smtp/mime: Set event when name exceeds limit

author Jeff Lucovsky <jeff@lucovsky.org>

Wed, 5 Feb 2020 14:20:29 +0000 (09:20 -0500)

committer Victor Julien <victor@inliniac.net>

Tue, 3 Mar 2020 08:58:32 +0000 (09:58 +0100)
author Jeff Lucovsky <jeff@lucovsky.org>
Wed, 5 Feb 2020 14:20:29 +0000 (09:20 -0500)
committer Victor Julien <victor@inliniac.net>
Tue, 3 Mar 2020 08:58:32 +0000 (09:58 +0100)
diff --git a/rules/smtp-events.rules b/rules/smtp-events.rules

index 89c25acbc73550de7ce7f21272179c656e7e50be..cc7eedcbbf665133eb39c873266d92a9f355ce78 100644 (file)
--- a/rules/smtp-events.rules
+++ b/rules/smtp-events.rules
@@ -29,4 +29,5 @@ alert smtp any any -> any any (msg:"SURICATA SMTP Mime boundary length exceeded"
  
  alert smtp any any -> any any (msg:"SURICATA SMTP duplicate fields"; flow:established,to_server; app-layer-event:smtp.duplicate_fields; flowint:smtp.anomaly.count,+,1; classtype:protocol-command-decode; sid:2220018; rev:1;)
  alert smtp any any -> any any (msg:"SURICATA SMTP unparsable content"; flow:established,to_server; app-layer-event:smtp.unparsable_content; flowint:smtp.anomaly.count,+,1; classtype:protocol-command-decode; sid:2220019; rev:1;)
-# next sid 2220020
+alert smtp any any -> any any (msg:"SURICATA SMTP filename truncated"; flow:established,to_server; app-layer-event:smtp.mime_long_filename; flowint:smtp.anomaly.count,+,1; classtype:protocol-command-decode; sid:2220020; rev:1;)
+# next sid 2220021
diff --git a/src/app-layer-smtp.c b/src/app-layer-smtp.c

index 347467b510c789519a2ae8e01e80f8002ef5bd45..874b0b5d61235c689a3e836652d4729e5cda5065 100644 (file)
--- a/src/app-layer-smtp.c
+++ b/src/app-layer-smtp.c
@@ -1,4 +1,4 @@
-/* Copyright (C) 2007-2012 Open Information Security Foundation
+/* Copyright (C) 2007-2020 Open Information Security Foundation
   *
   * You can copy, redistribute or modify this Program under the terms of
   * the GNU General Public License version 2 as published by the Free
@@ -147,6 +147,8 @@ SCEnumCharMap smtp_decoder_event_table[ ] = {
        SMTP_DECODER_EVENT_MIME_LONG_HEADER_VALUE },
      { "MIME_LONG_BOUNDARY",
        SMTP_DECODER_EVENT_MIME_BOUNDARY_TOO_LONG },
+    { "MIME_LONG_FILENAME",
+      SMTP_DECODER_EVENT_MIME_LONG_FILENAME },
  
      /* Invalid behavior or content */
      { "DUPLICATE_FIELDS",
@@ -873,6 +875,9 @@ static void SetMimeEvents(SMTPState *state)
      if (msg->anomaly_flags & ANOM_LONG_BOUNDARY) {
          SMTPSetEvent(state, SMTP_DECODER_EVENT_MIME_BOUNDARY_TOO_LONG);
      }
+    if (msg->anomaly_flags & ANOM_LONG_FILENAME) {
+        SMTPSetEvent(state, SMTP_DECODER_EVENT_MIME_LONG_FILENAME);
+    }
  }
  
  /**
diff --git a/src/app-layer-smtp.h b/src/app-layer-smtp.h

index 59c9d5b9f07b8cbb61008a2f7dd308ab0aa9f36f..66b28b5e834f2f31238502d5b5aa63b0ee0f8691 100644 (file)
--- a/src/app-layer-smtp.h
+++ b/src/app-layer-smtp.h
@@ -50,6 +50,7 @@ enum {
      SMTP_DECODER_EVENT_MIME_LONG_HEADER_NAME,
      SMTP_DECODER_EVENT_MIME_LONG_HEADER_VALUE,
      SMTP_DECODER_EVENT_MIME_BOUNDARY_TOO_LONG,
+    SMTP_DECODER_EVENT_MIME_LONG_FILENAME,
  
      /* Invalid behavior or content */
      SMTP_DECODER_EVENT_DUPLICATE_FIELDS,
diff --git a/src/util-decode-mime.c b/src/util-decode-mime.c

index 24dee93debe2663ce02b360163623d94de3f903c..a176eb84a3537eae51d7a0259c3343975a8d1fd0 100644 (file)
--- a/src/util-decode-mime.c
+++ b/src/util-decode-mime.c
@@ -1832,6 +1832,7 @@ static int FindMimeHeader(const uint8_t *buf, uint32_t blen,
   * \param search_end The end of the search (ie. \")
   * \param tlen The output length of the token (if found)
   * \param max_len The maximum offset in which to search
+ * \param toolong Set if the field value was truncated to max_len.
   *
   * \return A pointer to the token if found, otherwise NULL if not found
   */
@@ -1884,7 +1885,7 @@ static uint8_t * FindMimeHeaderTokenRestrict(MimeDecField *field, const char *se
  static uint8_t * FindMimeHeaderToken(MimeDecField *field, const char *search_start,
          const char *search_end, uint32_t *tlen)
  {
-    return FindMimeHeaderTokenRestrict(field, search_start, search_end, tlen, 0);
+    return FindMimeHeaderTokenRestrict(field, search_start, search_end, tlen, 0, NULL);
  }
  
  /**
@@ -1932,7 +1933,8 @@ static int ProcessMimeHeaders(const uint8_t *buf, uint32_t len,
          /* Check for file attachment in content disposition */
          field = MimeDecFindField(entity, CTNT_DISP_STR);
          if (field != NULL) {
-            bptr = FindMimeHeaderTokenRestrict(field, "filename=", TOK_END_STR, &blen, NAME_MAX);
+            bool truncated_name = false;
+            bptr = FindMimeHeaderTokenRestrict(field, "filename=", TOK_END_STR, &blen, NAME_MAX, &truncated_name);
              if (bptr != NULL) {
                  SCLogDebug("File attachment found in disposition");
                  entity->ctnt_flags |= CTNT_IS_ATTACHMENT;
@@ -1945,6 +1947,11 @@ static int ProcessMimeHeaders(const uint8_t *buf, uint32_t len,
                  }
                  memcpy(entity->filename, bptr, blen);
                  entity->filename_len = blen;
+
+                if (truncated_name) {
+                    state->stack->top->data->anomaly_flags |= ANOM_LONG_FILENAME;
+                    state->msg->anomaly_flags |= ANOM_LONG_FILENAME;
+                }
              }
          }
  
@@ -1974,7 +1981,8 @@ static int ProcessMimeHeaders(const uint8_t *buf, uint32_t len,
  
              /* Look for file name (if not already found) */
              if (!(entity->ctnt_flags & CTNT_IS_ATTACHMENT)) {
-                bptr = FindMimeHeaderTokenRestrict(field, "name=", TOK_END_STR, &blen, NAME_MAX);
+                bool truncated_name = false;
+                bptr = FindMimeHeaderTokenRestrict(field, "name=", TOK_END_STR, &blen, NAME_MAX, &truncated_name);
                  if (bptr != NULL) {
                      SCLogDebug("File attachment found");
                      entity->ctnt_flags |= CTNT_IS_ATTACHMENT;
@@ -1987,6 +1995,11 @@ static int ProcessMimeHeaders(const uint8_t *buf, uint32_t len,
                      }
                      memcpy(entity->filename, bptr, blen);
                      entity->filename_len = blen;
+
+                    if (truncated_name) {
+                        state->stack->top->data->anomaly_flags |= ANOM_LONG_FILENAME;
+                        state->msg->anomaly_flags |= ANOM_LONG_FILENAME;
+                    }
                  }
              }
  
diff --git a/src/util-decode-mime.h b/src/util-decode-mime.h

index 1922264bee387516c2eedb29cd62f51687d45139..5ee347c45c1438fe24174a3c2daa1b08ab8b7d74 100644 (file)
--- a/src/util-decode-mime.h
+++ b/src/util-decode-mime.h
@@ -60,6 +60,7 @@
  #define ANOM_LONG_ENC_LINE      32  /* Lines that exceed 76 octets */
  #define ANOM_MALFORMED_MSG      64  /* Misc msg format errors found */
  #define ANOM_LONG_BOUNDARY     128  /* Boundary too long */
+#define ANOM_LONG_FILENAME     256  /* filename truncated */
  
  /* Publicly exposed size constants */
  #define DATA_CHUNK_SIZE  3072  /* Should be divisible by 3 */
author	Jeff Lucovsky <jeff@lucovsky.org>
	Wed, 5 Feb 2020 14:20:29 +0000 (09:20 -0500)
committer	Victor Julien <victor@inliniac.net>
	Tue, 3 Mar 2020 08:58:32 +0000 (09:58 +0100)
rules/smtp-events.rules		patch \| blob \| blame \| history
src/app-layer-smtp.c		patch \| blob \| blame \| history
src/app-layer-smtp.h		patch \| blob \| blame \| history
src/util-decode-mime.c		patch \| blob \| blame \| history
src/util-decode-mime.h		patch \| blob \| blame \| history