alert smb any any -> any any (msg:"SURICATA SMB malformed NTLMSSP record"; flow:to_server; app-layer-event:smb.malformed_ntlmssp_request; classtype:protocol-command-decode; sid:2225004; rev:1;)
alert smb any any -> any any (msg:"SURICATA SMB malformed request dialects"; flow:to_server; app-layer-event:smb.negotiate_malformed_dialects; classtype:protocol-command-decode; sid:2225005; rev:1;)
+
+alert smb any any -> any any (msg:"SURICATA SMB file overlap"; app-layer-event:smb.file_overlap; classtype:protocol-command-decode; sid:2225006; rev:1;)
#[derive(Debug)]
pub struct FileTransferTracker {
file_size: u64,
- tracked: u64,
+ pub tracked: u64,
cur_ooo: u64, // how many bytes do we have queued from ooo chunks
track_id: u32,
chunk_left: u32,
MalformedNtlmsspResponse = 4,
DuplicateNegotiate = 5,
NegotiateMalformedDialects = 6,
+ FileOverlap = 7,
}
impl SMBEvent {
4 => Some(SMBEvent::MalformedNtlmsspResponse),
5 => Some(SMBEvent::DuplicateNegotiate),
6 => Some(SMBEvent::NegotiateMalformedDialects),
+ 7 => Some(SMBEvent::FileOverlap),
_ => None,
}
}
"malformed_ntlmssp_response" => SMBEvent::MalformedNtlmsspResponse as i32,
"duplicate_negotiate" => SMBEvent::DuplicateNegotiate as i32,
"negotiate_malformed_dialects" => SMBEvent::NegotiateMalformedDialects as i32,
+ "file_overlap" => SMBEvent::FileOverlap as i32,
_ => -1,
}
}
SMBEvent::MalformedNtlmsspResponse => { "malformed_ntlmssp_response\0" },
SMBEvent::DuplicateNegotiate => { "duplicate_negotiate\0" },
SMBEvent::NegotiateMalformedDialects => { "netogiate_malformed_dialects\0" },
+ SMBEvent::FileOverlap => { "file_overlap\0" },
};
unsafe{
*event_name = estr.as_ptr() as *const std::os::raw::c_char;
Some(n) => n.to_vec(),
None => b"<unknown>".to_vec(),
};
+ let mut set_event_fileoverlap = false;
let found = match state.get_file_tx_by_fuid(&file_fid, STREAM_TOSERVER) {
Some((tx, files, flags)) => {
let file_id : u32 = tx.id as u32;
if let Some(SMBTransactionTypeData::FILE(ref mut tdf)) = tx.type_data {
+ if rd.offset < tdf.file_tracker.tracked {
+ set_event_fileoverlap = true;
+ }
filetracker_newchunk(&mut tdf.file_tracker, files, flags,
&file_name, rd.data, rd.offset,
rd.len, 0, false, &file_id);
if let Some(SMBTransactionTypeData::FILE(ref mut tdf)) = tx.type_data {
let file_id : u32 = tx.id as u32;
SCLogDebug!("FID {:?} found at tx {}", file_fid, tx.id);
+ if rd.offset < tdf.file_tracker.tracked {
+ set_event_fileoverlap = true;
+ }
filetracker_newchunk(&mut tdf.file_tracker, files, flags,
&file_name, rd.data, rd.offset,
rd.len, 0, false, &file_id);
tx.vercmd.set_smb1_cmd(SMB1_COMMAND_WRITE_ANDX);
}
}
+ if set_event_fileoverlap {
+ state.set_event(SMBEvent::FileOverlap);
+ }
state.set_file_left(STREAM_TOSERVER, rd.len, rd.data.len() as u32, file_fid.to_vec());
Some(n) => n.to_vec(),
None => Vec::new(),
};
+ let mut set_event_fileoverlap = false;
let found = match state.get_file_tx_by_fuid(&file_fid, STREAM_TOCLIENT) {
Some((tx, files, flags)) => {
if let Some(SMBTransactionTypeData::FILE(ref mut tdf)) = tx.type_data {
let file_id : u32 = tx.id as u32;
SCLogDebug!("FID {:?} found at tx {}", file_fid, tx.id);
+ if offset < tdf.file_tracker.tracked {
+ set_event_fileoverlap = true;
+ }
filetracker_newchunk(&mut tdf.file_tracker, files, flags,
&file_name, rd.data, offset,
rd.len, 0, false, &file_id);
if let Some(SMBTransactionTypeData::FILE(ref mut tdf)) = tx.type_data {
let file_id : u32 = tx.id as u32;
SCLogDebug!("FID {:?} found at tx {}", file_fid, tx.id);
+ if offset < tdf.file_tracker.tracked {
+ set_event_fileoverlap = true;
+ }
filetracker_newchunk(&mut tdf.file_tracker, files, flags,
&file_name, rd.data, offset,
rd.len, 0, false, &file_id);
}
tx.vercmd.set_smb1_cmd(SMB1_COMMAND_READ_ANDX);
}
+ if set_event_fileoverlap {
+ state.set_event(SMBEvent::FileOverlap);
+ }
} else {
SCLogDebug!("SMBv1 READ response from PIPE");
let hdr = SMBCommonHdr::from1(r, SMBHDR_TYPE_HEADER);
};
SCLogDebug!("SMBv2 READ: GUID {:?} offset {}", file_guid, offset);
+ let mut set_event_fileoverlap = false;
// look up existing tracker and if we have it update it
let found = match state.get_file_tx_by_fuid(&file_guid, STREAM_TOCLIENT) {
Some((tx, files, flags)) => {
if let Some(SMBTransactionTypeData::FILE(ref mut tdf)) = tx.type_data {
let file_id : u32 = tx.id as u32;
+ if offset < tdf.file_tracker.tracked {
+ set_event_fileoverlap = true;
+ }
filetracker_newchunk(&mut tdf.file_tracker, files, flags,
&tdf.file_name, rd.data, offset,
rd.len, 0, false, &file_id);
let (tx, files, flags) = state.new_file_tx(&file_guid, &file_name, STREAM_TOCLIENT);
if let Some(SMBTransactionTypeData::FILE(ref mut tdf)) = tx.type_data {
let file_id : u32 = tx.id as u32;
+ if offset < tdf.file_tracker.tracked {
+ set_event_fileoverlap = true;
+ }
filetracker_newchunk(&mut tdf.file_tracker, files, flags,
&file_name, rd.data, offset,
rd.len, 0, false, &file_id);
}
}
+ if set_event_fileoverlap {
+ state.set_event(SMBEvent::FileOverlap);
+ }
state.set_file_left(STREAM_TOCLIENT, rd.len, rd.data.len() as u32, file_guid.to_vec());
}
_ => {
None => Vec::new(),
};
+ let mut set_event_fileoverlap = false;
let found = match state.get_file_tx_by_fuid(&file_guid, STREAM_TOSERVER) {
Some((tx, files, flags)) => {
if let Some(SMBTransactionTypeData::FILE(ref mut tdf)) = tx.type_data {
let file_id : u32 = tx.id as u32;
+ if wr.wr_offset < tdf.file_tracker.tracked {
+ set_event_fileoverlap = true;
+ }
filetracker_newchunk(&mut tdf.file_tracker, files, flags,
&file_name, wr.data, wr.wr_offset,
wr.wr_len, 0, false, &file_id);
let (tx, files, flags) = state.new_file_tx(&file_guid, &file_name, STREAM_TOSERVER);
if let Some(SMBTransactionTypeData::FILE(ref mut tdf)) = tx.type_data {
let file_id : u32 = tx.id as u32;
+ if wr.wr_offset < tdf.file_tracker.tracked {
+ set_event_fileoverlap = true;
+ }
filetracker_newchunk(&mut tdf.file_tracker, files, flags,
&file_name, wr.data, wr.wr_offset,
wr.wr_len, 0, false, &file_id);
r.session_id, r.tree_id, 0); // TODO move into new_file_tx
}
}
+
+ if set_event_fileoverlap {
+ state.set_event(SMBEvent::FileOverlap);
+ }
state.set_file_left(STREAM_TOSERVER, wr.wr_len, wr.data.len() as u32, file_guid.to_vec());
},
_ => {
projects / thirdparty / suricata.git / commitdiff
