--- /dev/null
+# Description
+
+Test SMB evasion with write data length lesser than NBSS record length (there is padding)
+
+# PCAP
+
+The pcap comes from running MacOS with a shared SMB directory named public (with user toto and password toto).
+There is a proxy on port 4445 that rewrites the smb2 write command if the file data begins by 'E' to have a lesser field length.
+Then fuzzpcap was used to split the write command in 2 tcp packets with an ACK in between, so that Suricata processes partial data.
--- /dev/null
+import sys
+import binascii
+from threading import Thread
+import time
+import socket
+
+
+
+s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+s.bind(("127.0.0.1", 4445))
+s.listen(1)
+conn, addr = s.accept()
+s2 = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+print("accpeted, now connecting")
+s2.connect(("127.0.0.1", 445))
+print("connected")
+ok = True
+while ok:
+ data = conn.recv(32768)
+ print("received", len(data), data[16])
+ if len(data) == 0:
+ break
+ data = bytearray(data)
+ changed = 0
+ if data[16] == 9:
+ # write request
+ print("write", data[116])
+ if data[116] == 69:
+ # if the first letter of payload is E
+ # let's remove 512 to the length
+ data[73] = data[73] - 2
+ print("modified", binascii.hexlify(data))
+ s2.send(data)
+ resp = s2.recv(32768)
+ print("response", len(resp))
+ resp = bytearray(resp)
+ conn.send(resp)
+
+conn.close()
+s.close()
--- /dev/null
+# disables checksum verification
+args:
+- -k none --set app-layer.protocols.smb.max-write-size=200
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: fileinfo
+ fileinfo.filename: "toto.txt"
+ dest_port: 445
projects / thirdparty / suricata-verify.git / commitdiff
