detect/smb: add smb.ntlmssp_domain keyword
authorEric Leblond <el@stamus-networks.com>
Thu, 13 Jan 2022 10:41:49 +0000 (11:41 +0100)
committerVictor Julien <vjulien@oisf.net>
Mon, 3 Oct 2022 08:51:06 +0000 (10:51 +0200)
Feature #5411.

rust/src/smb/detect.rs
src/detect-engine-register.c
src/detect-engine-register.h
src/detect-smb-ntlmssp.c
src/detect-smb-ntlmssp.h

index 526db406c2caf33bf6321ecebb3fd966ceaa5f2d..ee6ccdb7a7601af9edef154520c5748941278588 100644 (file)
@@ -193,3 +193,26 @@ pub unsafe extern "C" fn rs_smb_tx_get_ntlmssp_user(tx: &mut SMBTransaction,
     *buffer_len = 0;
     return 0;
 }
+
+#[no_mangle]
+pub unsafe extern "C" fn rs_smb_tx_get_ntlmssp_domain(tx: &mut SMBTransaction,
+                                            buffer: *mut *const u8,
+                                            buffer_len: *mut u32)
+                                            -> u8
+{
+    match tx.type_data {
+        Some(SMBTransactionTypeData::SESSIONSETUP(ref x)) => {
+            if let Some(ref ntlmssp) = x.ntlmssp {
+                *buffer = ntlmssp.domain.as_ptr();
+                *buffer_len = ntlmssp.domain.len() as u32;
+                return 1;
+            }
+        }
+        _ => {
+        }
+    }
+
+    *buffer = ptr::null();
+    *buffer_len = 0;
+    return 0;
+}
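Review bot: rs_smb_tx_get_ntlmssp_domain is a `pub unsafe extern "C"` entry point that writes through `buffer` and `buffer_len` unconditionally and hands out a raw pointer into `ntlmssp.domain`, yet it carries no `/// # Safety` section stating those contracts. I would add a doc comment saying that both out-pointers must be valid for writes, that the returned pointer borrows the transaction and is only valid while `tx.type_data` is left unchanged, and that the return value is 1 when a domain was found and 0 otherwise, with the out-params reset to null and 0. The `match` with an empty `_ => {}` arm reads more directly as `if let Some(SMBTransactionTypeData::SESSIONSETUP(ref x)) = tx.type_data {`, which is the same logic with one less level of nesting. The function mirrors rs_smb_tx_get_ntlmssp_user, whose tail is visible above the hunk, so the same comment would fit there if that function is touched later.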
index 95ea173faf053f39ecb95641d14e02babe32ed4a..325d3ea326ace41ec85ec9a25c888aecf5d826e0 100644 (file)
@@ -593,6 +593,7 @@ void SigTableSetup(void)
     DetectSmbNamedPipeRegister();
     DetectSmbShareRegister();
     DetectSmbNtlmsspUserRegister();
+    DetectSmbNtlmsspDomainRegister();
     DetectTlsRegister();
     DetectTlsValidityRegister();
     DetectTlsVersionRegister();
index cfb892d97ffc07b9a87d32fbb4d27adee05b575e..a4fcc9beafe6ab38fd9b716915d7ff72f265b265 100644 (file)
@@ -193,6 +193,7 @@ enum DetectKeywordId {
     DETECT_SMB_NAMED_PIPE,
     DETECT_SMB_SHARE,
     DETECT_SMB_NTLMSSP_USER,
+    DETECT_SMB_NTLMSSP_DOMAIN,
 
     DETECT_ASN1,
 
index a0afde89ae4520b5234a6a2b250dd755f4d38dfb..c301b0299a4049b86759794ca5f15ec199a108cd 100644 (file)
@@ -22,6 +22,7 @@
  *
  */
 
+#include "detect-engine-register.h"
 #include "suricata-common.h"
 
 #include "detect.h"
@@ -88,3 +89,61 @@ void DetectSmbNtlmsspUserRegister(void)
 
     g_smb_nltmssp_user_buffer_id = DetectBufferTypeGetByName(BUFFER_NAME);
 }
+
+#undef BUFFER_NAME
+#undef KEYWORD_NAME
+#undef KEYWORD_ID
+
+#define BUFFER_NAME  "smb_ntlmssp_domain"
+#define KEYWORD_NAME "smb.ntlmssp_domain"
+#define KEYWORD_ID   DETECT_SMB_NTLMSSP_DOMAIN
+
+static int g_smb_nltmssp_domain_buffer_id = 0;
+
+static int DetectSmbNtlmsspDomainSetup(DetectEngineCtx *de_ctx, Signature *s, const char *arg)
+{
+    if (DetectBufferSetActiveList(s, g_smb_nltmssp_domain_buffer_id) < 0)
+        return -1;
+
+    if (DetectSignatureSetAppProto(s, ALPROTO_SMB) < 0)
+        return -1;
+
+    return 0;
+}
+
+static InspectionBuffer *GetNtlmsspDomainData(DetectEngineThreadCtx *det_ctx,
+        const DetectEngineTransforms *transforms, Flow *_f, const uint8_t _flow_flags, void *txv,
+        const int list_id)
+{
+    InspectionBuffer *buffer = InspectionBufferGet(det_ctx, list_id);
+    if (buffer->inspect == NULL) {
+        uint32_t b_len = 0;
+        const uint8_t *b = NULL;
+
+        if (rs_smb_tx_get_ntlmssp_domain(txv, &b, &b_len) != 1)
+            return NULL;
+        if (b == NULL || b_len == 0)
+            return NULL;
+
+        InspectionBufferSetup(det_ctx, list_id, buffer, b, b_len);
+        InspectionBufferApplyTransforms(buffer, transforms);
+    }
+    return buffer;
+}
+
+void DetectSmbNtlmsspDomainRegister(void)
+{
+    sigmatch_table[KEYWORD_ID].name = KEYWORD_NAME;
+    sigmatch_table[KEYWORD_ID].Setup = DetectSmbNtlmsspDomainSetup;
+    sigmatch_table[KEYWORD_ID].flags |= SIGMATCH_NOOPT | SIGMATCH_INFO_STICKY_BUFFER;
+    sigmatch_table[KEYWORD_ID].desc =
+            "sticky buffer to match on SMB ntlmssp domain in session setup";
+
+    DetectAppLayerMpmRegister2(BUFFER_NAME, SIG_FLAG_TOSERVER, 2, PrefilterGenericMpmRegister,
+            GetNtlmsspDomainData, ALPROTO_SMB, 1);
+
+    DetectAppLayerInspectEngineRegister2(BUFFER_NAME, ALPROTO_SMB, SIG_FLAG_TOSERVER, 0,
+            DetectEngineInspectBufferGeneric, GetNtlmsspDomainData);
+
+    g_smb_nltmssp_domain_buffer_id = DetectBufferTypeGetByName(BUFFER_NAME);
+}
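Review bot: None of the three new functions is commented, and GetNtlmsspDomainData's NULL return conflates three cases — the tx is not a session setup, it carries no NTLMSSP blob, or the domain is present but empty — which matters because buffer->inspect stays unset and the lookup is repeated on the next call. A header comment such as `/* Sticky-buffer getter: exposes the NTLMSSP domain of a SMB session setup tx to MPM and inspection; returns NULL (leaving buffer->inspect unset) when the tx is not a session setup or has no non-empty domain. */` would make that explicit, and DetectSmbNtlmsspDomainSetup deserves a line noting that `arg` is unused because the keyword is a SIGMATCH_NOOPT sticky buffer. The keyword sets `desc` but not `url`, and the commit's file list shows no userguide entry for smb.ntlmssp_domain, so the keyword appears undocumented for rule writers. The `#undef`/`#define` of BUFFER_NAME, KEYWORD_NAME and KEYWORD_ID mid-file makes those macros position-dependent, so any code added below this point silently refers to the domain keyword; the earlier hunk in this file also places `detect-engine-register.h` ahead of `suricata-common.h`, which I believe the project's style expects to come first — worth confirming.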
index 054f0ae9be878e562d6e9297d9ff27f04fa5e259..a3eaf212a940994a31fb514710ced0c2a5532fec 100644 (file)
@@ -25,5 +25,6 @@
 #define __DETECT_SMB_NTLMSSP_H__
 
 void DetectSmbNtlmsspUserRegister(void);
+void DetectSmbNtlmsspDomainRegister(void);
 
 #endif /* __DETECT_SMB_NTLMSSP_H__ */