]>
Commit | Line | Data |
---|---|---|
d41aecce | 1 | /* Copyright (C) 2017-2020 Open Information Security Foundation |
75d7c9d6 VJ |
2 | * |
3 | * You can copy, redistribute or modify this Program under the terms of | |
4 | * the GNU General Public License version 2 as published by the Free | |
5 | * Software Foundation. | |
6 | * | |
7 | * This program is distributed in the hope that it will be useful, | |
8 | * but WITHOUT ANY WARRANTY; without even the implied warranty of | |
9 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | |
10 | * GNU General Public License for more details. | |
11 | * | |
12 | * You should have received a copy of the GNU General Public License | |
13 | * version 2 along with this program; if not, write to the Free Software | |
14 | * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA | |
15 | * 02110-1301, USA. | |
16 | */ | |
17 | ||
18 | /* TODO | |
19 | * - check all parsers for calls on non-SUCCESS status | |
20 | */ | |
21 | ||
22 | /* GAP processing: | |
23 | * - if post-gap we've seen a succesful tx req/res: we consider "re-sync'd" | |
24 | */ | |
25 | ||
26 | // written by Victor Julien | |
3f6624bf | 27 | |
75d7c9d6 | 28 | use std; |
75d7c9d6 | 29 | use std::str; |
b9f10ba2 | 30 | use std::ffi::{self, CString}; |
75d7c9d6 | 31 | |
75d7c9d6 VJ |
32 | use std::collections::HashMap; |
33 | ||
13b73997 PC |
34 | use nom; |
35 | ||
42e5065a | 36 | use crate::core::*; |
42e5065a | 37 | use crate::applayer; |
6420df84 | 38 | use crate::applayer::*; |
e5c948df | 39 | use crate::conf::*; |
5226ba1c | 40 | use crate::filecontainer::*; |
b9f10ba2 | 41 | use crate::applayer::{AppLayerResult, AppLayerTxData, AppLayerEvent}; |
42e5065a JI |
42 | |
43 | use crate::smb::nbss_records::*; | |
44 | use crate::smb::smb1_records::*; | |
45 | use crate::smb::smb2_records::*; | |
46 | ||
47 | use crate::smb::smb1::*; | |
48 | use crate::smb::smb2::*; | |
49 | use crate::smb::smb3::*; | |
50 | use crate::smb::dcerpc::*; | |
51 | use crate::smb::session::*; | |
52 | use crate::smb::events::*; | |
53 | use crate::smb::files::*; | |
54 | use crate::smb::smb2_ioctl::*; | |
75d7c9d6 | 55 | |
4d6b6b5d SB |
56 | pub const MIN_REC_SIZE: u16 = 32 + 4; // SMB hdr + nbss hdr |
57 | pub const SMB_CONFIG_DEFAULT_STREAM_DEPTH: u32 = 0; | |
58 | ||
6420df84 SB |
59 | static mut ALPROTO_SMB: AppProto = ALPROTO_UNKNOWN; |
60 | ||
75d7c9d6 VJ |
61 | pub static mut SURICATA_SMB_FILE_CONFIG: Option<&'static SuricataFileContext> = None; |
62 | ||
63 | #[no_mangle] | |
64 | pub extern "C" fn rs_smb_init(context: &'static mut SuricataFileContext) | |
65 | { | |
66 | unsafe { | |
67 | SURICATA_SMB_FILE_CONFIG = Some(context); | |
68 | } | |
69 | } | |
70 | ||
75d7c9d6 VJ |
71 | pub const SMB_NTSTATUS_SUCCESS: u32 = 0; |
72 | pub const SMB_NTSTATUS_PENDING: u32 = 0x00000103; | |
73 | pub const SMB_NTSTATUS_BUFFER_OVERFLOW: u32 = 0x80000005; | |
74 | pub const SMB_NTSTATUS_NO_MORE_FILES: u32 = 0x80000006; | |
75 | pub const SMB_NTSTATUS_NO_MORE_ENTRIES: u32 = 0x8000001a; | |
76 | pub const SMB_NTSTATUS_INVALID_HANDLE: u32 = 0xc0000008; | |
77 | pub const SMB_NTSTATUS_INVALID_PARAMETER: u32 = 0xc000000d; | |
78 | pub const SMB_NTSTATUS_NO_SUCH_DEVICE: u32 = 0xc000000e; | |
79 | pub const SMB_NTSTATUS_NO_SUCH_FILE: u32 = 0xc000000f; | |
80 | pub const SMB_NTSTATUS_INVALID_DEVICE_REQUEST: u32 = 0xc0000010; | |
81 | pub const SMB_NTSTATUS_END_OF_FILE: u32 = 0xc0000011; | |
82 | pub const SMB_NTSTATUS_MORE_PROCESSING_REQUIRED: u32 = 0xc0000016; | |
83 | pub const SMB_NTSTATUS_ACCESS_DENIED: u32 = 0xc0000022; | |
84 | pub const SMB_NTSTATUS_OBJECT_NAME_INVALID: u32 = 0xc0000033; | |
85 | pub const SMB_NTSTATUS_OBJECT_NAME_NOT_FOUND: u32 = 0xc0000034; | |
86 | pub const SMB_NTSTATUS_OBJECT_NAME_COLLISION: u32 = 0xc0000035; | |
87 | pub const SMB_NTSTATUS_OBJECT_PATH_NOT_FOUND: u32 = 0xc000003a; | |
88 | pub const SMB_NTSTATUS_SHARING_VIOLATION: u32 = 0xc0000043; | |
89 | pub const SMB_NTSTATUS_LOCK_CONFLICT: u32 = 0xc0000054; | |
90 | pub const SMB_NTSTATUS_LOCK_NOT_GRANTED: u32 = 0xc0000055; | |
91 | pub const SMB_NTSTATUS_PRIVILEGE_NOT_HELD: u32 = 0xc0000061; | |
92 | pub const SMB_NTSTATUS_LOGON_FAILURE: u32 = 0xc000006d; | |
93 | pub const SMB_NTSTATUS_PIPE_DISCONNECTED: u32 = 0xc00000b0; | |
94 | pub const SMB_NTSTATUS_FILE_IS_A_DIRECTORY: u32 = 0xc00000ba; | |
95 | pub const SMB_NTSTATUS_NOT_SUPPORTED: u32 = 0xc00000bb; | |
96 | pub const SMB_NTSTATUS_BAD_NETWORK_NAME: u32 = 0xc00000cc; | |
7ceb6713 | 97 | pub const SMB_NTSTATUS_REQUEST_NOT_ACCEPTED: u32 = 0xc00000d0; |
75d7c9d6 VJ |
98 | pub const SMB_NTSTATUS_OPLOCK_NOT_GRANTED: u32 = 0xc00000e2; |
99 | pub const SMB_NTSTATUS_CANCELLED: u32 = 0xc0000120; | |
100 | pub const SMB_NTSTATUS_FILE_CLOSED: u32 = 0xc0000128; | |
101 | pub const SMB_NTSTATUS_FS_DRIVER_REQUIRED: u32 = 0xc000019c; | |
102 | pub const SMB_NTSTATUS_INSUFF_SERVER_RESOURCES: u32 = 0xc0000205; | |
103 | pub const SMB_NTSTATUS_NOT_FOUND: u32 = 0xc0000225; | |
104 | pub const SMB_NTSTATUS_PIPE_BROKEN: u32 = 0xc000014b; | |
105 | pub const SMB_NTSTATUS_TRUSTED_RELATIONSHIP_FAILURE: u32 = 0xc000018d; | |
106 | pub const SMB_NTSTATUS_NOT_A_REPARSE_POINT: u32 = 0xc0000275; | |
107 | pub const SMB_NTSTATUS_NETWORK_SESSION_EXPIRED: u32 = 0xc000035c; | |
108 | ||
109 | pub fn smb_ntstatus_string(c: u32) -> String { | |
110 | match c { | |
111 | SMB_NTSTATUS_SUCCESS => "STATUS_SUCCESS", | |
112 | SMB_NTSTATUS_BUFFER_OVERFLOW => "STATUS_BUFFER_OVERFLOW", | |
113 | SMB_NTSTATUS_PENDING => "STATUS_PENDING", | |
114 | SMB_NTSTATUS_NO_MORE_FILES => "STATUS_NO_MORE_FILES", | |
115 | SMB_NTSTATUS_NO_MORE_ENTRIES => "STATUS_NO_MORE_ENTRIES", | |
116 | SMB_NTSTATUS_INVALID_HANDLE => "STATUS_INVALID_HANDLE", | |
117 | SMB_NTSTATUS_INVALID_PARAMETER => "STATUS_INVALID_PARAMETER", | |
118 | SMB_NTSTATUS_NO_SUCH_DEVICE => "STATUS_NO_SUCH_DEVICE", | |
119 | SMB_NTSTATUS_NO_SUCH_FILE => "STATUS_NO_SUCH_FILE", | |
120 | SMB_NTSTATUS_INVALID_DEVICE_REQUEST => "STATUS_INVALID_DEVICE_REQUEST", | |
121 | SMB_NTSTATUS_END_OF_FILE => "STATUS_END_OF_FILE", | |
122 | SMB_NTSTATUS_MORE_PROCESSING_REQUIRED => "STATUS_MORE_PROCESSING_REQUIRED", | |
123 | SMB_NTSTATUS_ACCESS_DENIED => "STATUS_ACCESS_DENIED", | |
124 | SMB_NTSTATUS_OBJECT_NAME_INVALID => "STATUS_OBJECT_NAME_INVALID", | |
125 | SMB_NTSTATUS_OBJECT_NAME_NOT_FOUND => "STATUS_OBJECT_NAME_NOT_FOUND", | |
126 | SMB_NTSTATUS_OBJECT_NAME_COLLISION => "STATUS_OBJECT_NAME_COLLISION", | |
127 | SMB_NTSTATUS_OBJECT_PATH_NOT_FOUND => "STATUS_OBJECT_PATH_NOT_FOUND", | |
128 | SMB_NTSTATUS_SHARING_VIOLATION => "STATUS_SHARING_VIOLATION", | |
129 | SMB_NTSTATUS_LOCK_CONFLICT => "STATUS_LOCK_CONFLICT", | |
130 | SMB_NTSTATUS_LOCK_NOT_GRANTED => "STATUS_LOCK_NOT_GRANTED", | |
131 | SMB_NTSTATUS_PRIVILEGE_NOT_HELD => "STATUS_PRIVILEGE_NOT_HELD", | |
132 | SMB_NTSTATUS_LOGON_FAILURE => "STATUS_LOGON_FAILURE", | |
133 | SMB_NTSTATUS_PIPE_DISCONNECTED => "STATUS_PIPE_DISCONNECTED", | |
134 | SMB_NTSTATUS_FILE_IS_A_DIRECTORY => "STATUS_FILE_IS_A_DIRECTORY", | |
135 | SMB_NTSTATUS_NOT_SUPPORTED => "STATUS_NOT_SUPPORTED", | |
136 | SMB_NTSTATUS_BAD_NETWORK_NAME => "STATUS_BAD_NETWORK_NAME", | |
7ceb6713 | 137 | SMB_NTSTATUS_REQUEST_NOT_ACCEPTED => "STATUS_REQUEST_NOT_ACCEPTED", |
75d7c9d6 VJ |
138 | SMB_NTSTATUS_OPLOCK_NOT_GRANTED => "STATUS_OPLOCK_NOT_GRANTED", |
139 | SMB_NTSTATUS_CANCELLED => "STATUS_CANCELLED", | |
140 | SMB_NTSTATUS_FILE_CLOSED => "STATUS_FILE_CLOSED", | |
141 | SMB_NTSTATUS_FS_DRIVER_REQUIRED => "STATUS_FS_DRIVER_REQUIRED", | |
142 | SMB_NTSTATUS_INSUFF_SERVER_RESOURCES => "STATUS_INSUFF_SERVER_RESOURCES", | |
143 | SMB_NTSTATUS_NOT_FOUND => "STATUS_NOT_FOUND", | |
144 | SMB_NTSTATUS_PIPE_BROKEN => "STATUS_PIPE_BROKEN", | |
145 | SMB_NTSTATUS_TRUSTED_RELATIONSHIP_FAILURE => "STATUS_TRUSTED_RELATIONSHIP_FAILURE", | |
146 | SMB_NTSTATUS_NOT_A_REPARSE_POINT => "STATUS_NOT_A_REPARSE_POINT", | |
147 | SMB_NTSTATUS_NETWORK_SESSION_EXPIRED => "STATUS_NETWORK_SESSION_EXPIRED", | |
148 | _ => { return (c).to_string(); }, | |
149 | }.to_string() | |
150 | } | |
151 | ||
816bd022 VJ |
152 | pub const SMB_SRV_ERROR: u16 = 1; |
153 | pub const SMB_SRV_BADPW: u16 = 2; | |
154 | pub const SMB_SRV_BADTYPE: u16 = 3; | |
155 | pub const SMB_SRV_ACCESS: u16 = 4; | |
156 | pub const SMB_SRV_BADUID: u16 = 91; | |
157 | ||
158 | pub fn smb_srv_error_string(c: u16) -> String { | |
159 | match c { | |
160 | SMB_SRV_ERROR => "SRV_ERROR", | |
161 | SMB_SRV_BADPW => "SRV_BADPW", | |
162 | SMB_SRV_BADTYPE => "SRV_BADTYPE", | |
163 | SMB_SRV_ACCESS => "SRV_ACCESS", | |
164 | SMB_SRV_BADUID => "SRV_BADUID", | |
165 | _ => { return (c).to_string(); }, | |
166 | }.to_string() | |
167 | } | |
75d7c9d6 VJ |
168 | |
169 | pub const SMB_DOS_SUCCESS: u16 = 0; | |
170 | pub const SMB_DOS_BAD_FUNC: u16 = 1; | |
171 | pub const SMB_DOS_BAD_FILE: u16 = 2; | |
172 | pub const SMB_DOS_BAD_PATH: u16 = 3; | |
173 | pub const SMB_DOS_TOO_MANY_OPEN_FILES: u16 = 4; | |
174 | pub const SMB_DOS_ACCESS_DENIED: u16 = 5; | |
175 | ||
176 | pub fn smb_dos_error_string(c: u16) -> String { | |
177 | match c { | |
178 | SMB_DOS_SUCCESS => "DOS_SUCCESS", | |
179 | SMB_DOS_BAD_FUNC => "DOS_BAD_FUNC", | |
180 | SMB_DOS_BAD_FILE => "DOS_BAD_FILE", | |
181 | SMB_DOS_BAD_PATH => "DOS_BAD_PATH", | |
182 | SMB_DOS_TOO_MANY_OPEN_FILES => "DOS_TOO_MANY_OPEN_FILES", | |
183 | SMB_DOS_ACCESS_DENIED => "DOS_ACCESS_DENIED", | |
184 | _ => { return (c).to_string(); }, | |
185 | }.to_string() | |
186 | } | |
187 | ||
188 | pub const NTLMSSP_NEGOTIATE: u32 = 1; | |
189 | pub const NTLMSSP_CHALLENGE: u32 = 2; | |
190 | pub const NTLMSSP_AUTH: u32 = 3; | |
191 | ||
192 | pub fn ntlmssp_type_string(c: u32) -> String { | |
193 | match c { | |
194 | NTLMSSP_NEGOTIATE => "NTLMSSP_NEGOTIATE", | |
195 | NTLMSSP_CHALLENGE => "NTLMSSP_CHALLENGE", | |
196 | NTLMSSP_AUTH => "NTLMSSP_AUTH", | |
197 | _ => { return (c).to_string(); }, | |
198 | }.to_string() | |
199 | } | |
200 | ||
02dccb15 | 201 | #[derive(Default, Eq, PartialEq, Debug, Clone)] |
75d7c9d6 VJ |
202 | pub struct SMBVerCmdStat { |
203 | smb_ver: u8, | |
204 | smb1_cmd: u8, | |
205 | smb2_cmd: u16, | |
206 | ||
207 | status_set: bool, | |
208 | status_is_dos_error: bool, | |
816bd022 | 209 | status_error_class: u8, |
75d7c9d6 VJ |
210 | status: u32, |
211 | } | |
212 | ||
213 | impl SMBVerCmdStat { | |
02dccb15 JL |
214 | pub fn new() -> Self { |
215 | Default::default() | |
75d7c9d6 | 216 | } |
02dccb15 JL |
217 | pub fn new1(cmd: u8) -> Self { |
218 | return Self { | |
75d7c9d6 VJ |
219 | smb_ver: 1, |
220 | smb1_cmd: cmd, | |
02dccb15 | 221 | ..Default::default() |
75d7c9d6 VJ |
222 | } |
223 | } | |
02dccb15 JL |
224 | pub fn new1_with_ntstatus(cmd: u8, status: u32) -> Self { |
225 | return Self { | |
75d7c9d6 VJ |
226 | smb_ver: 1, |
227 | smb1_cmd: cmd, | |
75d7c9d6 | 228 | status_set: true, |
75d7c9d6 | 229 | status: status, |
02dccb15 | 230 | ..Default::default() |
75d7c9d6 VJ |
231 | } |
232 | } | |
02dccb15 JL |
233 | pub fn new2(cmd: u16) -> Self { |
234 | return Self { | |
75d7c9d6 | 235 | smb_ver: 2, |
75d7c9d6 | 236 | smb2_cmd: cmd, |
02dccb15 | 237 | ..Default::default() |
75d7c9d6 VJ |
238 | } |
239 | } | |
240 | ||
02dccb15 JL |
241 | pub fn new2_with_ntstatus(cmd: u16, status: u32) -> Self { |
242 | return Self { | |
75d7c9d6 | 243 | smb_ver: 2, |
75d7c9d6 VJ |
244 | smb2_cmd: cmd, |
245 | status_set: true, | |
75d7c9d6 | 246 | status: status, |
02dccb15 | 247 | ..Default::default() |
75d7c9d6 VJ |
248 | } |
249 | } | |
250 | ||
251 | pub fn set_smb1_cmd(&mut self, cmd: u8) -> bool { | |
252 | if self.smb_ver != 0 { | |
253 | return false; | |
254 | } | |
255 | self.smb_ver = 1; | |
256 | self.smb1_cmd = cmd; | |
257 | return true; | |
258 | } | |
259 | ||
260 | pub fn set_smb2_cmd(&mut self, cmd: u16) -> bool { | |
261 | if self.smb_ver != 0 { | |
262 | return false; | |
263 | } | |
264 | self.smb_ver = 2; | |
265 | self.smb2_cmd = cmd; | |
266 | return true; | |
267 | } | |
268 | ||
269 | pub fn get_version(&self) -> u8 { | |
270 | self.smb_ver | |
271 | } | |
272 | ||
273 | pub fn get_smb1_cmd(&self) -> (bool, u8) { | |
274 | if self.smb_ver != 1 { | |
275 | return (false, 0); | |
276 | } | |
277 | return (true, self.smb1_cmd); | |
278 | } | |
279 | ||
280 | pub fn get_smb2_cmd(&self) -> (bool, u16) { | |
281 | if self.smb_ver != 2 { | |
282 | return (false, 0); | |
283 | } | |
284 | return (true, self.smb2_cmd); | |
285 | } | |
286 | ||
287 | pub fn get_ntstatus(&self) -> (bool, u32) { | |
288 | (self.status_set && !self.status_is_dos_error, self.status) | |
289 | } | |
290 | ||
816bd022 VJ |
291 | pub fn get_dos_error(&self) -> (bool, u8, u16) { |
292 | (self.status_set && self.status_is_dos_error, self.status_error_class, self.status as u16) | |
75d7c9d6 VJ |
293 | } |
294 | ||
295 | fn set_status(&mut self, status: u32, is_dos_error: bool) | |
296 | { | |
297 | if is_dos_error { | |
298 | self.status_is_dos_error = true; | |
816bd022 | 299 | self.status_error_class = (status & 0x0000_00ff) as u8; |
75d7c9d6 VJ |
300 | self.status = (status & 0xffff_0000) >> 16; |
301 | } else { | |
302 | self.status = status; | |
303 | } | |
304 | self.status_set = true; | |
305 | } | |
306 | ||
307 | pub fn set_ntstatus(&mut self, status: u32) | |
308 | { | |
309 | self.set_status(status, false) | |
310 | } | |
311 | ||
312 | pub fn set_status_dos_error(&mut self, status: u32) | |
313 | { | |
314 | self.set_status(status, true) | |
315 | } | |
316 | } | |
317 | ||
0e05ef73 VJ |
318 | /// "The FILETIME structure is a 64-bit value that represents the number of |
319 | /// 100-nanosecond intervals that have elapsed since January 1, 1601, | |
320 | /// Coordinated Universal Time (UTC)." | |
321 | #[derive(Eq, PartialEq, Debug, Clone)] | |
322 | pub struct SMBFiletime { | |
323 | ts: u64, | |
324 | } | |
325 | ||
326 | impl SMBFiletime { | |
02dccb15 JL |
327 | pub fn new(raw: u64) -> Self { |
328 | Self { | |
0e05ef73 VJ |
329 | ts: raw, |
330 | } | |
331 | } | |
332 | ||
333 | /// inspired by Bro, convert FILETIME to secs since unix epoch | |
334 | pub fn as_unix(&self) -> u32 { | |
335 | if self.ts > 116_444_736_000_000_000_u64 { | |
336 | let ts = self.ts / 10000000 - 11644473600; | |
337 | ts as u32 | |
338 | } else { | |
339 | 0 | |
340 | } | |
341 | } | |
342 | } | |
343 | ||
75d7c9d6 VJ |
344 | #[derive(Debug)] |
345 | pub enum SMBTransactionTypeData { | |
346 | FILE(SMBTransactionFile), | |
347 | TREECONNECT(SMBTransactionTreeConnect), | |
348 | NEGOTIATE(SMBTransactionNegotiate), | |
349 | DCERPC(SMBTransactionDCERPC), | |
350 | CREATE(SMBTransactionCreate), | |
8bef1208 | 351 | SESSIONSETUP(SMBTransactionSessionSetup), |
5c260207 | 352 | IOCTL(SMBTransactionIoctl), |
7b61f2c5 | 353 | RENAME(SMBTransactionRename), |
2b581cd6 VJ |
354 | SETFILEPATHINFO(SMBTransactionSetFilePathInfo), |
355 | } | |
356 | ||
357 | // Used for Trans2 SET_PATH_INFO and SET_FILE_INFO | |
358 | #[derive(Debug)] | |
359 | pub struct SMBTransactionSetFilePathInfo { | |
360 | pub subcmd: u16, | |
361 | pub loi: u16, | |
362 | pub delete_on_close: bool, | |
363 | pub filename: Vec<u8>, | |
364 | pub fid: Vec<u8>, | |
365 | } | |
366 | ||
367 | impl SMBTransactionSetFilePathInfo { | |
368 | pub fn new(filename: Vec<u8>, fid: Vec<u8>, subcmd: u16, loi: u16, delete_on_close: bool) | |
02dccb15 | 369 | -> Self |
2b581cd6 | 370 | { |
02dccb15 | 371 | return Self { |
2b581cd6 VJ |
372 | filename: filename, fid: fid, |
373 | subcmd: subcmd, | |
374 | loi: loi, | |
375 | delete_on_close: delete_on_close, | |
376 | } | |
377 | } | |
378 | } | |
379 | ||
380 | impl SMBState { | |
381 | pub fn new_setfileinfo_tx(&mut self, filename: Vec<u8>, fid: Vec<u8>, | |
382 | subcmd: u16, loi: u16, delete_on_close: bool) | |
5ee83230 | 383 | -> &mut SMBTransaction |
2b581cd6 VJ |
384 | { |
385 | let mut tx = self.new_tx(); | |
386 | ||
387 | tx.type_data = Some(SMBTransactionTypeData::SETFILEPATHINFO( | |
388 | SMBTransactionSetFilePathInfo::new( | |
389 | filename, fid, subcmd, loi, delete_on_close))); | |
390 | tx.request_done = true; | |
391 | tx.response_done = self.tc_trunc; // no response expected if tc is truncated | |
392 | ||
393 | SCLogDebug!("SMB: TX SETFILEPATHINFO created: ID {}", tx.id); | |
394 | self.transactions.push(tx); | |
395 | let tx_ref = self.transactions.last_mut(); | |
396 | return tx_ref.unwrap(); | |
397 | } | |
398 | ||
399 | pub fn new_setpathinfo_tx(&mut self, filename: Vec<u8>, | |
400 | subcmd: u16, loi: u16, delete_on_close: bool) | |
5ee83230 | 401 | -> &mut SMBTransaction |
2b581cd6 VJ |
402 | { |
403 | let mut tx = self.new_tx(); | |
404 | ||
405 | let fid : Vec<u8> = Vec::new(); | |
406 | tx.type_data = Some(SMBTransactionTypeData::SETFILEPATHINFO( | |
407 | SMBTransactionSetFilePathInfo::new(filename, fid, | |
408 | subcmd, loi, delete_on_close))); | |
409 | tx.request_done = true; | |
410 | tx.response_done = self.tc_trunc; // no response expected if tc is truncated | |
411 | ||
412 | SCLogDebug!("SMB: TX SETFILEPATHINFO created: ID {}", tx.id); | |
413 | self.transactions.push(tx); | |
414 | let tx_ref = self.transactions.last_mut(); | |
415 | return tx_ref.unwrap(); | |
416 | } | |
7b61f2c5 VJ |
417 | } |
418 | ||
419 | #[derive(Debug)] | |
420 | pub struct SMBTransactionRename { | |
421 | pub oldname: Vec<u8>, | |
422 | pub newname: Vec<u8>, | |
423 | pub fuid: Vec<u8>, | |
424 | } | |
425 | ||
426 | impl SMBTransactionRename { | |
02dccb15 JL |
427 | pub fn new(fuid: Vec<u8>, oldname: Vec<u8>, newname: Vec<u8>) -> Self { |
428 | return Self { | |
7b61f2c5 VJ |
429 | fuid: fuid, oldname: oldname, newname: newname, |
430 | } | |
431 | } | |
432 | } | |
433 | ||
434 | impl SMBState { | |
435 | pub fn new_rename_tx(&mut self, fuid: Vec<u8>, oldname: Vec<u8>, newname: Vec<u8>) | |
5ee83230 | 436 | -> &mut SMBTransaction |
7b61f2c5 VJ |
437 | { |
438 | let mut tx = self.new_tx(); | |
439 | ||
440 | tx.type_data = Some(SMBTransactionTypeData::RENAME( | |
441 | SMBTransactionRename::new(fuid, oldname, newname))); | |
442 | tx.request_done = true; | |
443 | tx.response_done = self.tc_trunc; // no response expected if tc is truncated | |
444 | ||
ea1e13cb | 445 | SCLogDebug!("SMB: TX RENAME created: ID {}", tx.id); |
7b61f2c5 VJ |
446 | self.transactions.push(tx); |
447 | let tx_ref = self.transactions.last_mut(); | |
448 | return tx_ref.unwrap(); | |
449 | } | |
75d7c9d6 VJ |
450 | } |
451 | ||
02dccb15 | 452 | #[derive(Default, Debug)] |
75d7c9d6 VJ |
453 | pub struct SMBTransactionCreate { |
454 | pub disposition: u32, | |
455 | pub delete_on_close: bool, | |
456 | pub directory: bool, | |
457 | pub filename: Vec<u8>, | |
fb986abe | 458 | pub guid: Vec<u8>, |
0e05ef73 VJ |
459 | |
460 | pub create_ts: u32, | |
461 | pub last_access_ts: u32, | |
462 | pub last_write_ts: u32, | |
463 | pub last_change_ts: u32, | |
464 | ||
465 | pub size: u64, | |
75d7c9d6 VJ |
466 | } |
467 | ||
468 | impl SMBTransactionCreate { | |
02dccb15 JL |
469 | pub fn new(filename: Vec<u8>, disp: u32, del: bool, dir: bool) -> Self { |
470 | return Self { | |
75d7c9d6 VJ |
471 | disposition: disp, |
472 | delete_on_close: del, | |
473 | directory: dir, | |
474 | filename: filename, | |
02dccb15 | 475 | ..Default::default() |
75d7c9d6 VJ |
476 | } |
477 | } | |
478 | } | |
479 | ||
02dccb15 | 480 | #[derive(Default, Debug)] |
75d7c9d6 VJ |
481 | pub struct SMBTransactionNegotiate { |
482 | pub smb_ver: u8, | |
483 | pub dialects: Vec<Vec<u8>>, | |
484 | pub dialects2: Vec<Vec<u8>>, | |
6d56edc3 VJ |
485 | |
486 | // SMB1 doesn't have the client GUID | |
487 | pub client_guid: Option<Vec<u8>>, | |
488 | pub server_guid: Vec<u8>, | |
75d7c9d6 VJ |
489 | } |
490 | ||
491 | impl SMBTransactionNegotiate { | |
02dccb15 JL |
492 | pub fn new(smb_ver: u8) -> Self { |
493 | return Self { | |
75d7c9d6 | 494 | smb_ver: smb_ver, |
6d56edc3 | 495 | server_guid: Vec::with_capacity(16), |
02dccb15 | 496 | ..Default::default() |
75d7c9d6 VJ |
497 | } |
498 | } | |
499 | } | |
500 | ||
02dccb15 | 501 | #[derive(Default, Debug)] |
75d7c9d6 VJ |
502 | pub struct SMBTransactionTreeConnect { |
503 | pub is_pipe: bool, | |
c56f5e11 | 504 | pub share_type: u8, |
75d7c9d6 VJ |
505 | pub tree_id: u32, |
506 | pub share_name: Vec<u8>, | |
fcbeab70 VJ |
507 | |
508 | /// SMB1 service strings | |
509 | pub req_service: Option<Vec<u8>>, | |
510 | pub res_service: Option<Vec<u8>>, | |
75d7c9d6 VJ |
511 | } |
512 | ||
513 | impl SMBTransactionTreeConnect { | |
02dccb15 JL |
514 | pub fn new(share_name: Vec<u8>) -> Self { |
515 | return Self { | |
75d7c9d6 | 516 | share_name:share_name, |
02dccb15 | 517 | ..Default::default() |
75d7c9d6 VJ |
518 | } |
519 | } | |
520 | } | |
521 | ||
522 | #[derive(Debug)] | |
523 | pub struct SMBTransaction { | |
524 | pub id: u64, /// internal id | |
525 | ||
526 | /// version, command and status | |
527 | pub vercmd: SMBVerCmdStat, | |
528 | /// session id, tree id, etc. | |
529 | pub hdr: SMBCommonHdr, | |
530 | ||
531 | /// for state tracking. false means this side is in progress, true | |
532 | /// that it's complete. | |
533 | pub request_done: bool, | |
534 | pub response_done: bool, | |
535 | ||
536 | /// Command specific data | |
537 | pub type_data: Option<SMBTransactionTypeData>, | |
538 | ||
77a95edd | 539 | pub tx_data: AppLayerTxData, |
75d7c9d6 VJ |
540 | } |
541 | ||
fcfc9876 JI |
542 | impl Transaction for SMBTransaction { |
543 | fn id(&self) -> u64 { | |
544 | self.id | |
545 | } | |
546 | } | |
547 | ||
75d7c9d6 | 548 | impl SMBTransaction { |
02dccb15 JL |
549 | pub fn new() -> Self { |
550 | return Self { | |
551 | id: 0, | |
552 | vercmd: SMBVerCmdStat::new(), | |
553 | hdr: SMBCommonHdr::init(), | |
554 | request_done: false, | |
555 | response_done: false, | |
556 | type_data: None, | |
02dccb15 | 557 | tx_data: AppLayerTxData::new(), |
75d7c9d6 VJ |
558 | } |
559 | } | |
560 | ||
561 | pub fn set_status(&mut self, status: u32, is_dos_error: bool) | |
562 | { | |
563 | if is_dos_error { | |
564 | self.vercmd.set_status_dos_error(status); | |
565 | } else { | |
566 | self.vercmd.set_ntstatus(status); | |
567 | } | |
568 | } | |
569 | ||
570 | pub fn free(&mut self) { | |
c9cee7af VJ |
571 | debug_validate_bug_on!(self.tx_data.files_opened > 1); |
572 | debug_validate_bug_on!(self.tx_data.files_logged > 1); | |
75d7c9d6 VJ |
573 | } |
574 | } | |
575 | ||
576 | impl Drop for SMBTransaction { | |
577 | fn drop(&mut self) { | |
578 | self.free(); | |
579 | } | |
580 | } | |
581 | ||
582 | #[derive(Hash, Eq, PartialEq, Debug, Clone)] | |
583 | pub struct SMBFileGUIDOffset { | |
584 | pub guid: Vec<u8>, | |
585 | pub offset: u64, | |
586 | } | |
587 | ||
588 | impl SMBFileGUIDOffset { | |
02dccb15 JL |
589 | pub fn new(guid: Vec<u8>, offset: u64) -> Self { |
590 | Self { | |
75d7c9d6 VJ |
591 | guid:guid, |
592 | offset:offset, | |
593 | } | |
594 | } | |
595 | } | |
596 | ||
597 | /// type values to make sure we're not mixing things | |
598 | /// up in hashmap lookups | |
599 | pub const SMBHDR_TYPE_GUID: u32 = 1; | |
600 | pub const SMBHDR_TYPE_SHARE: u32 = 2; | |
601 | pub const SMBHDR_TYPE_FILENAME: u32 = 3; | |
602 | pub const SMBHDR_TYPE_OFFSET: u32 = 4; | |
603 | pub const SMBHDR_TYPE_GENERICTX: u32 = 5; | |
604 | pub const SMBHDR_TYPE_HEADER: u32 = 6; | |
605 | pub const SMBHDR_TYPE_MAX_SIZE: u32 = 7; // max resp size for SMB1_COMMAND_TRANS | |
1b86d4e1 VJ |
606 | pub const SMBHDR_TYPE_TRANS_FRAG: u32 = 8; |
607 | pub const SMBHDR_TYPE_TREE: u32 = 9; | |
608 | pub const SMBHDR_TYPE_DCERPCTX: u32 = 10; | |
75d7c9d6 | 609 | |
02dccb15 | 610 | #[derive(Default, Hash, Eq, PartialEq, Debug)] |
75d7c9d6 VJ |
611 | pub struct SMBCommonHdr { |
612 | pub ssn_id: u64, | |
613 | pub tree_id: u32, | |
614 | pub rec_type: u32, | |
615 | pub msg_id: u64, | |
616 | } | |
617 | ||
618 | impl SMBCommonHdr { | |
02dccb15 JL |
619 | pub fn init() -> Self { |
620 | Default::default() | |
75d7c9d6 | 621 | } |
02dccb15 JL |
622 | pub fn new(rec_type: u32, ssn_id: u64, tree_id: u32, msg_id: u64) -> Self { |
623 | Self { | |
75d7c9d6 VJ |
624 | rec_type : rec_type, |
625 | ssn_id : ssn_id, | |
626 | tree_id : tree_id, | |
627 | msg_id : msg_id, | |
628 | } | |
629 | } | |
630 | pub fn from2(r: &Smb2Record, rec_type: u32) -> SMBCommonHdr { | |
631 | let tree_id = match rec_type { | |
632 | SMBHDR_TYPE_TREE => { 0 }, | |
633 | _ => r.tree_id, | |
634 | }; | |
635 | let msg_id = match rec_type { | |
be615c9f | 636 | SMBHDR_TYPE_TRANS_FRAG | SMBHDR_TYPE_SHARE => { 0 }, |
75d7c9d6 VJ |
637 | _ => { r.message_id as u64 }, |
638 | }; | |
639 | ||
640 | SMBCommonHdr { | |
641 | rec_type : rec_type, | |
642 | ssn_id : r.session_id, | |
643 | tree_id : tree_id, | |
644 | msg_id : msg_id, | |
645 | } | |
646 | ||
647 | } | |
648 | pub fn from1(r: &SmbRecord, rec_type: u32) -> SMBCommonHdr { | |
649 | let tree_id = match rec_type { | |
650 | SMBHDR_TYPE_TREE => { 0 }, | |
651 | _ => r.tree_id as u32, | |
652 | }; | |
653 | let msg_id = match rec_type { | |
be615c9f | 654 | SMBHDR_TYPE_TRANS_FRAG | SMBHDR_TYPE_SHARE => { 0 }, |
75d7c9d6 VJ |
655 | _ => { r.multiplex_id as u64 }, |
656 | }; | |
657 | ||
658 | SMBCommonHdr { | |
659 | rec_type : rec_type, | |
660 | ssn_id : r.ssn_id as u64, | |
661 | tree_id : tree_id, | |
662 | msg_id : msg_id, | |
663 | } | |
664 | } | |
8b570c02 VJ |
665 | |
666 | // don't include tree id | |
667 | pub fn compare(&self, hdr: &SMBCommonHdr) -> bool { | |
a729d266 VJ |
668 | self.rec_type == hdr.rec_type && self.ssn_id == hdr.ssn_id && |
669 | self.msg_id == hdr.msg_id | |
8b570c02 | 670 | } |
75d7c9d6 VJ |
671 | } |
672 | ||
673 | #[derive(Hash, Eq, PartialEq, Debug)] | |
674 | pub struct SMBHashKeyHdrGuid { | |
675 | hdr: SMBCommonHdr, | |
676 | guid: Vec<u8>, | |
677 | } | |
678 | ||
679 | impl SMBHashKeyHdrGuid { | |
02dccb15 JL |
680 | pub fn new(hdr: SMBCommonHdr, guid: Vec<u8>) -> Self { |
681 | Self { | |
75d7c9d6 VJ |
682 | hdr: hdr, guid: guid, |
683 | } | |
684 | } | |
685 | } | |
686 | ||
687 | #[derive(Hash, Eq, PartialEq, Debug)] | |
688 | pub struct SMBTree { | |
689 | pub name: Vec<u8>, | |
690 | pub is_pipe: bool, | |
691 | } | |
692 | ||
693 | impl SMBTree { | |
02dccb15 JL |
694 | pub fn new(name: Vec<u8>, is_pipe: bool) -> Self { |
695 | Self { | |
75d7c9d6 VJ |
696 | name:name, |
697 | is_pipe:is_pipe, | |
698 | } | |
699 | } | |
700 | } | |
701 | ||
702 | pub fn u32_as_bytes(i: u32) -> [u8;4] { | |
703 | let o1: u8 = ((i >> 24) & 0xff) as u8; | |
704 | let o2: u8 = ((i >> 16) & 0xff) as u8; | |
705 | let o3: u8 = ((i >> 8) & 0xff) as u8; | |
706 | let o4: u8 = (i & 0xff) as u8; | |
707 | return [o1, o2, o3, o4] | |
708 | } | |
709 | ||
710 | pub struct SMBState<> { | |
711 | /// map ssn/tree/msgid to vec (guid/name/share) | |
712 | pub ssn2vec_map: HashMap<SMBCommonHdr, Vec<u8>>, | |
713 | /// map guid to filename | |
714 | pub guid2name_map: HashMap<Vec<u8>, Vec<u8>>, | |
715 | /// map ssn key to read offset | |
716 | pub ssn2vecoffset_map: HashMap<SMBCommonHdr, SMBFileGUIDOffset>, | |
717 | ||
718 | pub ssn2tree_map: HashMap<SMBCommonHdr, SMBTree>, | |
719 | ||
4d502425 VJ |
720 | // store partial data records that are transfered in multiple |
721 | // requests for DCERPC. | |
75d7c9d6 VJ |
722 | pub ssnguid2vec_map: HashMap<SMBHashKeyHdrGuid, Vec<u8>>, |
723 | ||
5226ba1c | 724 | pub files: Files, |
75d7c9d6 | 725 | |
aa8d64c2 VJ |
726 | skip_ts: u32, |
727 | skip_tc: u32, | |
75d7c9d6 VJ |
728 | |
729 | pub file_ts_left : u32, | |
730 | pub file_tc_left : u32, | |
731 | pub file_ts_guid : Vec<u8>, | |
732 | pub file_tc_guid : Vec<u8>, | |
733 | ||
734 | pub ts_ssn_gap: bool, | |
735 | pub tc_ssn_gap: bool, | |
736 | ||
737 | pub ts_gap: bool, // last TS update was gap | |
738 | pub tc_gap: bool, // last TC update was gap | |
739 | ||
8bef1208 VJ |
740 | pub ts_trunc: bool, // no more data for TOSERVER |
741 | pub tc_trunc: bool, // no more data for TOCLIENT | |
75d7c9d6 | 742 | |
d41aecce VJ |
743 | /// true as long as we have file txs that are in a post-gap |
744 | /// state. It means we'll do extra house keeping for those. | |
745 | check_post_gap_file_txs: bool, | |
25f2efe9 | 746 | post_gap_files_checked: bool, |
d41aecce | 747 | |
75d7c9d6 VJ |
748 | /// transactions list |
749 | pub transactions: Vec<SMBTransaction>, | |
750 | ||
751 | /// tx counter for assigning incrementing id's to tx's | |
752 | tx_id: u64, | |
753 | ||
0d69e7b8 | 754 | /// SMB2 dialect or 0 if not set or SMB1 |
75d7c9d6 | 755 | pub dialect: u16, |
0d69e7b8 | 756 | /// contains name of SMB1 dialect |
75d7c9d6 | 757 | pub dialect_vec: Option<Vec<u8>>, // used if dialect == 0 |
75d7c9d6 VJ |
758 | |
759 | /// dcerpc interfaces, stored here to be able to match | |
760 | /// them while inspecting DCERPC REQUEST txs | |
761 | pub dcerpc_ifaces: Option<Vec<DCERPCIface>>, | |
d41aecce VJ |
762 | |
763 | /// Timestamp in seconds of last update. This is packet time, | |
764 | /// potentially coming from pcaps. | |
765 | ts: u64, | |
75d7c9d6 VJ |
766 | } |
767 | ||
fcfc9876 JI |
768 | impl State<SMBTransaction> for SMBState { |
769 | fn get_transactions(&self) -> &[SMBTransaction] { | |
770 | &self.transactions | |
771 | } | |
772 | } | |
773 | ||
75d7c9d6 VJ |
774 | impl SMBState { |
775 | /// Allocation function for a new TLS parser instance | |
02dccb15 JL |
776 | pub fn new() -> Self { |
777 | Self { | |
75d7c9d6 VJ |
778 | ssn2vec_map:HashMap::new(), |
779 | guid2name_map:HashMap::new(), | |
780 | ssn2vecoffset_map:HashMap::new(), | |
781 | ssn2tree_map:HashMap::new(), | |
75d7c9d6 | 782 | ssnguid2vec_map:HashMap::new(), |
3587033d | 783 | files: Files::default(), |
75d7c9d6 VJ |
784 | skip_ts:0, |
785 | skip_tc:0, | |
786 | file_ts_left:0, | |
787 | file_tc_left:0, | |
788 | file_ts_guid:Vec::new(), | |
789 | file_tc_guid:Vec::new(), | |
790 | ts_ssn_gap: false, | |
791 | tc_ssn_gap: false, | |
792 | ts_gap: false, | |
793 | tc_gap: false, | |
794 | ts_trunc: false, | |
795 | tc_trunc: false, | |
d41aecce | 796 | check_post_gap_file_txs: false, |
25f2efe9 | 797 | post_gap_files_checked: false, |
75d7c9d6 VJ |
798 | transactions: Vec::new(), |
799 | tx_id:0, | |
800 | dialect:0, | |
801 | dialect_vec: None, | |
75d7c9d6 | 802 | dcerpc_ifaces: None, |
d41aecce | 803 | ts: 0, |
75d7c9d6 VJ |
804 | } |
805 | } | |
806 | ||
807 | pub fn free(&mut self) { | |
808 | //self._debug_state_stats(); | |
809 | self._debug_tx_stats(); | |
75d7c9d6 VJ |
810 | } |
811 | ||
812 | pub fn new_tx(&mut self) -> SMBTransaction { | |
813 | let mut tx = SMBTransaction::new(); | |
814 | self.tx_id += 1; | |
815 | tx.id = self.tx_id; | |
816 | SCLogDebug!("TX {} created", tx.id); | |
817 | return tx; | |
818 | } | |
819 | ||
820 | pub fn free_tx(&mut self, tx_id: u64) { | |
821 | SCLogDebug!("Freeing TX with ID {} TX.ID {}", tx_id, tx_id+1); | |
822 | let len = self.transactions.len(); | |
823 | let mut found = false; | |
824 | let mut index = 0; | |
825 | for i in 0..len { | |
826 | let tx = &self.transactions[i]; | |
827 | if tx.id == tx_id + 1 { | |
828 | found = true; | |
829 | index = i; | |
830 | SCLogDebug!("tx {} progress {}/{}", tx.id, tx.request_done, tx.response_done); | |
831 | break; | |
832 | } | |
833 | } | |
834 | if found { | |
835 | SCLogDebug!("freeing TX with ID {} TX.ID {} at index {} left: {} max id: {}", | |
836 | tx_id, tx_id+1, index, self.transactions.len(), self.tx_id); | |
837 | self.transactions.remove(index); | |
838 | } | |
839 | } | |
840 | ||
75d7c9d6 VJ |
841 | pub fn get_tx_by_id(&mut self, tx_id: u64) -> Option<&SMBTransaction> { |
842 | /* | |
843 | if self.transactions.len() > 100 { | |
844 | SCLogNotice!("get_tx_by_id: tx_id={} in list={}", tx_id, self.transactions.len()); | |
845 | self._dump_txs(); | |
846 | panic!("txs exploded"); | |
847 | } | |
848 | */ | |
849 | for tx in &mut self.transactions { | |
850 | if tx.id == tx_id + 1 { | |
851 | let ver = tx.vercmd.get_version(); | |
852 | let mut _smbcmd; | |
853 | if ver == 2 { | |
854 | let (_, cmd) = tx.vercmd.get_smb2_cmd(); | |
855 | _smbcmd = cmd; | |
856 | } else { | |
857 | let (_, cmd) = tx.vercmd.get_smb1_cmd(); | |
858 | _smbcmd = cmd as u16; | |
859 | } | |
860 | SCLogDebug!("Found SMB TX: id {} ver:{} cmd:{} progress {}/{} type_data {:?}", | |
861 | tx.id, ver, _smbcmd, tx.request_done, tx.response_done, tx.type_data); | |
862 | return Some(tx); | |
863 | } | |
864 | } | |
865 | SCLogDebug!("Failed to find SMB TX with ID {}", tx_id); | |
866 | return None; | |
867 | } | |
868 | ||
8aa38060 VJ |
869 | fn update_ts(&mut self, ts: u64) { |
870 | if ts != self.ts { | |
871 | self.ts = ts; | |
25f2efe9 | 872 | self.post_gap_files_checked = false; |
8aa38060 VJ |
873 | } |
874 | } | |
875 | ||
75d7c9d6 VJ |
876 | /* generic TX has no type_data and is only used to |
877 | * track a single cmd request/reply pair. */ | |
878 | ||
879 | pub fn new_generic_tx(&mut self, smb_ver: u8, smb_cmd: u16, key: SMBCommonHdr) | |
5ee83230 | 880 | -> &mut SMBTransaction |
75d7c9d6 VJ |
881 | { |
882 | let mut tx = self.new_tx(); | |
883 | if smb_ver == 1 && smb_cmd <= 255 { | |
884 | tx.vercmd.set_smb1_cmd(smb_cmd as u8); | |
885 | } else if smb_ver == 2 { | |
886 | tx.vercmd.set_smb2_cmd(smb_cmd); | |
887 | } | |
888 | ||
889 | tx.type_data = None; | |
890 | tx.request_done = true; | |
891 | tx.response_done = self.tc_trunc; // no response expected if tc is truncated | |
892 | tx.hdr = key; | |
893 | ||
894 | SCLogDebug!("SMB: TX GENERIC created: ID {} tx list {} {:?}", | |
895 | tx.id, self.transactions.len(), &tx); | |
896 | self.transactions.push(tx); | |
897 | let tx_ref = self.transactions.last_mut(); | |
898 | return tx_ref.unwrap(); | |
899 | } | |
900 | ||
901 | pub fn get_last_tx(&mut self, smb_ver: u8, smb_cmd: u16) | |
902 | -> Option<&mut SMBTransaction> | |
903 | { | |
904 | let tx_ref = self.transactions.last_mut(); | |
905 | match tx_ref { | |
906 | Some(tx) => { | |
907 | let found = if tx.vercmd.get_version() == smb_ver { | |
908 | if smb_ver == 1 { | |
909 | let (_, cmd) = tx.vercmd.get_smb1_cmd(); | |
910 | cmd as u16 == smb_cmd | |
911 | } else if smb_ver == 2 { | |
912 | let (_, cmd) = tx.vercmd.get_smb2_cmd(); | |
913 | cmd == smb_cmd | |
914 | } else { | |
915 | false | |
916 | } | |
917 | } else { | |
918 | false | |
919 | }; | |
920 | if found { | |
921 | return Some(tx); | |
922 | } | |
923 | }, | |
924 | None => { }, | |
925 | } | |
926 | return None; | |
927 | } | |
928 | ||
929 | pub fn get_generic_tx(&mut self, smb_ver: u8, smb_cmd: u16, key: &SMBCommonHdr) | |
930 | -> Option<&mut SMBTransaction> | |
931 | { | |
932 | for tx in &mut self.transactions { | |
933 | let found = if tx.vercmd.get_version() == smb_ver { | |
934 | if smb_ver == 1 { | |
935 | let (_, cmd) = tx.vercmd.get_smb1_cmd(); | |
8b570c02 | 936 | cmd as u16 == smb_cmd && tx.hdr.compare(key) |
75d7c9d6 VJ |
937 | } else if smb_ver == 2 { |
938 | let (_, cmd) = tx.vercmd.get_smb2_cmd(); | |
8b570c02 | 939 | cmd == smb_cmd && tx.hdr.compare(key) |
75d7c9d6 VJ |
940 | } else { |
941 | false | |
942 | } | |
943 | } else { | |
944 | false | |
945 | }; | |
946 | if found { | |
947 | return Some(tx); | |
948 | } | |
949 | } | |
950 | return None; | |
951 | } | |
952 | ||
953 | pub fn new_negotiate_tx(&mut self, smb_ver: u8) | |
5ee83230 | 954 | -> &mut SMBTransaction |
75d7c9d6 VJ |
955 | { |
956 | let mut tx = self.new_tx(); | |
957 | if smb_ver == 1 { | |
958 | tx.vercmd.set_smb1_cmd(SMB1_COMMAND_NEGOTIATE_PROTOCOL); | |
959 | } else if smb_ver == 2 { | |
960 | tx.vercmd.set_smb2_cmd(SMB2_COMMAND_NEGOTIATE_PROTOCOL); | |
961 | } | |
962 | ||
963 | tx.type_data = Some(SMBTransactionTypeData::NEGOTIATE( | |
964 | SMBTransactionNegotiate::new(smb_ver))); | |
965 | tx.request_done = true; | |
966 | tx.response_done = self.tc_trunc; // no response expected if tc is truncated | |
967 | ||
968 | SCLogDebug!("SMB: TX NEGOTIATE created: ID {} SMB ver {}", tx.id, smb_ver); | |
969 | self.transactions.push(tx); | |
970 | let tx_ref = self.transactions.last_mut(); | |
971 | return tx_ref.unwrap(); | |
972 | } | |
973 | ||
974 | pub fn get_negotiate_tx(&mut self, smb_ver: u8) | |
975 | -> Option<&mut SMBTransaction> | |
976 | { | |
977 | for tx in &mut self.transactions { | |
978 | let found = match tx.type_data { | |
979 | Some(SMBTransactionTypeData::NEGOTIATE(ref x)) => { | |
980 | if x.smb_ver == smb_ver { | |
981 | true | |
982 | } else { | |
983 | false | |
984 | } | |
985 | }, | |
986 | _ => { false }, | |
987 | }; | |
988 | if found { | |
989 | return Some(tx); | |
990 | } | |
991 | } | |
992 | return None; | |
993 | } | |
994 | ||
995 | pub fn new_treeconnect_tx(&mut self, hdr: SMBCommonHdr, name: Vec<u8>) | |
5ee83230 | 996 | -> &mut SMBTransaction |
75d7c9d6 VJ |
997 | { |
998 | let mut tx = self.new_tx(); | |
999 | ||
1000 | tx.hdr = hdr; | |
1001 | tx.type_data = Some(SMBTransactionTypeData::TREECONNECT( | |
1002 | SMBTransactionTreeConnect::new(name.to_vec()))); | |
1003 | tx.request_done = true; | |
1004 | tx.response_done = self.tc_trunc; // no response expected if tc is truncated | |
1005 | ||
1006 | SCLogDebug!("SMB: TX TREECONNECT created: ID {} NAME {}", | |
1007 | tx.id, String::from_utf8_lossy(&name)); | |
1008 | self.transactions.push(tx); | |
1009 | let tx_ref = self.transactions.last_mut(); | |
1010 | return tx_ref.unwrap(); | |
1011 | } | |
1012 | ||
1013 | pub fn get_treeconnect_tx(&mut self, hdr: SMBCommonHdr) | |
1014 | -> Option<&mut SMBTransaction> | |
1015 | { | |
1016 | for tx in &mut self.transactions { | |
8b570c02 | 1017 | let hit = tx.hdr.compare(&hdr) && match tx.type_data { |
75d7c9d6 VJ |
1018 | Some(SMBTransactionTypeData::TREECONNECT(_)) => { true }, |
1019 | _ => { false }, | |
1020 | }; | |
1021 | if hit { | |
1022 | return Some(tx); | |
1023 | } | |
1024 | } | |
1025 | return None; | |
1026 | } | |
1027 | ||
1028 | pub fn new_create_tx(&mut self, file_name: &Vec<u8>, | |
1029 | disposition: u32, del: bool, dir: bool, | |
1030 | hdr: SMBCommonHdr) | |
1031 | -> &mut SMBTransaction | |
1032 | { | |
1033 | let mut tx = self.new_tx(); | |
1034 | tx.hdr = hdr; | |
1035 | tx.type_data = Some(SMBTransactionTypeData::CREATE( | |
1036 | SMBTransactionCreate::new( | |
1037 | file_name.to_vec(), disposition, | |
1038 | del, dir))); | |
1039 | tx.request_done = true; | |
1040 | tx.response_done = self.tc_trunc; // no response expected if tc is truncated | |
1041 | ||
1042 | self.transactions.push(tx); | |
1043 | let tx_ref = self.transactions.last_mut(); | |
1044 | return tx_ref.unwrap(); | |
1045 | } | |
1046 | ||
1047 | pub fn get_create_tx_by_hdr(&mut self, hdr: &SMBCommonHdr) | |
1048 | -> Option<&mut SMBTransaction> | |
1049 | { | |
1050 | for tx in &mut self.transactions { | |
1051 | let found = match tx.type_data { | |
1052 | Some(SMBTransactionTypeData::CREATE(ref _d)) => { | |
69cf5c9e | 1053 | tx.hdr.compare(hdr) |
75d7c9d6 VJ |
1054 | }, |
1055 | _ => { false }, | |
1056 | }; | |
1057 | ||
1058 | if found { | |
1059 | SCLogDebug!("SMB: Found SMB create TX with ID {}", tx.id); | |
1060 | return Some(tx); | |
1061 | } | |
1062 | } | |
1063 | SCLogDebug!("SMB: Failed to find SMB create TX with key {:?}", hdr); | |
1064 | return None; | |
1065 | } | |
1066 | ||
1067 | pub fn get_service_for_guid(&self, guid: &[u8]) -> (&'static str, bool) | |
1068 | { | |
1069 | let (name, is_dcerpc) = match self.guid2name_map.get(&guid.to_vec()) { | |
1070 | Some(n) => { | |
1b86d4e1 VJ |
1071 | let mut s = n.as_slice(); |
1072 | // skip leading \ if we have it | |
1073 | if s.len() > 1 && s[0] == 0x5c_u8 { | |
1074 | s = &s[1..]; | |
1075 | } | |
1076 | match str::from_utf8(s) { | |
75d7c9d6 VJ |
1077 | Ok("PSEXESVC") => ("PSEXESVC", false), |
1078 | Ok("svcctl") => ("svcctl", true), | |
1079 | Ok("srvsvc") => ("srvsvc", true), | |
1080 | Ok("atsvc") => ("atsvc", true), | |
1081 | Ok("lsarpc") => ("lsarpc", true), | |
1082 | Ok("samr") => ("samr", true), | |
1b86d4e1 | 1083 | Ok("spoolss") => ("spoolss", true), |
a7ee2ffb | 1084 | Ok("winreg") => ("winreg", true), |
ac4e8885 | 1085 | Ok("suricata::dcerpc") => ("unknown", true), |
75d7c9d6 VJ |
1086 | Err(_) => ("MALFORMED", false), |
1087 | Ok(&_) => { | |
ea1e13cb | 1088 | SCLogDebug!("don't know {}", String::from_utf8_lossy(&n)); |
75d7c9d6 VJ |
1089 | ("UNKNOWN", false) |
1090 | }, | |
1091 | } | |
1092 | }, | |
1093 | _ => { ("UNKNOWN", false) }, | |
1094 | }; | |
1095 | SCLogDebug!("service {} is_dcerpc {}", name, is_dcerpc); | |
69cf5c9e | 1096 | (name, is_dcerpc) |
75d7c9d6 VJ |
1097 | } |
1098 | ||
d41aecce VJ |
1099 | fn post_gap_housekeeping_for_files(&mut self) |
1100 | { | |
1101 | let mut post_gap_txs = false; | |
1102 | for tx in &mut self.transactions { | |
65e9a7c3 | 1103 | if let Some(SMBTransactionTypeData::FILE(ref mut f)) = tx.type_data { |
d41aecce VJ |
1104 | if f.post_gap_ts > 0 { |
1105 | if self.ts > f.post_gap_ts { | |
1106 | tx.request_done = true; | |
1107 | tx.response_done = true; | |
89cb3379 | 1108 | let (files, flags) = self.files.get(f.direction); |
65e9a7c3 | 1109 | f.file_tracker.trunc(files, flags); |
d41aecce VJ |
1110 | } else { |
1111 | post_gap_txs = true; | |
1112 | } | |
1113 | } | |
1114 | } | |
1115 | } | |
1116 | self.check_post_gap_file_txs = post_gap_txs; | |
1117 | } | |
1118 | ||
44ac3e30 VJ |
1119 | /* after a gap we will consider all transactions complete for our |
1120 | * direction. File transfer transactions are an exception. Those | |
d41aecce VJ |
1121 | * can handle gaps. For the file transactions we set the current |
1122 | * (flow) time and prune them in 60 seconds if no update for them | |
1123 | * was received. */ | |
89cb3379 | 1124 | fn post_gap_housekeeping(&mut self, dir: Direction) |
75d7c9d6 | 1125 | { |
89cb3379 | 1126 | if self.ts_ssn_gap && dir == Direction::ToServer { |
44ac3e30 VJ |
1127 | for tx in &mut self.transactions { |
1128 | if tx.id >= self.tx_id { | |
1129 | SCLogDebug!("post_gap_housekeeping: done"); | |
1130 | break; | |
1131 | } | |
d41aecce VJ |
1132 | if let Some(SMBTransactionTypeData::FILE(ref mut f)) = tx.type_data { |
1133 | // leaving FILE txs open as they can deal with gaps. We | |
1134 | // remove them after 60 seconds of no activity though. | |
1135 | if f.post_gap_ts == 0 { | |
1136 | f.post_gap_ts = self.ts + 60; | |
1137 | self.check_post_gap_file_txs = true; | |
1138 | } | |
44ac3e30 VJ |
1139 | } else { |
1140 | SCLogDebug!("post_gap_housekeeping: tx {} marked as done TS", tx.id); | |
1141 | tx.request_done = true; | |
1142 | } | |
a44504a1 | 1143 | } |
89cb3379 | 1144 | } else if self.tc_ssn_gap && dir == Direction::ToClient { |
44ac3e30 VJ |
1145 | for tx in &mut self.transactions { |
1146 | if tx.id >= self.tx_id { | |
1147 | SCLogDebug!("post_gap_housekeeping: done"); | |
1148 | break; | |
1149 | } | |
d41aecce VJ |
1150 | if let Some(SMBTransactionTypeData::FILE(ref mut f)) = tx.type_data { |
1151 | // leaving FILE txs open as they can deal with gaps. We | |
1152 | // remove them after 60 seconds of no activity though. | |
1153 | if f.post_gap_ts == 0 { | |
1154 | f.post_gap_ts = self.ts + 60; | |
1155 | self.check_post_gap_file_txs = true; | |
1156 | } | |
44ac3e30 VJ |
1157 | } else { |
1158 | SCLogDebug!("post_gap_housekeeping: tx {} marked as done TC", tx.id); | |
1159 | tx.request_done = true; | |
1160 | tx.response_done = true; | |
1161 | } | |
75d7c9d6 | 1162 | } |
44ac3e30 | 1163 | |
75d7c9d6 VJ |
1164 | } |
1165 | } | |
1166 | ||
89cb3379 | 1167 | pub fn set_file_left(&mut self, direction: Direction, rec_size: u32, data_size: u32, fuid: Vec<u8>) |
4d58aaae | 1168 | { |
f40fc029 | 1169 | let left = rec_size.saturating_sub(data_size); |
89cb3379 | 1170 | if direction == Direction::ToServer { |
4d58aaae VJ |
1171 | self.file_ts_left = left; |
1172 | self.file_ts_guid = fuid; | |
1173 | } else { | |
1174 | self.file_tc_left = left; | |
1175 | self.file_tc_guid = fuid; | |
1176 | } | |
1177 | } | |
1178 | ||
89cb3379 | 1179 | pub fn set_skip(&mut self, direction: Direction, rec_size: u32, data_size: u32) |
aa8d64c2 | 1180 | { |
f40fc029 | 1181 | let skip = rec_size.saturating_sub(data_size); |
89cb3379 | 1182 | if direction == Direction::ToServer { |
aa8d64c2 VJ |
1183 | self.skip_ts = skip; |
1184 | } else { | |
1185 | self.skip_tc = skip; | |
1186 | } | |
1187 | } | |
1188 | ||
75d7c9d6 | 1189 | // return how much data we consumed |
89cb3379 SB |
1190 | fn handle_skip(&mut self, direction: Direction, input_size: u32) -> u32 { |
1191 | let mut skip_left = if direction == Direction::ToServer { | |
75d7c9d6 VJ |
1192 | self.skip_ts |
1193 | } else { | |
1194 | self.skip_tc | |
1195 | }; | |
1196 | if skip_left == 0 { | |
1197 | return 0 | |
1198 | } | |
1199 | SCLogDebug!("skip_left {} input_size {}", skip_left, input_size); | |
1200 | ||
1201 | let consumed = if skip_left >= input_size { | |
1202 | input_size | |
1203 | } else { | |
1204 | skip_left | |
1205 | }; | |
1206 | ||
1207 | if skip_left <= input_size { | |
1208 | skip_left = 0; | |
1209 | } else { | |
1210 | skip_left -= input_size; | |
1211 | } | |
1212 | ||
89cb3379 | 1213 | if direction == Direction::ToServer { |
75d7c9d6 VJ |
1214 | self.skip_ts = skip_left; |
1215 | } else { | |
1216 | self.skip_tc = skip_left; | |
1217 | } | |
1218 | return consumed; | |
1219 | } | |
1220 | ||
1221 | /// return bytes consumed | |
1222 | pub fn parse_tcp_data_ts_partial<'b>(&mut self, input: &'b[u8]) -> usize | |
1223 | { | |
1224 | SCLogDebug!("incomplete of size {}", input.len()); | |
1225 | if input.len() < 512 { | |
7dff9b99 VJ |
1226 | // check for malformed data. Wireshark reports as |
1227 | // 'NBSS continuation data'. If it's invalid we're | |
1228 | // lost so we give up. | |
1229 | if input.len() > 8 { | |
1230 | match parse_nbss_record_partial(input) { | |
13b73997 | 1231 | Ok((_, ref hdr)) => { |
7dff9b99 VJ |
1232 | if !hdr.is_smb() { |
1233 | SCLogDebug!("partial NBSS, not SMB and no known msg type {}", hdr.message_type); | |
1234 | self.trunc_ts(); | |
1235 | return 0; | |
1236 | } | |
1237 | }, | |
1238 | _ => {}, | |
1239 | } | |
1240 | } | |
75d7c9d6 VJ |
1241 | return 0; |
1242 | } | |
1243 | ||
1244 | match parse_nbss_record_partial(input) { | |
13b73997 | 1245 | Ok((output, ref nbss_part_hdr)) => { |
75d7c9d6 VJ |
1246 | SCLogDebug!("parse_nbss_record_partial ok, output len {}", output.len()); |
1247 | if nbss_part_hdr.message_type == NBSS_MSGTYPE_SESSION_MESSAGE { | |
69cf5c9e | 1248 | match parse_smb_version(nbss_part_hdr.data) { |
13b73997 | 1249 | Ok((_, ref smb)) => { |
75d7c9d6 | 1250 | SCLogDebug!("SMB {:?}", smb); |
b3439205 | 1251 | if smb.version == 0xff_u8 { // SMB1 |
75d7c9d6 | 1252 | SCLogDebug!("SMBv1 record"); |
69cf5c9e | 1253 | match parse_smb_record(nbss_part_hdr.data) { |
13b73997 | 1254 | Ok((_, ref r)) => { |
75d7c9d6 VJ |
1255 | if r.command == SMB1_COMMAND_WRITE_ANDX { |
1256 | // see if it's a write to a pipe. We only handle those | |
1257 | // if complete. | |
1258 | let tree_key = SMBCommonHdr::new(SMBHDR_TYPE_SHARE, | |
1259 | r.ssn_id as u64, r.tree_id as u32, 0); | |
1260 | let is_pipe = match self.ssn2tree_map.get(&tree_key) { | |
1261 | Some(n) => n.is_pipe, | |
1262 | None => false, | |
1263 | }; | |
1264 | if is_pipe { | |
1265 | return 0; | |
1266 | } | |
2d146062 | 1267 | smb1_write_request_record(self, r, SMB1_HEADER_SIZE, SMB1_COMMAND_WRITE_ANDX); |
75d7c9d6 VJ |
1268 | let consumed = input.len() - output.len(); |
1269 | return consumed; | |
1270 | } | |
1271 | }, | |
1272 | _ => { }, | |
1273 | ||
1274 | } | |
b3439205 | 1275 | } else if smb.version == 0xfe_u8 { // SMB2 |
4bf87d30 | 1276 | SCLogDebug!("NBSS record {:?}", nbss_part_hdr); |
75d7c9d6 | 1277 | SCLogDebug!("SMBv2 record"); |
69cf5c9e | 1278 | match parse_smb2_request_record(nbss_part_hdr.data) { |
13b73997 | 1279 | Ok((_, ref smb_record)) => { |
75d7c9d6 VJ |
1280 | SCLogDebug!("SMB2: partial record {}", |
1281 | &smb2_command_string(smb_record.command)); | |
1282 | if smb_record.command == SMB2_COMMAND_WRITE { | |
1283 | smb2_write_request_record(self, smb_record); | |
1284 | let consumed = input.len() - output.len(); | |
4bf87d30 | 1285 | SCLogDebug!("consumed {}", consumed); |
75d7c9d6 VJ |
1286 | return consumed; |
1287 | } | |
1288 | }, | |
1289 | _ => { }, | |
1290 | } | |
1291 | } | |
b3439205 | 1292 | // no SMB3 here yet, will buffer full records |
75d7c9d6 VJ |
1293 | }, |
1294 | _ => { }, | |
1295 | } | |
1296 | } | |
1297 | }, | |
1298 | _ => { }, | |
1299 | } | |
1300 | ||
1301 | return 0; | |
1302 | } | |
1303 | ||
1304 | /// Parsing function, handling TCP chunks fragmentation | |
4bf87d30 | 1305 | pub fn parse_tcp_data_ts<'b>(&mut self, i: &'b[u8]) -> AppLayerResult |
75d7c9d6 | 1306 | { |
4bf87d30 | 1307 | let mut cur_i = i; |
89cb3379 | 1308 | let consumed = self.handle_skip(Direction::ToServer, cur_i.len() as u32); |
75d7c9d6 VJ |
1309 | if consumed > 0 { |
1310 | if consumed > cur_i.len() as u32 { | |
1311 | self.set_event(SMBEvent::InternalError); | |
4bf87d30 | 1312 | return AppLayerResult::err(); |
75d7c9d6 VJ |
1313 | } |
1314 | cur_i = &cur_i[consumed as usize..]; | |
1315 | } | |
1316 | // take care of in progress file chunk transfers | |
1317 | // and skip buffer beyond it | |
89cb3379 | 1318 | let consumed = self.filetracker_update(Direction::ToServer, cur_i, 0); |
75d7c9d6 VJ |
1319 | if consumed > 0 { |
1320 | if consumed > cur_i.len() as u32 { | |
1321 | self.set_event(SMBEvent::InternalError); | |
4bf87d30 | 1322 | return AppLayerResult::err(); |
75d7c9d6 VJ |
1323 | } |
1324 | cur_i = &cur_i[consumed as usize..]; | |
1325 | } | |
4bf87d30 VJ |
1326 | if cur_i.len() == 0 { |
1327 | return AppLayerResult::ok(); | |
1328 | } | |
75d7c9d6 VJ |
1329 | // gap |
1330 | if self.ts_gap { | |
a44504a1 | 1331 | SCLogDebug!("TS trying to catch up after GAP (input {})", cur_i.len()); |
4bf87d30 VJ |
1332 | while cur_i.len() > 0 { // min record size |
1333 | match search_smb_record(cur_i) { | |
1334 | Ok((_, pg)) => { | |
1335 | SCLogDebug!("smb record found"); | |
1336 | let smb2_offset = cur_i.len() - pg.len(); | |
1337 | if smb2_offset < 4 { | |
1338 | cur_i = &cur_i[smb2_offset+4..]; | |
1339 | continue; // see if we have another record in our data | |
1340 | } | |
1341 | let nbss_offset = smb2_offset - 4; | |
1342 | cur_i = &cur_i[nbss_offset..]; | |
75d7c9d6 | 1343 | |
4bf87d30 VJ |
1344 | self.ts_gap = false; |
1345 | break; | |
1346 | }, | |
1347 | _ => { | |
1348 | let mut consumed = i.len(); | |
1349 | if consumed < 4 { | |
1350 | consumed = 0; | |
1351 | } else { | |
1352 | consumed = consumed - 3; | |
1353 | } | |
1354 | SCLogDebug!("smb record NOT found"); | |
1355 | return AppLayerResult::incomplete(consumed as u32, 8); | |
1356 | }, | |
1357 | } | |
75d7c9d6 VJ |
1358 | } |
1359 | } | |
1360 | while cur_i.len() > 0 { // min record size | |
1361 | match parse_nbss_record(cur_i) { | |
13b73997 | 1362 | Ok((rem, ref nbss_hdr)) => { |
75d7c9d6 VJ |
1363 | if nbss_hdr.message_type == NBSS_MSGTYPE_SESSION_MESSAGE { |
1364 | // we have the full records size worth of data, | |
1365 | // let's parse it | |
69cf5c9e | 1366 | match parse_smb_version(nbss_hdr.data) { |
13b73997 | 1367 | Ok((_, ref smb)) => { |
75d7c9d6 | 1368 | SCLogDebug!("SMB {:?}", smb); |
b3439205 | 1369 | if smb.version == 0xff_u8 { // SMB1 |
75d7c9d6 | 1370 | SCLogDebug!("SMBv1 record"); |
69cf5c9e | 1371 | match parse_smb_record(nbss_hdr.data) { |
13b73997 | 1372 | Ok((_, ref smb_record)) => { |
75d7c9d6 VJ |
1373 | smb1_request_record(self, smb_record); |
1374 | }, | |
1375 | _ => { | |
1376 | self.set_event(SMBEvent::MalformedData); | |
4bf87d30 | 1377 | return AppLayerResult::err(); |
75d7c9d6 VJ |
1378 | }, |
1379 | } | |
b3439205 | 1380 | } else if smb.version == 0xfe_u8 { // SMB2 |
75d7c9d6 VJ |
1381 | let mut nbss_data = nbss_hdr.data; |
1382 | while nbss_data.len() > 0 { | |
1383 | SCLogDebug!("SMBv2 record"); | |
69cf5c9e | 1384 | match parse_smb2_request_record(nbss_data) { |
13b73997 | 1385 | Ok((nbss_data_rem, ref smb_record)) => { |
75d7c9d6 VJ |
1386 | SCLogDebug!("nbss_data_rem {}", nbss_data_rem.len()); |
1387 | ||
1388 | smb2_request_record(self, smb_record); | |
1389 | nbss_data = nbss_data_rem; | |
1390 | }, | |
1391 | _ => { | |
1392 | self.set_event(SMBEvent::MalformedData); | |
4bf87d30 | 1393 | return AppLayerResult::err(); |
75d7c9d6 VJ |
1394 | }, |
1395 | } | |
1396 | } | |
b3439205 VJ |
1397 | } else if smb.version == 0xfd_u8 { // SMB3 transform |
1398 | let mut nbss_data = nbss_hdr.data; | |
1399 | while nbss_data.len() > 0 { | |
1400 | SCLogDebug!("SMBv3 transform record"); | |
69cf5c9e | 1401 | match parse_smb3_transform_record(nbss_data) { |
13b73997 | 1402 | Ok((nbss_data_rem, ref _smb3_record)) => { |
b3439205 VJ |
1403 | nbss_data = nbss_data_rem; |
1404 | }, | |
1405 | _ => { | |
1406 | self.set_event(SMBEvent::MalformedData); | |
4bf87d30 | 1407 | return AppLayerResult::err(); |
b3439205 VJ |
1408 | }, |
1409 | } | |
1410 | } | |
75d7c9d6 VJ |
1411 | } |
1412 | }, | |
1413 | _ => { | |
1414 | self.set_event(SMBEvent::MalformedData); | |
4bf87d30 | 1415 | return AppLayerResult::err(); |
75d7c9d6 VJ |
1416 | }, |
1417 | } | |
1418 | } else { | |
1419 | SCLogDebug!("NBSS message {:X}", nbss_hdr.message_type); | |
1420 | } | |
1421 | cur_i = rem; | |
1422 | }, | |
4bf87d30 VJ |
1423 | Err(nom::Err::Incomplete(needed)) => { |
1424 | if let nom::Needed::Size(n) = needed { | |
1425 | // 512 is the minimum for parse_tcp_data_ts_partial | |
1426 | if n >= 512 && cur_i.len() < 512 { | |
1427 | let total_consumed = i.len() - cur_i.len(); | |
1428 | return AppLayerResult::incomplete(total_consumed as u32, 512); | |
1429 | } | |
1430 | let consumed = self.parse_tcp_data_ts_partial(cur_i); | |
1431 | if consumed == 0 { | |
1432 | // if we consumed none we will buffer the entire record | |
1433 | let total_consumed = i.len() - cur_i.len(); | |
1434 | SCLogDebug!("setting consumed {} need {} needed {:?} total input {}", | |
1435 | total_consumed, n, needed, i.len()); | |
1436 | let need = n + 4; // Incomplete returns size of data minus NBSS header | |
1437 | return AppLayerResult::incomplete(total_consumed as u32, need as u32); | |
1438 | } | |
1439 | // tracking a write record, which we don't need to | |
1440 | // queue up at the stream level, but can feed to us | |
1441 | // in small chunks | |
1442 | return AppLayerResult::ok(); | |
1443 | } else { | |
1444 | self.set_event(SMBEvent::InternalError); | |
1445 | return AppLayerResult::err(); | |
1446 | } | |
75d7c9d6 | 1447 | }, |
13b73997 | 1448 | Err(_) => { |
75d7c9d6 | 1449 | self.set_event(SMBEvent::MalformedData); |
4bf87d30 | 1450 | return AppLayerResult::err(); |
75d7c9d6 VJ |
1451 | }, |
1452 | } | |
1453 | }; | |
1454 | ||
89cb3379 | 1455 | self.post_gap_housekeeping(Direction::ToServer); |
25f2efe9 | 1456 | if self.check_post_gap_file_txs && !self.post_gap_files_checked { |
d41aecce | 1457 | self.post_gap_housekeeping_for_files(); |
25f2efe9 | 1458 | self.post_gap_files_checked = true; |
d41aecce | 1459 | } |
4bf87d30 | 1460 | AppLayerResult::ok() |
75d7c9d6 VJ |
1461 | } |
1462 | ||
1463 | /// return bytes consumed | |
1464 | pub fn parse_tcp_data_tc_partial<'b>(&mut self, input: &'b[u8]) -> usize | |
1465 | { | |
1466 | SCLogDebug!("incomplete of size {}", input.len()); | |
1467 | if input.len() < 512 { | |
7dff9b99 VJ |
1468 | // check for malformed data. Wireshark reports as |
1469 | // 'NBSS continuation data'. If it's invalid we're | |
1470 | // lost so we give up. | |
1471 | if input.len() > 8 { | |
1472 | match parse_nbss_record_partial(input) { | |
13b73997 | 1473 | Ok((_, ref hdr)) => { |
7dff9b99 VJ |
1474 | if !hdr.is_smb() { |
1475 | SCLogDebug!("partial NBSS, not SMB and no known msg type {}", hdr.message_type); | |
1476 | self.trunc_tc(); | |
1477 | return 0; | |
1478 | } | |
1479 | }, | |
1480 | _ => {}, | |
1481 | } | |
1482 | } | |
75d7c9d6 VJ |
1483 | return 0; |
1484 | } | |
1485 | ||
1486 | match parse_nbss_record_partial(input) { | |
13b73997 | 1487 | Ok((output, ref nbss_part_hdr)) => { |
75d7c9d6 VJ |
1488 | SCLogDebug!("parse_nbss_record_partial ok, output len {}", output.len()); |
1489 | if nbss_part_hdr.message_type == NBSS_MSGTYPE_SESSION_MESSAGE { | |
69cf5c9e | 1490 | match parse_smb_version(nbss_part_hdr.data) { |
13b73997 | 1491 | Ok((_, ref smb)) => { |
75d7c9d6 VJ |
1492 | SCLogDebug!("SMB {:?}", smb); |
1493 | if smb.version == 255u8 { // SMB1 | |
1494 | SCLogDebug!("SMBv1 record"); | |
69cf5c9e | 1495 | match parse_smb_record(nbss_part_hdr.data) { |
13b73997 | 1496 | Ok((_, ref r)) => { |
75d7c9d6 VJ |
1497 | SCLogDebug!("SMB1: partial record {}", |
1498 | r.command); | |
1499 | if r.command == SMB1_COMMAND_READ_ANDX { | |
1500 | let tree_key = SMBCommonHdr::new(SMBHDR_TYPE_SHARE, | |
1501 | r.ssn_id as u64, r.tree_id as u32, 0); | |
1502 | let is_pipe = match self.ssn2tree_map.get(&tree_key) { | |
1503 | Some(n) => n.is_pipe, | |
1504 | None => false, | |
1505 | }; | |
1506 | if is_pipe { | |
1507 | return 0; | |
1508 | } | |
2d146062 | 1509 | smb1_read_response_record(self, r, SMB1_HEADER_SIZE); |
75d7c9d6 VJ |
1510 | let consumed = input.len() - output.len(); |
1511 | return consumed; | |
1512 | } | |
1513 | }, | |
1514 | _ => { }, | |
1515 | } | |
1516 | } else if smb.version == 254u8 { // SMB2 | |
1517 | SCLogDebug!("SMBv2 record"); | |
69cf5c9e | 1518 | match parse_smb2_response_record(nbss_part_hdr.data) { |
13b73997 | 1519 | Ok((_, ref smb_record)) => { |
75d7c9d6 VJ |
1520 | SCLogDebug!("SMB2: partial record {}", |
1521 | &smb2_command_string(smb_record.command)); | |
1522 | if smb_record.command == SMB2_COMMAND_READ { | |
1523 | smb2_read_response_record(self, smb_record); | |
1524 | let consumed = input.len() - output.len(); | |
1525 | return consumed; | |
1526 | } | |
1527 | }, | |
1528 | _ => { }, | |
1529 | } | |
1530 | } | |
b3439205 | 1531 | // no SMB3 here yet, will buffer full records |
75d7c9d6 VJ |
1532 | }, |
1533 | _ => { }, | |
1534 | } | |
1535 | } | |
1536 | }, | |
1537 | _ => { }, | |
1538 | } | |
1539 | ||
1540 | return 0; | |
1541 | } | |
1542 | ||
1543 | /// Parsing function, handling TCP chunks fragmentation | |
4bf87d30 | 1544 | pub fn parse_tcp_data_tc<'b>(&mut self, i: &'b[u8]) -> AppLayerResult |
75d7c9d6 | 1545 | { |
4bf87d30 | 1546 | let mut cur_i = i; |
89cb3379 | 1547 | let consumed = self.handle_skip(Direction::ToClient, cur_i.len() as u32); |
75d7c9d6 VJ |
1548 | if consumed > 0 { |
1549 | if consumed > cur_i.len() as u32 { | |
1550 | self.set_event(SMBEvent::InternalError); | |
4bf87d30 | 1551 | return AppLayerResult::err(); |
75d7c9d6 VJ |
1552 | } |
1553 | cur_i = &cur_i[consumed as usize..]; | |
1554 | } | |
1555 | // take care of in progress file chunk transfers | |
1556 | // and skip buffer beyond it | |
89cb3379 | 1557 | let consumed = self.filetracker_update(Direction::ToClient, cur_i, 0); |
75d7c9d6 VJ |
1558 | if consumed > 0 { |
1559 | if consumed > cur_i.len() as u32 { | |
1560 | self.set_event(SMBEvent::InternalError); | |
4bf87d30 | 1561 | return AppLayerResult::err(); |
75d7c9d6 VJ |
1562 | } |
1563 | cur_i = &cur_i[consumed as usize..]; | |
1564 | } | |
4bf87d30 VJ |
1565 | if cur_i.len() == 0 { |
1566 | return AppLayerResult::ok(); | |
1567 | } | |
75d7c9d6 VJ |
1568 | // gap |
1569 | if self.tc_gap { | |
b3439205 | 1570 | SCLogDebug!("TC trying to catch up after GAP (input {})", cur_i.len()); |
4bf87d30 VJ |
1571 | while cur_i.len() > 0 { // min record size |
1572 | match search_smb_record(cur_i) { | |
1573 | Ok((_, pg)) => { | |
1574 | SCLogDebug!("smb record found"); | |
1575 | let smb2_offset = cur_i.len() - pg.len(); | |
1576 | if smb2_offset < 4 { | |
1577 | cur_i = &cur_i[smb2_offset+4..]; | |
1578 | continue; // see if we have another record in our data | |
1579 | } | |
1580 | let nbss_offset = smb2_offset - 4; | |
1581 | cur_i = &cur_i[nbss_offset..]; | |
75d7c9d6 | 1582 | |
4bf87d30 VJ |
1583 | self.tc_gap = false; |
1584 | break; | |
1585 | }, | |
1586 | _ => { | |
1587 | let mut consumed = i.len(); | |
1588 | if consumed < 4 { | |
1589 | consumed = 0; | |
1590 | } else { | |
1591 | consumed = consumed - 3; | |
1592 | } | |
1593 | SCLogDebug!("smb record NOT found"); | |
1594 | return AppLayerResult::incomplete(consumed as u32, 8); | |
1595 | }, | |
1596 | } | |
75d7c9d6 VJ |
1597 | } |
1598 | } | |
1599 | while cur_i.len() > 0 { // min record size | |
1600 | match parse_nbss_record(cur_i) { | |
13b73997 | 1601 | Ok((rem, ref nbss_hdr)) => { |
75d7c9d6 VJ |
1602 | if nbss_hdr.message_type == NBSS_MSGTYPE_SESSION_MESSAGE { |
1603 | // we have the full records size worth of data, | |
1604 | // let's parse it | |
69cf5c9e | 1605 | match parse_smb_version(nbss_hdr.data) { |
13b73997 | 1606 | Ok((_, ref smb)) => { |
75d7c9d6 | 1607 | SCLogDebug!("SMB {:?}", smb); |
b3439205 | 1608 | if smb.version == 0xff_u8 { // SMB1 |
75d7c9d6 | 1609 | SCLogDebug!("SMBv1 record"); |
69cf5c9e | 1610 | match parse_smb_record(nbss_hdr.data) { |
13b73997 | 1611 | Ok((_, ref smb_record)) => { |
75d7c9d6 VJ |
1612 | smb1_response_record(self, smb_record); |
1613 | }, | |
1614 | _ => { | |
1615 | self.set_event(SMBEvent::MalformedData); | |
4bf87d30 | 1616 | return AppLayerResult::err(); |
75d7c9d6 VJ |
1617 | }, |
1618 | } | |
b3439205 | 1619 | } else if smb.version == 0xfe_u8 { // SMB2 |
75d7c9d6 VJ |
1620 | let mut nbss_data = nbss_hdr.data; |
1621 | while nbss_data.len() > 0 { | |
1622 | SCLogDebug!("SMBv2 record"); | |
69cf5c9e | 1623 | match parse_smb2_response_record(nbss_data) { |
13b73997 | 1624 | Ok((nbss_data_rem, ref smb_record)) => { |
75d7c9d6 VJ |
1625 | smb2_response_record(self, smb_record); |
1626 | nbss_data = nbss_data_rem; | |
b3439205 VJ |
1627 | }, |
1628 | _ => { | |
1629 | self.set_event(SMBEvent::MalformedData); | |
4bf87d30 | 1630 | return AppLayerResult::err(); |
b3439205 VJ |
1631 | }, |
1632 | } | |
1633 | } | |
1634 | } else if smb.version == 0xfd_u8 { // SMB3 transform | |
1635 | let mut nbss_data = nbss_hdr.data; | |
1636 | while nbss_data.len() > 0 { | |
1637 | SCLogDebug!("SMBv3 transform record"); | |
69cf5c9e | 1638 | match parse_smb3_transform_record(nbss_data) { |
13b73997 | 1639 | Ok((nbss_data_rem, ref _smb3_record)) => { |
b3439205 | 1640 | nbss_data = nbss_data_rem; |
75d7c9d6 VJ |
1641 | }, |
1642 | _ => { | |
1643 | self.set_event(SMBEvent::MalformedData); | |
4bf87d30 | 1644 | return AppLayerResult::err(); |
75d7c9d6 VJ |
1645 | }, |
1646 | } | |
1647 | } | |
1648 | } | |
1649 | }, | |
13b73997 | 1650 | Err(nom::Err::Incomplete(_)) => { |
75d7c9d6 VJ |
1651 | // not enough data to contain basic SMB hdr |
1652 | // TODO event: empty NBSS_MSGTYPE_SESSION_MESSAGE | |
1653 | }, | |
13b73997 | 1654 | Err(_) => { |
75d7c9d6 | 1655 | self.set_event(SMBEvent::MalformedData); |
4bf87d30 | 1656 | return AppLayerResult::err(); |
75d7c9d6 VJ |
1657 | }, |
1658 | } | |
1659 | } else { | |
1660 | SCLogDebug!("NBSS message {:X}", nbss_hdr.message_type); | |
1661 | } | |
1662 | cur_i = rem; | |
1663 | }, | |
13b73997 | 1664 | Err(nom::Err::Incomplete(needed)) => { |
7dff9b99 | 1665 | SCLogDebug!("INCOMPLETE have {} needed {:?}", cur_i.len(), needed); |
4bf87d30 VJ |
1666 | if let nom::Needed::Size(n) = needed { |
1667 | // 512 is the minimum for parse_tcp_data_tc_partial | |
1668 | if n >= 512 && cur_i.len() < 512 { | |
1669 | let total_consumed = i.len() - cur_i.len(); | |
1670 | return AppLayerResult::incomplete(total_consumed as u32, 512); | |
1671 | } | |
1672 | let consumed = self.parse_tcp_data_tc_partial(cur_i); | |
1673 | if consumed == 0 { | |
1674 | // if we consumed none we will buffer the entire record | |
1675 | let total_consumed = i.len() - cur_i.len(); | |
1676 | SCLogDebug!("setting consumed {} need {} needed {:?} total input {}", | |
1677 | total_consumed, n, needed, i.len()); | |
1678 | let need = n + 4; // Incomplete returns size of data minus NBSS header | |
1679 | return AppLayerResult::incomplete(total_consumed as u32, need as u32); | |
1680 | } | |
1681 | // tracking a read record, which we don't need to | |
1682 | // queue up at the stream level, but can feed to us | |
1683 | // in small chunks | |
1684 | return AppLayerResult::ok(); | |
1685 | } else { | |
1686 | self.set_event(SMBEvent::InternalError); | |
1687 | return AppLayerResult::err(); | |
1688 | } | |
75d7c9d6 | 1689 | }, |
13b73997 | 1690 | Err(_) => { |
75d7c9d6 | 1691 | self.set_event(SMBEvent::MalformedData); |
4bf87d30 | 1692 | return AppLayerResult::err(); |
75d7c9d6 VJ |
1693 | }, |
1694 | } | |
1695 | }; | |
89cb3379 | 1696 | self.post_gap_housekeeping(Direction::ToClient); |
25f2efe9 | 1697 | if self.check_post_gap_file_txs && !self.post_gap_files_checked { |
d41aecce | 1698 | self.post_gap_housekeeping_for_files(); |
25f2efe9 | 1699 | self.post_gap_files_checked = true; |
d41aecce | 1700 | } |
28f16e38 | 1701 | self._debug_tx_stats(); |
4bf87d30 | 1702 | AppLayerResult::ok() |
75d7c9d6 VJ |
1703 | } |
1704 | ||
1705 | /// handle a gap in the TOSERVER direction | |
1706 | /// returns: 0 ok, 1 unrecoverable error | |
5cd9cfb5 | 1707 | pub fn parse_tcp_data_ts_gap(&mut self, gap_size: u32) -> AppLayerResult { |
89cb3379 | 1708 | let consumed = self.handle_skip(Direction::ToServer, gap_size); |
75d7c9d6 VJ |
1709 | if consumed < gap_size { |
1710 | let new_gap_size = gap_size - consumed; | |
1711 | let gap = vec![0; new_gap_size as usize]; | |
1712 | ||
89cb3379 | 1713 | let consumed2 = self.filetracker_update(Direction::ToServer, &gap, new_gap_size); |
75d7c9d6 VJ |
1714 | if consumed2 > new_gap_size { |
1715 | SCLogDebug!("consumed more than GAP size: {} > {}", consumed2, new_gap_size); | |
1716 | self.set_event(SMBEvent::InternalError); | |
5cd9cfb5 | 1717 | return AppLayerResult::err(); |
75d7c9d6 VJ |
1718 | } |
1719 | } | |
1720 | SCLogDebug!("GAP of size {} in toserver direction", gap_size); | |
1721 | self.ts_ssn_gap = true; | |
1722 | self.ts_gap = true; | |
5cd9cfb5 | 1723 | return AppLayerResult::ok(); |
75d7c9d6 VJ |
1724 | } |
1725 | ||
1726 | /// handle a gap in the TOCLIENT direction | |
1727 | /// returns: 0 ok, 1 unrecoverable error | |
5cd9cfb5 | 1728 | pub fn parse_tcp_data_tc_gap(&mut self, gap_size: u32) -> AppLayerResult { |
89cb3379 | 1729 | let consumed = self.handle_skip(Direction::ToClient, gap_size); |
75d7c9d6 VJ |
1730 | if consumed < gap_size { |
1731 | let new_gap_size = gap_size - consumed; | |
1732 | let gap = vec![0; new_gap_size as usize]; | |
1733 | ||
89cb3379 | 1734 | let consumed2 = self.filetracker_update(Direction::ToClient, &gap, new_gap_size); |
75d7c9d6 VJ |
1735 | if consumed2 > new_gap_size { |
1736 | SCLogDebug!("consumed more than GAP size: {} > {}", consumed2, new_gap_size); | |
1737 | self.set_event(SMBEvent::InternalError); | |
5cd9cfb5 | 1738 | return AppLayerResult::err(); |
75d7c9d6 VJ |
1739 | } |
1740 | } | |
1741 | SCLogDebug!("GAP of size {} in toclient direction", gap_size); | |
1742 | self.tc_ssn_gap = true; | |
1743 | self.tc_gap = true; | |
5cd9cfb5 | 1744 | return AppLayerResult::ok(); |
75d7c9d6 VJ |
1745 | } |
1746 | ||
1747 | pub fn trunc_ts(&mut self) { | |
1748 | SCLogDebug!("TRUNC TS"); | |
1749 | self.ts_trunc = true; | |
1750 | ||
1751 | for tx in &mut self.transactions { | |
1752 | if !tx.request_done { | |
1753 | SCLogDebug!("TRUNCING TX {} in TOSERVER direction", tx.id); | |
1754 | tx.request_done = true; | |
1755 | } | |
1756 | } | |
1757 | } | |
1758 | pub fn trunc_tc(&mut self) { | |
1759 | SCLogDebug!("TRUNC TC"); | |
1760 | self.tc_trunc = true; | |
1761 | ||
1762 | for tx in &mut self.transactions { | |
1763 | if !tx.response_done { | |
1764 | SCLogDebug!("TRUNCING TX {} in TOCLIENT direction", tx.id); | |
1765 | tx.response_done = true; | |
1766 | } | |
1767 | } | |
1768 | } | |
1769 | } | |
1770 | ||
1771 | /// Returns *mut SMBState | |
1772 | #[no_mangle] | |
547d6c2d | 1773 | pub extern "C" fn rs_smb_state_new(_orig_state: *mut std::os::raw::c_void, _orig_proto: AppProto) -> *mut std::os::raw::c_void { |
75d7c9d6 VJ |
1774 | let state = SMBState::new(); |
1775 | let boxed = Box::new(state); | |
1776 | SCLogDebug!("allocating state"); | |
53413f2d | 1777 | return Box::into_raw(boxed) as *mut _; |
75d7c9d6 VJ |
1778 | } |
1779 | ||
1780 | /// Params: | |
1781 | /// - state: *mut SMBState as void pointer | |
1782 | #[no_mangle] | |
3f6624bf | 1783 | pub extern "C" fn rs_smb_state_free(state: *mut std::os::raw::c_void) { |
75d7c9d6 | 1784 | SCLogDebug!("freeing state"); |
53413f2d | 1785 | let mut smb_state = unsafe { Box::from_raw(state as *mut SMBState) }; |
75d7c9d6 VJ |
1786 | smb_state.free(); |
1787 | } | |
1788 | ||
1789 | /// C binding parse a SMB request. Returns 1 on success, -1 on failure. | |
1790 | #[no_mangle] | |
363b5f99 | 1791 | pub unsafe extern "C" fn rs_smb_parse_request_tcp(flow: *const Flow, |
6420df84 | 1792 | state: *mut ffi::c_void, |
3f6624bf | 1793 | _pstate: *mut std::os::raw::c_void, |
579cc9f0 | 1794 | input: *const u8, |
bf1bd407 | 1795 | input_len: u32, |
6420df84 | 1796 | _data: *const std::os::raw::c_void, |
2e6014b1 | 1797 | flags: u8) |
4bf87d30 | 1798 | -> AppLayerResult |
75d7c9d6 | 1799 | { |
363b5f99 | 1800 | let buf = std::slice::from_raw_parts(input, input_len as usize); |
6420df84 SB |
1801 | let mut state = cast_pointer!(state, SMBState); |
1802 | let flow = cast_pointer!(flow, Flow); | |
89cb3379 SB |
1803 | let file_flags = FileFlowToFlags(flow, Direction::ToServer as u8); |
1804 | rs_smb_setfileflags(Direction::ToServer as u8, state, file_flags|FILE_USE_DETECT); | |
75d7c9d6 VJ |
1805 | SCLogDebug!("parsing {} bytes of request data", input_len); |
1806 | ||
27af4bb0 SB |
1807 | if input.is_null() && input_len > 0 { |
1808 | return rs_smb_parse_request_tcp_gap(state, input_len); | |
1809 | } | |
2e6014b1 VJ |
1810 | /* START with MISTREAM set: record might be starting the middle. */ |
1811 | if flags & (STREAM_START|STREAM_MIDSTREAM) == (STREAM_START|STREAM_MIDSTREAM) { | |
1812 | state.ts_gap = true; | |
1813 | } | |
1814 | ||
8aa38060 | 1815 | state.update_ts(flow.get_last_time().as_secs()); |
4bf87d30 | 1816 | state.parse_tcp_data_ts(buf) |
75d7c9d6 VJ |
1817 | } |
1818 | ||
1819 | #[no_mangle] | |
1820 | pub extern "C" fn rs_smb_parse_request_tcp_gap( | |
1821 | state: &mut SMBState, | |
bf1bd407 | 1822 | input_len: u32) |
5cd9cfb5 | 1823 | -> AppLayerResult |
75d7c9d6 | 1824 | { |
5cd9cfb5 | 1825 | state.parse_tcp_data_ts_gap(input_len as u32) |
75d7c9d6 VJ |
1826 | } |
1827 | ||
1828 | ||
1829 | #[no_mangle] | |
363b5f99 | 1830 | pub unsafe extern "C" fn rs_smb_parse_response_tcp(flow: *const Flow, |
6420df84 | 1831 | state: *mut ffi::c_void, |
3f6624bf | 1832 | _pstate: *mut std::os::raw::c_void, |
579cc9f0 | 1833 | input: *const u8, |
bf1bd407 | 1834 | input_len: u32, |
6420df84 | 1835 | _data: *const ffi::c_void, |
2e6014b1 | 1836 | flags: u8) |
4bf87d30 | 1837 | -> AppLayerResult |
75d7c9d6 | 1838 | { |
6420df84 SB |
1839 | let mut state = cast_pointer!(state, SMBState); |
1840 | let flow = cast_pointer!(flow, Flow); | |
89cb3379 SB |
1841 | let file_flags = FileFlowToFlags(flow, Direction::ToClient as u8); |
1842 | rs_smb_setfileflags(Direction::ToClient as u8, state, file_flags|FILE_USE_DETECT); | |
27af4bb0 SB |
1843 | |
1844 | if input.is_null() && input_len > 0 { | |
1845 | return rs_smb_parse_response_tcp_gap(state, input_len); | |
1846 | } | |
75d7c9d6 | 1847 | SCLogDebug!("parsing {} bytes of response data", input_len); |
363b5f99 | 1848 | let buf = std::slice::from_raw_parts(input, input_len as usize); |
75d7c9d6 | 1849 | |
2e6014b1 VJ |
1850 | /* START with MISTREAM set: record might be starting the middle. */ |
1851 | if flags & (STREAM_START|STREAM_MIDSTREAM) == (STREAM_START|STREAM_MIDSTREAM) { | |
1852 | state.tc_gap = true; | |
1853 | } | |
1854 | ||
8aa38060 | 1855 | state.update_ts(flow.get_last_time().as_secs()); |
4bf87d30 | 1856 | state.parse_tcp_data_tc(buf) |
75d7c9d6 VJ |
1857 | } |
1858 | ||
1859 | #[no_mangle] | |
1860 | pub extern "C" fn rs_smb_parse_response_tcp_gap( | |
1861 | state: &mut SMBState, | |
bf1bd407 | 1862 | input_len: u32) |
5cd9cfb5 | 1863 | -> AppLayerResult |
75d7c9d6 | 1864 | { |
5cd9cfb5 | 1865 | state.parse_tcp_data_tc_gap(input_len as u32) |
75d7c9d6 VJ |
1866 | } |
1867 | ||
89cb3379 | 1868 | fn smb_probe_tcp_midstream(direction: Direction, slice: &[u8], rdir: *mut u8) -> i8 |
75d7c9d6 | 1869 | { |
17796697 | 1870 | match search_smb_record(slice) { |
69cf5c9e | 1871 | Ok((_, data)) => { |
17796697 | 1872 | SCLogDebug!("smb found"); |
422e4892 VJ |
1873 | match parse_smb_version(data) { |
1874 | Ok((_, ref smb)) => { | |
1875 | SCLogDebug!("SMB {:?}", smb); | |
1876 | if smb.version == 0xff_u8 { // SMB1 | |
1877 | SCLogDebug!("SMBv1 record"); | |
1878 | match parse_smb_record(data) { | |
1879 | Ok((_, ref smb_record)) => { | |
1880 | if smb_record.flags & 0x80 != 0 { | |
1881 | SCLogDebug!("RESPONSE {:02x}", smb_record.flags); | |
89cb3379 SB |
1882 | if direction == Direction::ToServer { |
1883 | unsafe { *rdir = Direction::ToClient as u8; } | |
422e4892 VJ |
1884 | } |
1885 | } else { | |
1886 | SCLogDebug!("REQUEST {:02x}", smb_record.flags); | |
89cb3379 SB |
1887 | if direction == Direction::ToClient { |
1888 | unsafe { *rdir = Direction::ToServer as u8; } | |
422e4892 VJ |
1889 | } |
1890 | } | |
1891 | return 1; | |
1892 | }, | |
1893 | _ => { }, | |
1894 | } | |
1895 | } else if smb.version == 0xfe_u8 { // SMB2 | |
1896 | SCLogDebug!("SMB2 record"); | |
1897 | match parse_smb2_record_direction(data) { | |
1898 | Ok((_, ref smb_record)) => { | |
89cb3379 SB |
1899 | if direction == Direction::ToServer { |
1900 | SCLogDebug!("direction Direction::ToServer smb_record {:?}", smb_record); | |
422e4892 | 1901 | if !smb_record.request { |
89cb3379 | 1902 | unsafe { *rdir = Direction::ToClient as u8; } |
422e4892 VJ |
1903 | } |
1904 | } else { | |
89cb3379 | 1905 | SCLogDebug!("direction Direction::ToClient smb_record {:?}", smb_record); |
422e4892 | 1906 | if smb_record.request { |
89cb3379 | 1907 | unsafe { *rdir = Direction::ToServer as u8; } |
422e4892 VJ |
1908 | } |
1909 | } | |
1910 | }, | |
1911 | _ => {}, | |
1912 | } | |
1913 | } | |
1914 | else if smb.version == 0xfd_u8 { // SMB3 transform | |
1915 | SCLogDebug!("SMB3 record"); | |
1916 | } | |
1917 | return 1; | |
1918 | }, | |
1919 | _ => { | |
1920 | SCLogDebug!("smb not found in {:?}", slice); | |
1921 | }, | |
1922 | } | |
17796697 VJ |
1923 | }, |
1924 | _ => { | |
422e4892 | 1925 | SCLogDebug!("no dice"); |
17796697 VJ |
1926 | }, |
1927 | } | |
9dc5258a PA |
1928 | return 0; |
1929 | } | |
1930 | ||
1931 | // probing parser | |
1932 | // return 1 if found, 0 is not found | |
1933 | #[no_mangle] | |
363b5f99 | 1934 | pub unsafe extern "C" fn rs_smb_probe_tcp(_f: *const Flow, |
6420df84 SB |
1935 | flags: u8, input: *const u8, len: u32, rdir: *mut u8) |
1936 | -> AppProto | |
9dc5258a | 1937 | { |
27af4bb0 SB |
1938 | if len < MIN_REC_SIZE as u32 { |
1939 | return ALPROTO_UNKNOWN; | |
1940 | } | |
9dc5258a | 1941 | let slice = build_slice!(input, len as usize); |
1b6e81cd | 1942 | if flags & STREAM_MIDSTREAM == STREAM_MIDSTREAM { |
89cb3379 | 1943 | if smb_probe_tcp_midstream(flags.into(), slice, rdir) == 1 { |
363b5f99 | 1944 | return ALPROTO_SMB; |
1b6e81cd | 1945 | } |
9dc5258a | 1946 | } |
7ab071a5 | 1947 | match parse_nbss_record_partial(slice) { |
13b73997 | 1948 | Ok((_, ref hdr)) => { |
7ab071a5 | 1949 | if hdr.is_smb() { |
17796697 | 1950 | SCLogDebug!("smb found"); |
363b5f99 | 1951 | return ALPROTO_SMB; |
61814590 PA |
1952 | } else if hdr.needs_more(){ |
1953 | return 0; | |
83070102 PA |
1954 | } else if hdr.is_valid() && |
1955 | hdr.message_type != NBSS_MSGTYPE_SESSION_MESSAGE { | |
1956 | //we accept a first small netbios message before real SMB | |
1957 | let hl = hdr.length as usize; | |
1958 | if hdr.data.len() >= hl + 8 { | |
1959 | // 8 is 4 bytes NBSS + 4 bytes SMB0xFX magic | |
1960 | match parse_nbss_record_partial(&hdr.data[hl..]) { | |
1961 | Ok((_, ref hdr2)) => { | |
1962 | if hdr2.is_smb() { | |
1963 | SCLogDebug!("smb found"); | |
363b5f99 | 1964 | return ALPROTO_SMB; |
83070102 PA |
1965 | } |
1966 | } | |
1967 | _ => {} | |
1968 | } | |
1969 | } else if hdr.length < 256 { | |
1970 | // we want more data, 256 is some random value | |
1971 | return 0; | |
1972 | } | |
1973 | // default is failure | |
7ab071a5 VJ |
1974 | } |
1975 | }, | |
1976 | _ => { }, | |
1977 | } | |
17796697 | 1978 | SCLogDebug!("no smb"); |
363b5f99 | 1979 | return ALPROTO_FAILED; |
75d7c9d6 VJ |
1980 | } |
1981 | ||
1982 | #[no_mangle] | |
363b5f99 | 1983 | pub unsafe extern "C" fn rs_smb_state_get_tx_count(state: *mut ffi::c_void) |
bf1bd407 | 1984 | -> u64 |
75d7c9d6 | 1985 | { |
6420df84 | 1986 | let state = cast_pointer!(state, SMBState); |
75d7c9d6 VJ |
1987 | SCLogDebug!("rs_smb_state_get_tx_count: returning {}", state.tx_id); |
1988 | return state.tx_id; | |
1989 | } | |
1990 | ||
1991 | #[no_mangle] | |
363b5f99 | 1992 | pub unsafe extern "C" fn rs_smb_state_get_tx(state: *mut ffi::c_void, |
bf1bd407 | 1993 | tx_id: u64) |
6420df84 | 1994 | -> *mut ffi::c_void |
75d7c9d6 | 1995 | { |
6420df84 | 1996 | let state = cast_pointer!(state, SMBState); |
75d7c9d6 VJ |
1997 | match state.get_tx_by_id(tx_id) { |
1998 | Some(tx) => { | |
53413f2d | 1999 | return tx as *const _ as *mut _; |
75d7c9d6 VJ |
2000 | } |
2001 | None => { | |
2002 | return std::ptr::null_mut(); | |
2003 | } | |
2004 | } | |
2005 | } | |
2006 | ||
75d7c9d6 | 2007 | #[no_mangle] |
363b5f99 | 2008 | pub unsafe extern "C" fn rs_smb_state_tx_free(state: *mut ffi::c_void, |
bf1bd407 | 2009 | tx_id: u64) |
75d7c9d6 | 2010 | { |
6420df84 | 2011 | let state = cast_pointer!(state, SMBState); |
75d7c9d6 VJ |
2012 | SCLogDebug!("freeing tx {}", tx_id as u64); |
2013 | state.free_tx(tx_id); | |
2014 | } | |
2015 | ||
75d7c9d6 | 2016 | #[no_mangle] |
363b5f99 | 2017 | pub unsafe extern "C" fn rs_smb_tx_get_alstate_progress(tx: *mut ffi::c_void, |
bf1bd407 | 2018 | direction: u8) |
6420df84 | 2019 | -> i32 |
75d7c9d6 | 2020 | { |
6420df84 SB |
2021 | let tx = cast_pointer!(tx, SMBTransaction); |
2022 | ||
89cb3379 | 2023 | if direction == Direction::ToServer as u8 && tx.request_done { |
75d7c9d6 VJ |
2024 | SCLogDebug!("tx {} TOSERVER progress 1 => {:?}", tx.id, tx); |
2025 | return 1; | |
89cb3379 | 2026 | } else if direction == Direction::ToClient as u8 && tx.response_done { |
75d7c9d6 VJ |
2027 | SCLogDebug!("tx {} TOCLIENT progress 1 => {:?}", tx.id, tx); |
2028 | return 1; | |
2029 | } else { | |
89cb3379 | 2030 | SCLogDebug!("tx {} direction {:?} progress 0", tx.id, direction); |
75d7c9d6 VJ |
2031 | return 0; |
2032 | } | |
2033 | } | |
2034 | ||
6420df84 | 2035 | |
75d7c9d6 | 2036 | #[no_mangle] |
363b5f99 | 2037 | pub unsafe extern "C" fn rs_smb_get_tx_data( |
77a95edd VJ |
2038 | tx: *mut std::os::raw::c_void) |
2039 | -> *mut AppLayerTxData | |
75d7c9d6 | 2040 | { |
77a95edd VJ |
2041 | let tx = cast_pointer!(tx, SMBTransaction); |
2042 | return &mut tx.tx_data; | |
75d7c9d6 VJ |
2043 | } |
2044 | ||
6420df84 | 2045 | |
75d7c9d6 | 2046 | #[no_mangle] |
363b5f99 | 2047 | pub unsafe extern "C" fn rs_smb_state_truncate( |
6420df84 | 2048 | state: *mut std::ffi::c_void, |
bf1bd407 | 2049 | direction: u8) |
75d7c9d6 | 2050 | { |
6420df84 | 2051 | let state = cast_pointer!(state, SMBState); |
89cb3379 SB |
2052 | match direction.into() { |
2053 | Direction::ToServer => { | |
2054 | state.trunc_ts(); | |
2055 | } | |
2056 | Direction::ToClient => { | |
2057 | state.trunc_tc(); | |
2058 | } | |
75d7c9d6 VJ |
2059 | } |
2060 | } | |
2061 | ||
9ccc28ba | 2062 | #[no_mangle] |
b9f10ba2 JI |
2063 | pub unsafe extern "C" fn rs_smb_state_get_event_info_by_id( |
2064 | event_id: std::os::raw::c_int, | |
2065 | event_name: *mut *const std::os::raw::c_char, | |
2066 | event_type: *mut AppLayerEventType, | |
2067 | ) -> i8 { | |
2068 | SMBEvent::get_event_info_by_id(event_id, event_name, event_type) | |
9ccc28ba JL |
2069 | } |
2070 | ||
75d7c9d6 | 2071 | #[no_mangle] |
b9f10ba2 JI |
2072 | pub unsafe extern "C" fn rs_smb_state_get_event_info( |
2073 | event_name: *const std::os::raw::c_char, | |
2074 | event_id: *mut std::os::raw::c_int, | |
2075 | event_type: *mut AppLayerEventType, | |
2076 | ) -> std::os::raw::c_int { | |
2077 | SMBEvent::get_event_info(event_name, event_id, event_type) | |
75d7c9d6 | 2078 | } |
e5c948df | 2079 | |
363b5f99 | 2080 | pub unsafe extern "C" fn smb3_probe_tcp(f: *const Flow, dir: u8, input: *const u8, len: u32, rdir: *mut u8) -> u16 { |
e5c948df SB |
2081 | let retval = rs_smb_probe_tcp(f, dir, input, len, rdir); |
2082 | let f = cast_pointer!(f, Flow); | |
363b5f99 | 2083 | if retval != ALPROTO_SMB { |
aa9d8658 VJ |
2084 | return retval; |
2085 | } | |
2086 | let (sp, dp) = f.get_ports(); | |
2087 | let flags = f.get_flags(); | |
2088 | let fsp = if (flags & FLOW_DIR_REVERSED) != 0 { dp } else { sp }; | |
2089 | let fdp = if (flags & FLOW_DIR_REVERSED) != 0 { sp } else { dp }; | |
2090 | if fsp == 445 && fdp != 445 { | |
89cb3379 SB |
2091 | match dir.into() { |
2092 | Direction::ToServer => { | |
2093 | *rdir = Direction::ToClient as u8; | |
2094 | } | |
2095 | Direction::ToClient => { | |
2096 | *rdir = Direction::ToServer as u8; | |
2097 | } | |
e5c948df | 2098 | } |
aa9d8658 | 2099 | } |
363b5f99 | 2100 | return ALPROTO_SMB; |
e5c948df SB |
2101 | } |
2102 | ||
2103 | fn register_pattern_probe() -> i8 { | |
2104 | let mut r = 0; | |
2105 | unsafe { | |
2106 | // SMB1 | |
2107 | r |= AppLayerProtoDetectPMRegisterPatternCSwPP(IPPROTO_TCP as u8, ALPROTO_SMB, | |
2108 | b"|ff|SMB\0".as_ptr() as *const std::os::raw::c_char, 8, 4, | |
89cb3379 | 2109 | Direction::ToServer as u8, rs_smb_probe_tcp, MIN_REC_SIZE, MIN_REC_SIZE); |
e5c948df SB |
2110 | r |= AppLayerProtoDetectPMRegisterPatternCSwPP(IPPROTO_TCP as u8, ALPROTO_SMB, |
2111 | b"|ff|SMB\0".as_ptr() as *const std::os::raw::c_char, 8, 4, | |
89cb3379 | 2112 | Direction::ToClient as u8, rs_smb_probe_tcp, MIN_REC_SIZE, MIN_REC_SIZE); |
e5c948df SB |
2113 | // SMB2/3 |
2114 | r |= AppLayerProtoDetectPMRegisterPatternCSwPP(IPPROTO_TCP as u8, ALPROTO_SMB, | |
2115 | b"|fe|SMB\0".as_ptr() as *const std::os::raw::c_char, 8, 4, | |
89cb3379 | 2116 | Direction::ToServer as u8, rs_smb_probe_tcp, MIN_REC_SIZE, MIN_REC_SIZE); |
e5c948df SB |
2117 | r |= AppLayerProtoDetectPMRegisterPatternCSwPP(IPPROTO_TCP as u8, ALPROTO_SMB, |
2118 | b"|fe|SMB\0".as_ptr() as *const std::os::raw::c_char, 8, 4, | |
89cb3379 | 2119 | Direction::ToClient as u8, rs_smb_probe_tcp, MIN_REC_SIZE, MIN_REC_SIZE); |
e5c948df SB |
2120 | // SMB3 encrypted records |
2121 | r |= AppLayerProtoDetectPMRegisterPatternCSwPP(IPPROTO_TCP as u8, ALPROTO_SMB, | |
2122 | b"|fd|SMB\0".as_ptr() as *const std::os::raw::c_char, 8, 4, | |
89cb3379 | 2123 | Direction::ToServer as u8, smb3_probe_tcp, MIN_REC_SIZE, MIN_REC_SIZE); |
e5c948df SB |
2124 | r |= AppLayerProtoDetectPMRegisterPatternCSwPP(IPPROTO_TCP as u8, ALPROTO_SMB, |
2125 | b"|fd|SMB\0".as_ptr() as *const std::os::raw::c_char, 8, 4, | |
89cb3379 | 2126 | Direction::ToClient as u8, smb3_probe_tcp, MIN_REC_SIZE, MIN_REC_SIZE); |
e5c948df SB |
2127 | } |
2128 | ||
2129 | if r == 0 { | |
2130 | return 0; | |
2131 | } else { | |
2132 | return -1; | |
2133 | } | |
2134 | } | |
2135 | ||
2136 | // Parser name as a C style string. | |
2137 | const PARSER_NAME: &'static [u8] = b"smb\0"; | |
2138 | ||
2139 | #[no_mangle] | |
2140 | pub unsafe extern "C" fn rs_smb_register_parser() { | |
2141 | let default_port = CString::new("445").unwrap(); | |
2142 | let mut stream_depth = SMB_CONFIG_DEFAULT_STREAM_DEPTH; | |
2143 | let parser = RustParser { | |
2144 | name: PARSER_NAME.as_ptr() as *const std::os::raw::c_char, | |
1f48714e | 2145 | default_port: std::ptr::null(), |
e5c948df SB |
2146 | ipproto: IPPROTO_TCP, |
2147 | probe_ts: None, | |
2148 | probe_tc: None, | |
2149 | min_depth: 0, | |
2150 | max_depth: 16, | |
2151 | state_new: rs_smb_state_new, | |
2152 | state_free: rs_smb_state_free, | |
2153 | tx_free: rs_smb_state_tx_free, | |
2154 | parse_ts: rs_smb_parse_request_tcp, | |
2155 | parse_tc: rs_smb_parse_response_tcp, | |
2156 | get_tx_count: rs_smb_state_get_tx_count, | |
2157 | get_tx: rs_smb_state_get_tx, | |
2158 | tx_comp_st_ts: 1, | |
2159 | tx_comp_st_tc: 1, | |
2160 | tx_get_progress: rs_smb_tx_get_alstate_progress, | |
e5c948df SB |
2161 | get_eventinfo: Some(rs_smb_state_get_event_info), |
2162 | get_eventinfo_byid : Some(rs_smb_state_get_event_info_by_id), | |
2163 | localstorage_new: None, | |
2164 | localstorage_free: None, | |
2165 | get_files: Some(rs_smb_getfiles), | |
fcfc9876 | 2166 | get_tx_iterator: Some(applayer::state_get_tx_iterator::<SMBState, SMBTransaction>), |
e5c948df SB |
2167 | get_tx_data: rs_smb_get_tx_data, |
2168 | apply_tx_config: None, | |
2169 | flags: APP_LAYER_PARSER_OPT_ACCEPT_GAPS, | |
2170 | truncate: Some(rs_smb_state_truncate), | |
2171 | }; | |
2172 | ||
2173 | let ip_proto_str = CString::new("tcp").unwrap(); | |
2174 | ||
2175 | if AppLayerProtoDetectConfProtoDetectionEnabled( | |
2176 | ip_proto_str.as_ptr(), | |
2177 | parser.name, | |
2178 | ) != 0 | |
2179 | { | |
2180 | let alproto = AppLayerRegisterProtocolDetection(&parser, 1); | |
2181 | ALPROTO_SMB = alproto; | |
2182 | if register_pattern_probe() < 0 { | |
2183 | return; | |
2184 | } | |
2185 | ||
2186 | let have_cfg = AppLayerProtoDetectPPParseConfPorts(ip_proto_str.as_ptr(), | |
2187 | IPPROTO_TCP as u8, parser.name, ALPROTO_SMB, 0, | |
2188 | MIN_REC_SIZE, rs_smb_probe_tcp, rs_smb_probe_tcp); | |
2189 | ||
2190 | if have_cfg == 0 { | |
1f48714e | 2191 | AppLayerProtoDetectPPRegister(IPPROTO_TCP as u8, default_port.as_ptr(), ALPROTO_SMB, |
89cb3379 | 2192 | 0, MIN_REC_SIZE, Direction::ToServer as u8, rs_smb_probe_tcp, rs_smb_probe_tcp); |
e5c948df SB |
2193 | } |
2194 | ||
2195 | if AppLayerParserConfParserEnabled( | |
2196 | ip_proto_str.as_ptr(), | |
2197 | parser.name, | |
2198 | ) != 0 | |
2199 | { | |
2200 | let _ = AppLayerRegisterParser(&parser, alproto); | |
2201 | } | |
2202 | SCLogDebug!("Rust SMB parser registered."); | |
2203 | let retval = conf_get("app-layer.protocols.smb.stream-depth"); | |
2204 | if let Some(val) = retval { | |
42da0fb5 SB |
2205 | match get_memval(val) { |
2206 | Ok(retval) => { stream_depth = retval as u32; } | |
2207 | Err(_) => { SCLogError!("Invalid depth value"); } | |
e5c948df SB |
2208 | } |
2209 | AppLayerParserSetStreamDepth(IPPROTO_TCP as u8, ALPROTO_SMB, stream_depth); | |
2210 | } | |
2211 | } else { | |
2212 | SCLogDebug!("Protocol detector and parser disabled for SMB."); | |
2213 | } | |
2214 | } |