aiden
/
suricata
mirror of https://github.com/OISF/suricata
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

rust/smb: convert parser to nom7 functions (SMB1)

Browse Source
pull/6705/head
Pierre Chifflier 4 years ago committed by Victor Julien
parent 895a54cea4
commit d67f8f9196
6 changed files with 566 additions and 565 deletions
Show Stats Download Patch File Download Diff File

38
rust/src/smb/dcerpc_records.rs
Unescape Escape View File

@ -24,7 +24,7 @@ use nom7::multi::count;
use nom7::number::Endianness;
use nom7::number::streaming::{be_u16, le_u8, le_u16, le_u32, u16, u32};
use nom7::sequence::tuple;
use nom7::IResult;
use nom7::{Err, IResult};
#[derive(Debug,PartialEq)]
pub struct DceRpcResponseRecord<'a> {
@ -34,18 +34,15 @@ pub struct DceRpcResponseRecord<'a> {
/// parse a packet type 'response' DCERPC record. Implemented
/// as function to be able to pass the fraglen in.
pub fn parse_dcerpc_response_record(i:&[u8], frag_len: u16 )
-> nom::IResult<&[u8], DceRpcResponseRecord, SmbError>
-> IResult<&[u8], DceRpcResponseRecord, SmbError>
{
if frag_len < 24 {
return Err(nom::Err::Error(SmbError::RecordTooSmall));
return Err(Err::Error(SmbError::RecordTooSmall));
}
do_parse!(i,
take!(8)
>> data:take!(frag_len - 24)
>> (DceRpcResponseRecord {
data:data,
})
)
let (i, _) = take(8_usize)(i)?;
let (i, data) = take(frag_len - 24)(i)?;
let record = DceRpcResponseRecord { data };
Ok((i, record))
}
#[derive(Debug,PartialEq)]
@ -57,22 +54,17 @@ pub struct DceRpcRequestRecord<'a> {
/// parse a packet type 'request' DCERPC record. Implemented
/// as function to be able to pass the fraglen in.
pub fn parse_dcerpc_request_record(i:&[u8], frag_len: u16, little: bool)
-> nom::IResult<&[u8], DceRpcRequestRecord, SmbError>
-> IResult<&[u8], DceRpcRequestRecord, SmbError>
{
use nom::number::Endianness;
if frag_len < 24 {
return Err(nom::Err::Error(SmbError::RecordTooSmall));
return Err(Err::Error(SmbError::RecordTooSmall));
}
do_parse!(i,
take!(6)
>> endian: value!(if little { Endianness::Little } else { Endianness::Big })
>> opnum: u16!(endian)
>> data:take!(frag_len - 24)
>> (DceRpcRequestRecord {
opnum:opnum,
data:data,
})
)
let (i, _) = take(6_usize)(i)?;
let endian = if little { Endianness::Little } else { Endianness::Big };
let (i, opnum) = u16(endian)(i)?;
let (i, data) = take(frag_len - 24)(i)?;
let record = DceRpcRequestRecord { opnum, data };
Ok((i, record))
}
#[derive(Debug,PartialEq)]

2
rust/src/smb/error.rs
Unescape Escape View File

@ -16,7 +16,7 @@
*/
// Author: Pierre Chifflier <chifflier@wzdftpd.net>
use nom::error::{ErrorKind, ParseError};
use nom7::error::{ErrorKind, ParseError};
#[derive(Debug)]
pub enum SmbError {

3
rust/src/smb/smb.rs
Unescape Escape View File

@ -31,7 +31,6 @@ use std::ffi::{self, CString};
use std::collections::HashMap;
use nom;
use nom7::{Err, Needed};
use crate::core::*;
@ -1649,7 +1648,7 @@ impl SMBState {
}
}
},
Err(nom::Err::Incomplete(_)) => {
Err(Err::Incomplete(_)) => {
// not enough data to contain basic SMB hdr
// TODO event: empty NBSS_MSGTYPE_SESSION_MESSAGE
},

46
rust/src/smb/smb1.rs
Unescape Escape View File

@ -19,8 +19,6 @@
* - check all parsers for calls on non-SUCCESS status
*/
use nom;
use crate::core::*;
use crate::smb::smb::*;
@ -31,6 +29,8 @@ use crate::smb::files::*;
use crate::smb::smb1_records::*;
use crate::smb::smb1_session::*;
use nom7::Err;
// https://msdn.microsoft.com/en-us/library/ee441741.aspx
pub const SMB1_COMMAND_CREATE_DIRECTORY: u8 = 0x00;
pub const SMB1_COMMAND_DELETE_DIRECTORY: u8 = 0x01;
@ -251,13 +251,13 @@ fn smb1_request_record_one<'b>(state: &mut SMBState, r: &SmbRecord<'b>, command:
true
},
Err(nom::Err::Incomplete(_n)) => {
Err(Err::Incomplete(_n)) => {
SCLogDebug!("TRANS2 SET_FILE_INFO DATA DISPOSITION INCOMPLETE {:?}", _n);
events.push(SMBEvent::MalformedData);
false
},
Err(nom::Err::Error(_e)) |
Err(nom::Err::Failure(_e)) => {
Err(Err::Error(_e)) |
Err(Err::Failure(_e)) => {
SCLogDebug!("TRANS2 SET_FILE_INFO DATA DISPOSITION ERROR {:?}", _e);
events.push(SMBEvent::MalformedData);
false
@ -279,13 +279,13 @@ fn smb1_request_record_one<'b>(state: &mut SMBState, r: &SmbRecord<'b>, command:
tx.vercmd.set_smb1_cmd(SMB1_COMMAND_TRANS2);
true
},
Err(nom::Err::Incomplete(_n)) => {
Err(Err::Incomplete(_n)) => {
SCLogDebug!("TRANS2 SET_PATH_INFO DATA RENAME INCOMPLETE {:?}", _n);
events.push(SMBEvent::MalformedData);
false
},
Err(nom::Err::Error(_e)) |
Err(nom::Err::Failure(_e)) => {
Err(Err::Error(_e)) |
Err(Err::Failure(_e)) => {
SCLogDebug!("TRANS2 SET_PATH_INFO DATA RENAME ERROR {:?}", _e);
events.push(SMBEvent::MalformedData);
false
@ -295,13 +295,13 @@ fn smb1_request_record_one<'b>(state: &mut SMBState, r: &SmbRecord<'b>, command:
false
}
},
Err(nom::Err::Incomplete(_n)) => {
Err(Err::Incomplete(_n)) => {
SCLogDebug!("TRANS2 SET_PATH_INFO PARAMS INCOMPLETE {:?}", _n);
events.push(SMBEvent::MalformedData);
false
},
Err(nom::Err::Error(_e)) |
Err(nom::Err::Failure(_e)) => {
Err(Err::Error(_e)) |
Err(Err::Failure(_e)) => {
SCLogDebug!("TRANS2 SET_PATH_INFO PARAMS ERROR {:?}", _e);
events.push(SMBEvent::MalformedData);
false
@ -334,13 +334,13 @@ fn smb1_request_record_one<'b>(state: &mut SMBState, r: &SmbRecord<'b>, command:
true
},
Err(nom::Err::Incomplete(_n)) => {
Err(Err::Incomplete(_n)) => {
SCLogDebug!("TRANS2 SET_FILE_INFO DATA DISPOSITION INCOMPLETE {:?}", _n);
events.push(SMBEvent::MalformedData);
false
},
Err(nom::Err::Error(_e)) |
Err(nom::Err::Failure(_e)) => {
Err(Err::Error(_e)) |
Err(Err::Failure(_e)) => {
SCLogDebug!("TRANS2 SET_FILE_INFO DATA DISPOSITION ERROR {:?}", _e);
events.push(SMBEvent::MalformedData);
false
@ -367,13 +367,13 @@ fn smb1_request_record_one<'b>(state: &mut SMBState, r: &SmbRecord<'b>, command:
tx.vercmd.set_smb1_cmd(SMB1_COMMAND_TRANS2);
true
},
Err(nom::Err::Incomplete(_n)) => {
Err(Err::Incomplete(_n)) => {
SCLogDebug!("TRANS2 SET_FILE_INFO DATA RENAME INCOMPLETE {:?}", _n);
events.push(SMBEvent::MalformedData);
false
},
Err(nom::Err::Error(_e)) |
Err(nom::Err::Failure(_e)) => {
Err(Err::Error(_e)) |
Err(Err::Failure(_e)) => {
SCLogDebug!("TRANS2 SET_FILE_INFO DATA RENAME ERROR {:?}", _e);
events.push(SMBEvent::MalformedData);
false
@ -383,13 +383,13 @@ fn smb1_request_record_one<'b>(state: &mut SMBState, r: &SmbRecord<'b>, command:
false
}
},
Err(nom::Err::Incomplete(_n)) => {
Err(Err::Incomplete(_n)) => {
SCLogDebug!("TRANS2 SET_FILE_INFO PARAMS INCOMPLETE {:?}", _n);
events.push(SMBEvent::MalformedData);
false
},
Err(nom::Err::Error(_e)) |
Err(nom::Err::Failure(_e)) => {
Err(Err::Error(_e)) |
Err(Err::Failure(_e)) => {
SCLogDebug!("TRANS2 SET_FILE_INFO PARAMS ERROR {:?}", _e);
events.push(SMBEvent::MalformedData);
false
@ -399,13 +399,13 @@ fn smb1_request_record_one<'b>(state: &mut SMBState, r: &SmbRecord<'b>, command:
false
}
},
Err(nom::Err::Incomplete(_n)) => {
Err(Err::Incomplete(_n)) => {
SCLogDebug!("TRANS2 INCOMPLETE {:?}", _n);
events.push(SMBEvent::MalformedData);
false
},
Err(nom::Err::Error(_e)) |
Err(nom::Err::Failure(_e)) => {
Err(Err::Error(_e)) |
Err(Err::Failure(_e)) => {
SCLogDebug!("TRANS2 ERROR {:?}", _e);
events.push(SMBEvent::MalformedData);
false

1027
rust/src/smb/smb1_records.rs
View File

File diff suppressed because it is too large Load Diff

15
rust/src/smb/smb_records.rs
Unescape Escape View File

@ -15,9 +15,9 @@
* 02110-1301, USA.
*/
use crate::common::nom7::take_until_and_consume;
use crate::smb::error::SmbError;
use nom;
use nom::IResult;
use nom7::{Err, IResult};
/// parse a UTF16 string that is null terminated. Normally by 2 null
/// bytes, but at the end of the data it can also be a single null.
@ -42,13 +42,12 @@ pub fn smb_get_unicode_string(blob: &[u8]) -> IResult<&[u8], Vec<u8>, SmbError>
name.push(c[0]);
c = &c[2..];
}
Err(nom::Err::Error(SmbError::BadEncoding))
Err(Err::Error(SmbError::BadEncoding))
}
// parse an ASCII string that is null terminated
named!(pub smb_get_ascii_string<&[u8], Vec<u8>, SmbError>,
do_parse!(
s: take_until_and_consume!("\x00")
>> ( s.to_vec() )
));
pub fn smb_get_ascii_string(i: &[u8]) -> IResult<&[u8], Vec<u8>, SmbError> {
let (i, s) = take_until_and_consume(b"\x00")(i)?;
Ok((i, s.to_vec()))
}

Write Preview
Loading…
Cancel
Save