ssd.sd = sd;
ssd.policy = policy;
SMB_DEBUG(dce_smb_trace, DEFAULT_TRACE_OPTION_ID, TRACE_DEBUG_LEVEL, p, "smb1 session created\n");
+ dce2_smb_stats.total_smb1_sessions++;
}
Dce2Smb1SessionData::~Dce2Smb1SessionData()
tcp_file_tracker = nullptr;
flow_key = get_smb2_flow_key(tcp_flow->key);
SMB_DEBUG(dce_smb_trace, DEFAULT_TRACE_OPTION_ID, TRACE_DEBUG_LEVEL, p, "smb2 session created\n");
+ dce2_smb_stats.total_smb2_sessions++;
}
Dce2Smb2SessionData::~Dce2Smb2SessionData()
const Smb2NegotiateResponseHdr* neg_resp_hdr = (const Smb2NegotiateResponseHdr*)smb_data;
if (neg_resp_hdr->capabilities & SMB2_GLOBAL_CAP_MULTI_CHANNEL)
{
+ //total multichannel sessions
+ dce2_smb_stats.total_mc_sessions++;
Packet* p = DetectionEngine::get_current_packet();
Dce2SmbFlowData* fd = create_expected_smb_flow_data(p);
if (fd)
return;
}
const Smb2Hdr* smb_hdr = (const Smb2Hdr*)(data_ptr + sizeof(NbssHdr));
+ const Smb2TransformHdr* smb_trans_hdr = (const Smb2TransformHdr*)(data_ptr + sizeof(NbssHdr));
+ uint32_t smb_proto_id = SmbTransformId(smb_trans_hdr);
+ uint64_t sid = smb_trans_hdr->session_id;
+ if (smb_proto_id == DCE2_SMB2_TRANS_ID)
+ {
+ SMB_DEBUG(dce_smb_trace, DEFAULT_TRACE_OPTION_ID, TRACE_DEBUG_LEVEL,
+ p, "Encrypted header is received \n");
+ Dce2Smb2SessionTrackerPtr session = find_session(sid);
+ if (session)
+ {
+ bool flag = session->get_encryption_flag();
+ if (!flag)
+ session->set_encryption_flag(true);
+ }
+ }
uint32_t next_command_offset;
uint8_t compound_request_index = 0;
// SMB protocol allows multiple smb commands to be grouped in a single packet.
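Review bot: `sid` is loaded from `smb_trans_hdr->session_id` (wire offset 44, an 8-byte field) on every packet, before `smb_proto_id` has been compared against `DCE2_SMB2_TRANS_ID`, and the hunk shows no length check that covers a transform header. If the validation earlier in this function only guarantees `sizeof(Smb2Hdr)` past the NBSS header it is incidentally sufficient, since the transform header is shorter, but that should be confirmed rather than relied on; moving the read inside the branch, `uint64_t sid = smb_trans_hdr->session_id;` directly after `if (smb_proto_id == DCE2_SMB2_TRANS_ID)`, keeps the access next to the check that makes it meaningful. After the flag is set the code falls through to `next_command_offset` with `smb_hdr` still aliasing the same bytes, so unless something below the hunk short-circuits for the encrypted case the ciphertext will be walked as plaintext SMB2 commands; an early `return;` after the flag update, or a comment stating why continuing is safe, would settle that. The enclosing function starts and ends outside the hunk.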
reload_prune = false;
do_not_delete = false;
command_prev = SMB2_COM_MAX;
- SMB_DEBUG(dce_smb_trace, DEFAULT_TRACE_OPTION_ID, TRACE_DEBUG_LEVEL, GET_CURRENT_PACKET,
+ encryption_flag = false;
+ SMB_DEBUG(dce_smb_trace, DEFAULT_TRACE_OPTION_ID, TRACE_DEBUG_LEVEL, GET_CURRENT_PACKET,
"session tracker %" PRIu64 "created\n", session_id);
}
bool get_do_not_delete() { return do_not_delete; }
void set_prev_comand(uint16_t cmd) { command_prev = cmd; }
uint16_t get_prev_command() { return command_prev; }
-
+ void set_encryption_flag(bool flag)
+ {
+ encryption_flag = flag;
+ if (flag)
+ dce2_smb_stats.total_encrypted_sessions++;
+ }
+ bool get_encryption_flag() { return encryption_flag; }
private:
// do_not_delete is to make sure when we are in processing we should not delete the context
// which is being processed
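Review bot: `set_encryption_flag` bumps `total_encrypted_sessions` on every call with `true`, so the counter is only correct because the caller reads `get_encryption_flag()` first, and that read-then-write across two calls on an `std::atomic<bool>` is a check-then-act race if two packets of the same session are processed concurrently (the class carries mutexes, which suggests it may be). Folding the transition into the setter removes both issues: replace the body with `if (encryption_flag.exchange(flag) != flag && flag) dce2_smb_stats.total_encrypted_sessions++;` and the caller's `if (!flag)` guard becomes unnecessary. `bool get_encryption_flag() const` would also let the getter be called through a const tracker pointer.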
Dce2Smb2SessionDataMap attached_flows;
Dce2Smb2TreeTrackerMap connected_trees;
std::atomic<bool> reload_prune;
+ std::atomic<bool> encryption_flag;
std::mutex connected_trees_mutex;
std::mutex attached_flows_mutex;
// fcfs_mutex is to make sure the mutex is taken at first come first basis if code
PegCount v2_ioctl_resp_hdr_err;
PegCount concurrent_sessions;
PegCount max_concurrent_sessions;
+ PegCount total_smb1_sessions;
+ PegCount total_smb2_sessions;
+ PegCount total_encrypted_sessions;
+ PegCount total_mc_sessions;
};
enum DCE2_SmbVersion
"total number of ioctl response header errors" },
{ CountType::NOW, "concurrent_sessions", "total concurrent sessions" },
{ CountType::MAX, "max_concurrent_sessions", "maximum concurrent sessions" },
+ { CountType::SUM, "total_smb1_sessions", "total smb1 sessions" },
+ { CountType::SUM, "total_smb2_sessions", "total smb2 sessions" },
+ { CountType::SUM, "total_encrypted_sessions", "total encrypted sessions" },
+ { CountType::SUM, "total_mc_sessions", "total multichannel sessions" },
{ CountType::END, nullptr, nullptr }
};
#define DCE2_SMB_ID 0xff534d42 /* \xffSMB */
#define DCE2_SMB2_ID 0xfe534d42 /* \xfeSMB */
+#define DCE2_SMB2_TRANS_ID 0xfd534d42
#define DCE2_SMB_ID_SIZE 4
// MS-FSCC Section 2.1.5 - Pathname
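Review bot: `DCE2_SMB2_TRANS_ID` lacks the byte-sequence comment that `DCE2_SMB_ID` and `DCE2_SMB2_ID` carry, so a reader cannot see at a glance that it is the SMB2 TRANSFORM_HEADER protocol id; add `/* \xfdSMB */` after the value, matching the neighbouring lines.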
uint16_t smb_off2; /* offset (from SMB hdr start) to next cmd (@smb_wct) */
};
+struct Smb2TransformHdr
+{
+ uint8_t protocolid[4];
+ uint8_t signature[16];
+ uint8_t nonce[16];
+ uint32_t orig_msg_size;
+ uint16_t reserved;
+ uint16_t flags;
+ uint64_t session_id;
+};
+
//NbssLen should be used by SMB1
inline uint32_t NbssLen(const NbssHdr* nb)
{
return nb->type;
}
+inline uint32_t SmbTransformId(const Smb2TransformHdr* hdr)
+{
+ const uint8_t* id = (const uint8_t*)hdr->protocolid;
+ return *id << 24 | *(id + 1) << 16 | *(id + 2) << 8 | *(id + 3);
+}
+
inline uint32_t SmbId(const SmbNtHdr* hdr)
{
const uint8_t* idf = (const uint8_t*)hdr->smb_idf;
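Review bot: `Smb2TransformHdr` is overlaid on packet bytes by a cast, but `session_id` is a `uint64_t` following 44 bytes of members, so unless this header is compiled under `#pragma pack(1)` (not visible in the hunk) the compiler places it at offset 48 and `sid` in the session-processing hunk reads four bytes of ciphertext instead of the wire SessionId, making every `find_session(sid)` lookup miss silently. Pin the layout next to the struct with `static_assert(sizeof(Smb2TransformHdr) == 52, "Smb2TransformHdr must match the SMB2 TRANSFORM_HEADER wire layout");` so a packing change fails the build instead of the lookup. In `SmbTransformId`, each `uint8_t` is promoted to `int` before the shift, so `*id << 24` with the 0xfd first byte is formed through an out-of-range conversion to `int` (implementation-defined before C++20); it mirrors the existing `SmbId` idiom, but `return (uint32_t)id[0] << 24 | (uint32_t)id[1] << 16 | (uint32_t)id[2] << 8 | id[3];` stays within `uint32_t` throughout.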