From: Victor Julien
Date: Wed, 20 Apr 2022 19:58:59 +0000 (+0200)
Subject: smb: fix read queue exceeded event and rules
X-Git-Tag: suricata-6.0.5~23
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=20b379d92a4448257e96bca9f9aea9a76c5a1ee5;p=thirdparty%2Fsuricata.git
smb: fix read queue exceeded event and rules
---
diff --git a/rules/smb-events.rules b/rules/smb-events.rules
index 4c15558660..159033f898 100644
--- a/rules/smb-events.rules
+++ b/rules/smb-events.rules
@@ -32,13 +32,13 @@ alert smb any any -> any any (msg:"SURICATA SMB supported READ size exceeded"; f
 alert smb any any -> any any (msg:"SURICATA SMB supported WRITE size exceeded"; flow:to_server; app-layer-event:smb.negotiate_max_write_size_too_large; classtype:protocol-command-decode; sid:2225013; rev:1;)
 # checks 'app-layer.protocols.smb.max-write-queue-size` against out of order chunks
-alert smb any any -> any any (msg:"SURICATA SMB max WRITE queue size exceeded"; flow:to_server; app-layer-event:smb.write_queue_size_too_large; classtype:protocol-command-decode; sid:2225014; rev:1;)
+alert smb any any -> any any (msg:"SURICATA SMB max WRITE queue size exceeded"; flow:to_server; app-layer-event:smb.write_queue_size_exceeded; classtype:protocol-command-decode; sid:2225014; rev:1;)
 # checks 'app-layer.protocols.smb.max-write-queue-cnt` against out of order chunks
-alert smb any any -> any any (msg:"SURICATA SMB max WRITE queue cnt exceeded"; flow:to_server; app-layer-event:smb.write_queue_cnt_too_large; classtype:protocol-command-decode; sid:2225015; rev:1;)
+alert smb any any -> any any (msg:"SURICATA SMB max WRITE queue cnt exceeded"; flow:to_server; app-layer-event:smb.write_queue_cnt_exceeded; classtype:protocol-command-decode; sid:2225015; rev:1;)
 # checks 'app-layer.protocols.smb.max-read-queue-size` against out of order chunks
-alert smb any any -> any any (msg:"SURICATA SMB max READ queue size exceeded"; flow:to_client; app-layer-event:smb.read_queue_size_too_large; classtype:protocol-command-decode; sid:2225016; rev:1;)
+alert smb any any -> any any (msg:"SURICATA SMB max READ queue size exceeded"; flow:to_client; app-layer-event:smb.read_queue_size_exceeded; classtype:protocol-command-decode; sid:2225016; rev:1;)
 # checks 'app-layer.protocols.smb.max-read-queue-cnt` against out of order chunks
-alert smb any any -> any any (msg:"SURICATA SMB max READ queue cnt exceeded"; flow:to_client; app-layer-event:smb.read_queue_cnt_too_large; 
classtype:protocol-command-decode; sid:2225017; rev:1;)
+alert smb any any -> any any (msg:"SURICATA SMB max READ queue cnt exceeded"; flow:to_client; app-layer-event:smb.read_queue_cnt_exceeded; classtype:protocol-command-decode; sid:2225017; rev:1;)
 # next sid 2225018
diff --git a/rust/src/smb/events.rs b/rust/src/smb/events.rs
index 504e302698..9a032fd178 100644
--- a/rust/src/smb/events.rs
+++ b/rust/src/smb/events.rs
@@ -39,8 +39,8 @@ pub enum SMBEvent {
 ReadRequestTooLarge = 12,
 /// READ response bigger than `max_read_size`
 ReadResponseTooLarge = 13,
- ReadResponseQueueSizeExceeded = 14,
- ReadResponseQueueCntExceeded = 15,
+ ReadQueueSizeExceeded = 14,
+ ReadQueueCntExceeded = 15,
 /// WRITE request for more than `max_write_size`
 WriteRequestTooLarge = 16,
 WriteQueueSizeExceeded = 17,
@@ -64,8 +64,8 @@ impl SMBEvent {
 11 => Some(SMBEvent::NegotiateMaxWriteSizeTooLarge),
 12 => Some(SMBEvent::ReadRequestTooLarge),
 13 => Some(SMBEvent::ReadResponseTooLarge),
- 14 => Some(SMBEvent::ReadResponseQueueSizeExceeded),
- 15 => Some(SMBEvent::ReadResponseQueueCntExceeded),
+ 14 => Some(SMBEvent::ReadQueueSizeExceeded),
+ 15 => Some(SMBEvent::ReadQueueCntExceeded),
 16 => Some(SMBEvent::WriteRequestTooLarge),
 17 => Some(SMBEvent::WriteQueueSizeExceeded),
 18 => Some(SMBEvent::WriteQueueCntExceeded),
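Review bot: All five rewritten rules in this hunk (sids 2225014–2225017 and the READ cnt rule continued on this line) keep `rev:1` although their `app-layer-event` keyword changed, so rule-management tooling that detects updates by sid/rev will not treat them as modified and may keep serving the old variants. Each changed rule should be bumped, e.g. `... app-layer-event:smb.read_queue_cnt_exceeded; classtype:protocol-command-decode; sid:2225017; rev:2;)`. The unchanged context in `smb_str_to_event` shows the write-side strings were already `write_queue_*_exceeded`, so the old `*_too_large` keywords in these rules presumably never resolved to an event and the rules would not have loaded; that is worth stating in the commit message. A small test that loads rules/smb-events.rules against the SMB event table would keep the two from drifting apart again.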
@@ -91,8 +91,8 @@ pub fn smb_str_to_event(instr: &str) -> i32 {
 "negotiate_max_write_size_too_large" => SMBEvent::NegotiateMaxWriteSizeTooLarge as i32,
 "read_request_too_large" => SMBEvent::ReadRequestTooLarge as i32,
 "read_response_too_large" => SMBEvent::ReadResponseTooLarge as i32,
- "read_response_queue_size_exceeded" => SMBEvent::ReadResponseQueueSizeExceeded as i32,
- "read_response_queue_cnt_exceeded" => SMBEvent::ReadResponseQueueCntExceeded as i32,
+ "read_queue_size_exceeded" => SMBEvent::ReadQueueSizeExceeded as i32,
+ "read_queue_cnt_exceeded" => SMBEvent::ReadQueueCntExceeded as i32,
 "write_request_too_large" => SMBEvent::WriteRequestTooLarge as i32,
 "write_queue_size_exceeded" => SMBEvent::WriteQueueSizeExceeded as i32,
 "write_queue_cnt_exceeded" => SMBEvent::WriteQueueCntExceeded as i32,
diff --git a/rust/src/smb/smb.rs b/rust/src/smb/smb.rs
index abfda7fbba..8e094c9d58 100644
--- a/rust/src/smb/smb.rs
+++ b/rust/src/smb/smb.rs
@@ -2202,8 +2202,8 @@ pub extern "C" fn rs_smb_state_get_event_info_by_id(event_id: std::os::raw::c_in
 SMBEvent::NegotiateMaxWriteSizeTooLarge => { "negotiate_max_write_size_too_large\0" },
 SMBEvent::ReadRequestTooLarge => { "read_request_too_large\0" },
 SMBEvent::ReadResponseTooLarge => { "read_response_too_large\0" },
- SMBEvent::ReadResponseQueueSizeExceeded => { "read_response_queue_size_exceeded\0" },
- SMBEvent::ReadResponseQueueCntExceeded => { "read_response_queue_cnt_exceeded\0" },
+ SMBEvent::ReadQueueSizeExceeded => { "read_queue_size_exceeded\0" },
+ SMBEvent::ReadQueueCntExceeded => { "read_queue_cnt_exceeded\0" },
 SMBEvent::WriteRequestTooLarge => { "write_request_too_large\0" },
 SMBEvent::WriteQueueSizeExceeded => { "write_queue_size_exceeded\0" },
 SMBEvent::WriteQueueCntExceeded => { "write_queue_cnt_exceeded\0" },
diff --git a/rust/src/smb/smb2.rs b/rust/src/smb/smb2.rs
index d4ad1bb95a..7aeacfbb50 100644
--- a/rust/src/smb/smb2.rs
+++ b/rust/src/smb/smb2.rs
@@ -164,10 +164,10 @@ pub fn smb2_read_response_record<'b>(state: &mut SMBState, r: &Smb2Record<'b>)
 set_event_fileoverlap = true;
 }
 if max_queue_size != 0 && tdf.file_tracker.get_inflight_size() + rd.len as u64 > max_queue_size.into() {
- state.set_event(SMBEvent::ReadResponseQueueSizeExceeded);
+ state.set_event(SMBEvent::ReadQueueSizeExceeded);
 state.set_skip(STREAM_TOCLIENT, rd.len, rd.data.len() as u32);
 } else if max_queue_cnt != 0 && tdf.file_tracker.get_inflight_cnt() >= max_queue_cnt as usize {
- state.set_event(SMBEvent::ReadResponseQueueCntExceeded);
+ state.set_event(SMBEvent::ReadQueueCntExceeded);
 state.set_skip(STREAM_TOCLIENT, rd.len, rd.data.len() as u32);
 } else {
 filetracker_newchunk(&mut tdf.file_tracker, files, flags,
@@ -240,10 +240,10 @@ pub fn smb2_read_response_record<'b>(state: &mut SMBState, r: &Smb2Record<'b>)
 set_event_fileoverlap = true;
 }
 if max_queue_size != 0 && tdf.file_tracker.get_inflight_size() + rd.len as u64 > max_queue_size.into() {
- state.set_event(SMBEvent::ReadResponseQueueSizeExceeded);
+ state.set_event(SMBEvent::ReadQueueSizeExceeded);
 state.set_skip(STREAM_TOCLIENT, rd.len, rd.data.len() as u32);
 } else if max_queue_cnt != 0 && tdf.file_tracker.get_inflight_cnt() >= max_queue_cnt as usize {
- state.set_event(SMBEvent::ReadResponseQueueCntExceeded);
+ state.set_event(SMBEvent::ReadQueueCntExceeded);
 state.set_skip(STREAM_TOCLIENT, rd.len, rd.data.len() as u32);
 } else {
 filetracker_newchunk(&mut tdf.file_tracker, files, flags,