smb: set event for ntlmssp unusual order

pull/8314/head
Philippe Antoine 3 years ago committed by Victor Julien
parent e41c01a483
commit 3979acb5ed

@ -151,6 +151,7 @@ pub struct NtlmsspData {
pub user: Vec<u8>,
pub domain: Vec<u8>,
pub version: Option<NTLMSSPVersion>,
pub warning: bool,
}
/// take in blob, search for the header and parse it
@ -179,6 +180,7 @@ fn parse_ntlmssp_blob(blob: &[u8]) -> Option<NtlmsspData>
host,
user,
domain,
warning: ad.warning,
version: ad.version,
};
ntlmssp_data = Some(d);
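Review bot: The new `pub warning: bool` field on NtlmsspData carries no doc comment, and its name does not say what condition it records; the same applies to the matching field added to NTLMSSPAuthRecord in a later hunk. A one-line comment such as `/// Set when the NTLMSSP blobs were found in an unusual order; surfaced as SMBEvent::UnusualNtlmsspOrder by the session-setup handlers.` would give the flag its meaning at the definition rather than at the point of use. Both struct definitions begin outside their hunks.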

@ -46,6 +46,8 @@ pub enum SMBEvent {
WriteRequestTooLarge,
WriteQueueSizeExceeded,
WriteQueueCntExceeded,
/// Unusal NTLMSSP fields order
UnusualNtlmsspOrder,
}
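Review bot: The doc comment on the new variant, `/// Unusal NTLMSSP fields order`, misspells "unusual"; `/// Unusual NTLMSSP fields order` is the intended text, and a few words on what it means (a user or host blob that starts before the preceding blob ends, as checked in parse_ntlm_auth_record) would help rule writers. If SMBEvent variants are mirrored in a name table or rule-keyword mapping elsewhere in the crate, that mapping needs a matching entry; nothing on this page shows one. The enum starts outside the hunk.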
impl SMBTransaction {

@ -65,6 +65,7 @@ pub struct NTLMSSPAuthRecord<'a> {
pub user: &'a [u8],
pub host: &'a [u8],
pub version: Option<NTLMSSPVersion>,
pub warning: bool,
}
fn parse_ntlm_auth_nego_flags(i: &[u8]) -> IResult<&[u8], (u8, u8, u32)> {
@ -121,10 +122,19 @@ pub fn parse_ntlm_auth_record(i: &[u8]) -> IResult<&[u8], NTLMSSPAuthRecord> {
let (_, user_blob) = extract_ntlm_substring(orig_i, user_blob_offset, user_blob_len)?;
let (_, host_blob) = extract_ntlm_substring(orig_i, host_blob_offset, host_blob_len)?;
let mut warning = false;
if (user_blob_offset > 0 && user_blob_offset < domain_blob_offset + domain_blob_len as u32)
|| (host_blob_offset > 0 && host_blob_offset < user_blob_offset + user_blob_len as u32)
{
// to set event in transaction
warning = true;
}
let record = NTLMSSPAuthRecord {
domain: domain_blob,
user: user_blob,
host: host_blob,
warning,
version,
};
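Review bot: The two sums `domain_blob_offset + domain_blob_len as u32` and `user_blob_offset + user_blob_len as u32` are built from wire-supplied offsets and lengths, so unless extract_ntlm_substring (called just above, body not on this page) already bounds both against the blob, they can overflow u32 — a panic under overflow checks, a silent wrap that suppresses the event otherwise. Using `saturating_add` keeps the comparison total and folds the `let mut warning = false` / `warning = true` pair into one expression: `let warning = (user_blob_offset > 0 && user_blob_offset < domain_blob_offset.saturating_add(domain_blob_len as u32)) || (host_blob_offset > 0 && host_blob_offset < user_blob_offset.saturating_add(user_blob_len as u32));`. The comment `// to set event in transaction` would read better as `// flagged so the session-setup handler can set SMBEvent::UnusualNtlmsspOrder`. parse_ntlm_auth_record's body begins and ends outside the hunk.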

@ -135,11 +135,16 @@ pub fn smb1_session_setup_request(state: &mut SMBState, r: &SmbRecord, andx_offs
tx.vercmd.set_smb1_cmd(r.command);
if let Some(SMBTransactionTypeData::SESSIONSETUP(ref mut td)) = tx.type_data {
td.request_host = Some(smb1_session_setup_request_host_info(r, rem));
if let Some(s) = parse_secblob(setup.sec_blob) {
td.ntlmssp = s.ntlmssp;
td.krb_ticket = s.krb;
if let Some(ntlm) = &td.ntlmssp {
if ntlm.warning {
tx.set_event(SMBEvent::UnusualNtlmsspOrder);
}
}
}
td.request_host = Some(smb1_session_setup_request_host_info(r, rem));
}
},
_ => {
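Review bot: The `td.request_host = Some(...)` assignment is moved above the parse_secblob block with no comment saying why; presumably it is so the `ref mut td` borrow of `tx.type_data` ends before `tx.set_event` needs `tx` mutably, and that is worth stating, e.g. `// set request_host first: td borrows tx.type_data, and tx.set_event below needs tx`. The nested `if let Some(ntlm) = &td.ntlmssp { if ntlm.warning { ... } }` can be a single condition, `if td.ntlmssp.as_ref().map_or(false, |n| n.warning) { tx.set_event(SMBEvent::UnusualNtlmsspOrder); }`, and since the same block is added verbatim in smb2_session_setup_request in the last hunk, a small helper on SMBTransaction or the session-setup type data would keep the two in step. smb1_session_setup_request's enclosing match arm begins and ends outside the hunk.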

@ -17,7 +17,7 @@
use crate::smb::smb2_records::*;
use crate::smb::smb::*;
//use smb::events::*;
use crate::smb::events::*;
use crate::smb::auth::*;
pub fn smb2_session_setup_request(state: &mut SMBState, r: &Smb2Record)
@ -34,6 +34,11 @@ pub fn smb2_session_setup_request(state: &mut SMBState, r: &Smb2Record)
if let Some(s) = parse_secblob(setup.data) {
td.ntlmssp = s.ntlmssp;
td.krb_ticket = s.krb;
if let Some(ntlm) = &td.ntlmssp {
if ntlm.warning {
tx.set_event(SMBEvent::UnusualNtlmsspOrder);
}
}
}
}
},
