Merge pull request #2751 in SNORT/snort3 from ~DIPANDIT/snort3:smb1_file_api to master
authorBhargava Jandhyala (bjandhya) <bjandhya@cisco.com>
Mon, 22 Feb 2021 05:16:59 +0000 (05:16 +0000)
committerBhargava Jandhyala (bjandhya) <bjandhya@cisco.com>
Mon, 22 Feb 2021 05:16:59 +0000 (05:16 +0000)
Squashed commit of the following:

commit 2c8805d21d2106d95ea496a320bcf4898bb4e4fe
Author: Dipto Pandit (dipandit) <dipandit@cisco.com>
Date:   Mon Feb 15 04:20:50 2021 -0500

    dce_rpc: pass proper file id in file api from smb1

src/service_inspectors/dce_rpc/dce_smb.h
src/service_inspectors/dce_rpc/dce_smb_utils.cc

index aeb0a32ed2a4c57c19afb46d5910a9339b22c226..51899c7a5a857ab697f2ac0e04dd508d51c0fc09 100644 (file)
@@ -321,6 +321,7 @@ struct DCE2_SmbFileTracker
     bool is_smb2;
     char* file_name;
     uint16_t file_name_size;
+    uint64_t file_name_hash;
 
     union
     {
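Review bot: The new `file_name_hash` member has no comment, so its purpose and its relation to `file_name` can only be learned from dce_smb_utils.cc. Suggest `uint64_t file_name_hash;  // str_to_hash of file_name, passed to the file API as the file id; 0 when no name is set`. The struct continues outside this hunk.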
index 8062c6d65d37ce7f4c7dfb046758889f87b1f0b6..d253ee4b56ea9378d718b3360d11647385de1260 100644 (file)
@@ -28,6 +28,7 @@
 #include "detection/detection_engine.h"
 #include "detection/detection_util.h"
 #include "file_api/file_api.h"
+#include "hash/hash_key_operations.h"
 #include "main/snort.h"
 #include "main/snort_debug.h"
 #include "network_inspectors/packet_tracer/packet_tracer.h"
@@ -51,13 +52,6 @@ static void DCE2_SmbFinishFileBlockVerdict(DCE2_SmbSsnData* ssd);
 /********************************************************************
  * Inline functions
  ********************************************************************/
-static inline bool DCE2_SmbIsVerdictSuspend(bool upload, FilePosition position)
-{
-    if (upload &&
-        ((position == SNORT_FILE_FULL) || (position == SNORT_FILE_END)))
-        return true;
-    return false;
-}
 
 static inline bool DCE2_SmbFileUpload(DCE2_SmbFileDirection dir)
 {
@@ -409,6 +403,7 @@ DCE2_Ret DCE2_SmbInitFileTracker(DCE2_SmbSsnData* ssd,
     ftracker->is_smb2 = false;
     ftracker->file_name = nullptr;
     ftracker->file_name_size = 0;
+    ftracker->file_name_hash = 0;
     if (is_ipc)
     {
         DCE2_CoTracker* co_tracker = (DCE2_CoTracker*)snort_calloc(sizeof(DCE2_CoTracker));
@@ -567,6 +562,7 @@ void DCE2_SmbCleanFileTracker(DCE2_SmbFileTracker* ftracker)
         snort_free((void*)ftracker->file_name);
         ftracker->file_name = nullptr;
         ftracker->file_name_size = 0;
+        ftracker->file_name_hash = 0;
     }
 
     if (ftracker->is_ipc)
@@ -1473,7 +1469,8 @@ static void DCE2_SmbFinishFileAPI(DCE2_SmbSsnData* ssd)
         if ((ftracker->ff_file_size == 0)
             && (ftracker->ff_bytes_processed != 0))
         {
-            if (file_flows->file_process(p, nullptr, 0, SNORT_FILE_END, upload))
+            if (file_flows->file_process(p, nullptr, 0, SNORT_FILE_END, upload,
+                ftracker->file_name_hash))
             {
                 if (upload)
                 {
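Review bot: `ftracker->file_name_hash` is still 0 at this call for any tracker that never went through DCE2_Update_Ftracker_from_ReqTracker. The only visible assignments are the zero in DCE2_SmbInitFileTracker and the `str_to_hash` call in that function. If the file API keys its per-file context on this value (file_process is not shown), several unnamed SMB1 files on one flow would share one context, and a verdict or file type for one could be attributed to another. Consider a per-file fallback when the hash is 0, for example `ftracker->file_name_hash ? ftracker->file_name_hash : ftracker->fid_v1`, or a comment stating that 0 is intentionally the default id. The same applies to the call in DCE2_SmbFileAPIProcess, and the enclosing function continues outside this hunk.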
@@ -1546,7 +1543,7 @@ static DCE2_Ret DCE2_SmbFileAPIProcess(DCE2_SmbSsnData* ssd,
         return DCE2_RET__ERROR;
 
     if (!file_flows->file_process(p, data_ptr, (int)data_len, position, upload,
-        DCE2_SmbIsVerdictSuspend(upload, position)))
+        ftracker->file_name_hash))
     {
         debug_logf(dce_smb_trace, p, "File API returned FAILURE for (0x%02X) %s\n",
             ftracker->fid_v1, upload ? "UPLOAD" : "DOWNLOAD");
@@ -1884,6 +1881,8 @@ void DCE2_Update_Ftracker_from_ReqTracker(DCE2_SmbFileTracker* ftracker,
 {
     ftracker->file_name = cur_rtracker->file_name;
     ftracker->file_name_size = cur_rtracker->file_name_size;
+    ftracker->file_name_hash = str_to_hash(
+        (const uint8_t*)cur_rtracker->file_name, cur_rtracker->file_name_size);
     cur_rtracker->file_name = nullptr;
     cur_rtracker->file_name_size = 0;
 }
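Review bot: `str_to_hash` is called on `cur_rtracker->file_name` without a null check, and the resulting file id is derived entirely from a client-supplied SMB name. Whether `str_to_hash` tolerates a null pointer with size 0 is not visible here. A guard such as `ftracker->file_name_hash = ftracker->file_name ? str_to_hash((const uint8_t*)ftracker->file_name, ftracker->file_name_size) : 0;` keeps the no-name case at 0. That matches DCE2_SmbCleanFileTracker, which appears to reset the hash only inside the block that frees `file_name`. Two opens of the same name, or two names that collide under this hash (presumably not collision-resistant), give the same id on one flow, so a comment saying why that is acceptable for file inspection would help the next reader.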