smb: set event for ntlmssp unusual order
authorPhilippe Antoine <pantoine@oisf.net>
Wed, 7 Dec 2022 12:51:31 +0000 (13:51 +0100)
committerVictor Julien <vjulien@oisf.net>
Thu, 22 Dec 2022 09:23:18 +0000 (10:23 +0100)
rust/src/smb/auth.rs
rust/src/smb/events.rs
rust/src/smb/ntlmssp_records.rs
rust/src/smb/smb1_session.rs
rust/src/smb/smb2_session.rs

index f342a73adac7cfd50b1a9eb8369c889bdf163045..0953dcbf1b37b6f0891443c11795b062167c5585 100644 (file)
@@ -151,6 +151,7 @@ pub struct NtlmsspData {
     pub user: Vec<u8>,
     pub domain: Vec<u8>,
     pub version: Option<NTLMSSPVersion>,
+    pub warning: bool,
 }
 
 /// take in blob, search for the header and parse it
@@ -179,6 +180,7 @@ fn parse_ntlmssp_blob(blob: &[u8]) -> Option<NtlmsspData>
                         host,
                         user,
                         domain,
+                        warning: ad.warning,
                         version: ad.version,
                     };
                     ntlmssp_data = Some(d);
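Review bot: The new public field `pub warning: bool` on `NtlmsspData` in the first hunk (and the same field on `NTLMSSPAuthRecord` in ntlmssp_records.rs) carries no doc comment, so a reader of auth.rs cannot tell what condition it reports. The value is copied from `ad.warning`, which parse_ntlm_auth_record sets when the domain/user/host substrings of the AUTH blob are not laid out in ascending offset order. Suggest `/// True when the AUTH blob's domain/user/host substrings are not laid out in that order; the session-setup handlers raise SMBEvent::UnusualNtlmsspOrder from it.` on both structs.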
index 4c621e5d4bda4bcdcd67e46cad84e24a713056f2..94bd06613934b690aab576a2ba38ce77cd1aebbf 100644 (file)
@@ -46,6 +46,8 @@ pub enum SMBEvent {
     WriteRequestTooLarge,
     WriteQueueSizeExceeded,
     WriteQueueCntExceeded,
+    /// Unusal NTLMSSP fields order
+    UnusualNtlmsspOrder,
 }
 
 impl SMBTransaction {
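Review bot: The doc comment on the new `UnusualNtlmsspOrder` variant has a typo (`Unusal`) and does not say which order is meant, which is the one thing a rule writer will want to know when the event fires. Suggest `/// NTLMSSP AUTH blob whose domain/user/host substrings are not laid out in that order (see parse_ntlm_auth_record).` Whether the variant also needs an entry in an event-name mapping is not visible in this hunk; presumably that is derived from the enum, but worth confirming before merge.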
index e0cda8e3bc413fd5f33c1f6b5e47f30cd7ca3b96..c923421127142524bb89e24063a4986ba47ced5b 100644 (file)
@@ -65,6 +65,7 @@ pub struct NTLMSSPAuthRecord<'a> {
     pub user: &'a [u8],
     pub host: &'a [u8],
     pub version: Option<NTLMSSPVersion>,
+    pub warning: bool,
 }
 
 fn parse_ntlm_auth_nego_flags(i: &[u8]) -> IResult<&[u8], (u8, u8, u32)> {
@@ -121,10 +122,19 @@ pub fn parse_ntlm_auth_record(i: &[u8]) -> IResult<&[u8], NTLMSSPAuthRecord> {
     let (_, user_blob) = extract_ntlm_substring(orig_i, user_blob_offset, user_blob_len)?;
     let (_, host_blob) = extract_ntlm_substring(orig_i, host_blob_offset, host_blob_len)?;
 
+    let mut warning = false;
+    if (user_blob_offset > 0 && user_blob_offset < domain_blob_offset + domain_blob_len as u32)
+        || (host_blob_offset > 0 && host_blob_offset < user_blob_offset + user_blob_len as u32)
+    {
+        // to set event in transaction
+        warning = true;
+    }
+
     let record = NTLMSSPAuthRecord {
         domain: domain_blob,
         user: user_blob,
         host: host_blob,
+        warning,
 
         version,
     };
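Review bot: The `let mut warning = false; if … { warning = true; }` block in the second hunk is a boolean expression written as mutation; `let warning = (user_blob_offset > 0 && user_blob_offset < domain_blob_offset + domain_blob_len as u32) || (host_blob_offset > 0 && host_blob_offset < user_blob_offset + user_blob_len as u32);` reads the same and drops the `mut`, and the comment `// to set event in transaction` says nothing about the condition — `// domain, user and host substrings are expected in that order; flag any overlap or reordering so the caller can raise an event` would. The two additions `domain_blob_offset + domain_blob_len as u32` and `user_blob_offset + user_blob_len as u32` are unchecked; if `extract_ntlm_substring` does not already bound offset plus length against the input, an offset near u32::MAX wraps in release builds and panics in debug builds, and `saturating_add` avoids both. Note also that when the user substring is absent (offset 0, length 0) a host substring placed before the domain is flagged by neither clause; if that is deliberate, the comment should say so.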
index 45732dfc3532ce8c9c4831d203ca52de0b9b83a1..c39c7ce98fc9b0c119c7976b038a57554efe53f6 100644 (file)
@@ -135,11 +135,16 @@ pub fn smb1_session_setup_request(state: &mut SMBState, r: &SmbRecord, andx_offs
             tx.vercmd.set_smb1_cmd(r.command);
 
             if let Some(SMBTransactionTypeData::SESSIONSETUP(ref mut td)) = tx.type_data {
+                td.request_host = Some(smb1_session_setup_request_host_info(r, rem));
                 if let Some(s) = parse_secblob(setup.sec_blob) {
                     td.ntlmssp = s.ntlmssp;
                     td.krb_ticket = s.krb;
+                    if let Some(ntlm) = &td.ntlmssp {
+                        if ntlm.warning {
+                            tx.set_event(SMBEvent::UnusualNtlmsspOrder);
+                        }
+                    }
                 }
-                td.request_host = Some(smb1_session_setup_request_host_info(r, rem));
             }
         },
         _ => {
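Review bot: The nested `if let Some(ntlm) = &td.ntlmssp { if ntlm.warning { … } }` added here, and identically in smb2_session.rs, collapses to a single guard: `if td.ntlmssp.as_ref().map_or(false, |n| n.warning) { tx.set_event(SMBEvent::UnusualNtlmsspOrder); }`. Moving the `td.request_host = …` assignment above `parse_secblob` does not change what is stored, but a short comment on why it moved would help the next reader; presumably it keeps `td` (a borrow of `tx.type_data`) from being live across the `tx.set_event` call, which needs `tx` mutably — confirm. The enclosing match arm starts before this hunk.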
index c8fc7d2de63270339a0a048be93a226f52322da0..93cc99cdd4c65b7a42cbfde004a4f80ed0d127e6 100644 (file)
@@ -17,7 +17,7 @@
 
 use crate::smb::smb2_records::*;
 use crate::smb::smb::*;
-//use smb::events::*;
+use crate::smb::events::*;
 use crate::smb::auth::*;
 
 pub fn smb2_session_setup_request(state: &mut SMBState, r: &Smb2Record)
@@ -34,6 +34,11 @@ pub fn smb2_session_setup_request(state: &mut SMBState, r: &Smb2Record)
                 if let Some(s) = parse_secblob(setup.data) {
                     td.ntlmssp = s.ntlmssp;
                     td.krb_ticket = s.krb;
+                    if let Some(ntlm) = &td.ntlmssp {
+                        if ntlm.warning {
+                            tx.set_event(SMBEvent::UnusualNtlmsspOrder);
+                        }
+                    }
                 }
             }
         },