aiden
/
suricata
mirror of https://github.com/OISF/suricata
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

rust: upgrade all parsers to nom 5

Browse Source
pull/4624/head
Pierre Chifflier 6 years ago committed by Victor Julien
parent a2d91d9bf5
commit 5b809f77f1
26 changed files with 170 additions and 131 deletions
Show Stats Download Patch File Download Diff File

16
rust/Cargo.toml.in
Unescape Escape View File

@ -17,7 +17,7 @@ strict = []
debug = []
[dependencies]
nom = "4.2"
nom = "5.0"
bitflags = "1.0"
byteorder = "1.3"
crc = "1.8"
@ -27,11 +27,11 @@ num-derive = "0.2"
num-traits = "0.2"
widestring = "0.4"
der-parser = "1.1"
kerberos-parser = "0.2"
der-parser = "3.0"
kerberos-parser = "0.4"
ntp-parser = "0.3"
ipsec-parser = "0.4"
snmp-parser = "0.3.0"
tls-parser = "0.8"
x509-parser = "0.4"
ntp-parser = "0.4"
ipsec-parser = "0.5"
snmp-parser = "0.5"
tls-parser = "0.9"
x509-parser = "0.6"

6
rust/src/dhcp/parser.rs
Unescape Escape View File

@ -18,7 +18,9 @@
use std::cmp::min;
use crate::dhcp::dhcp::*;
use nom::*;
use nom::IResult;
use nom::combinator::rest;
use nom::number::complete::{be_u8, be_u16, be_u32};
pub struct DHCPMessage {
pub header: DHCPHeader,
@ -121,7 +123,7 @@ named!(pub parse_header<DHCPHeader>,
named!(pub parse_clientid_option<DHCPOption>,
do_parse!(
code: be_u8 >>
len: verify!(be_u8, |v| v > 1) >>
len: verify!(be_u8, |&v| v > 1) >>
_htype: be_u8 >>
data: take!(len - 1) >>
(

8
rust/src/dns/dns.rs
Unescape Escape View File

@ -25,6 +25,8 @@ use crate::applayer::LoggerFlags;
use crate::core;
use crate::dns::parser;
use nom::number::complete::be_u16;
/// DNS record types.
pub const DNS_RECORD_TYPE_A : u16 = 1;
pub const DNS_RECORD_TYPE_NS : u16 = 2;
@ -443,7 +445,7 @@ impl DNSState {
let mut count = 0;
while self.request_buffer.len() > 0 {
let size = match nom::be_u16(&self.request_buffer) {
let size = match be_u16(&self.request_buffer) {
Ok((_, len)) => len,
_ => 0
} as usize;
@ -484,7 +486,7 @@ impl DNSState {
let mut count = 0;
while self.response_buffer.len() > 0 {
let size = match nom::be_u16(&self.response_buffer) {
let size = match be_u16(&self.response_buffer) {
Ok((_, len)) => len,
_ => 0
} as usize;
@ -533,7 +535,7 @@ fn probe(input: &[u8]) -> (bool, bool) {
/// Probe TCP input to see if it looks like DNS.
pub fn probe_tcp(input: &[u8]) -> (bool, bool) {
match nom::be_u16(input) {
match be_u16(input) {
Ok((rem, _)) => {
return probe(rem);
},

16
rust/src/dns/parser.rs
Unescape Escape View File

@ -17,7 +17,9 @@
//! Nom parsers for DNS.
use nom::{IResult, be_u8, be_u16, be_u32};
use nom::IResult;
use nom::error::ErrorKind;
use nom::number::complete::{be_u8, be_u16, be_u32};
use nom;
use crate::dns::dns::*;
@ -67,7 +69,7 @@ pub fn dns_parse_name<'a, 'b>(start: &'b [u8],
pos = &pos[1..];
break;
} else if len & 0b1100_0000 == 0 {
match length_bytes!(pos, be_u8) {
match length_data!(pos, be_u8) {
Ok((rem, label)) => {
if name.len() > 0 {
name.push('.' as u8);
@ -77,7 +79,7 @@ pub fn dns_parse_name<'a, 'b>(start: &'b [u8],
}
_ => {
return Err(nom::Err::Error(
error_position!(pos, nom::ErrorKind::OctDigit)));
error_position!(pos, ErrorKind::OctDigit)));
}
}
} else if len & 0b1100_0000 == 0b1100_0000 {
@ -86,7 +88,7 @@ pub fn dns_parse_name<'a, 'b>(start: &'b [u8],
let offset = leader & 0x3fff;
if offset as usize > message.len() {
return Err(nom::Err::Error(
error_position!(pos, nom::ErrorKind::OctDigit)));
error_position!(pos, ErrorKind::OctDigit)));
}
pos = &message[offset as usize..];
if pivot == start {
@ -95,19 +97,19 @@ pub fn dns_parse_name<'a, 'b>(start: &'b [u8],
}
_ => {
return Err(nom::Err::Error(
error_position!(pos, nom::ErrorKind::OctDigit)));
error_position!(pos, ErrorKind::OctDigit)));
}
}
} else {
return Err(nom::Err::Error(
error_position!(pos, nom::ErrorKind::OctDigit)));
error_position!(pos, ErrorKind::OctDigit)));
}
// Return error if we've looped a certain number of times.
count += 1;
if count > 255 {
return Err(nom::Err::Error(
error_position!(pos, nom::ErrorKind::OctDigit)));
error_position!(pos, ErrorKind::OctDigit)));
}
}

21
rust/src/ftp/mod.rs
Unescape Escape View File

@ -17,6 +17,8 @@
extern crate nom;
use nom::IResult;
use nom::character::complete::digit1;
use nom::digit;
use nom::types::CompleteByteSlice;
use std::str;
@ -39,8 +41,9 @@ named!(getu16<u16>,
)
);
named!(parse_digits<CompleteByteSlice, &[u8]>,
map!(take_while!(nom::is_digit), |b| b.0));
fn parse_digits(input: &str) -> IResult<&str, &str> {
digit1(input)
}
named!(parse_u16<CompleteByteSlice, u16>,
map_res!(map_res!(parse_digits, str::from_utf8), u16::from_str));
@ -51,9 +54,9 @@ named!(pub ftp_active_port<CompleteByteSlice, u16>,
tag!("PORT") >>
ws!(digit) >> tag!(",") >> digit >> tag!(",") >>
digit >> tag!(",") >> digit >> tag!(",") >>
part1: verify!(parse_u16, |v| v <= std::u8::MAX as u16) >>
part1: verify!(parse_u16, |&v| v <= std::u8::MAX as u16) >>
tag!(",") >>
part2: verify!(parse_u16, |v| v <= std::u8::MAX as u16) >>
part2: verify!(parse_u16, |&v| v <= std::u8::MAX as u16) >>
(
part1 * 256 + part2
)
@ -64,12 +67,13 @@ named!(pub ftp_active_port<CompleteByteSlice, u16>,
named!(pub ftp_pasv_response<u16>,
do_parse!(
tag!("227") >>
take_until_and_consume!("(") >>
take_until!("(") >>
tag!("(") >>
digit >> tag!(",") >> digit >> tag!(",") >>
digit >> tag!(",") >> digit >> tag!(",") >>
part1: verify!(getu16, |v| v <= std::u8::MAX as u16) >>
part1: verify!(getu16, |&v| v <= std::u8::MAX as u16) >>
tag!(",") >>
part2: verify!(getu16, |v| v <= std::u8::MAX as u16) >>
part2: verify!(getu16, |&v| v <= std::u8::MAX as u16) >>
alt! (tag!(").") | tag!(")")) >>
(
part1 * 256 + part2
@ -119,7 +123,8 @@ pub extern "C" fn rs_ftp_pasv_response(input: *const u8, len: u32) -> u16 {
named!(pub ftp_epsv_response<u16>,
do_parse!(
tag!("229") >>
take_until_and_consume!("|||") >>
take_until!("|||") >>
tag!("|||") >>
port: getu16 >>
alt! (tag!("|).") | tag!("|)")) >>
(

6
rust/src/kerberos.rs
Unescape Escape View File

@ -18,9 +18,11 @@
use kerberos_parser::krb5_parser::parse_ap_req;
use kerberos_parser::krb5::{ApReq,Realm,PrincipalName};
use nom;
use nom::{ErrorKind, IResult, le_u16};
use nom::IResult;
use nom::error::ErrorKind;
use nom::number::complete::le_u16;
use der_parser;
use der_parser::parse_der_oid;
use der_parser::der::parse_der_oid;
use crate::log::*;

14
rust/src/krb/krb5.rs
Unescape Escape View File

@ -20,8 +20,8 @@
use std;
use std::ffi::{CStr,CString};
use nom;
use nom::be_u32;
use der_parser::der_read_element_header;
use nom::number::complete::be_u32;
use der_parser::der::der_read_element_header;
use kerberos_parser::krb5_parser;
use kerberos_parser::krb5::{EncryptionType,ErrorCode,MessageType,PrincipalName,Realm};
use crate::applayer;
@ -121,9 +121,9 @@ impl KRB5State {
Ok((_rem,hdr)) => {
// Kerberos messages start with an APPLICATION header
if hdr.class != 0b01 { return 1; }
match hdr.tag {
match hdr.tag.0 {
10 => {
self.req_id = hdr.tag;
self.req_id = 10;
},
11 => {
let res = krb5_parser::parse_as_rep(i);
@ -142,7 +142,7 @@ impl KRB5State {
self.req_id = 0;
},
12 => {
self.req_id = hdr.tag;
self.req_id = 12;
},
13 => {
let res = krb5_parser::parse_tgs_rep(i);
@ -161,7 +161,7 @@ impl KRB5State {
self.req_id = 0;
},
14 => {
self.req_id = hdr.tag;
self.req_id = 14;
},
15 => {
self.req_id = 0;
@ -445,7 +445,7 @@ pub extern "C" fn rs_krb5_probing_parser(_flow: *const Flow,
// Kerberos messages start with an APPLICATION header
if hdr.class != 0b01 { return unsafe{ALPROTO_FAILED}; }
// Tag number should be <= 30
if hdr.tag >= 30 { return unsafe{ALPROTO_FAILED}; }
if hdr.tag.0 >= 30 { return unsafe{ALPROTO_FAILED}; }
// Kerberos messages contain sequences
if rem.is_empty() || rem[0] != 0x30 { return unsafe{ALPROTO_FAILED}; }
// Check kerberos version

5
rust/src/nfs/nfs2.rs
Unescape Escape View File

@ -17,7 +17,6 @@
// written by Victor Julien
use nom;
use crate::log::*;
use crate::nfs::nfs::*;
@ -25,6 +24,8 @@ use crate::nfs::types::*;
use crate::nfs::rpc_records::*;
use crate::nfs::nfs2_records::*;
use nom::number::complete::be_u32;
impl NFSState {
/// complete request record
pub fn process_request_record_v2<'b>(&mut self, r: &RpcPacket<'b>) -> u32 {
@ -108,7 +109,7 @@ impl NFSState {
},
}
} else {
let stat = match nom::be_u32(&r.prog_data) {
let stat = match be_u32(&r.prog_data) {
Ok((_, stat)) => {
stat as u32
}

3
rust/src/nfs/nfs2_records.rs
Unescape Escape View File

@ -16,7 +16,8 @@
*/
//! Nom parsers for NFSv2 records
use nom::{be_u32, rest};
use nom::combinator::rest;
use nom::number::complete::be_u32;
use crate::nfs::nfs_records::*;
#[derive(Debug,PartialEq)]

5
rust/src/nfs/nfs3.rs
Unescape Escape View File

@ -17,7 +17,6 @@
// written by Victor Julien
use nom;
use crate::log::*;
use crate::core::*;
@ -26,6 +25,8 @@ use crate::nfs::types::*;
use crate::nfs::rpc_records::*;
use crate::nfs::nfs3_records::*;
use nom::number::complete::be_u32;
impl NFSState {
/// complete NFS3 request record
pub fn process_request_record_v3<'b>(&mut self, r: &RpcPacket<'b>) -> u32 {
@ -326,7 +327,7 @@ impl NFSState {
}
// for all other record types only parse the status
else {
let stat = match nom::be_u32(&r.prog_data) {
let stat = match be_u32(&r.prog_data) {
Ok((_, stat)) => {
stat as u32
}

4
rust/src/nfs/nfs3_records.rs
Unescape Escape View File

@ -17,7 +17,9 @@
//! Nom parsers for RPC & NFSv3
use nom::{IResult, be_u32, be_u64, rest};
use nom::IResult;
use nom::combinator::rest;
use nom::number::complete::{be_u32, be_u64};
use crate::nfs::nfs_records::*;
#[derive(Debug,PartialEq)]

2
rust/src/nfs/nfs4.rs
Unescape Escape View File

@ -18,7 +18,7 @@
// written by Victor Julien
use nom;
use nom::be_u32;
use nom::number::complete::be_u32;
use crate::core::*;
use crate::log::*;

2
rust/src/nfs/nfs4_records.rs
Unescape Escape View File

@ -16,7 +16,7 @@
*/
//! Nom parsers for NFSv4 records
use nom::{be_u32, be_u64};
use nom::number::complete::{be_u32, be_u64};
use crate::nfs::types::*;

7
rust/src/nfs/rpc_records.rs
Unescape Escape View File

@ -17,7 +17,8 @@
//! Nom parsers for RPCv2
use nom::{be_u32, rest};
use nom::combinator::rest;
use nom::number::complete::be_u32;
#[derive(Debug,PartialEq)]
pub enum RpcRequestCreds<'a> {
@ -122,8 +123,8 @@ pub struct RpcPacketHeader<> {
named!(pub parse_rpc_packet_header<RpcPacketHeader>,
do_parse!(
fraghdr: bits!(tuple!(
take_bits!(u8, 1), // is_last
take_bits!(u32, 31))) // len
take_bits!(1u8), // is_last
take_bits!(31u32))) // len
>> xid: be_u32
>> msgtype: be_u32

64
rust/src/rdp/parser.rs
Unescape Escape View File

@ -26,7 +26,9 @@
//! * x.224-spec: <https://www.itu.int/rec/T-REC-X.224-199511-I/en>
//! * x.691-spec: <https://www.itu.int/rec/T-REC-X.691/en>
use nom::{be_u16, be_u8, le_u16, le_u32, le_u8, ErrorKind, IResult};
use nom::IResult;
use nom::error::ErrorKind;
use nom::number::complete::{be_u16, be_u8, le_u16, le_u32, le_u8};
use crate::rdp::error::RDP_NOT_X224_CLASS_0_ERROR;
use crate::rdp::util::{
le_slice_to_string, parse_per_length_determinant, utf7_slice_to_string,
@ -433,7 +435,7 @@ pub struct McsConnectResponse {}
/// t.123-spec, section 8
pub fn parse_t123_tpkt(input: &[u8]) -> IResult<&[u8], T123Tpkt> {
let (i1, _version) =
verify!(input, be_u8, |x| x == TpktVersion::T123 as u8)?;
verify!(input, be_u8, |&x| x == TpktVersion::T123 as u8)?;
let (i2, _reserved) = try_parse!(i1, be_u8);
// less u8, u8, u16
let (i3, sz) = map_opt!(i2, be_u16, |x: u16| x.checked_sub(4))?;
@ -482,22 +484,22 @@ pub fn parse_t123_tpkt(input: &[u8]) -> IResult<&[u8], T123Tpkt> {
fn parse_x224_connection_request(
input: &[u8],
) -> IResult<&[u8], X224ConnectionRequest> {
let (i1, length) = verify!(input, be_u8, |x| x != 0xff)?; // 0xff is reserved
let (i1, length) = verify!(input, be_u8, |&x| x != 0xff)?; // 0xff is reserved
let (i2, cr_cdt) = bits!(
i1,
tuple!(
verify!(take_bits!(u8, 4), |x| x
verify!(take_bits!(4u8), |&x| x
== X224Type::ConnectionRequest as u8),
verify!(take_bits!(u8, 4), |x| x == 0 || x == 1)
verify!(take_bits!(4u8), |&x| x == 0 || x == 1)
)
)?;
let (i3, dst_ref) = verify!(i2, be_u16, |x| x == 0)?;
let (i3, dst_ref) = verify!(i2, be_u16, |&x| x == 0)?;
let (i4, src_ref) = try_parse!(i3, be_u16);
let (i5, class_options) = bits!(
i4,
tuple!(
verify!(take_bits!(u8, 4), |x| x <= 4),
verify!(take_bits!(u8, 4), |x| x <= 3)
verify!(take_bits!(4u8), |&x| x <= 4),
verify!(take_bits!(4u8), |&x| x <= 3)
)
)?;
// less cr_cdt (u8), dst_ref (u16), src_ref (u16), class_options (u8)
@ -592,14 +594,14 @@ fn parse_negotiation_request(
input,
_typ: verify!(
le_u8,
|x| x == X224ConnectionRequestType::NegotiationRequest as u8)
|&x| x == X224ConnectionRequestType::NegotiationRequest as u8)
>> flags: map_opt!(
le_u8,
NegotiationRequestFlags::from_bits)
// u8, u8, u16, and u32 give _length of 8
>> _length: verify!(
le_u16,
|x| x == 8)
|&x| x == 8)
>> protocols: map_opt!(
le_u32,
ProtocolFlags::from_bits)
@ -612,22 +614,22 @@ fn parse_negotiation_request(
fn parse_x224_connection_confirm(
input: &[u8],
) -> IResult<&[u8], X224ConnectionConfirm> {
let (i1, length) = verify!(input, be_u8, |x| x != 0xff)?; // 0xff is reserved
let (i1, length) = verify!(input, be_u8, |&x| x != 0xff)?; // 0xff is reserved
let (i2, cr_cdt) = bits!(
i1,
tuple!(
verify!(take_bits!(u8, 4), |x| x
verify!(take_bits!(4u8), |&x| x
== X224Type::ConnectionConfirm as u8),
verify!(take_bits!(u8, 4), |x| x == 0 || x == 1)
verify!(take_bits!(4u8), |&x| x == 0 || x == 1)
)
)?;
let (i3, dst_ref) = verify!(i2, be_u16, |x| x == 0)?;
let (i3, dst_ref) = verify!(i2, be_u16, |&x| x == 0)?;
let (i4, src_ref) = try_parse!(i3, be_u16);
let (i5, class_options) = bits!(
i4,
tuple!(
verify!(take_bits!(u8, 4), |x| x <= 4),
verify!(take_bits!(u8, 4), |x| x <= 3)
verify!(take_bits!(4u8), |&x| x <= 4),
verify!(take_bits!(4u8), |&x| x <= 3)
)
)?;
@ -702,14 +704,14 @@ fn parse_negotiation_response(
input,
_typ: verify!(
le_u8,
|x| x == X224ConnectionRequestType::NegotiationResponse as u8)
|&x| x == X224ConnectionRequestType::NegotiationResponse as u8)
>> flags: map_opt!(
le_u8,
NegotiationResponseFlags::from_bits)
// u8, u8, u16, and u32 give _length of 8
>> _length: verify!(
le_u16,
|x| x == 8)
|&x| x == 8)
>> protocol: map_opt!(
le_u32,
num::FromPrimitive::from_u32)
@ -725,12 +727,12 @@ fn parse_negotiation_failure(
input,
_typ: verify!(
le_u8,
|x| x == X224ConnectionRequestType::NegotiationFailure as u8)
|&x| x == X224ConnectionRequestType::NegotiationFailure as u8)
>> _flags: le_u8
// u8, u8, u16, and u32 give _length of 8
>> _length: verify!(
le_u16,
|x| x == 8)
|&x| x == 8)
>> code: map_opt!(
le_u32,
num::FromPrimitive::from_u32)
@ -740,16 +742,16 @@ fn parse_negotiation_failure(
/// x224-spec, section 13.7
fn parse_x223_data_class_0(input: &[u8]) -> IResult<&[u8], X223Data> {
let (i1, _length) = verify!(input, be_u8, |x| x == 2)?;
let (i1, _length) = verify!(input, be_u8, |&x| x == 2)?;
let (i2, _dt_x_roa) = bits!(
i1,
tuple!(
verify!(take_bits!(u8, 4), |x| x == 0xf),
verify!(take_bits!(u8, 3), |x| x == 0),
verify!(take_bits!(u8, 1), |x| x == 0)
verify!(take_bits!(4u8), |&x| x == 0xf),
verify!(take_bits!(3u8), |&x| x == 0),
verify!(take_bits!(1u8), |&x| x == 0)
)
)?;
let (i3, _eot) = verify!(i2, be_u8, |x| x == 0x80)?;
let (i3, _eot) = verify!(i2, be_u8, |&x| x == 0x80)?;
//
// optionally find exactly one of the child messages
@ -788,9 +790,9 @@ fn parse_mcs_connect(input: &[u8]) -> IResult<&[u8], McsConnectRequest> {
input,
le_u8,
// BER: 0b01=application, 0b1=non-primitive, 0b11111
|x| x == 0x7f
|&x| x == 0x7f
)?;
let (i2, _t125_type) = verify!(i1, le_u8, |x| x
let (i2, _t125_type) = verify!(i1, le_u8, |&x| x
== T125Type::T125TypeMcsConnectRequest as u8)?;
// skip to, and consume, H.221 client-to-server key
@ -863,7 +865,7 @@ fn parse_mcs_connect(input: &[u8]) -> IResult<&[u8], McsConnectRequest> {
/// rdp-spec, section 2.2.1.3.2
fn parse_cs_client_core_data(input: &[u8]) -> IResult<&[u8], CsClientCoreData> {
let (i1, _typ) = verify!(input, le_u16, |x| x == CsType::Core as u16)?;
let (i1, _typ) = verify!(input, le_u16, |&x| x == CsType::Core as u16)?;
// less u16, u16
let (i2, sz) = map_opt!(i1, le_u16, |x: u16| x.checked_sub(4))?;
let (i3, data) = take!(i2, sz)?;
@ -1049,7 +1051,7 @@ fn parse_cs_client_core_data(input: &[u8]) -> IResult<&[u8], CsClientCoreData> {
/// rdp-spec, section 2.2.1.3.4
fn parse_cs_net(input: &[u8]) -> IResult<&[u8], CsNet> {
let (i1, _typ) = verify!(input, le_u16, |x| x == CsType::Net as u16)?;
let (i1, _typ) = verify!(input, le_u16, |&x| x == CsType::Net as u16)?;
// less _typ (u16), this length indicator (u16), count (u32)
let (i2, sz) = map_opt!(i1, le_u16, |x: u16| x.checked_sub(8))?;
let (i3, count) = try_parse!(i2, le_u32);
@ -1101,10 +1103,10 @@ fn parse_mcs_connect_response(
_ber_type: verify!(
le_u8,
// BER: 0b01=application, 0b1=non-primitive, 0b11111
|x| x == 0x7f)
|&x| x == 0x7f)
>> _t125_type: verify!(
le_u8,
|x| x == T125Type::T125TypeMcsConnectResponse as u8)
|&x| x == T125Type::T125TypeMcsConnectResponse as u8)
>> (McsConnectResponse {})
}
}

3
rust/src/rdp/util.rs
Unescape Escape View File

@ -20,7 +20,8 @@
use byteorder::ReadBytesExt;
use memchr::memchr;
use nom;
use nom::{ErrorKind, IResult, Needed};
use nom::{IResult, Needed};
use nom::error::ErrorKind;
use crate::rdp::error::RDP_UNIMPLEMENTED_LENGTH_DETERMINANT;
use std::io::Cursor;
use widestring::U16CString;

4
rust/src/sip/parser.rs
Unescape Escape View File

@ -18,7 +18,9 @@
// written by Giuseppe Longo <giuseppe@glono.it>
use nom::*;
use nom::{crlf, IResult};
use nom::IResult;
use nom::character::{is_alphabetic, is_alphanumeric, is_space};
use nom::character::complete::crlf;
use std;
use std::collections::HashMap;

16
rust/src/smb/auth.rs
Unescape Escape View File

@ -22,8 +22,10 @@ use crate::smb::ntlmssp_records::*;
use crate::smb::smb::*;
use nom;
use nom::{IResult, ErrorKind};
use der_parser;
use nom::IResult;
use nom::error::ErrorKind;
use der_parser::ber::BerObjectContent;
use der_parser::der::{parse_der_oid, parse_der_sequence};
fn parse_secblob_get_spnego(blob: &[u8]) -> IResult<&[u8], &[u8]>
{
@ -33,7 +35,7 @@ fn parse_secblob_get_spnego(blob: &[u8]) -> IResult<&[u8], &[u8]>
Err(_) => { return Err(nom::Err::Error(error_position!(blob,ErrorKind::Custom(SECBLOB_NOT_SPNEGO)))); },
Ok(d) => d,
};
let (next, o) = der_parser::parse_der_oid(d)?;
let (next, o) = parse_der_oid(d)?;
SCLogDebug!("parse_secblob_get_spnego: sub_o {:?}", o);
let oid = match o.content.as_oid() {
@ -85,7 +87,7 @@ fn parse_secblob_spnego(blob: &[u8]) -> Option<SpnegoRequest>
let mut kticket : Option<Kerberos5Ticket> = None;
let mut ntlmssp : Option<NtlmsspData> = None;
let o = match der_parser::parse_der_sequence(blob) {
let o = match parse_der_sequence(blob) {
Ok((_, o)) => o,
_ => { return None; },
};
@ -102,11 +104,11 @@ fn parse_secblob_spnego(blob: &[u8]) -> Option<SpnegoRequest>
};
SCLogDebug!("o {:?}", o);
match o.content {
der_parser::DerObjectContent::Sequence(ref seq) => {
BerObjectContent::Sequence(ref seq) => {
for se in seq {
SCLogDebug!("SEQ {:?}", se);
match se.content {
der_parser::DerObjectContent::OID(ref oid) => {
BerObjectContent::OID(ref oid) => {
SCLogDebug!("OID {:?}", oid);
match oid.to_string().as_str() {
"1.2.840.48018.1.2.2" => { SCLogDebug!("Microsoft Kerberos 5"); },
@ -123,7 +125,7 @@ fn parse_secblob_spnego(blob: &[u8]) -> Option<SpnegoRequest>
}
}
},
der_parser::DerObjectContent::OctetString(ref os) => {
BerObjectContent::OctetString(ref os) => {
if have_kerberos {
match parse_kerberos5_request(os) {
Ok((_, t)) => {

18
rust/src/smb/dcerpc_records.rs
Unescape Escape View File

@ -16,7 +16,11 @@
*/
use nom;
use nom::{rest, le_u8, be_u16, le_u16, le_u32, IResult, ErrorKind, Endianness};
use nom::IResult;
use nom::error::ErrorKind;
use nom::combinator::rest;
use nom::number::Endianness;
use nom::number::complete::{be_u16, le_u8, le_u16, le_u32};
#[derive(Debug,PartialEq)]
pub struct DceRpcResponseRecord<'a> {
@ -208,13 +212,13 @@ named!(pub parse_dcerpc_record<DceRpcRecord>,
>> version_minor: le_u8
>> packet_type: le_u8
>> packet_flags: bits!(tuple!(
take_bits!(u8, 6),
take_bits!(u8, 1), // last (1)
take_bits!(u8, 1))) // first (2)
take_bits!(6u8),
take_bits!(1u8), // last (1)
take_bits!(1u8))) // first (2)
>> data_rep: bits!(tuple!(
take_bits!(u32, 3),
take_bits!(u32, 1), // endianess
take_bits!(u32, 28)))
take_bits!(3u32),
take_bits!(1u32), // endianess
take_bits!(28u32)))
>> endian: value!(if data_rep.1 == 0 { Endianness::Big } else { Endianness::Little })
>> frag_len: u16!(endian)
>> _auth: u16!(endian)

10
rust/src/smb/nbss_records.rs
Unescape Escape View File

@ -15,7 +15,7 @@
* 02110-1301, USA.
*/
use nom::{rest};
use nom::combinator::rest;
pub const NBSS_MSGTYPE_SESSION_MESSAGE: u8 = 0x00;
pub const NBSS_MSGTYPE_SESSION_REQUEST: u8 = 0x81;
@ -62,8 +62,8 @@ impl<'a> NbssRecord<'a> {
named!(pub parse_nbss_record<NbssRecord>,
do_parse!(
type_and_len: bits!(tuple!(
take_bits!(u8, 8),
take_bits!(u32, 24)))
take_bits!(8u8),
take_bits!(24u32)))
>> data: take!(type_and_len.1 as usize)
>> (NbssRecord {
message_type:type_and_len.0,
@ -75,8 +75,8 @@ named!(pub parse_nbss_record<NbssRecord>,
named!(pub parse_nbss_record_partial<NbssRecord>,
do_parse!(
type_and_len: bits!(tuple!(
take_bits!(u8, 8),
take_bits!(u32, 24)))
take_bits!(8u8),
take_bits!(24u32)))
>> data: rest
>> (NbssRecord {
message_type:type_and_len.0,

8
rust/src/smb/ntlmssp_records.rs
Unescape Escape View File

@ -15,7 +15,8 @@
* 02110-1301, USA.
*/
use nom::{rest, le_u8, le_u16, le_u32};
use nom::combinator::rest;
use nom::number::complete::{le_u8, le_u16, le_u32};
#[derive(Debug,PartialEq)]
pub struct NTLMSSPVersion {
@ -82,7 +83,7 @@ named!(pub parse_ntlm_auth_record<NTLMSSPAuthRecord>,
>> _ssnkey_blob_maxlen: le_u16
>> _ssnkey_blob_offset: le_u32
>> nego_flags: bits!(tuple!(take_bits!(u8, 6),take_bits!(u8,1),take_bits!(u32,25)))
>> nego_flags: bits!(tuple!(take_bits!(6u8),take_bits!(1u8),take_bits!(25u32)))
>> version: cond!(nego_flags.1==1, parse_ntlm_auth_version)
// subtrack 12 as idenfier (8) and type (4) are cut before we are called
@ -112,7 +113,8 @@ pub struct NTLMSSPRecord<'a> {
named!(pub parse_ntlmssp<NTLMSSPRecord>,
do_parse!(
take_until_and_consume!("NTLMSSP\x00")
take_until!("NTLMSSP\x00")
>> tag!("NTLMSSP\x00")
>> msg_type: le_u32
>> data: rest
>> (NTLMSSPRecord {

10
rust/src/smb/smb1_records.rs
Unescape Escape View File

@ -16,7 +16,9 @@
*/
use crate::log::*;
use nom::{rest, le_u8, le_u16, le_u32, le_u64, IResult};
use nom::IResult;
use nom::combinator::rest;
use nom::number::complete::{le_u8, le_u16, le_u32, le_u64};
use crate::smb::smb::*;
use crate::smb::smb_records::*;
@ -202,7 +204,7 @@ pub fn parse_smb_connect_tree_andx_record<'a>(i: &'a[u8], r: &SmbRecord) -> IRes
>> pwlen: le_u16
>> _bcc: le_u16
>> _pw: take!(pwlen)
>> path: apply!(smb1_get_string, r, 11 + pwlen as usize)
>> path: call!(smb1_get_string, r, 11 + pwlen as usize)
>> service: take_until_and_consume!("\x00")
>> (SmbRecordTreeConnectAndX {
path,
@ -522,7 +524,7 @@ named!(pub parse_smb_rename_request_record<SmbRequestRenameRecord>,
>> _oldtype: le_u8
>> oldname: smb_get_unicode_string
>> _newtype: le_u8
>> newname: apply!(smb_get_unicode_string_with_offset, 1) // HACK if we assume oldname is a series of utf16 chars offset would be 1
>> newname: call!(smb_get_unicode_string_with_offset, 1) // HACK if we assume oldname is a series of utf16 chars offset would be 1
>> (SmbRequestRenameRecord {
oldname,
newname
@ -547,7 +549,7 @@ pub fn parse_smb_create_andx_request_record<'a>(i: &'a[u8], r: &SmbRecord)
>> create_options: le_u32
>> _skip2: take!(5)
>> bcc: le_u16
>> file_name: cond!(bcc >= file_name_len, apply!(smb1_get_string, r, (bcc - file_name_len) as usize))
>> file_name: cond!(bcc >= file_name_len, call!(smb1_get_string, r, (bcc - file_name_len) as usize))
>> _skip3: rest
>> (SmbRequestCreateAndXRecord {
disposition: disposition,

40
rust/src/smb/smb2_records.rs
Unescape Escape View File

@ -16,7 +16,9 @@
*/
use nom;
use nom::{rest, le_u8, le_u16, le_u32, le_u64, IResult};
use nom::IResult;
use nom::combinator::rest;
use nom::number::complete::{le_u8, le_u16, le_u32, le_u64};
use crate::smb::smb::*;
#[derive(Debug,PartialEq)]
@ -75,14 +77,14 @@ named!(pub parse_smb2_request_record<Smb2Record>,
>> command: le_u16
>> _credits_requested: le_u16
>> flags: bits!(tuple!(
take_bits!(u8, 2), // reserved / unused
take_bits!(u8, 1), // replay op
take_bits!(u8, 1), // dfs op
take_bits!(u32, 24), // reserved / unused
take_bits!(u8, 1), // signing
take_bits!(u8, 1), // chained
take_bits!(u8, 1), // async
take_bits!(u8, 1) // response
take_bits!(2u8), // reserved / unused
take_bits!(1u8), // replay op
take_bits!(1u8), // dfs op
take_bits!(24u32), // reserved / unused
take_bits!(1u8), // signing
take_bits!(1u8), // chained
take_bits!(1u8), // async
take_bits!(1u8) // response
))
>> chain_offset: le_u32
>> message_id: le_u64
@ -379,7 +381,7 @@ named!(pub parse_smb2_request_write<Smb2WriteRequestRecord>,
>> _remaining_bytes: le_u32
>> _write_flags: le_u32
>> _skip2: take!(4)
>> data: apply!(parse_smb2_data, wr_len)
>> data: call!(parse_smb2_data, wr_len)
>> (Smb2WriteRequestRecord {
wr_len:wr_len,
wr_offset:wr_offset,
@ -439,7 +441,7 @@ named!(pub parse_smb2_response_read<Smb2ReadResponseRecord>,
>> rd_len: le_u32
>> _rd_rem: le_u32
>> _padding: take!(4)
>> data: apply!(parse_smb2_data, rd_len)
>> data: call!(parse_smb2_data, rd_len)
>> (Smb2ReadResponseRecord {
len : rd_len,
data : data,
@ -506,14 +508,14 @@ named!(pub parse_smb2_response_record<Smb2Record>,
>> command: le_u16
>> _credit_granted: le_u16
>> flags: bits!(tuple!(
take_bits!(u8, 2), // reserved / unused
take_bits!(u8, 1), // replay op
take_bits!(u8, 1), // dfs op
take_bits!(u32, 24), // reserved / unused
take_bits!(u8, 1), // signing
take_bits!(u8, 1), // chained
take_bits!(u8, 1), // async
take_bits!(u8, 1) // response
take_bits!(2u8), // reserved / unused
take_bits!(1u8), // replay op
take_bits!(1u8), // dfs op
take_bits!(24u32), // reserved / unused
take_bits!(1u8), // signing
take_bits!(1u8), // chained
take_bits!(1u8), // async
take_bits!(1u8) // response
))
>> chain_offset: le_u32
>> message_id: le_u64

2
rust/src/smb/smb3.rs
Unescape Escape View File

@ -15,7 +15,7 @@
* 02110-1301, USA.
*/
use nom::{le_u16, le_u32, le_u64};
use nom::number::complete::{le_u16, le_u32, le_u64};
#[derive(Debug,PartialEq)]
pub struct Smb3TransformRecord<'a> {

3
rust/src/smb/smb_records.rs
Unescape Escape View File

@ -16,7 +16,8 @@
*/
use nom;
use nom::{ErrorKind, IResult};
use nom::IResult;
use nom::error::ErrorKind;
use crate::log::*;
/// parse a UTF16 string that is null terminated. Normally by 2 null

8
rust/src/snmp/snmp.rs
Unescape Escape View File

@ -28,10 +28,12 @@ use std::mem::transmute;
use crate::log::*;
use der_parser::{DerObjectContent,parse_der_sequence};
use der_parser::ber::BerObjectContent;
use der_parser::der::parse_der_sequence;
use der_parser::oid::Oid;
use nom;
use nom::{ErrorKind,IResult};
use nom::IResult;
use nom::error::ErrorKind;
#[repr(u32)]
pub enum SNMPEvent {
@ -537,7 +539,7 @@ fn parse_pdu_enveloppe_version(i:&[u8]) -> IResult<&[u8],u32> {
match parse_der_sequence(i) {
Ok((_,x)) => {
match x.content {
DerObjectContent::Sequence(ref v) => {
BerObjectContent::Sequence(ref v) => {
if v.len() == 3 {
match v[0].as_u32() {
Ok(0) => { return Ok((i,1)); }, // possibly SNMPv1

Write Preview
Loading…
Cancel
Save