Merge pull request #2730 in SNORT/snort3 from ~DIPANDIT/snort3:handle_async to master

Squashed commit of the following:

commit 904c98bc58f715b3369622c07fe727e2492d904f
Author: Dipto Pandit (dipandit) <dipandit@cisco.com>
Date:   Fri Jan 29 05:52:41 2021 -0500

    dce_rpc: handle async responses in smbv2

diff --git a/src/service_inspectors/dce_rpc/dce_smb2.cc b/src/service_inspectors/dce_rpc/dce_smb2.cc
index a53565f4de8e3008be7f8bd5da7a86c95273fe6c..99b0698b8160d7bc99284c1f7f4491f587b9c3fb 100644 (file)
--- a/src/service_inspectors/dce_rpc/dce_smb2.cc
+++ b/src/service_inspectors/dce_rpc/dce_smb2.cc
@@ -189,14 +189,18 @@ void DCE2_Smb2SessionTracker::removeSessionFromAllConnection()
 }
 
 static inline bool DCE2_Smb2FindSidTid(DCE2_Smb2SsnData* ssd, const uint64_t sid,
-    const uint32_t tid, DCE2_Smb2SessionTracker** str, DCE2_Smb2TreeTracker** ttr)
+    const uint32_t tid, const uint32_t mid, DCE2_Smb2SessionTracker** str, DCE2_Smb2TreeTracker** ttr)
 {
     *str = DCE2_Smb2FindSidInSsd(ssd, sid);
     if (!*str)
         return false;
-
-    *ttr = (*str)->findTtracker(tid);
-    if (!*ttr)
+    
+    if(!tid)
+        *ttr = find_tree_for_message(*str, mid);
+    else
+        *ttr = (*str)->findTtracker(tid);
+        
+    if(!*ttr)
         return false;
 
     return true;
@@ -229,7 +233,7 @@ static void DCE2_Smb2Inspect(DCE2_Smb2SsnData* ssd, const Smb2Hdr* smb_hdr,
         break;
     case SMB2_COM_READ:
         dce2_smb_stats.v2_read++;
-        if (!DCE2_Smb2FindSidTid(ssd, sid, tid, &str, &ttr) or
+        if (!DCE2_Smb2FindSidTid(ssd, sid, tid, mid, &str, &ttr) or
             SMB2_SHARE_TYPE_DISK != ttr->get_share_type())
         {
             dce2_smb_stats.v2_read_ignored++;
@@ -240,7 +244,7 @@ static void DCE2_Smb2Inspect(DCE2_Smb2SsnData* ssd, const Smb2Hdr* smb_hdr,
         break;
     case SMB2_COM_WRITE:
         dce2_smb_stats.v2_wrt++;
-        if (!DCE2_Smb2FindSidTid(ssd, sid, tid, &str, &ttr) or
+        if (!DCE2_Smb2FindSidTid(ssd, sid, tid, mid, &str, &ttr) or
             SMB2_SHARE_TYPE_DISK != ttr->get_share_type())
         {
             dce2_smb_stats.v2_wrt_ignored++;
@@ -251,7 +255,7 @@ static void DCE2_Smb2Inspect(DCE2_Smb2SsnData* ssd, const Smb2Hdr* smb_hdr,
         break;
     case SMB2_COM_SET_INFO:
         dce2_smb_stats.v2_stinf++;
-        if (!DCE2_Smb2FindSidTid(ssd, sid, tid, &str, &ttr) or
+        if (!DCE2_Smb2FindSidTid(ssd, sid, tid, mid, &str, &ttr) or
             SMB2_SHARE_TYPE_DISK != ttr->get_share_type())
         {
             dce2_smb_stats.v2_stinf_ignored++;
@@ -262,7 +266,7 @@ static void DCE2_Smb2Inspect(DCE2_Smb2SsnData* ssd, const Smb2Hdr* smb_hdr,
         break;
     case SMB2_COM_CLOSE:
         dce2_smb_stats.v2_cls++;
-        if (!DCE2_Smb2FindSidTid(ssd, sid, tid, &str, &ttr) or
+        if (!DCE2_Smb2FindSidTid(ssd, sid, tid, mid, &str, &ttr) or
             SMB2_SHARE_TYPE_DISK != ttr->get_share_type())
         {
             dce2_smb_stats.v2_cls_ignored++;
@@ -282,7 +286,7 @@ static void DCE2_Smb2Inspect(DCE2_Smb2SsnData* ssd, const Smb2Hdr* smb_hdr,
         break;
     case SMB2_COM_TREE_DISCONNECT:
         dce2_smb_stats.v2_tree_discn++;
-        if (!DCE2_Smb2FindSidTid(ssd, sid, tid, &str, &ttr))
+        if (!DCE2_Smb2FindSidTid(ssd, sid, tid, mid, &str, &ttr))
         {
             dce2_smb_stats.v2_tree_discn_ignored++;
             return;

diff --git a/src/service_inspectors/dce_rpc/dce_smb2_commands.cc b/src/service_inspectors/dce_rpc/dce_smb2_commands.cc
index 6645c41ff11b1e1efb78bdb3cf2fe13619a2b26d..50b60d17b49553a20df0428180841a5892b82ad4 100644 (file)
--- a/src/service_inspectors/dce_rpc/dce_smb2_commands.cc
+++ b/src/service_inspectors/dce_rpc/dce_smb2_commands.cc
@@ -78,6 +78,17 @@ static void DCE2_Smb2CleanFtrackerTcpRef(DCE2_Smb2SessionTracker* str, uint64_t
     }
 }
 
+DCE2_Smb2TreeTracker *find_tree_for_message(DCE2_Smb2SessionTracker *str, const uint64_t mid)
+{
+    auto all_tree_trackers = str->tree_trackers.get_all_entry();
+    for ( auto& h : all_tree_trackers )
+    {
+        if(h.second->findRtracker(mid))
+            return h.second;
+    }
+    return nullptr;
+}
+
 bool DCE2_Smb2ProcessFileData(DCE2_Smb2SsnData* ssd, const uint8_t* file_data,
     uint32_t data_size)
 {
@@ -401,6 +412,8 @@ void DCE2_Smb2Create(DCE2_Smb2SsnData* ssd, const Smb2Hdr* smb_hdr,
             smb_data, end, SMB2_CREATE_RESPONSE_STRUC_SIZE - 1,
             dce2_smb_stats.v2_crt_resp_hdr_err, SMB2_COM_CREATE)
 
+        if(!tid)
+            ttr = find_tree_for_message(str, mid);
         if (!ttr)
         {
             debug_logf(dce_smb_trace, DetectionEngine::get_current_packet(),

diff --git a/src/service_inspectors/dce_rpc/dce_smb2_commands.h b/src/service_inspectors/dce_rpc/dce_smb2_commands.h
index 97a86d9bc00abe23b2a8b74aede3d0b605834b5d..22c93a97338ec85e4595009a001d6f16fc5c81bf 100644 (file)
--- a/src/service_inspectors/dce_rpc/dce_smb2_commands.h
+++ b/src/service_inspectors/dce_rpc/dce_smb2_commands.h
@@ -62,5 +62,7 @@ void DCE2_Smb2CloseCmd(DCE2_Smb2SsnData*, const Smb2Hdr*,
 void DCE2_Smb2Logoff(DCE2_Smb2SsnData*, const uint8_t* smb_data,
     const uint64_t sid);
 
+DCE2_Smb2TreeTracker *find_tree_for_message(DCE2_Smb2SessionTracker*, const uint64_t);
+
 #endif