alert smb any any -> any any (msg:"SURICATA SMB malformed response data"; flow:to_client; app-layer-event:smb.malformed_data; classtype:protocol-command-decode; sid:2225003; rev:1;)
alert smb any any -> any any (msg:"SURICATA SMB malformed NTLMSSP record"; flow:to_server; app-layer-event:smb.malformed_ntlmssp_request; classtype:protocol-command-decode; sid:2225004; rev:1;)
+
+alert smb any any -> any any (msg:"SURICATA SMB malformed request dialects"; flow:to_server; app-layer-event:smb.negotiate_malformed_dialects; classtype:protocol-command-decode; sid:2225005; rev:1;)
MalformedNtlmsspRequest = 3,
MalformedNtlmsspResponse = 4,
DuplicateNegotiate = 5,
+ NegotiateMalformedDialects = 6,
}
pub fn smb_str_to_event(instr: &str) -> i32 {
"malformed_ntlmssp_request" => SMBEvent::MalformedNtlmsspRequest as i32,
"malformed_ntlmssp_response" => SMBEvent::MalformedNtlmsspResponse as i32,
"duplicate_negotiate" => SMBEvent::DuplicateNegotiate as i32,
+ "negotiate_malformed_dialects" => SMBEvent::NegotiateMalformedDialects as i32,
_ => -1,
}
}
IResult::Done(_, pr) => {
SCLogDebug!("SMB_COMMAND_NEGOTIATE_PROTOCOL {:?}", pr);
+ let mut bad_dialects = false;
let mut dialects : Vec<Vec<u8>> = Vec::new();
for d in &pr.dialects {
+ if d.len() == 0 {
+ bad_dialects = true;
+ continue;
+ } else if d.len() == 1 {
+ bad_dialects = true;
+ }
let x = &d[1..d.len()];
let dvec = x.to_vec();
dialects.push(dvec);
tdn.dialects = dialects;
}
tx.request_done = true;
+ if bad_dialects {
+ tx.set_event(SMBEvent::NegotiateMalformedDialects);
+ }
}
true
},
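Review bot: In the `for d in &pr.dialects` loop the zero-length case does `continue` without pushing anything, while the one-byte case falls through and pushes an empty entry, so a skipped entry shifts every later dialect down one position. If the response side resolves the server's selected dialect by index into this list (that code is not visible here), the dialect recorded for the session would be wrong exactly when the request was already flagged as malformed. Keeping the slot preserves positions: `dialects.push(Vec::new());` before the `continue`. As a style point, `d.is_empty()` reads better than `d.len() == 0`, and `&d[1..]` is enough for the slice. The loop's closing brace and the transaction setup before `tdn.dialects = dialects;` are not shown on this page.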
_ => { None },
};
if d == None {
- tx.set_event(SMBEvent::MalformedData);
+ tx.set_event(SMBEvent::NegotiateMalformedDialects);
}
(true, d)
},
None => { (false, None) },
};
- match dialect {
- Some(d) => {
- SCLogDebug!("dialect {:?}", d);
- state.dialect_vec = Some(d);
- },
- _ => { },
+ if let Some(d) = dialect {
+ SCLogDebug!("dialect {:?}", d);
+ state.dialect_vec = Some(d);
}
have_ntx
},
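Review bot: The `if d == None` branch now raises `NegotiateMalformedDialects` from the response path, but the only rule added for that event (sid 2225005) is `flow:to_server` with the message "malformed request dialects". The `MalformedData` event it replaces was covered by the `flow:to_client` rule sid 2225003, so a response whose selected dialect cannot be resolved may stop alerting. Whether it does depends on whether to_server inspection of the transaction is still open when the response is parsed, which is worth confirming with a pcap-based test. Either add a companion rule with `flow:to_client; app-layer-event:smb.negotiate_malformed_dialects;` and its own sid, or keep a separate response-side event so the alert message matches the direction that was observed. The enclosing match arms begin above the visible lines.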