smb: relax probing parser to handle first NBSS message

cf dcerpc-udp S-V test :
First message is Message Type: Session request (0x81)
Second message is SMB

(cherry picked from commit 83070102557d2755b9ffc67bb14b9b4d48b039e9)

diff --git a/rust/src/smb/nbss_records.rs b/rust/src/smb/nbss_records.rs
index c07b02a05628d7b5a77d260ef57d1594fe49588e..d081684b4589f763fdc5bcdf41edd4050ab98ffa 100644 (file)
--- a/rust/src/smb/nbss_records.rs
+++ b/rust/src/smb/nbss_records.rs
@@ -44,6 +44,9 @@ impl<'a> NbssRecord<'a> {
         };
         valid
     }
+    pub fn needs_more(&self) -> bool {
+        return self.is_valid() && self.length >= 4 && self.data.len() < 4;
+    }
     pub fn is_smb(&self) -> bool {
         let valid = self.is_valid();
         let smb = if self.data.len() >= 4 &&

diff --git a/rust/src/smb/smb.rs b/rust/src/smb/smb.rs
index 6b4f5852072c5da6392a5a8b1b555f00d6a3c355..964e74ce09a7be36fe25e4b3713836aadb0d8e0f 100644 (file)
--- a/rust/src/smb/smb.rs
+++ b/rust/src/smb/smb.rs
@@ -1990,9 +1990,28 @@ pub extern "C" fn rs_smb_probe_tcp(direction: u8,
             if hdr.is_smb() {
                 SCLogDebug!("smb found");
                 return 1;
-            } else if hdr.is_valid() {
-                SCLogDebug!("nbss found, assume smb");
-                return 1;
+            } else if hdr.needs_more(){
+                return 0;
+            } else if hdr.is_valid() &&
+                hdr.message_type != NBSS_MSGTYPE_SESSION_MESSAGE {
+                //we accept a first small netbios message before real SMB
+                let hl = hdr.length as usize;
+                if hdr.data.len() >= hl + 8 {
+                    // 8 is 4 bytes NBSS + 4 bytes SMB0xFX magic
+                    match parse_nbss_record_partial(&hdr.data[hl..]) {
+                        Ok((_, ref hdr2)) => {
+                            if hdr2.is_smb() {
+                                SCLogDebug!("smb found");
+                                return 1;
+                            }
+                        }
+                        _ => {}
+                    }
+                } else if hdr.length < 256 {
+                    // we want more data, 256 is some random value
+                    return 0;
+                }
+                // default is failure
             }
         },
         _ => { },