From: Lokesh Bevinamarad (lbevinam)
Date: Thu, 2 Dec 2021 14:08:26 +0000 (+0000)
Subject: Pull request #3159: dce_smb: Added new smb counters
X-Git-Tag: 3.1.19.0~20
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=5afa565851b0e8ec0e1bd2f06b2e0de9ab7aa952;p=thirdparty%2Fsnort3.git

Pull request #3159: dce_smb: Added new smb counters
Merge in SNORT/snort3 from ~BSACHDEV/snort3:telemetry_stats to master
Squashed commit of the following:
commit c6103f3edb46ae51386a067aaf3261ebc826bead
Author: bsachdev
Date: Fri Aug 27 11:16:42 2021 -0400
dce_smb: Added new smb counters
Signed-off-by: bsachdev
---
diff --git a/src/service_inspectors/dce_rpc/dce_smb1.cc b/src/service_inspectors/dce_rpc/dce_smb1.cc
index 623405f95..dbc45bcef 100644
--- a/src/service_inspectors/dce_rpc/dce_smb1.cc
+++ b/src/service_inspectors/dce_rpc/dce_smb1.cc
@@ -314,6 +314,7 @@ Dce2Smb1SessionData::Dce2Smb1SessionData(const Packet* p,
 ssd.sd = sd;
 ssd.policy = policy;
 SMB_DEBUG(dce_smb_trace, DEFAULT_TRACE_OPTION_ID, TRACE_DEBUG_LEVEL, p, "smb1 session created\n");
+ dce2_smb_stats.total_smb1_sessions++;
 }
 
 Dce2Smb1SessionData::~Dce2Smb1SessionData()
diff --git a/src/service_inspectors/dce_rpc/dce_smb2.cc b/src/service_inspectors/dce_rpc/dce_smb2.cc
index 3306bf8db..82a716899 100644
--- a/src/service_inspectors/dce_rpc/dce_smb2.cc
+++ b/src/service_inspectors/dce_rpc/dce_smb2.cc
@@ -106,6 +106,7 @@ Dce2Smb2SessionData::Dce2Smb2SessionData(const Packet* p,
 tcp_file_tracker = nullptr;
 flow_key = get_smb2_flow_key(tcp_flow->key);
 SMB_DEBUG(dce_smb_trace, DEFAULT_TRACE_OPTION_ID, TRACE_DEBUG_LEVEL, p, "smb2 session created\n");
+ dce2_smb_stats.total_smb2_sessions++;
 }
 
 Dce2Smb2SessionData::~Dce2Smb2SessionData()
@@ -275,6 +276,8 @@ void Dce2Smb2SessionData::process_command(const Smb2Hdr* smb_hdr,
 const Smb2NegotiateResponseHdr* neg_resp_hdr = (const Smb2NegotiateResponseHdr*)smb_data;
 if (neg_resp_hdr->capabilities & SMB2_GLOBAL_CAP_MULTI_CHANNEL)
 {
+ //total multichannel sessions
+ dce2_smb_stats.total_mc_sessions++;
 Packet* p = DetectionEngine::get_current_packet();
 Dce2SmbFlowData* fd = create_expected_smb_flow_data(p);
 if (fd)
@@ -512,6 +515,21 @@ void Dce2Smb2SessionData::process()
 return;
 }
 const Smb2Hdr* smb_hdr = (const Smb2Hdr*)(data_ptr + sizeof(NbssHdr));
+ const Smb2TransformHdr* smb_trans_hdr = (const Smb2TransformHdr*)(data_ptr + sizeof(NbssHdr));
+ uint32_t smb_proto_id = SmbTransformId(smb_trans_hdr);
+ uint64_t sid = smb_trans_hdr->session_id;
+ if (smb_proto_id == DCE2_SMB2_TRANS_ID)
+ {
+ SMB_DEBUG(dce_smb_trace, DEFAULT_TRACE_OPTION_ID, TRACE_DEBUG_LEVEL,
+ p, "Encrypted header is received \n");
+ Dce2Smb2SessionTrackerPtr session = find_session(sid);
+ if (session)
+ {
+ bool flag = session->get_encryption_flag();
+ if (!flag)
+ session->set_encryption_flag(true);
+ }
+ }
 uint32_t next_command_offset;
 uint8_t compound_request_index = 0;
 // SMB protocol allows multiple smb commands to be grouped in a single packet.
diff --git a/src/service_inspectors/dce_rpc/dce_smb2_session.h b/src/service_inspectors/dce_rpc/dce_smb2_session.h
index bf6a21d62..23e4dd965 100644
--- a/src/service_inspectors/dce_rpc/dce_smb2_session.h
+++ b/src/service_inspectors/dce_rpc/dce_smb2_session.h
@@ -38,7 +38,8 @@ public:
 reload_prune = false;
 do_not_delete = false;
 command_prev = SMB2_COM_MAX;
- SMB_DEBUG(dce_smb_trace, DEFAULT_TRACE_OPTION_ID, TRACE_DEBUG_LEVEL, GET_CURRENT_PACKET,
+ encryption_flag = false;
+ SMB_DEBUG(dce_smb_trace, DEFAULT_TRACE_OPTION_ID, TRACE_DEBUG_LEVEL, GET_CURRENT_PACKET,
 "session tracker %" PRIu64 "created\n", session_id);
 }
 
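Review bot: `//total multichannel sessions` restates the line under it and lacks the space after `//` used elsewhere in the file; what a reader needs is what the peg measures. The increment fires on every negotiate response that advertises `SMB2_GLOBAL_CAP_MULTI_CHANNEL`, so a session that negotiates more than once is counted again (inferred; the rest of process_command lies outside the hunk). Suggest `// counts negotiate responses advertising multi-channel, not distinct sessions` in place of the current comment.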
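Review bot: `smb_trans_hdr->session_id` (bytes 44–51 of the would-be header) is read from the packet on every call, before the protocol id is compared, and nothing in the hunk shows that the length guard ending in the `return;` above it (outside the hunk) already covers `sizeof(Smb2TransformHdr)`; read the id only inside the `if (smb_proto_id == DCE2_SMB2_TRANS_ID)` branch and state the size requirement next to that guard. After the flag is set, control falls through to the compound-command loop below, so unless a later id check rejects the transform magic the encrypted payload is parsed as plaintext SMB2 commands; a comment saying where encrypted PDUs stop being parsed, or a `return;` here if nothing downstream needs them, would settle that. The `get_encryption_flag()`/`set_encryption_flag(true)` pair is a non-atomic check-then-act on a flag declared `std::atomic` in dce_smb2_session.h; counting the false→true transition inside the setter would make the caller a single call. The same address is also cast twice, so derive `smb_trans_hdr` from `smb_hdr` once, as below.
```cpp
const Smb2Hdr* smb_hdr = (const Smb2Hdr*)(data_ptr + sizeof(NbssHdr));
// An encrypted PDU carries an SMB2 TRANSFORM_HEADER (0xfdSMB) where the SMB2 header would be;
// only the session id is readable, so just record the session's encryption state.
// NOTE(review): the length guard above this hunk must already cover sizeof(Smb2TransformHdr) — confirm.
const Smb2TransformHdr* smb_trans_hdr = (const Smb2TransformHdr*)smb_hdr;
if (SmbTransformId(smb_trans_hdr) == DCE2_SMB2_TRANS_ID)
{
    SMB_DEBUG(dce_smb_trace, DEFAULT_TRACE_OPTION_ID, TRACE_DEBUG_LEVEL,
        p, "Encrypted header is received \n");
    Dce2Smb2SessionTrackerPtr session = find_session(smb_trans_hdr->session_id);
    if (session && !session->get_encryption_flag())
        session->set_encryption_flag(true);
}
// … unchanged: compound command loop …
```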
@@ -78,7 +79,13 @@ public:
 bool get_do_not_delete() { return do_not_delete; }
 void set_prev_comand(uint16_t cmd) { command_prev = cmd; }
 uint16_t get_prev_command() { return command_prev; }
-
+ void set_encryption_flag(bool flag)
+ {
+ encryption_flag = flag;
+ if (flag)
+ dce2_smb_stats.total_encrypted_sessions++;
+ }
+ bool get_encryption_flag() { return encryption_flag; }
 private:
 // do_not_delete is to make sure when we are in processing we should not delete the context
 // which is being processed
@@ -91,6 +98,7 @@ private:
 Dce2Smb2SessionDataMap attached_flows;
 Dce2Smb2TreeTrackerMap connected_trees;
 std::atomic reload_prune;
+ std::atomic encryption_flag;
 std::mutex connected_trees_mutex;
 std::mutex attached_flows_mutex;
 // fcfs_mutex is to make sure the mutex is taken at first come first basis if code
diff --git a/src/service_inspectors/dce_rpc/dce_smb_common.h b/src/service_inspectors/dce_rpc/dce_smb_common.h
index 905c9df78..8a4b33b33 100644
--- a/src/service_inspectors/dce_rpc/dce_smb_common.h
+++ b/src/service_inspectors/dce_rpc/dce_smb_common.h
@@ -201,6 +201,10 @@ struct dce2SmbStats
 PegCount v2_ioctl_resp_hdr_err;
 PegCount concurrent_sessions;
 PegCount max_concurrent_sessions;
+ PegCount total_smb1_sessions;
+ PegCount total_smb2_sessions;
+ PegCount total_encrypted_sessions;
+ PegCount total_mc_sessions;
 };
 
 enum DCE2_SmbVersion
diff --git a/src/service_inspectors/dce_rpc/dce_smb_module.cc b/src/service_inspectors/dce_rpc/dce_smb_module.cc
index 33cc952ba..1593b064f 100644
--- a/src/service_inspectors/dce_rpc/dce_smb_module.cc
+++ b/src/service_inspectors/dce_rpc/dce_smb_module.cc
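Review bot: `set_encryption_flag` bumps `total_encrypted_sessions` on every `true` call, so once-per-session counting depends on each caller first calling `get_encryption_flag()`, and that read-then-write is not atomic even though `encryption_flag` is declared `std::atomic` (its template argument appears lost in rendering; assuming `std::atomic<bool>`). Count the false→true transition inside the setter instead: `bool was_set = encryption_flag.exchange(flag);` / `if (flag && !was_set)` / `dce2_smb_stats.total_encrypted_sessions++;`. Whether `dce2_smb_stats` may be updated from more than one thread is not visible in this hunk. A one-line comment on the member added in the hunk at line 91 would also help: `// set once an SMB2 transform (encrypted) header is seen for this session`.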
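Review bot: The four new `PegCount` members line up with the `dce2_smb_pegs[]` rows added in dce_smb_module.cc (hunk at line 190) only by position, and neither hunk documents that coupling. Add `// order must match dce2_smb_pegs[] in dce_smb_module.cc` above the new members, and if the module already has a size check between the table and this struct it should be confirmed to cover these; otherwise one is worth adding.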
@@ -190,6 +190,10 @@ static const PegInfo dce2_smb_pegs[] =
 "total number of ioctl response header errors" },
 { CountType::NOW, "concurrent_sessions", "total concurrent sessions" },
 { CountType::MAX, "max_concurrent_sessions", "maximum concurrent sessions" },
+ { CountType::SUM, "total_smb1_sessions", "total smb1 sessions" },
+ { CountType::SUM, "total_smb2_sessions", "total smb2 sessions" },
+ { CountType::SUM, "total_encrypted_sessions", "total encrypted sessions" },
+ { CountType::SUM, "total_mc_sessions", "total multichannel sessions" },
 { CountType::END, nullptr, nullptr }
 };
 
diff --git a/src/service_inspectors/dce_rpc/smb_common.h b/src/service_inspectors/dce_rpc/smb_common.h
index d308793e0..81b9cf370 100644
--- a/src/service_inspectors/dce_rpc/smb_common.h
+++ b/src/service_inspectors/dce_rpc/smb_common.h
@@ -72,6 +72,7 @@
 
 #define DCE2_SMB_ID 0xff534d42 /* \xffSMB */
 #define DCE2_SMB2_ID 0xfe534d42 /* \xfeSMB */
+#define DCE2_SMB2_TRANS_ID 0xfd534d42
 #define DCE2_SMB_ID_SIZE 4
 
 // MS-FSCC Section 2.1.5 - Pathname
@@ -375,6 +376,17 @@ struct SmbAndXCommon
 uint16_t smb_off2; /* offset (from SMB hdr start) to next cmd (@smb_wct) */
 };
 
+struct Smb2TransformHdr
+{
+ uint8_t protocolid[4];
+ uint8_t signature[16];
+ uint8_t nonce[16];
+ uint32_t orig_msg_size;
+ uint16_t reserved;
+ uint16_t flags;
+ uint64_t session_id;
+};
+
 //NbssLen should be used by SMB1
 inline uint32_t NbssLen(const NbssHdr* nb)
 {
@@ -397,6 +409,12 @@ inline uint8_t NbssType(const NbssHdr* nb)
 return nb->type;
 }
 
+inline uint32_t SmbTransformId(const Smb2TransformHdr* hdr)
+{
+ const uint8_t* id = (const uint8_t*)hdr->protocolid;
+ return *id << 24 | *(id + 1) << 16 | *(id + 2) << 8 | *(id + 3);
+}
+
 inline uint32_t SmbId(const SmbNtHdr* hdr)
 {
 const uint8_t* idf = (const uint8_t*)hdr->smb_idf;
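Review bot: `DCE2_SMB2_TRANS_ID` is the only one of the three protocol-id constants without the byte-string comment that tells a reader where the value comes from. Write it as `#define DCE2_SMB2_TRANS_ID 0xfd534d42 /* \xfdSMB, SMB2 transform header */` to match its siblings.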
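Review bot: `Smb2TransformHdr` puts the 8-byte `session_id` at wire offset 44, which is not 8-aligned, so unless this struct falls inside a packing pragma (not visible in the hunk) the compiler pads it to offset 48 and `smb_trans_hdr->session_id` in dce_smb2.cc reads four bytes past the real field. Confirm the packing and pin it with `static_assert(sizeof(Smb2TransformHdr) == 52, "Smb2TransformHdr must match the wire layout");`. Name the layout above the struct as well: `// MS-SMB2 2.2.41 SMB2 TRANSFORM_HEADER (52 bytes on the wire, session_id at offset 44)`.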
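Review bot: `*id << 24` in `SmbTransformId` shifts an `int`-promoted byte into the sign bit whenever the first byte is at or above 0x80 (0xfd here), which before C++20 relies on an implementation-defined conversion; widen each byte before shifting: `return (uint32_t)id[0] << 24 | (uint32_t)id[1] << 16 | (uint32_t)id[2] << 8 | id[3];`. The `(const uint8_t*)` cast is a no-op because `protocolid` is already a `uint8_t[4]`, and the body duplicates `SmbId` just below it, so a shared big-endian 4-byte read used by both would remove the copy. A short comment would state the contract: `// Big-endian read of the 4-byte protocol id; compare against DCE2_SMB2_TRANS_ID`.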