rust/smb: implement stream-depth, unlimited by default

author Victor Julien <victor@inliniac.net>

Tue, 7 Aug 2018 08:57:49 +0000 (10:57 +0200)

committer Victor Julien <victor@inliniac.net>

Tue, 7 Aug 2018 11:49:34 +0000 (13:49 +0200)
author Victor Julien <victor@inliniac.net>
Tue, 7 Aug 2018 08:57:49 +0000 (10:57 +0200)
committer Victor Julien <victor@inliniac.net>
Tue, 7 Aug 2018 11:49:34 +0000 (13:49 +0200)
diff --git a/src/app-layer-smb-tcp-rust.c b/src/app-layer-smb-tcp-rust.c

index 8ec3fa279d2f323506b8036194bc28c9d678421a..bd3b5e12c73f040edb0bd70962ef03ee48fad889 100644 (file)
--- a/src/app-layer-smb-tcp-rust.c
+++ b/src/app-layer-smb-tcp-rust.c
@@ -29,6 +29,7 @@
  #include "app-layer-smb-tcp-rust.h"
  #include "rust-smb-smb-gen.h"
  #include "rust-smb-files-gen.h"
+#include "util-misc.h"
  
  #define MIN_REC_SIZE 32+4 // SMB hdr + nbss hdr
  
@@ -205,6 +206,10 @@ static int RustSMBRegisterPatternsForProtocolDetection(void)
  static StreamingBufferConfig sbcfg = STREAMING_BUFFER_CONFIG_INITIALIZER;
  static SuricataFileContext sfc = { &sbcfg };
  
+#define SMB_CONFIG_DEFAULT_STREAM_DEPTH 0
+
+static uint32_t stream_depth = SMB_CONFIG_DEFAULT_STREAM_DEPTH;
+
  void RegisterRustSMBTCPParsers(void)
  {
      const char *proto_name = "smb";
@@ -278,6 +283,18 @@ void RegisterRustSMBTCPParsers(void)
          AppLayerParserRegisterOptionFlags(IPPROTO_TCP, ALPROTO_SMB,
                  APP_LAYER_PARSER_OPT_ACCEPT_GAPS);
  
+        ConfNode *p = ConfGetNode("app-layer.protocols.smb.stream-depth");
+        if (p != NULL) {
+            uint32_t value;
+            if (ParseSizeStringU32(p->val, &value) < 0) {
+                SCLogError(SC_ERR_SMB_CONFIG, "invalid value for stream-depth %s", p->val);
+            } else {
+                stream_depth = value;
+            }
+        }
+        SCLogConfig("SMB stream depth: %u", stream_depth);
+
+        AppLayerParserSetStreamDepth(IPPROTO_TCP, ALPROTO_SMB, stream_depth);
      } else {
          SCLogInfo("Parsed disabled for %s protocol. Protocol detection"
                    "still on.", proto_name);
diff --git a/suricata.yaml.in b/suricata.yaml.in

index 6a8b6ca25037fb996972ea9ff6e9a37e32714a8f..757e4169d6f75fa32760663b729b0e196fdf37e3 100644 (file)
--- a/suricata.yaml.in
+++ b/suricata.yaml.in
@@ -817,6 +817,10 @@ app-layer:
        enabled: yes
        detection-ports:
          dp: 139, 445
+
+      # Stream reassembly size for SMB streams. By default track it completely.
+      #stream-depth: 0
+
      # Note: NFS parser depends on Rust support: pass --enable-rust
      # to configure.
      nfs:
author	Victor Julien <victor@inliniac.net>
	Tue, 7 Aug 2018 08:57:49 +0000 (10:57 +0200)
committer	Victor Julien <victor@inliniac.net>
	Tue, 7 Aug 2018 11:49:34 +0000 (13:49 +0200)
src/app-layer-smb-tcp-rust.c		patch \| blob \| blame \| history
suricata.yaml.in		patch \| blob \| blame \| history