From a40fdc794ea1b1d7003492ed4e38fe5f941b1e60 Mon Sep 17 00:00:00 2001 From: Anoop Saldanha Date: Sun, 1 May 2011 15:49:32 +0530 Subject: [PATCH] Added probing parser for nbss/smb on port 139 --- src/app-layer-detect-proto.c | 6 +- src/app-layer-detect-proto.h | 4 + src/app-layer-parser.c | 214 ++++++++------ src/app-layer-parser.h | 11 +- src/app-layer-smb.c | 528 ++++++++++++++++++++++++++++++++++- 5 files changed, 674 insertions(+), 89 deletions(-) diff --git a/src/app-layer-detect-proto.c b/src/app-layer-detect-proto.c index 9e35facb22..06dc305122 100644 --- a/src/app-layer-detect-proto.c +++ b/src/app-layer-detect-proto.c @@ -243,7 +243,7 @@ void AlpProtoAdd(AlpProtoDetectCtx *ctx, uint16_t ip_proto, uint16_t al_proto, c } #ifdef UNITTESTS -static void AlpProtoTestDestroy(AlpProtoDetectCtx *ctx) { +void AlpProtoTestDestroy(AlpProtoDetectCtx *ctx) { mpm_table[ctx->toserver.mpm_ctx.mpm_type].DestroyCtx(&ctx->toserver.mpm_ctx); mpm_table[ctx->toclient.mpm_ctx.mpm_type].DestroyCtx(&ctx->toclient.mpm_ctx); AlpProtoFreeSignature(ctx->head); @@ -515,7 +515,7 @@ uint16_t AppLayerDetectGetProtoProbingParser(AlpProtoDetectCtx *ctx, Flow *f, AppLayerProbingParser *pp = NULL; if (flags & STREAM_TOSERVER) { - pp = AppLayerGetProbingParsers(ipproto, f->dp); + pp = AppLayerGetProbingParsers(probing_parsers, ipproto, f->dp); if (pp == NULL) { SCLogDebug("toserver-No probing parser registered for port %"PRIu16, f->dp); @@ -536,7 +536,7 @@ uint16_t AppLayerDetectGetProtoProbingParser(AlpProtoDetectCtx *ctx, Flow *f, } pe = pp->toserver; } else { - pp = AppLayerGetProbingParsers(ipproto, f->sp); + pp = AppLayerGetProbingParsers(probing_parsers, ipproto, f->sp); if (pp == NULL) { SCLogDebug("toclient-No probing parser registered for port %"PRIu16, f->sp); diff --git a/src/app-layer-detect-proto.h b/src/app-layer-detect-proto.h index 1a327634d9..53b456d5eb 100644 --- a/src/app-layer-detect-proto.h +++ b/src/app-layer-detect-proto.h 
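Review bot: Both lookups in AppLayerDetectGetProtoProbingParser pass the file-scope global, `AppLayerGetProbingParsers(probing_parsers, ipproto, f->dp)` and its `f->sp` twin, so the detection path still cannot be pointed at a caller-owned list even though registration, printing and freeing now take one as an argument. If caller-owned lists are the goal, the list would have to reach this function as a parameter or through `ctx`. If the global is intended here, a short comment such as `/* detection always consults the global probing parser list */` would record that. The function body extends outside both hunks, so a local or parameter of the same name cannot be ruled out from this view.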
@@ -78,6 +78,7 @@ typedef struct AlpProtoDetectCtx_ { extern AlpProtoDetectCtx alp_proto_ctx; +void AlpProtoInit(AlpProtoDetectCtx *); void *AppLayerDetectProtoThread(void *td); void AppLayerDetectProtoThreadInit(void); @@ -97,8 +98,11 @@ void AlpProtoAdd(AlpProtoDetectCtx *, uint16_t, uint16_t, char *, uint16_t, uint void AppLayerDetectProtoThreadSpawn(void); void AlpDetectRegisterTests(void); +void AlpProtoFinalizeGlobal(AlpProtoDetectCtx *); +void AlpProtoFinalizeThread(AlpProtoDetectCtx *, AlpProtoDetectThreadCtx *); void AlpProtoFinalize2Thread(AlpProtoDetectThreadCtx *); void AlpProtoDeFinalize2Thread (AlpProtoDetectThreadCtx *); +void AlpProtoTestDestroy(AlpProtoDetectCtx *); void AlpProtoDestroy(void); #endif /* __APP_LAYER_DETECT_PROTO_H__ */ diff --git a/src/app-layer-parser.c b/src/app-layer-parser.c index 51d56a22d4..1d79e5ff5b 100644 --- a/src/app-layer-parser.c +++ b/src/app-layer-parser.c @@ -1348,10 +1348,11 @@ AppLayerCreateAppLayerProbingParserElement(const char *al_proto_name, return pe; } -static void AppLayerInsertNewProbingParserElement(AppLayerProbingParserElement *new_pe, +static void AppLayerInsertNewProbingParserElement(AppLayerProbingParser **probing_parsers, + AppLayerProbingParserElement *new_pe, uint8_t flags) { - AppLayerProbingParser *pp = probing_parsers; + AppLayerProbingParser *pp = probing_parsers[0]; while (pp != NULL) { if (pp->port == new_pe->port) { break; @@ -1367,10 +1368,10 @@ static void AppLayerInsertNewProbingParserElement(AppLayerProbingParserElement * new_pp->port = new_pe->port; - if (probing_parsers == NULL) { - probing_parsers = new_pp; + if (probing_parsers[0] == NULL) { + probing_parsers[0] = new_pp; } else { - AppLayerProbingParser *pp = probing_parsers; + AppLayerProbingParser *pp = probing_parsers[0]; while (pp->next != NULL) { pp = pp->next; } 
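Review bot: In AppLayerInsertNewProbingParserElement the new `AppLayerProbingParser **probing_parsers` parameter is a pointer to the list head, not an array, so `probing_parsers[0]` reads misleadingly. Writing `AppLayerProbingParser *pp = *probing_parsers;` and `*probing_parsers = new_pp;` states the intent directly. The parameter is dereferenced without a NULL check, so a one-line comment on the function saying the caller must pass a non-NULL head pointer would document that contract. The function body continues outside these hunks.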
@@ -1450,9 +1451,8 @@ static void AppLayerInsertNewProbingParserElement(AppLayerProbingParserElement * return; } -void AppLayerPrintProbingParsers(void) +void AppLayerPrintProbingParsers(AppLayerProbingParser *pp) { - AppLayerProbingParser *pp = probing_parsers; AppLayerProbingParserElement *pe = NULL; printf("\n"); @@ -1516,7 +1516,8 @@ void AppLayerPrintProbingParsers(void) return; } -void AppLayerRegisterProbingParser(uint16_t port, +void AppLayerRegisterProbingParser(AppLayerProbingParser **probing_parsers, + uint16_t port, uint16_t ip_proto, const char *al_proto_name, uint16_t al_proto, @@ -1529,7 +1530,8 @@ void AppLayerRegisterProbingParser(uint16_t port, (uint8_t *input, uint32_t input_len)) { AppLayerProbingParserElement *pe = NULL; - AppLayerProbingParser *pp = AppLayerGetProbingParsers(ip_proto, port); + AppLayerProbingParser *pp = AppLayerGetProbingParsers(probing_parsers[0], + ip_proto, port); if (pp != NULL) { if (flags & STREAM_TOSERVER) { pe = pp->toserver; @@ -1562,11 +1564,11 @@ void AppLayerRegisterProbingParser(uint16_t port, if (new_pe == NULL) return; - AppLayerInsertNewProbingParserElement(new_pe, flags); + AppLayerInsertNewProbingParserElement(probing_parsers, new_pe, flags); return; } -void AppLayerFreeProbingParsers(void) +void AppLayerFreeProbingParsers(AppLayerProbingParser *probing_parsers) { while (probing_parsers != NULL) { AppLayerProbingParserElement *pe; @@ -1753,9 +1755,11 @@ end: static int AppLayerProbingParserTest01(void) { - AppLayerFreeProbingParsers(); + //AppLayerFreeProbingParsers(); - AppLayerRegisterProbingParser(80, + AppLayerProbingParser *probing_parsers = NULL; + AppLayerRegisterProbingParser(&probing_parsers, + 80, IPPROTO_TCP, "http", ALPROTO_HTTP, @@ -1766,7 +1770,7 @@ static int AppLayerProbingParserTest01(void) if (probing_parsers == NULL) return 0; - AppLayerFreeProbingParsers(); + AppLayerFreeProbingParsers(probing_parsers); return 1; } 
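Review bot: AppLayerFreeProbingParsers now walks a by-value copy of the list head, so when it returns the caller's pointer still refers to freed nodes; with the old `void` signature the loop presumably advanced the global itself and left it NULL. Any caller that frees the global list and later reaches `AppLayerGetProbingParsers(probing_parsers, ...)` would read freed memory, though whether such a caller exists is not visible here. Taking `AppLayerProbingParser **` as AppLayerRegisterProbingParser does, and finishing with `*probing_parsers = NULL;`, would keep the old guarantee. The function body continues outside the hunk.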
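Review bot: The commented-out `//AppLayerFreeProbingParsers();` at the top of AppLayerProbingParserTest01 is dead code now that the test owns a local list, and should be deleted rather than left behind. The same leftover line is added in AppLayerProbingParserTest02 through AppLayerProbingParserTest13. If the intent is to record that the global list is deliberately untouched, say so in a real comment, for example `/* uses a local list; the global probing_parsers is not modified */`.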
@@ -1776,9 +1780,10 @@ static int AppLayerProbingParserTest02(void) AppLayerProbingParser *pp; AppLayerProbingParserElement *pe; - AppLayerFreeProbingParsers(); - - AppLayerRegisterProbingParser(80, + //AppLayerFreeProbingParsers(); + AppLayerProbingParser *probing_parsers = NULL; + AppLayerRegisterProbingParser(&probing_parsers, + 80, IPPROTO_TCP, "http", ALPROTO_HTTP, @@ -1821,7 +1826,8 @@ static int AppLayerProbingParserTest02(void) if (pe->ProbingParser != NULL) goto end; - AppLayerRegisterProbingParser(80, + AppLayerRegisterProbingParser(&probing_parsers, + 80, IPPROTO_TCP, "smb", ALPROTO_SMB, @@ -1882,7 +1888,8 @@ static int AppLayerProbingParserTest02(void) if (pe->ProbingParser != NULL) goto end; - AppLayerRegisterProbingParser(80, + AppLayerRegisterProbingParser(&probing_parsers, + 80, IPPROTO_TCP, "dcerpc", ALPROTO_DCERPC, @@ -1964,7 +1971,7 @@ static int AppLayerProbingParserTest02(void) result = 1; end: - AppLayerFreeProbingParsers(); + AppLayerFreeProbingParsers(probing_parsers); return result; } @@ -1974,9 +1981,10 @@ static int AppLayerProbingParserTest03(void) AppLayerProbingParser *pp; AppLayerProbingParserElement *pe; - AppLayerFreeProbingParsers(); - - AppLayerRegisterProbingParser(80, + //AppLayerFreeProbingParsers(); + AppLayerProbingParser *probing_parsers = NULL; + AppLayerRegisterProbingParser(&probing_parsers, + 80, IPPROTO_TCP, "http", ALPROTO_HTTP, @@ -2019,7 +2027,8 @@ static int AppLayerProbingParserTest03(void) if (pe->ProbingParser != NULL) goto end; - AppLayerRegisterProbingParser(80, + AppLayerRegisterProbingParser(&probing_parsers, + 80, IPPROTO_TCP, "smb", ALPROTO_SMB, @@ -2080,7 +2089,8 @@ static int AppLayerProbingParserTest03(void) if (pe->ProbingParser != NULL) goto end; - AppLayerRegisterProbingParser(80, + AppLayerRegisterProbingParser(&probing_parsers, + 80, IPPROTO_TCP, "dcerpc", ALPROTO_DCERPC, 
@@ -2162,7 +2172,7 @@ static int AppLayerProbingParserTest03(void) result = 1; end: - AppLayerFreeProbingParsers(); + AppLayerFreeProbingParsers(probing_parsers); return result; } @@ -2172,9 +2182,11 @@ static int AppLayerProbingParserTest04(void) AppLayerProbingParser *pp; AppLayerProbingParserElement *pe; - AppLayerFreeProbingParsers(); + //AppLayerFreeProbingParsers(); - AppLayerRegisterProbingParser(80, + AppLayerProbingParser *probing_parsers = NULL; + AppLayerRegisterProbingParser(&probing_parsers, + 80, IPPROTO_TCP, "http", ALPROTO_HTTP, @@ -2217,7 +2229,8 @@ static int AppLayerProbingParserTest04(void) if (pe->ProbingParser != NULL) goto end; - AppLayerRegisterProbingParser(80, + AppLayerRegisterProbingParser(&probing_parsers, + 80, IPPROTO_TCP, "smb", ALPROTO_SMB, @@ -2278,7 +2291,8 @@ static int AppLayerProbingParserTest04(void) if (pe->ProbingParser != NULL) goto end; - AppLayerRegisterProbingParser(80, + AppLayerRegisterProbingParser(&probing_parsers, + 80, IPPROTO_TCP, "dcerpc", ALPROTO_DCERPC, @@ -2360,7 +2374,7 @@ static int AppLayerProbingParserTest04(void) result = 1; end: - AppLayerFreeProbingParsers(); + AppLayerFreeProbingParsers(probing_parsers); return result; } @@ -2370,9 +2384,10 @@ static int AppLayerProbingParserTest05(void) AppLayerProbingParser *pp; AppLayerProbingParserElement *pe; - AppLayerFreeProbingParsers(); - - AppLayerRegisterProbingParser(80, + //AppLayerFreeProbingParsers(); + AppLayerProbingParser *probing_parsers = NULL; + AppLayerRegisterProbingParser(&probing_parsers, + 80, IPPROTO_TCP, "http", ALPROTO_HTTP, @@ -2415,7 +2430,8 @@ static int AppLayerProbingParserTest05(void) if (pe->ProbingParser != NULL) goto end; - AppLayerRegisterProbingParser(80, + AppLayerRegisterProbingParser(&probing_parsers, + 80, IPPROTO_TCP, "smb", ALPROTO_SMB, 
@@ -2476,7 +2492,8 @@ static int AppLayerProbingParserTest05(void) if (pe->ProbingParser != NULL) goto end; - AppLayerRegisterProbingParser(80, + AppLayerRegisterProbingParser(&probing_parsers, + 80, IPPROTO_TCP, "dcerpc", ALPROTO_DCERPC, @@ -2558,7 +2575,7 @@ static int AppLayerProbingParserTest05(void) result = 1; end: - AppLayerFreeProbingParsers(); + AppLayerFreeProbingParsers(probing_parsers); return result; } @@ -2568,9 +2585,11 @@ static int AppLayerProbingParserTest06(void) AppLayerProbingParser *pp; AppLayerProbingParserElement *pe; - AppLayerFreeProbingParsers(); + //AppLayerFreeProbingParsers(); - AppLayerRegisterProbingParser(80, + AppLayerProbingParser *probing_parsers = NULL; + AppLayerRegisterProbingParser(&probing_parsers, + 80, IPPROTO_TCP, "http", ALPROTO_HTTP, @@ -2613,7 +2632,8 @@ static int AppLayerProbingParserTest06(void) if (pe->ProbingParser != NULL) goto end; - AppLayerRegisterProbingParser(80, + AppLayerRegisterProbingParser(&probing_parsers, + 80, IPPROTO_TCP, "smb", ALPROTO_SMB, @@ -2674,7 +2694,8 @@ static int AppLayerProbingParserTest06(void) if (pe->ProbingParser != NULL) goto end; - AppLayerRegisterProbingParser(80, + AppLayerRegisterProbingParser(&probing_parsers, + 80, IPPROTO_TCP, "dcerpc", ALPROTO_DCERPC, @@ -2756,7 +2777,7 @@ static int AppLayerProbingParserTest06(void) result = 1; end: - AppLayerFreeProbingParsers(); + AppLayerFreeProbingParsers(probing_parsers); return result; } @@ -2766,9 +2787,11 @@ static int AppLayerProbingParserTest07(void) AppLayerProbingParser *pp; AppLayerProbingParserElement *pe; - AppLayerFreeProbingParsers(); + //AppLayerFreeProbingParsers(); - AppLayerRegisterProbingParser(80, + AppLayerProbingParser *probing_parsers = NULL; + AppLayerRegisterProbingParser(&probing_parsers, + 80, IPPROTO_TCP, "http", ALPROTO_HTTP, 
@@ -2811,7 +2834,8 @@ static int AppLayerProbingParserTest07(void) if (pe->ProbingParser != NULL) goto end; - AppLayerRegisterProbingParser(80, + AppLayerRegisterProbingParser(&probing_parsers, + 80, IPPROTO_TCP, "smb", ALPROTO_SMB, @@ -2872,7 +2896,8 @@ static int AppLayerProbingParserTest07(void) if (pe->ProbingParser != NULL) goto end; - AppLayerRegisterProbingParser(80, + AppLayerRegisterProbingParser(&probing_parsers, + 80, IPPROTO_TCP, "dcerpc", ALPROTO_DCERPC, @@ -2954,7 +2979,7 @@ static int AppLayerProbingParserTest07(void) result = 1; end: - AppLayerFreeProbingParsers(); + AppLayerFreeProbingParsers(probing_parsers); return result; } @@ -2964,9 +2989,11 @@ static int AppLayerProbingParserTest08(void) AppLayerProbingParser *pp; AppLayerProbingParserElement *pe; - AppLayerFreeProbingParsers(); + //AppLayerFreeProbingParsers(); - AppLayerRegisterProbingParser(80, + AppLayerProbingParser *probing_parsers = NULL; + AppLayerRegisterProbingParser(&probing_parsers, + 80, IPPROTO_TCP, "http", ALPROTO_HTTP, @@ -3009,7 +3036,8 @@ static int AppLayerProbingParserTest08(void) if (pe->ProbingParser != NULL) goto end; - AppLayerRegisterProbingParser(80, + AppLayerRegisterProbingParser(&probing_parsers, + 80, IPPROTO_TCP, "smb", ALPROTO_SMB, @@ -3070,7 +3098,8 @@ static int AppLayerProbingParserTest08(void) if (pe->ProbingParser != NULL) goto end; - AppLayerRegisterProbingParser(80, + AppLayerRegisterProbingParser(&probing_parsers, + 80, IPPROTO_TCP, "dcerpc", ALPROTO_DCERPC, @@ -3152,7 +3181,7 @@ static int AppLayerProbingParserTest08(void) result = 1; end: - AppLayerFreeProbingParsers(); + AppLayerFreeProbingParsers(probing_parsers); return result; } 
@@ -3162,9 +3191,11 @@ static int AppLayerProbingParserTest09(void) AppLayerProbingParser *pp; AppLayerProbingParserElement *pe; - AppLayerFreeProbingParsers(); + //AppLayerFreeProbingParsers(); - AppLayerRegisterProbingParser(80, + AppLayerProbingParser *probing_parsers = NULL; + AppLayerRegisterProbingParser(&probing_parsers, + 80, IPPROTO_TCP, "http", ALPROTO_HTTP, @@ -3207,7 +3238,8 @@ static int AppLayerProbingParserTest09(void) if (pe->ProbingParser != NULL) goto end; - AppLayerRegisterProbingParser(80, + AppLayerRegisterProbingParser(&probing_parsers, + 80, IPPROTO_TCP, "smb", ALPROTO_SMB, @@ -3268,7 +3300,8 @@ static int AppLayerProbingParserTest09(void) if (pe->ProbingParser != NULL) goto end; - AppLayerRegisterProbingParser(80, + AppLayerRegisterProbingParser(&probing_parsers, + 80, IPPROTO_TCP, "dcerpc", ALPROTO_DCERPC, @@ -3350,7 +3383,7 @@ static int AppLayerProbingParserTest09(void) result = 1; end: - AppLayerFreeProbingParsers(); + AppLayerFreeProbingParsers(probing_parsers); return result; } @@ -3360,9 +3393,11 @@ static int AppLayerProbingParserTest10(void) AppLayerProbingParser *pp; AppLayerProbingParserElement *pe; - AppLayerFreeProbingParsers(); + //AppLayerFreeProbingParsers(); - AppLayerRegisterProbingParser(80, + AppLayerProbingParser *probing_parsers = NULL; + AppLayerRegisterProbingParser(&probing_parsers, + 80, IPPROTO_TCP, "http", ALPROTO_HTTP, @@ -3405,7 +3440,8 @@ static int AppLayerProbingParserTest10(void) if (pe->ProbingParser != NULL) goto end; - AppLayerRegisterProbingParser(80, + AppLayerRegisterProbingParser(&probing_parsers, + 80, IPPROTO_TCP, "smb", ALPROTO_SMB, @@ -3466,7 +3502,8 @@ static int AppLayerProbingParserTest10(void) if (pe->ProbingParser != NULL) goto end; - AppLayerRegisterProbingParser(80, + AppLayerRegisterProbingParser(&probing_parsers, + 80, IPPROTO_TCP, "dcerpc", ALPROTO_DCERPC, 
@@ -3548,7 +3585,7 @@ static int AppLayerProbingParserTest10(void) result = 1; end: - AppLayerFreeProbingParsers(); + AppLayerFreeProbingParsers(probing_parsers); return result; } @@ -3558,9 +3595,11 @@ static int AppLayerProbingParserTest11(void) AppLayerProbingParser *pp; AppLayerProbingParserElement *pe; - AppLayerFreeProbingParsers(); + //AppLayerFreeProbingParsers(); - AppLayerRegisterProbingParser(80, + AppLayerProbingParser *probing_parsers = NULL; + AppLayerRegisterProbingParser(&probing_parsers, + 80, IPPROTO_TCP, "http", ALPROTO_HTTP, @@ -3603,7 +3642,8 @@ static int AppLayerProbingParserTest11(void) if (pe->ProbingParser != NULL) goto end; - AppLayerRegisterProbingParser(80, + AppLayerRegisterProbingParser(&probing_parsers, + 80, IPPROTO_TCP, "smb", ALPROTO_SMB, @@ -3664,7 +3704,8 @@ static int AppLayerProbingParserTest11(void) if (pe->ProbingParser != NULL) goto end; - AppLayerRegisterProbingParser(81, + AppLayerRegisterProbingParser(&probing_parsers, + 81, IPPROTO_TCP, "dcerpc", ALPROTO_DCERPC, @@ -3757,7 +3798,8 @@ static int AppLayerProbingParserTest11(void) if (pe->ProbingParser != NULL) goto end; - AppLayerRegisterProbingParser(81, + AppLayerRegisterProbingParser(&probing_parsers, + 81, IPPROTO_TCP, "ftp", ALPROTO_FTP, @@ -3871,7 +3913,7 @@ static int AppLayerProbingParserTest11(void) result = 1; end: - AppLayerFreeProbingParsers(); + AppLayerFreeProbingParsers(probing_parsers); return result; } @@ -3881,9 +3923,11 @@ static int AppLayerProbingParserTest12(void) AppLayerProbingParser *pp; AppLayerProbingParserElement *pe; - AppLayerFreeProbingParsers(); + //AppLayerFreeProbingParsers(); - AppLayerRegisterProbingParser(80, + AppLayerProbingParser *probing_parsers = NULL; + AppLayerRegisterProbingParser(&probing_parsers, + 80, IPPROTO_TCP, "http", ALPROTO_HTTP, 
@@ -3926,7 +3970,8 @@ static int AppLayerProbingParserTest12(void) if (pe->ProbingParser != NULL) goto end; - AppLayerRegisterProbingParser(81, + AppLayerRegisterProbingParser(&probing_parsers, + 81, IPPROTO_TCP, "dcerpc", ALPROTO_DCERPC, @@ -4001,7 +4046,8 @@ static int AppLayerProbingParserTest12(void) if (pe->ProbingParser != NULL) goto end; - AppLayerRegisterProbingParser(80, + AppLayerRegisterProbingParser(&probing_parsers, + 80, IPPROTO_TCP, "smb", ALPROTO_SMB, @@ -4093,7 +4139,8 @@ static int AppLayerProbingParserTest12(void) if (pe->ProbingParser != NULL) goto end; - AppLayerRegisterProbingParser(81, + AppLayerRegisterProbingParser(&probing_parsers, + 81, IPPROTO_TCP, "ftp", ALPROTO_FTP, @@ -4207,7 +4254,7 @@ static int AppLayerProbingParserTest12(void) result = 1; end: - AppLayerFreeProbingParsers(); + AppLayerFreeProbingParsers(probing_parsers); return result; } @@ -4217,9 +4264,11 @@ static int AppLayerProbingParserTest13(void) AppLayerProbingParser *pp; AppLayerProbingParserElement *pe; - AppLayerFreeProbingParsers(); + //AppLayerFreeProbingParsers(); - AppLayerRegisterProbingParser(80, + AppLayerProbingParser *probing_parsers = NULL; + AppLayerRegisterProbingParser(&probing_parsers, + 80, IPPROTO_TCP, "http", ALPROTO_HTTP, @@ -4262,7 +4311,8 @@ static int AppLayerProbingParserTest13(void) if (pe->ProbingParser != NULL) goto end; - AppLayerRegisterProbingParser(81, + AppLayerRegisterProbingParser(&probing_parsers, + 81, IPPROTO_TCP, "dcerpc", ALPROTO_DCERPC, @@ -4337,7 +4387,8 @@ static int AppLayerProbingParserTest13(void) if (pe->ProbingParser != NULL) goto end; - AppLayerRegisterProbingParser(80, + AppLayerRegisterProbingParser(&probing_parsers, + 80, IPPROTO_TCP, "smb", ALPROTO_SMB, @@ -4429,7 +4480,8 @@ static int AppLayerProbingParserTest13(void) if (pe->ProbingParser != NULL) goto end; - AppLayerRegisterProbingParser(81, + AppLayerRegisterProbingParser(&probing_parsers, + 81, IPPROTO_TCP, "ftp", ALPROTO_FTP, 
@@ -4540,12 +4592,12 @@ static int AppLayerProbingParserTest13(void) if (pe->ProbingParser != NULL) goto end; - AppLayerPrintProbingParsers(); + AppLayerPrintProbingParsers(probing_parsers); result = 1; end: - AppLayerFreeProbingParsers(); + AppLayerFreeProbingParsers(probing_parsers); return result; } diff --git a/src/app-layer-parser.h b/src/app-layer-parser.h index 8e3405ac94..ec6e8481a2 100644 --- a/src/app-layer-parser.h +++ b/src/app-layer-parser.h @@ -167,8 +167,10 @@ typedef struct AppLayerProbingParser_ { extern AppLayerProbingParser *probing_parsers; -static inline AppLayerProbingParser *AppLayerGetProbingParsers(uint16_t ip_proto, - uint16_t port) +static inline +AppLayerProbingParser *AppLayerGetProbingParsers(AppLayerProbingParser *probing_parsers, + uint16_t ip_proto, + uint16_t port) { if (probing_parsers == NULL) return NULL; @@ -197,7 +199,8 @@ int AppLayerRegisterParser(char *name, uint16_t proto, uint16_t parser_id, AppLayerParserState *parser_state, uint8_t *input, uint32_t input_len, AppLayerParserResult *output), char *dependency); -void AppLayerRegisterProbingParser(uint16_t, uint16_t, const char *, uint16_t, +void AppLayerRegisterProbingParser(AppLayerProbingParser **, uint16_t, uint16_t, + const char *, uint16_t, uint16_t, uint16_t, uint8_t, uint8_t, uint8_t, uint16_t (*ProbingParser) (uint8_t *, uint32_t)); @@ -234,9 +237,9 @@ void AppLayerParserRegisterTests(void); void AppLayerParserCleanupState(Flow *); - uint8_t AppLayerRegisterModule(void); uint8_t AppLayerGetStorageSize(void); +void AppLayerFreeProbingParsers(AppLayerProbingParser *); #endif /* __APP_LAYER_PARSER_H__ */ diff --git a/src/app-layer-smb.c b/src/app-layer-smb.c index 0e97985f52..068822a672 100644 --- a/src/app-layer-smb.c +++ b/src/app-layer-smb.c @@ -38,6 +38,7 @@ #include "stream-tcp.h" #include "stream.h" +#include "app-layer-detect-proto.h" #include "app-layer-protos.h" #include "app-layer-parser.h" 
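Review bot: The new first parameter of AppLayerGetProbingParsers in app-layer-parser.h is named `probing_parsers`, the same as the `extern AppLayerProbingParser *probing_parsers;` declared directly above it, so the global is silently shadowed inside the function. The same happens in AppLayerRegisterProbingParser and AppLayerFreeProbingParsers in app-layer-parser.c. A distinct parameter name, e.g. `AppLayerProbingParser *pp_list`, makes it obvious which list is being read and keeps `-Wshadow` clean. The prototypes added to this header also omit parameter names; `void AppLayerFreeProbingParsers(AppLayerProbingParser *pp_list);` would document itself better.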
@@ -1026,14 +1027,24 @@ static int SMBParse(Flow *f, void *smb_state, AppLayerParserState *pstate, uint64_t retval = 0; uint64_t parsed = 0; int hdrretval = 0; + int counter = 0; if (pstate == NULL) { SCLogDebug("pstate == NULL"); SCReturnInt(0); } + while (input_len) { + /* till we clear corner cases */ + if (counter++ == 30) { + SCLogDebug("Somehow seem to be stuck inside the smb " + "parser for quite sometime. Let's get out of here."); + sstate->bytesprocessed = 0; + SCReturnInt(0); + } + while (input_len && sstate->bytesprocessed < NBSS_HDR_LEN) { - retval = NBSSParseHeader(f, smb_state, pstate, input, + retval = NBSSParseHeader(f, smb_state, pstate, input + parsed, input_len, output); if (retval) { parsed += retval; @@ -1181,6 +1192,30 @@ static int SMBParse(Flow *f, void *smb_state, AppLayerParserState *pstate, /* inside if */ sstate->bytesprocessed = 0; sstate->transaction_id++; + input_len = 0; + } + break; + + case NBSS_SESSION_REQUEST: + case NBSS_POSITIVE_SESSION_RESPONSE: + case NBSS_NEGATIVE_SESSION_RESPONSE: + case NBSS_RETARGET_SESSION_RESPONSE: + case NBSS_SESSION_KEEP_ALIVE: + if (sstate->bytesprocessed < (sstate->nbss.length + NBSS_HDR_LEN)) { + if (input_len >= (sstate->nbss.length + NBSS_HDR_LEN - + sstate->bytesprocessed)) { + /* inside if */ + input_len -= (sstate->nbss.length + NBSS_HDR_LEN - + sstate->bytesprocessed); + parsed += (sstate->nbss.length + NBSS_HDR_LEN - + sstate->bytesprocessed); + sstate->bytesprocessed = 0; + } else { + sstate->bytesprocessed += input_len; + input_len = 0; + } + } else { + sstate->bytesprocessed = 0; } break; @@ -1189,6 +1224,8 @@ static int SMBParse(Flow *f, void *smb_state, AppLayerParserState *pstate, break; } + } /* while (input_len) */ + pstate->parse_field = 0; SCReturnInt(1); 
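Review bot: The fixed cap `if (counter++ == 30)` in the new `while (input_len)` loop of SMBParse cannot tell a stuck parser from a buffer that simply holds many NBSS records. Once it trips, the remaining bytes are left uninspected, `bytesprocessed` is zeroed so the next call may start mid-record, and the only trace is an SCLogDebug line. A progress check would bound the loop without that blind spot, e.g. `uint32_t before = input_len;` at the top of each iteration and `if (input_len == before) break;` at the bottom. That assumes every path that consumes bytes also decrements `input_len`, which the parts of the loop outside these hunks would need to confirm. If the cap stays, make `30` a named constant and document why that value was chosen.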
@@ -1284,6 +1321,41 @@ void SMBUpdateTransactionId(void *state, uint16_t *id) { SCReturn; } +static uint16_t SMBProbingParser(uint8_t *input, uint32_t input_len) +{ + uint32_t len; + + while (input_len > 0) { + switch (input[0]) { + case NBSS_SESSION_MESSAGE: + if (input[4] == 0xFF && input[5] == 'S' && input[6] == 'M' && + input[7] == 'B') { + return ALPROTO_SMB; + } + + case NBSS_SESSION_REQUEST: + case NBSS_POSITIVE_SESSION_RESPONSE: + case NBSS_NEGATIVE_SESSION_RESPONSE: + case NBSS_RETARGET_SESSION_RESPONSE: + case NBSS_SESSION_KEEP_ALIVE: + len = (input[1] & 0x01) << 16; + len = input[2] << 8; + len |= input[3]; + break; + } + + input_len -= 4; + if (len >= input_len) { + return ALPROTO_UNKNOWN; + } + + input_len -= len; + input += 4 + len; + } + + return ALPROTO_UNKNOWN; +} + void RegisterSMBParsers(void) { /** SMB */ AlpProtoAdd(&alp_proto_ctx, IPPROTO_TCP, ALPROTO_SMB, "|ff|SMB", 8, 4, STREAM_TOCLIENT); @@ -1298,6 +1370,18 @@ void RegisterSMBParsers(void) { AppLayerRegisterStateFuncs(ALPROTO_SMB, SMBStateAlloc, SMBStateFree); AppLayerRegisterTransactionIdFuncs(ALPROTO_SMB, SMBUpdateTransactionId, NULL); + + AppLayerRegisterProbingParser(&probing_parsers, + 139, + IPPROTO_TCP, + "smb", + ALPROTO_SMB, + 8, 0, + STREAM_TOSERVER, + APP_LAYER_PROBING_PARSER_PRIORITY_HIGH, 1, + SMBProbingParser); + + return; } /* UNITTESTS */ 
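Review bot: SMBProbingParser reads `input[4]`..`input[7]` and, on later loop iterations, `input[1]`..`input[3]` without checking that `input_len` covers them, and `input_len -= 4` wraps when fewer than four bytes remain, so a short or malformed buffer leads to reads past its end. The `8, 0` arguments at registration may guarantee eight bytes on entry, but nothing guards the iterations after `input += 4 + len`. `len` is also left uninitialised when `input[0]` matches none of the cases, and `len = input[2] << 8;` overwrites the length-extension bit stored on the previous line (it needs `|=`). The fall-through out of the NBSS_SESSION_MESSAGE case looks intentional but is unmarked. The rewrite below computes the length once per record behind a header-size check, bounds the signature compare, and rejects unknown record types.

```c
static uint16_t SMBProbingParser(uint8_t *input, uint32_t input_len)
{
    /* every NBSS record starts with a 4-byte header: type, flags, 16-bit length */
    while (input_len >= 4) {
        /* bit 0 of the flags byte extends the length to 17 bits */
        uint32_t len = ((uint32_t)(input[1] & 0x01) << 16) |
                       ((uint32_t)input[2] << 8) |
                       (uint32_t)input[3];

        switch (input[0]) {
            case NBSS_SESSION_MESSAGE:
                if (input_len >= 8 &&
                    input[4] == 0xFF && input[5] == 'S' &&
                    input[6] == 'M' && input[7] == 'B') {
                    return ALPROTO_SMB;
                }
                /* fall through: not SMB, skip this record like the others */
            /* … unchanged: the five NBSS session-type case labels … */
                break;

            default:
                /* unknown NBSS type: the length field cannot be trusted */
                return ALPROTO_UNKNOWN;
        }

        input_len -= 4;
        /* … unchanged: len >= input_len check, input_len and input advance … */
    }

    return ALPROTO_UNKNOWN;
}
```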
@@ -1838,6 +1922,443 @@ end: return result; } +int SMBParserTest05(void) +{ + uint8_t smbbuf1[] = { + /* session request */ + 0x81, 0x00, 0x00, 0x44, 0x20, 0x43, 0x4b, 0x46, + 0x44, 0x45, 0x4e, 0x45, 0x43, 0x46, 0x44, 0x45, + 0x46, 0x46, 0x43, 0x46, 0x47, 0x45, 0x46, 0x46, + 0x43, 0x43, 0x41, 0x43, 0x41, 0x43, 0x41, 0x43, + 0x41, 0x43, 0x41, 0x43, 0x41, 0x00, 0x20, 0x43, + 0x41, 0x43, 0x41, 0x43, 0x41, 0x43, 0x41, 0x43, + 0x41, 0x43, 0x41, 0x43, 0x41, 0x43, 0x41, 0x43, + 0x41, 0x43, 0x41, 0x43, 0x41, 0x43, 0x41, 0x43, + 0x41, 0x43, 0x41, 0x43, 0x41, 0x41, 0x41, 0x00 + }; + uint32_t smblen1 = sizeof(smbbuf1); + uint8_t smbbuf2[] = { + /* session request */ + 0x81, 0x00, 0x00, 0x44, 0x20, 0x43, 0x4b, 0x46, + 0x44, 0x45, 0x4e, 0x45, 0x43, 0x46, 0x44, 0x45, + 0x46, 0x46, 0x43, 0x46, 0x47, 0x45, 0x46, 0x46, + 0x43, 0x43, 0x41, 0x43, 0x41, 0x43, 0x41, 0x43, + 0x41, 0x43, 0x41, 0x43, 0x41, 0x00, 0x20, 0x43, + 0x41, 0x43, 0x41, 0x43, 0x41, 0x43, 0x41, 0x43, + 0x41, 0x43, 0x41, 0x43, 0x41, 0x43, 0x41, 0x43, + 0x41, 0x43, 0x41, 0x43, 0x41, 0x43, 0x41, 0x43, + 0x41, 0x43, 0x41, 0x43, 0x41, 0x41, 0x41, 0x00, + /* session message */ + 0x00, 0x00, 0x00, 0x60, 0xff, 0x53, 0x4d, 0x42, + 0x72, 0x00, 0x00, 0x00, 0x00, 0x18, 0x01, 0x20, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x48, 0x2d, + 0x00, 0x00, 0xdd, 0xca, 0x00, 0x3d, 0x00, 0x02, + 0x4d, 0x45, 0x54, 0x41, 0x53, 0x50, 0x4c, 0x4f, + 0x49, 0x54, 0x00, 0x02, 0x4c, 0x41, 0x4e, 0x4d, + 0x41, 0x4e, 0x31, 0x2e, 0x30, 0x00, 0x02, 0x4c, + 0x4d, 0x31, 0x2e, 0x32, 0x58, 0x30, 0x30, 0x32, + 0x00, 0x02, 0x4e, 0x54, 0x20, 0x4c, 0x41, 0x4e, + 0x4d, 0x41, 0x4e, 0x20, 0x31, 0x2e, 0x30, 0x00, + 0x02, 0x4e, 0x54, 0x20, 0x4c, 0x4d, 0x20, 0x30, + 0x2e, 0x31, 0x32, 0x00 + }; + uint32_t smblen2 = sizeof(smbbuf2); + + int result = 0; + AlpProtoDetectCtx ctx; + AlpProtoDetectThreadCtx tctx; + AppLayerProbingParser *probing_parsers = NULL; + uint16_t alproto; + Flow f; + memset(&f, 0, sizeof(f)); + f.dp = 
139; + + AlpProtoInit(&ctx); + + /** SMB */ + AlpProtoAdd(&ctx, IPPROTO_TCP, ALPROTO_SMB, "|ff|SMB", 8, 4, STREAM_TOCLIENT); + AlpProtoAdd(&ctx, IPPROTO_TCP, ALPROTO_SMB, "|ff|SMB", 8, 4, STREAM_TOSERVER); + + /** SMB2 */ + AlpProtoAdd(&ctx, IPPROTO_TCP, ALPROTO_SMB2, "|fe|SMB", 8, 4, STREAM_TOCLIENT); + AlpProtoAdd(&ctx, IPPROTO_TCP, ALPROTO_SMB2, "|fe|SMB", 8, 4, STREAM_TOSERVER); + + AppLayerRegisterProbingParser(&probing_parsers, + f.dp, + IPPROTO_TCP, + "smb", + ALPROTO_SMB, + 8, 0, + STREAM_TOSERVER, + APP_LAYER_PROBING_PARSER_PRIORITY_HIGH, 1, + SMBProbingParser); + + + AlpProtoFinalizeGlobal(&ctx); + AlpProtoFinalizeThread(&ctx, &tctx); + + alproto = AppLayerDetectGetProto(&alp_proto_ctx, &tctx, &f, + smbbuf1, smblen1, + STREAM_TOSERVER, IPPROTO_TCP); + if (alproto != ALPROTO_UNKNOWN) { + printf("alproto is %"PRIu16 ". Should be ALPROTO_UNKNOWN\n", + alproto); + goto end; + } + + alproto = AppLayerDetectGetProto(&alp_proto_ctx, &tctx, &f, + smbbuf2, smblen2, + STREAM_TOSERVER, IPPROTO_TCP); + if (alproto != ALPROTO_SMB) { + printf("alproto is %"PRIu16 ". 
Should be ALPROTO_SMB\n", + alproto); + goto end; + } + + result = 1; + end: + AlpProtoTestDestroy(&ctx); + AppLayerFreeProbingParsers(probing_parsers); + PmqFree(&tctx.toclient.pmq); + PmqFree(&tctx.toserver.pmq); + return result; +} + +int SMBParserTest06(void) +{ + uint8_t smbbuf1[] = { + /* session request */ + 0x83, 0x00, 0x00, 0x01, 0x82 + }; + uint32_t smblen1 = sizeof(smbbuf1); + uint8_t smbbuf2[] = { + /* session request */ + 0x83, 0x00, 0x00, 0x01, 0x82, + /* session message */ + 0x00, 0x00, 0x00, 0x55, 0xff, 0x53, 0x4d, 0x42, + 0x72, 0x00, 0x00, 0x00, 0x00, 0x98, 0x53, 0xc8, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xff, 0xfe, + 0x00, 0x00, 0x00, 0x00, 0x11, 0x05, 0x00, 0x03, + 0x0a, 0x00, 0x01, 0x00, 0x04, 0x11, 0x00, 0x00, + 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, + 0xfd, 0xe3, 0x00, 0x80, 0xb8, 0xcb, 0x22, 0x5f, + 0xfd, 0xeb, 0xc3, 0x01, 0x68, 0x01, 0x00, 0x10, + 0x00, 0x50, 0xb5, 0xc3, 0x62, 0x59, 0x02, 0xd1, + 0x4d, 0x99, 0x6d, 0x85, 0x7d, 0xfa, 0x93, 0x2d, + 0xbb + }; + uint32_t smblen2 = sizeof(smbbuf2); + + int result = 0; + AlpProtoDetectCtx ctx; + AlpProtoDetectThreadCtx tctx; + AppLayerProbingParser *probing_parsers = NULL; + uint16_t alproto; + Flow f; + memset(&f, 0, sizeof(f)); + f.dp = 139; + + AlpProtoInit(&ctx); + + /** SMB */ + AlpProtoAdd(&ctx, IPPROTO_TCP, ALPROTO_SMB, "|ff|SMB", 8, 4, STREAM_TOCLIENT); + AlpProtoAdd(&ctx, IPPROTO_TCP, ALPROTO_SMB, "|ff|SMB", 8, 4, STREAM_TOSERVER); + + /** SMB2 */ + AlpProtoAdd(&ctx, IPPROTO_TCP, ALPROTO_SMB2, "|fe|SMB", 8, 4, STREAM_TOCLIENT); + AlpProtoAdd(&ctx, IPPROTO_TCP, ALPROTO_SMB2, "|fe|SMB", 8, 4, STREAM_TOSERVER); + + AppLayerRegisterProbingParser(&probing_parsers, + f.dp, + IPPROTO_TCP, + "smb", + ALPROTO_SMB, + 8, 0, + STREAM_TOSERVER, + APP_LAYER_PROBING_PARSER_PRIORITY_HIGH, 1, + SMBProbingParser); + + + AlpProtoFinalizeGlobal(&ctx); + AlpProtoFinalizeThread(&ctx, &tctx); + + alproto = AppLayerDetectGetProto(&alp_proto_ctx, &tctx, 
&f,
+ smbbuf1, smblen1,
+ STREAM_TOSERVER, IPPROTO_TCP);
+ if (alproto != ALPROTO_UNKNOWN) {
+ printf("alproto is %"PRIu16 ". Should be ALPROTO_UNKNOWN\n",
+ alproto);
+ goto end;
+ }
+
+ alproto = AppLayerDetectGetProto(&alp_proto_ctx, &tctx, &f,
+ smbbuf2, smblen2,
+ STREAM_TOSERVER, IPPROTO_TCP);
+ if (alproto != ALPROTO_SMB) {
+ printf("alproto is %"PRIu16 ". Should be ALPROTO_SMB\n",
+ alproto);
+ goto end;
+ }
+
+ result = 1;
+ end:
+ AlpProtoTestDestroy(&ctx);
+ AppLayerFreeProbingParsers(probing_parsers);
+ PmqFree(&tctx.toclient.pmq);
+ PmqFree(&tctx.toserver.pmq);
+ return result;
+}
+
+int SMBParserTest07(void) {
+ int result = 0;
+ Flow f;
+ uint8_t smbbuf1[] = {
+ /* negative session response */
+ 0x83, 0x00, 0x00, 0x01, 0x82
+ };
+ uint32_t smblen1 = sizeof(smbbuf1);
+ TcpSession ssn;
+ int r = 0;
+ memset(&f, 0, sizeof(f));
+ memset(&ssn, 0, sizeof(ssn));
+ f.protoctx = (void *)&ssn;
+
+ StreamTcpInitConfig(TRUE);
+ FlowL7DataPtrInit(&f);
+
+ r = AppLayerParse(&f, ALPROTO_SMB, STREAM_TOCLIENT | STREAM_START, smbbuf1, smblen1);
+ if (r != 0) {
+ printf("smb header check returned %" PRId32 ", expected 0: ", r);
+ goto end;
+ }
+
+ SMBState *smb_state = f.aldata[AlpGetStateIdx(ALPROTO_SMB)];
+ if (smb_state == NULL) {
+ printf("no smb state: ");
+ goto end;
+ }
+
+ if (smb_state->smb.command != 0) {
+ printf("we shouldn't have any smb state as yet\n");
+ goto end;
+ }
+
+ if (smb_state->nbss.length != 1 ||
+ smb_state->nbss.type != NBSS_NEGATIVE_SESSION_RESPONSE) {
+ printf("something wrong with nbss parsing\n");
+ goto end;
+ }
+
+ if (smb_state->bytesprocessed != 0) {
+ printf("smb parser bytesprocessed should be 0, but it is not\n");
+ goto end;
+ }
+
+ result = 1;
+end:
+ FlowL7DataPtrFree(&f);
+ StreamTcpFreeConfig(TRUE);
+ return result;
+}
+
+int SMBParserTest08(void) {
+ int result = 0;
+ Flow f;
+ uint8_t smbbuf1[] = {
+ /* positive session response */
+ 0x82, 0x00, 0x00, 0x00
+ };
+ uint8_t smbbuf2[] = {
+ /* negotiate protocol */
+ 0x00, 0x00, 0x00, 0x55, 0xff, 0x53, 0x4d, 0x42,
+ 0x72, 0x00, 0x00, 0x00, 0x00, 0x98, 0x53, 0xc8,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xff, 0xfe,
+ 0x00, 0x00, 0x00, 0x00, 0x11, 0x05, 0x00, 0x03,
+ 0x0a, 0x00, 0x01, 0x00, 0x04, 0x11, 0x00, 0x00,
+ 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0xfd, 0xe3, 0x00, 0x80, 0x40, 0x8a, 0x57, 0x5c,
+ 0xfd, 0xeb, 0xc3, 0x01, 0x68, 0x01, 0x00, 0x10,
+ 0x00, 0x50, 0xb5, 0xc3, 0x62, 0x59, 0x02, 0xd1,
+ 0x4d, 0x99, 0x6d, 0x85, 0x7d, 0xfa, 0x93, 0x2d,
+ 0xbb
+ };
+ uint32_t smblen1 = sizeof(smbbuf1);
+ uint32_t smblen2 = sizeof(smbbuf2);
+ TcpSession ssn;
+ int r = 0;
+ memset(&f, 0, sizeof(f));
+ memset(&ssn, 0, sizeof(ssn));
+ f.protoctx = (void *)&ssn;
+
+ StreamTcpInitConfig(TRUE);
+ FlowL7DataPtrInit(&f);
+
+ r = AppLayerParse(&f, ALPROTO_SMB, STREAM_TOCLIENT | STREAM_START, smbbuf1, smblen1);
+ if (r != 0) {
+ printf("smb header check returned %" PRId32 ", expected 0: ", r);
+ goto end;
+ }
+
+ SMBState *smb_state = f.aldata[AlpGetStateIdx(ALPROTO_SMB)];
+ if (smb_state == NULL) {
+ printf("no smb state: ");
+ goto end;
+ }
+
+ if (smb_state->smb.command != 0) {
+ printf("we shouldn't have any smb state as yet\n");
+ goto end;
+ }
+
+ if (smb_state->nbss.length != 0 ||
+ smb_state->nbss.type != NBSS_POSITIVE_SESSION_RESPONSE) {
+ printf("something wrong with nbss parsing\n");
+ goto end;
+ }
+
+ if (smb_state->bytesprocessed != 0) {
+ printf("smb parser bytesprocessed should be 0, but it is not\n");
+ goto end;
+ }
+
+ r = AppLayerParse(&f, ALPROTO_SMB, STREAM_TOCLIENT, smbbuf2, smblen2);
+ if (r != 0) {
+ printf("smb header check returned %" PRId32 ", expected 0: ", r);
+ goto end;
+ }
+
+ if (smb_state->smb.command != SMB_COM_NEGOTIATE) {
+ printf("we should expect SMB command 0x%02x , got 0x%02x : ",
+ SMB_COM_NEGOTIATE, smb_state->smb.command);
+ goto end;
+ }
+
+ if (smb_state->nbss.length != 85 ||
+ smb_state->nbss.type != NBSS_SESSION_MESSAGE) {
+ printf("something wrong with nbss parsing\n");
+ goto end;
+ }
+
+ if (smb_state->bytesprocessed != 0) {
+ printf("smb parser bytesprocessed should be 0, but it is not\n");
+ goto end;
+ }
+
+ result = 1;
+end:
+ FlowL7DataPtrFree(&f);
+ StreamTcpFreeConfig(TRUE);
+ return result;
+}
+
+int SMBParserTest09(void) {
+ int result = 0;
+ Flow f;
+ uint8_t smbbuf1[] = {
+ /* session request */
+ 0x81, 0x00, 0x00, 0x44, 0x20, 0x45, 0x44, 0x45,
+ 0x4a, 0x46, 0x44, 0x45, 0x44, 0x45, 0x50, 0x43,
+ 0x4e, 0x46, 0x48, 0x44, 0x43, 0x45, 0x4c, 0x43,
+ 0x4e, 0x46, 0x43, 0x46, 0x45, 0x45, 0x4e, 0x43,
+ 0x41, 0x43, 0x41, 0x43, 0x41, 0x00, 0x20, 0x45,
+ 0x44, 0x45, 0x4a, 0x46, 0x44, 0x45, 0x44, 0x45,
+ 0x50, 0x43, 0x4e, 0x46, 0x49, 0x46, 0x41, 0x43,
+ 0x4e, 0x46, 0x43, 0x46, 0x45, 0x45, 0x4e, 0x43,
+ 0x41, 0x43, 0x41, 0x43, 0x41, 0x41, 0x41, 0x00
+ };
+ uint8_t smbbuf2[] = {
+ /* session service - negotiate protocol */
+ 0x00, 0x00, 0x00, 0x85, 0xff, 0x53, 0x4d, 0x42,
+ 0x72, 0x00, 0x00, 0x00, 0x00, 0x18, 0x53, 0xc8,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xff, 0xfe,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x62, 0x00, 0x02,
+ 0x50, 0x43, 0x20, 0x4e, 0x45, 0x54, 0x57, 0x4f,
+ 0x52, 0x4b, 0x20, 0x50, 0x52, 0x4f, 0x47, 0x52,
+ 0x41, 0x4d, 0x20, 0x31, 0x2e, 0x30, 0x00, 0x02,
+ 0x4c, 0x41, 0x4e, 0x4d, 0x41, 0x4e, 0x31, 0x2e,
+ 0x30, 0x00, 0x02, 0x57, 0x69, 0x6e, 0x64, 0x6f,
+ 0x77, 0x73, 0x20, 0x66, 0x6f, 0x72, 0x20, 0x57,
+ 0x6f, 0x72, 0x6b, 0x67, 0x72, 0x6f, 0x75, 0x70,
+ 0x73, 0x20, 0x33, 0x2e, 0x31, 0x61, 0x00, 0x02,
+ 0x4c, 0x4d, 0x31, 0x2e, 0x32, 0x58, 0x30, 0x30,
+ 0x32, 0x00, 0x02, 0x4c, 0x41, 0x4e, 0x4d, 0x41,
+ 0x4e, 0x32, 0x2e, 0x31, 0x00, 0x02, 0x4e, 0x54,
+ 0x20, 0x4c, 0x4d, 0x20, 0x30, 0x2e, 0x31, 0x32,
+ 0x00
+ };
+ uint32_t smblen1 = sizeof(smbbuf1);
+ uint32_t smblen2 = sizeof(smbbuf2);
+ TcpSession ssn;
+ int r = 0;
+ memset(&f, 0, sizeof(f));
+ memset(&ssn, 0, sizeof(ssn));
+ f.protoctx = (void *)&ssn;
+
+ StreamTcpInitConfig(TRUE);
+ FlowL7DataPtrInit(&f);
+
+ r = AppLayerParse(&f, ALPROTO_SMB, STREAM_TOSERVER | STREAM_START, smbbuf1, smblen1);
+ if (r != 0) {
+ printf("smb header check returned %" PRId32 ", expected 0: ", r);
+ goto end;
+ }
+
+ SMBState *smb_state = f.aldata[AlpGetStateIdx(ALPROTO_SMB)];
+ if (smb_state == NULL) {
+ printf("no smb state: ");
+ goto end;
+ }
+
+ if (smb_state->smb.command != 0) {
+ printf("we shouldn't have any smb state as yet\n");
+ goto end;
+ }
+
+ if (smb_state->nbss.length != 68 ||
+ smb_state->nbss.type != NBSS_SESSION_REQUEST) {
+ printf("something wrong with nbss parsing\n");
+ goto end;
+ }
+
+ if (smb_state->bytesprocessed != 0) {
+ printf("smb parser bytesprocessed should be 0, but it is not\n");
+ goto end;
+ }
+
+ r = AppLayerParse(&f, ALPROTO_SMB, STREAM_TOSERVER, smbbuf2, smblen2);
+ if (r != 0) {
+ printf("smb header check returned %" PRId32 ", expected 0: ", r);
+ goto end;
+ }
+
+ if (smb_state->smb.command != SMB_COM_NEGOTIATE) {
+ printf("we should expect SMB command 0x%02x , got 0x%02x : ",
+ SMB_COM_NEGOTIATE, smb_state->smb.command);
+ goto end;
+ }
+
+ if (smb_state->nbss.length != 133 ||
+ smb_state->nbss.type != NBSS_SESSION_MESSAGE) {
+ printf("something wrong with nbss parsing\n");
+ goto end;
+ }
+
+ if (smb_state->bytesprocessed != 0) {
+ printf("smb parser bytesprocessed should be 0, but it is not\n");
+ goto end;
+ }
+
+ result = 1;
+end:
+ FlowL7DataPtrFree(&f);
+ StreamTcpFreeConfig(TRUE);
+ return result;
+}
+
 #endif
 void SMBParserRegisterTests(void) {
@@ -1847,6 +2368,11 @@ void SMBParserRegisterTests(void) {
 UtRegisterTest("SMBParserTest02", SMBParserTest02, 1);
 UtRegisterTest("SMBParserTest03", SMBParserTest03, 1);
 UtRegisterTest("SMBParserTest04", SMBParserTest04, 1);
+ UtRegisterTest("SMBParserTest05", SMBParserTest05, 1);
+ UtRegisterTest("SMBParserTest06", SMBParserTest06, 1);
+ UtRegisterTest("SMBParserTest07", SMBParserTest07, 1);
+ UtRegisterTest("SMBParserTest08", SMBParserTest08, 1);
+ UtRegisterTest("SMBParserTest09", SMBParserTest09, 1);
 #endif
 }
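Review bot: None of the tests 07–09 registered by the added `UtRegisterTest` lines feeds the parser a frame whose NBSS length field disagrees with the bytes supplied. Every buffer in them is exactly 4 bytes of header plus the declared length (1, 0 and 85, 68 and 133). The length is read straight from port-139 traffic, so the suite should also register a case where the buffer ends inside the 4-byte NBSS header and one where the declared length is larger than the data that follows. Each should assert the result the parser is meant to give for incomplete input, along with `nbss.length` and `bytesprocessed`. SMBParserTest05 and most of SMBParserTest06 are defined outside this view, so they may already cover part of this.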