror of https://github.com/OISF/suricata
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

smb1: set event on empty/malformed dialect

Browse Source
pull/3281/head
Victor Julien 8 years ago
parent c91242e71c
commit 1d4aac1d4d
3 changed files with 18 additions and 7 deletions
Show Stats Download Patch File Download Diff File

2
rules/smb-events.rules
Unescape Escape View File

@ -12,3 +12,5 @@ alert smb any any -> any any (msg:"SURICATA SMB malformed request data"; flow:to
alert smb any any -> any any (msg:"SURICATA SMB malformed response data"; flow:to_client; app-layer-event:smb.malformed_data; classtype:protocol-command-decode; sid:2225003; rev:1;) alert smb any any -> any any (msg:"SURICATA SMB malformed response data"; flow:to_client; app-layer-event:smb.malformed_data; classtype:protocol-command-decode; sid:2225003; rev:1;)
alert smb any any -> any any (msg:"SURICATA SMB malformed NTLMSSP record"; flow:to_server; app-layer-event:smb.malformed_ntlmssp_request; classtype:protocol-command-decode; sid:2225004; rev:1;) alert smb any any -> any any (msg:"SURICATA SMB malformed NTLMSSP record"; flow:to_server; app-layer-event:smb.malformed_ntlmssp_request; classtype:protocol-command-decode; sid:2225004; rev:1;)
alert smb any any -> any any (msg:"SURICATA SMB malformed request dialects"; flow:to_server; app-layer-event:smb.negotiate_malformed_dialects; classtype:protocol-command-decode; sid:2225005; rev:1;)

2
rust/src/smb/events.rs
Unescape Escape View File

@ -27,6 +27,7 @@ pub enum SMBEvent {
MalformedNtlmsspRequest = 3, MalformedNtlmsspRequest = 3,
MalformedNtlmsspResponse = 4, MalformedNtlmsspResponse = 4,
DuplicateNegotiate = 5, DuplicateNegotiate = 5,
NegotiateMalformedDialects = 6,
} }
pub fn smb_str_to_event(instr: &str) -> i32 { pub fn smb_str_to_event(instr: &str) -> i32 {
@ -38,6 +39,7 @@ pub fn smb_str_to_event(instr: &str) -> i32 {
"malformed_ntlmssp_request" => SMBEvent::MalformedNtlmsspRequest as i32, "malformed_ntlmssp_request" => SMBEvent::MalformedNtlmsspRequest as i32,
"malformed_ntlmssp_response" => SMBEvent::MalformedNtlmsspResponse as i32, "malformed_ntlmssp_response" => SMBEvent::MalformedNtlmsspResponse as i32,
"duplicate_negotiate" => SMBEvent::DuplicateNegotiate as i32, "duplicate_negotiate" => SMBEvent::DuplicateNegotiate as i32,
"negotiate_malformed_dialects" => SMBEvent::NegotiateMalformedDialects as i32,
_ => -1, _ => -1,
} }
} }

21
rust/src/smb/smb1.rs
Unescape Escape View File

@ -211,8 +211,15 @@ pub fn smb1_request_record<'b>(state: &mut SMBState, r: &SmbRecord<'b>) -> u32 {
IResult::Done(_, pr) => { IResult::Done(_, pr) => {
SCLogDebug!("SMB_COMMAND_NEGOTIATE_PROTOCOL {:?}", pr); SCLogDebug!("SMB_COMMAND_NEGOTIATE_PROTOCOL {:?}", pr);
let mut bad_dialects = false;
let mut dialects : Vec<Vec<u8>> = Vec::new(); let mut dialects : Vec<Vec<u8>> = Vec::new();
for d in &pr.dialects { for d in &pr.dialects {
if d.len() == 0 {
bad_dialects = true;
continue;
} else if d.len() == 1 {
bad_dialects = true;
}
let x = &d[1..d.len()]; let x = &d[1..d.len()];
let dvec = x.to_vec(); let dvec = x.to_vec();
dialects.push(dvec); dialects.push(dvec);
@ -232,6 +239,9 @@ pub fn smb1_request_record<'b>(state: &mut SMBState, r: &SmbRecord<'b>) -> u32 {
tdn.dialects = dialects; tdn.dialects = dialects;
} }
tx.request_done = true; tx.request_done = true;
if bad_dialects {
tx.set_event(SMBEvent::NegotiateMalformedDialects);
}
} }
true true
}, },
@ -388,18 +398,15 @@ pub fn smb1_response_record<'b>(state: &mut SMBState, r: &SmbRecord<'b>) -> u32
_ => { None }, _ => { None },
}; };
if d == None { if d == None {
tx.set_event(SMBEvent::MalformedData); tx.set_event(SMBEvent::NegotiateMalformedDialects);
} }
(true, d) (true, d)
}, },
None => { (false, None) }, None => { (false, None) },
}; };
match dialect { if let Some(d) = dialect {
Some(d) => { SCLogDebug!("dialect {:?}", d);
SCLogDebug!("dialect {:?}", d); state.dialect_vec = Some(d);
state.dialect_vec = Some(d);
},
_ => { },
} }
have_ntx have_ntx
}, },

Write Preview
Loading…
Cancel
Save