smb2: add ioctl transactions to log the funcs

diff --git a/rust/src/smb/log.rs b/rust/src/smb/log.rs
index 99dcf30a1b2c7d543077e55476b8b790b2b882ac..330550e1ed7c13b393b1f05c5bb4e8ce27be056f 100644 (file)
--- a/rust/src/smb/log.rs
+++ b/rust/src/smb/log.rs
@@ -24,6 +24,7 @@ use smb::smb::*;
 use smb::smb1::*;
 use smb::smb2::*;
 use smb::dcerpc::*;
+use smb::funcs::*;
 use nom;
 
 #[cfg(not(feature = "debug"))]
@@ -356,6 +357,9 @@ fn smb_common_header(state: &SMBState, tx: &SMBTransaction) -> Json
             jsd.set_integer("call_id", x.call_id as u64);
             js.set("dcerpc", jsd);
         }
+        Some(SMBTransactionTypeData::IOCTL(ref x)) => {
+            js.set_string("function", &fsctl_func_to_string(x.func));
+        },
         _ => {  },
     }
     return js;

diff --git a/rust/src/smb/smb.rs b/rust/src/smb/smb.rs
index 929a4c4ce8750838c37053607197f4bda28f9743..8540926c44bef621c66427e984ed095d40d1f437 100644 (file)
--- a/rust/src/smb/smb.rs
+++ b/rust/src/smb/smb.rs
@@ -338,6 +338,7 @@ pub enum SMBTransactionTypeData {
     DCERPC(SMBTransactionDCERPC),
     CREATE(SMBTransactionCreate),
     SESSIONSETUP(SMBTransactionSessionSetup),
+    IOCTL(SMBTransactionIoctl),
 }
 
 #[derive(Debug)]

diff --git a/rust/src/smb/smb2.rs b/rust/src/smb/smb2.rs
index 3a582b22046621cbdb4bb91cc70d2f9759a35ea5..951ff722bc67e6c2757c5009bd7427827ce9a76b 100644 (file)
--- a/rust/src/smb/smb2.rs
+++ b/rust/src/smb/smb2.rs
@@ -26,6 +26,8 @@ use smb::dcerpc::*;
 use smb::events::*;
 use smb::files::*;
 
+use smb::funcs::*;
+
 pub const SMB2_COMMAND_NEGOTIATE_PROTOCOL:      u16 = 0;
 pub const SMB2_COMMAND_SESSION_SETUP:           u16 = 1;
 pub const SMB2_COMMAND_SESSION_LOGOFF:          u16 = 2;
@@ -273,9 +275,6 @@ pub fn smb2_request_record<'b>(state: &mut SMBState, r: &Smb2Record<'b>)
 
     let have_tx = match r.command {
         SMB2_COMMAND_IOCTL => {
-            // some IOCTL responses don't set the tree id
-            key_tree_id = 0;
-
             let have_ioctl_tx = match parse_smb2_request_ioctl(r.data) {
                 IResult::Done(_, rd) => {
                     SCLogDebug!("IOCTL request data: {:?}", rd);
@@ -283,13 +282,20 @@ pub fn smb2_request_record<'b>(state: &mut SMBState, r: &Smb2Record<'b>)
                         (_, x) => x,
                     };
                     if is_dcerpc {
+                        // some IOCTL responses don't set the tree id
+                        key_tree_id = 0;
+
                         SCLogDebug!("IOCTL request data is_pipe. Calling smb_write_dcerpc_record");
                         let hdr = SMBCommonHdr::new(SMBHDR_TYPE_HEADER,
                                 key_session_id, key_tree_id, key_message_id);
                         let vercmd = SMBVerCmdStat::new2(SMB2_COMMAND_IOCTL);
                         smb_write_dcerpc_record(state, vercmd, hdr, rd.data)
                     } else {
-                        false
+                        SCLogDebug!("IOCTL {:08x} {}", rd.function, &fsctl_func_to_string(rd.function));
+                        let hdr = SMBCommonHdr::from2(r, SMBHDR_TYPE_GENERICTX);
+                        let tx = state.new_ioctl_tx(hdr, rd.function);
+                        tx.vercmd.set_smb2_cmd(SMB2_COMMAND_IOCTL);
+                        true
                     }
                 },
                 _ => { false },
@@ -475,9 +481,6 @@ pub fn smb2_response_record<'b>(state: &mut SMBState, r: &Smb2Record<'b>)
 
     let have_tx = match r.command {
         SMB2_COMMAND_IOCTL => {
-            // some IOCTL responses don't set the tree id
-            key_tree_id = 0;
-
             let have_ioctl_tx = match parse_smb2_response_ioctl(r.data) {
                 IResult::Done(_, rd) => {
                     SCLogDebug!("IOCTL response data: {:?}", rd);
@@ -486,6 +489,9 @@ pub fn smb2_response_record<'b>(state: &mut SMBState, r: &Smb2Record<'b>)
                         (_, x) => x,
                     };
                     if is_dcerpc {
+                        // some IOCTL responses don't set the tree id
+                        key_tree_id = 0;
+
                         SCLogDebug!("IOCTL response data is_pipe. Calling smb_read_dcerpc_record");
                         let hdr = SMBCommonHdr::new(SMBHDR_TYPE_HEADER,
                                 key_session_id, key_tree_id, key_message_id);
@@ -756,3 +762,35 @@ pub fn smb2_response_record<'b>(state: &mut SMBState, r: &Smb2Record<'b>)
         };
     }
 }
+
+#[derive(Debug)]
+pub struct SMBTransactionIoctl {
+    pub func: u32,
+}
+
+impl SMBTransactionIoctl {
+    pub fn new(func: u32) -> SMBTransactionIoctl {
+        return SMBTransactionIoctl {
+            func: func,
+        }
+    }
+}
+
+impl SMBState {
+    pub fn new_ioctl_tx(&mut self, hdr: SMBCommonHdr, func: u32)
+        -> (&mut SMBTransaction)
+    {
+        let mut tx = self.new_tx();
+        tx.hdr = hdr;
+        tx.type_data = Some(SMBTransactionTypeData::IOCTL(
+                    SMBTransactionIoctl::new(func)));
+        tx.request_done = true;
+        tx.response_done = self.tc_trunc; // no response expected if tc is truncated
+
+        SCLogDebug!("SMB: TX IOCTL created: ID {} FUNC {:08x}: {}",
+                tx.id, func, &fsctl_func_to_string(func));
+        self.transactions.push(tx);
+        let tx_ref = self.transactions.last_mut();
+        return tx_ref.unwrap();
+    }
+}