diff --git a/rust/src/smb/auth.rs b/rust/src/smb/auth.rs
index f342a73ada..0953dcbf1b 100644
--- a/rust/src/smb/auth.rs
+++ b/rust/src/smb/auth.rs
@@ -151,6 +151,7 @@ pub struct NtlmsspData {
 pub user: Vec,
 pub domain: Vec,
 pub version: Option,
+ pub warning: bool,
 }
 /// take in blob, search for the header and parse it
@@ -179,6 +180,7 @@ fn parse_ntlmssp_blob(blob: &[u8]) -> Option
 host,
 user,
 domain,
+ warning: ad.warning,
 version: ad.version,
 };
 ntlmssp_data = Some(d);
diff --git a/rust/src/smb/events.rs b/rust/src/smb/events.rs
index 4c621e5d4b..94bd066139 100644
--- a/rust/src/smb/events.rs
+++ b/rust/src/smb/events.rs
@@ -46,6 +46,8 @@ pub enum SMBEvent {
 WriteRequestTooLarge,
 WriteQueueSizeExceeded,
 WriteQueueCntExceeded,
+ /// Unusal NTLMSSP fields order
+ UnusualNtlmsspOrder,
 }
 impl SMBTransaction {
diff --git a/rust/src/smb/ntlmssp_records.rs b/rust/src/smb/ntlmssp_records.rs
index e0cda8e3bc..c923421127 100644
--- a/rust/src/smb/ntlmssp_records.rs
+++ b/rust/src/smb/ntlmssp_records.rs
@@ -65,6 +65,7 @@ pub struct NTLMSSPAuthRecord<'a> {
 pub user: &'a [u8],
 pub host: &'a [u8],
 pub version: Option,
+ pub warning: bool,
 }
 fn parse_ntlm_auth_nego_flags(i: &[u8]) -> IResult<&[u8], (u8, u8, u32)> {
@@ -121,10 +122,19 @@ pub fn parse_ntlm_auth_record(i: &[u8]) -> IResult<&[u8], NTLMSSPAuthRecord> {
 let (_, user_blob) = extract_ntlm_substring(orig_i, user_blob_offset, user_blob_len)?;
 let (_, host_blob) = extract_ntlm_substring(orig_i, host_blob_offset, host_blob_len)?;
+ let mut warning = false;
+ if (user_blob_offset > 0 && user_blob_offset < domain_blob_offset + domain_blob_len as u32)
+ || (host_blob_offset > 0 && host_blob_offset < user_blob_offset + user_blob_len as u32)
+ {
+ // to set event in transaction
+ warning = true;
+ }
+
+ let record = NTLMSSPAuthRecord {
 domain: domain_blob,
 user: user_blob,
 host: host_blob,
+ warning,
 version,
 };
diff --git a/rust/src/smb/smb1_session.rs b/rust/src/smb/smb1_session.rs
index 45732dfc35..c39c7ce98f 100644
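Review bot: `pub warning: bool` on NtlmsspData is a bare flag whose meaning can only be recovered by reading parse_ntlm_auth_record in ntlmssp_records.rs; give it a doc comment at the declaration, e.g. `/// Set when the AUTH record's domain/user/host blobs overlap or are not in their usual order; the session-setup handlers raise SMBEvent::UnusualNtlmsspOrder from it.` The same comment belongs on the matching `pub warning: bool` added to NTLMSSPAuthRecord in the `@@ -65,6 +65,7 @@` hunk of ntlmssp_records.rs. A name that carries the condition, such as `unusual_field_order`, would make the flag self-describing, though renaming touches every site in this commit. The `pub struct NtlmsspData {` line is the hunk-header context, so the declaration begins outside the hunk.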
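Review bot: The rustdoc on the new variant, `/// Unusal NTLMSSP fields order`, has a typo and is the only description a user of the event will see; suggest `/// Unusual NTLMSSP field order: the domain, user or host blobs of the AUTH record overlap or are not laid out in their usual sequence.` If SMBEvent is converted to or from an integer id elsewhere in events.rs (a from_i32-style match or a table shared with the C side), that mapping must also learn the new variant; only the enum body is visible here. The `pub enum SMBEvent {` line is the hunk-header context, so the enum begins outside the hunk.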
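Review bot: `domain_blob_offset + domain_blob_len as u32` and `user_blob_offset + user_blob_len as u32` in the new condition are plain additions on header fields taken from the wire; they do not overflow as long as the preceding `extract_ntlm_substring` calls reject offsets beyond the input, but that invariant lives in another function and, should it ever loosen, this line becomes a debug-build panic (silent wrap in release). Using `saturating_add` keeps the check self-contained at no cost, and folding the `let mut warning = false; if … { warning = true; }` shape into a single `let warning = …;` expression removes the mutable temporary and the uninformative `// to set event in transaction` comment. parse_ntlm_auth_record starts and ends outside this hunk.
```rust
    let (_, host_blob) = extract_ntlm_substring(orig_i, host_blob_offset, host_blob_len)?;

    // Flag a blob that starts inside the blob conventionally preceding it
    // (user inside domain, host inside user); zero offsets are skipped.
    let warning = (user_blob_offset > 0
        && user_blob_offset < domain_blob_offset.saturating_add(domain_blob_len as u32))
        || (host_blob_offset > 0
            && host_blob_offset < user_blob_offset.saturating_add(user_blob_len as u32));
    // … unchanged: NTLMSSPAuthRecord construction …
```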
--- a/rust/src/smb/smb1_session.rs
+++ b/rust/src/smb/smb1_session.rs
@@ -135,11 +135,16 @@ pub fn smb1_session_setup_request(state: &mut SMBState, r: &SmbRecord, andx_offs
 tx.vercmd.set_smb1_cmd(r.command);
 if let Some(SMBTransactionTypeData::SESSIONSETUP(ref mut td)) = tx.type_data {
+ td.request_host = Some(smb1_session_setup_request_host_info(r, rem));
 if let Some(s) = parse_secblob(setup.sec_blob) {
 td.ntlmssp = s.ntlmssp;
 td.krb_ticket = s.krb;
+ if let Some(ntlm) = &td.ntlmssp {
+ if ntlm.warning {
+ tx.set_event(SMBEvent::UnusualNtlmsspOrder);
+ }
+ }
 }
- td.request_host = Some(smb1_session_setup_request_host_info(r, rem));
 }
 },
 _ => {
diff --git a/rust/src/smb/smb2_session.rs b/rust/src/smb/smb2_session.rs
index c8fc7d2de6..93cc99cdd4 100644
--- a/rust/src/smb/smb2_session.rs
+++ b/rust/src/smb/smb2_session.rs
@@ -17,7 +17,7 @@ use crate::smb::smb2_records::*;
 use crate::smb::smb::*;
-//use smb::events::*;
+use crate::smb::events::*;
 use crate::smb::auth::*;
 pub fn smb2_session_setup_request(state: &mut SMBState, r: &Smb2Record)
@@ -34,6 +34,11 @@ pub fn smb2_session_setup_request(state: &mut SMBState, r: &Smb2Record)
 if let Some(s) = parse_secblob(setup.data) {
 td.ntlmssp = s.ntlmssp;
 td.krb_ticket = s.krb;
+ if let Some(ntlm) = &td.ntlmssp {
+ if ntlm.warning {
+ tx.set_event(SMBEvent::UnusualNtlmsspOrder);
+ }
+ }
 }
 },
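Review bot: Moving `td.request_host = Some(...)` above the `parse_secblob` block appears to be a borrow-checker accommodation rather than a logic change: `td` is a `ref mut` into `tx.type_data`, so its last use has to precede `tx.set_event(...)`, which re-borrows `tx`. That constraint is invisible in the code, and the next person to append a `td.` access after the event will hit a confusing compile error, so add `// the last use of td must stay before tx.set_event(), which re-borrows tx` above the moved assignment. The nested `if let` / `if` can also collapse into `if td.ntlmssp.as_ref().map_or(false, |n| n.warning) { tx.set_event(SMBEvent::UnusualNtlmsspOrder); }`, which reads as the single-flag check it is. The same shape appears in the `@@ -34,6 +34,11 @@` hunk of smb2_session.rs, where the comment is equally worth having; smb1_session_setup_request begins and ends outside this hunk.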