smb/events: fix limit exceeded events and rules

4 years ago · 97bc7925d7
parent 7259ea8cf1
commit 97bc7925d7
4 changed files with 20 additions and 20 deletions
--- a/rules/smb-events.rules
+++ b/rules/smb-events.rules
@ -33,13 +33,13 @@ alert smb any any -> any any (msg:"SURICATA SMB supported READ size exceeded"; f
 alert smb any any -> any any (msg:"SURICATA SMB supported WRITE size exceeded"; flow:to_server; app-layer-event:smb.negotiate_max_write_size_too_large; classtype:protocol-command-decode; sid:2225013; rev:1;)

 # checks 'app-layer.protocols.smb.max-write-queue-size` against out of order chunks
-alert smb any any -> any any (msg:"SURICATA SMB max WRITE queue size exceeded"; flow:to_server; app-layer-event:smb.write_queue_size_too_large; classtype:protocol-command-decode; sid:2225014; rev:1;)
+alert smb any any -> any any (msg:"SURICATA SMB max WRITE queue size exceeded"; flow:to_server; app-layer-event:smb.write_queue_size_exceeded; classtype:protocol-command-decode; sid:2225014; rev:1;)
 # checks 'app-layer.protocols.smb.max-write-queue-cnt` against out of order chunks
-alert smb any any -> any any (msg:"SURICATA SMB max WRITE queue cnt exceeded"; flow:to_server; app-layer-event:smb.write_queue_cnt_too_large; classtype:protocol-command-decode; sid:2225015; rev:1;)
+alert smb any any -> any any (msg:"SURICATA SMB max WRITE queue cnt exceeded"; flow:to_server; app-layer-event:smb.write_queue_cnt_exceeded; classtype:protocol-command-decode; sid:2225015; rev:1;)

 # checks 'app-layer.protocols.smb.max-read-queue-size` against out of order chunks
-alert smb any any -> any any (msg:"SURICATA SMB max READ queue size exceeded"; flow:to_client; app-layer-event:smb.read_queue_size_too_large; classtype:protocol-command-decode; sid:2225016; rev:1;)
+alert smb any any -> any any (msg:"SURICATA SMB max READ queue size exceeded"; flow:to_client; app-layer-event:smb.read_queue_size_exceeded; classtype:protocol-command-decode; sid:2225016; rev:1;)
 # checks 'app-layer.protocols.smb.max-read-queue-cnt` against out of order chunks
-alert smb any any -> any any (msg:"SURICATA SMB max READ queue cnt exceeded"; flow:to_client; app-layer-event:smb.read_queue_cnt_too_large; classtype:protocol-command-decode; sid:2225017; rev:1;)
+alert smb any any -> any any (msg:"SURICATA SMB max READ queue cnt exceeded"; flow:to_client; app-layer-event:smb.read_queue_cnt_exceeded; classtype:protocol-command-decode; sid:2225017; rev:1;)

 # next sid 2225018
--- a/rust/src/smb/events.rs
+++ b/rust/src/smb/events.rs
@ -38,8 +38,8 @@ pub enum SMBEvent {
    ReadRequestTooLarge = 12,
    /// READ response bigger than `max_read_size`
    ReadResponseTooLarge = 13,
-    ReadResponseQueueSizeExceeded = 14,
-    ReadResponseQueueCntExceeded = 15,
+    ReadQueueSizeExceeded = 14,
+    ReadQueueCntExceeded = 15,
    /// WRITE request for more than `max_write_size`
    WriteRequestTooLarge = 16,
    WriteQueueSizeExceeded = 17,
@ -63,8 +63,8 @@ impl SMBEvent {
            11 => Some(SMBEvent::NegotiateMaxWriteSizeTooLarge),
            12 => Some(SMBEvent::ReadRequestTooLarge),
            13 => Some(SMBEvent::ReadResponseTooLarge),
-            14 => Some(SMBEvent::ReadResponseQueueSizeExceeded),
-            15 => Some(SMBEvent::ReadResponseQueueCntExceeded),
+            14 => Some(SMBEvent::ReadQueueSizeExceeded),
+            15 => Some(SMBEvent::ReadQueueCntExceeded),
            16 => Some(SMBEvent::WriteRequestTooLarge),
            17 => Some(SMBEvent::WriteQueueSizeExceeded),
            18 => Some(SMBEvent::WriteQueueCntExceeded),
@ -90,11 +90,11 @@ pub fn smb_str_to_event(instr: &str) -> i32 {
        "negotiate_max_write_size_too_large" => SMBEvent::NegotiateMaxWriteSizeTooLarge as i32,
        "read_request_too_large"            => SMBEvent::ReadRequestTooLarge as i32,
        "read_response_too_large"           => SMBEvent::ReadResponseTooLarge as i32,
-        "read_queue_size_too_large"         => SMBEvent::ReadResponseQueueSizeExceeded as i32,
-        "read_queue_cnt_too_large"          => SMBEvent::ReadResponseQueueCntExceeded as i32,
+        "read_queue_size_exceeded"          => SMBEvent::ReadQueueSizeExceeded as i32,
+        "read_queue_cnt_exceeded"           => SMBEvent::ReadQueueCntExceeded as i32,
        "write_request_too_large"           => SMBEvent::WriteRequestTooLarge as i32,
-        "write_queue_size_too_large"        => SMBEvent::WriteQueueSizeExceeded as i32,
-        "write_queue_cnt_too_large"         => SMBEvent::WriteQueueCntExceeded as i32,
+        "write_queue_size_exceeded"         => SMBEvent::WriteQueueSizeExceeded as i32,
+        "write_queue_cnt_exceeded"          => SMBEvent::WriteQueueCntExceeded as i32,
        _ => -1,
    }
 }
--- a/rust/src/smb/smb.rs
+++ b/rust/src/smb/smb.rs
@ -2235,11 +2235,11 @@ pub extern "C" fn rs_smb_state_get_event_info_by_id(event_id: std::os::raw::c_in
            SMBEvent::NegotiateMaxWriteSizeTooLarge => { "negotiate_max_write_size_too_large\0" },
            SMBEvent::ReadRequestTooLarge => { "read_request_too_large\0" },
            SMBEvent::ReadResponseTooLarge => { "read_response_too_large\0" },
-            SMBEvent::ReadResponseQueueSizeExceeded => { "read_queue_size_too_large\0" },
-            SMBEvent::ReadResponseQueueCntExceeded => { "read_queue_cnt_too_large\0" },
+            SMBEvent::ReadQueueSizeExceeded => { "read_queue_size_exceeded\0" },
+            SMBEvent::ReadQueueCntExceeded => { "read_queue_cnt_exceeded\0" },
            SMBEvent::WriteRequestTooLarge => { "write_request_too_large\0" },
-            SMBEvent::WriteQueueSizeExceeded => { "write_queue_size_too_large\0" },
-            SMBEvent::WriteQueueCntExceeded => { "write_queue_cnt_too_large\0" },
+            SMBEvent::WriteQueueSizeExceeded => { "write_queue_size_exceeded\0" },
+            SMBEvent::WriteQueueCntExceeded => { "write_queue_cnt_exceeded\0" },
        };
        unsafe{
            *event_name = estr.as_ptr() as *const std::os::raw::c_char;
--- a/rust/src/smb/smb2.rs
+++ b/rust/src/smb/smb2.rs
@ -167,10 +167,10 @@ pub fn smb2_read_response_record<'b>(state: &mut SMBState, r: &Smb2Record<'b>)
                        set_event_fileoverlap = true;
                    }
                    if max_queue_size != 0 && tdf.file_tracker.get_inflight_size() + rd.len as u64 > max_queue_size.into() {
-                        event = Some(SMBEvent::ReadResponseQueueCntExceeded);
+                        event = Some(SMBEvent::ReadQueueCntExceeded);
                        skip = Some((rd.len, rd.data.len()));
                    } else if max_queue_cnt != 0 && tdf.file_tracker.get_inflight_cnt() >= max_queue_cnt as usize {
-                        event = Some(SMBEvent::ReadResponseQueueCntExceeded);
+                        event = Some(SMBEvent::ReadQueueCntExceeded);
                        skip = Some((rd.len, rd.data.len()));
                    } else {
                        filetracker_newchunk(&mut tdf.file_tracker, files, flags,
@ -250,10 +250,10 @@ pub fn smb2_read_response_record<'b>(state: &mut SMBState, r: &Smb2Record<'b>)
                            set_event_fileoverlap = true;
                        }
                        if max_queue_size != 0 && tdf.file_tracker.get_inflight_size() + rd.len as u64 > max_queue_size.into() {
-                            event = Some(SMBEvent::ReadResponseQueueSizeExceeded);
+                            event = Some(SMBEvent::ReadQueueSizeExceeded);
                            skip = Some((rd.len, rd.data.len()));
                        } else if max_queue_cnt != 0 && tdf.file_tracker.get_inflight_cnt() >= max_queue_cnt as usize {
-                            event = Some(SMBEvent::ReadResponseQueueCntExceeded);
+                            event = Some(SMBEvent::ReadQueueCntExceeded);
                            skip = Some((rd.len, rd.data.len()));
                        } else {
                            filetracker_newchunk(&mut tdf.file_tracker, files, flags,