From: Philippe Antoine Date: Wed, 17 Feb 2021 14:36:12 +0000 (+0100) Subject: smb: relax probing parser to handle first NBSS message X-Git-Tag: suricata-5.0.6~4 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=03749d9bcca79fb07f4739af284a02a90e12fe1f;p=thirdparty%2Fsuricata.git smb: relax probing parser to handle first NBSS message cf dcerpc-udp S-V test : First message is Message Type: Session request (0x81) Second message is SMB (cherry picked from commit 83070102557d2755b9ffc67bb14b9b4d48b039e9)
---
diff --git a/rust/src/smb/nbss_records.rs b/rust/src/smb/nbss_records.rs
index c07b02a056..d081684b45 100644
--- a/rust/src/smb/nbss_records.rs
+++ b/rust/src/smb/nbss_records.rs
@@ -44,6 +44,9 @@ impl<'a> NbssRecord<'a> {
 };
 valid
 }
+ pub fn needs_more(&self) -> bool {
+ return self.is_valid() && self.length >= 4 && self.data.len() < 4;
+ }
 pub fn is_smb(&self) -> bool {
 let valid = self.is_valid();
 let smb = if self.data.len() >= 4 &&
diff --git a/rust/src/smb/smb.rs b/rust/src/smb/smb.rs
index 6b4f585207..964e74ce09 100644
--- a/rust/src/smb/smb.rs
+++ b/rust/src/smb/smb.rs
@@ -1990,9 +1990,28 @@ pub extern "C" fn rs_smb_probe_tcp(direction: u8,
 if hdr.is_smb() {
 SCLogDebug!("smb found");
 return 1;
- } else if hdr.is_valid() {
- SCLogDebug!("nbss found, assume smb");
- return 1;
+ } else if hdr.needs_more(){
+ return 0;
+ } else if hdr.is_valid() &&
+ hdr.message_type != NBSS_MSGTYPE_SESSION_MESSAGE {
+ //we accept a first small netbios message before real SMB
+ let hl = hdr.length as usize;
+ if hdr.data.len() >= hl + 8 {
+ // 8 is 4 bytes NBSS + 4 bytes SMB0xFX magic
+ match parse_nbss_record_partial(&hdr.data[hl..]) {
+ Ok((_, ref hdr2)) => {
+ if hdr2.is_smb() {
+ SCLogDebug!("smb found");
+ return 1;
+ }
+ }
+ _ => {}
+ }
+ } else if hdr.length < 256 {
+ // we want more data, 256 is some random value
+ return 0;
+ }
+ // default is failure
 }
 },
 _ => { },
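Review bot: `needs_more` in nbss_records.rs lands without a doc comment, and its condition deserves one because the two 4s mean different things — `self.length >= 4` looks like the declared NBSS payload length while `self.data.len() < 4` is how much of that payload is actually buffered, so a reader cannot tell from the line alone why both are needed. I would add `/// True when the header parsed as a known NBSS type and the declared payload is at least 4 bytes, but fewer than 4 payload bytes are buffered, so the SMB magic cannot be checked yet (caller should ask for more data).` above the fn, confirming the meaning of `length` against the parser. The trailing `return …;` can also be the bare expression `self.is_valid() && self.length >= 4 && self.data.len() < 4`, matching how `valid` is returned by the method just above. The enclosing `impl NbssRecord` starts and ends outside this hunk.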
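Review bot: The `hdr.length < 256` bound in rs_smb_probe_tcp only gates the need-more-data path; when the probe buffer already holds `hl + 8` bytes, a leading non-session NBSS record of any declared length is accepted as long as an SMB record follows it, which contradicts the comment that only a *small* first message is tolerated. If 256 is meant to define "small", move it into the branch condition, `hdr.message_type != NBSS_MSGTYPE_SESSION_MESSAGE && hdr.length < 256 {`, and turn the inner `} else if hdr.length < 256 {` into a plain `} else {`, so an oversized first record falls straight through to the failure default on every path. The comment `// we want more data, 256 is some random value` should then state what the bound is for — a NetBIOS session request carries two encoded names and is well under 256 bytes, which I assume is the intended justification; if `length` is not already limited to 24 bits by the parser, the bound also keeps `hl + 8` from overflowing on 32-bit targets. Minor style: `needs_more(){` wants a space before the brace and `//we accept` a space after the slashes. The function starts and ends outside this hunk, so the value returned on the "default is failure" fall-through is not visible here.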