smb: relax probing parser to handle first NBSS message

author Philippe Antoine <contact@catenacyber.fr>

Wed, 17 Feb 2021 14:36:12 +0000 (15:36 +0100)

committer Victor Julien <victor@inliniac.net>

Sat, 27 Feb 2021 17:47:09 +0000 (18:47 +0100)
author Philippe Antoine <contact@catenacyber.fr>
Wed, 17 Feb 2021 14:36:12 +0000 (15:36 +0100)
committer Victor Julien <victor@inliniac.net>
Sat, 27 Feb 2021 17:47:09 +0000 (18:47 +0100)
diff --git a/rust/src/smb/smb.rs b/rust/src/smb/smb.rs

index f81be26062df0558e6a72a9933296f2f867d9cd4..7a58016e09fc7b4b6e3d43b7be2629414491589e 100644 (file)
--- a/rust/src/smb/smb.rs
+++ b/rust/src/smb/smb.rs
@@ -1989,6 +1989,26 @@ pub extern "C" fn rs_smb_probe_tcp(flags: u8,
                  return 1;
              } else if hdr.needs_more(){
                  return 0;
+            } else if hdr.is_valid() &&
+                hdr.message_type != NBSS_MSGTYPE_SESSION_MESSAGE {
+                //we accept a first small netbios message before real SMB
+                let hl = hdr.length as usize;
+                if hdr.data.len() >= hl + 8 {
+                    // 8 is 4 bytes NBSS + 4 bytes SMB0xFX magic
+                    match parse_nbss_record_partial(&hdr.data[hl..]) {
+                        Ok((_, ref hdr2)) => {
+                            if hdr2.is_smb() {
+                                SCLogDebug!("smb found");
+                                return 1;
+                            }
+                        }
+                        _ => {}
+                    }
+                } else if hdr.length < 256 {
+                    // we want more data, 256 is some random value
+                    return 0;
+                }
+                // default is failure
              }
          },
          _ => { },
author	Philippe Antoine <contact@catenacyber.fr>
	Wed, 17 Feb 2021 14:36:12 +0000 (15:36 +0100)
committer	Victor Julien <victor@inliniac.net>
	Sat, 27 Feb 2021 17:47:09 +0000 (18:47 +0100)