aiden
/
suricata
mirror of https://github.com/OISF/suricata
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

smb1: more exact tree connect record parsing

Browse Source
pull/3281/head
Victor Julien 7 years ago
parent 0ed00cf104
commit 668c747aee
2 changed files with 16 additions and 15 deletions
Show Stats Download Patch File Download Diff File

6
rust/src/smb/smb1.rs
Unescape Escape View File

@ -283,15 +283,13 @@ pub fn smb1_request_record<'b>(state: &mut SMBState, r: &SmbRecord<'b>) -> u32 {
}, },
SMB1_COMMAND_TREE_CONNECT_ANDX => { SMB1_COMMAND_TREE_CONNECT_ANDX => {
SCLogDebug!("SMB1_COMMAND_TREE_CONNECT_ANDX"); SCLogDebug!("SMB1_COMMAND_TREE_CONNECT_ANDX");
match parse_smb_connect_tree_andx_record(r.data) { match parse_smb_connect_tree_andx_record(r.data, r) {
IResult::Done(_, create_record) => { IResult::Done(_, create_record) => {
let name_key = SMBCommonHdr::from1(r, SMBHDR_TYPE_TREE); let name_key = SMBCommonHdr::from1(r, SMBHDR_TYPE_TREE);
let mut name_val = create_record.share.to_vec(); let mut name_val = create_record.path;
name_val.retain(|&i|i != 0x00);
if name_val.len() > 1 { if name_val.len() > 1 {
name_val = name_val[1..].to_vec(); name_val = name_val[1..].to_vec();
} }
//state.ssn2vec_map.insert(name_key, name_val);
// store hdr as SMBHDR_TYPE_TREE, so with tree id 0 // store hdr as SMBHDR_TYPE_TREE, so with tree id 0
// when the response finds this we update it // when the response finds this we update it

25
rust/src/smb/smb1_records.rs
Unescape Escape View File

@ -139,7 +139,7 @@ named!(pub parse_smb_connect_tree_andx_response_record<Smb1ResponseRecordTreeCon
>> cond!(wct == 7, take!(8)) // access masks >> cond!(wct == 7, take!(8)) // access masks
>> bcc: le_u16 >> bcc: le_u16
>> service: take_until_and_consume!("\x00") >> service: take_until_and_consume!("\x00")
>> nativefs: rest >> nativefs: take_until_and_consume!("\x00")
>> (Smb1ResponseRecordTreeConnectAndX { >> (Smb1ResponseRecordTreeConnectAndX {
service:service, service:service,
nativefs:nativefs, nativefs:nativefs,
@ -148,21 +148,24 @@ named!(pub parse_smb_connect_tree_andx_response_record<Smb1ResponseRecordTreeCon
#[derive(Debug,PartialEq)] #[derive(Debug,PartialEq)]
pub struct SmbRecordTreeConnectAndX<'a> { pub struct SmbRecordTreeConnectAndX<'a> {
pub share: &'a[u8], pub path: Vec<u8>,
pub service: &'a[u8],
} }
named!(pub parse_smb_connect_tree_andx_record<SmbRecordTreeConnectAndX>, pub fn parse_smb_connect_tree_andx_record<'a>(i: &'a[u8], r: &SmbRecord) -> IResult<&'a[u8], SmbRecordTreeConnectAndX<'a>> {
do_parse!( do_parse!(i,
skip1: take!(7) _skip1: take!(7)
>> pwlen: le_u16 >> pwlen: le_u16
>> bcc: le_u16 >> _bcc: le_u16
>> pw: take!(pwlen) >> _pw: take!(pwlen)
>> share: cond!(bcc >= (6 + pwlen), take!(bcc - (6 + pwlen))) >> unicode: value!(r.has_unicode_support())
>> service: take!(6) >> path: switch!(value!(unicode), true => call!(smb_get_unicode_string) | false => call!(smb_get_ascii_string))
>> service: take_until_and_consume!("\x00")
>> (SmbRecordTreeConnectAndX { >> (SmbRecordTreeConnectAndX {
share: share.unwrap_or(&[]), path: path,
service: service,
})) }))
); }
#[derive(Debug,PartialEq)] #[derive(Debug,PartialEq)]
pub struct SmbRecordTransRequest<'a> { pub struct SmbRecordTransRequest<'a> {

Write Preview
Loading…
Cancel
Save