From: Victor Julien
Date: Mon, 12 Mar 2018 20:04:54 +0000 (+0100)
Subject: smb2: add ioctl transactions to log the funcs
X-Git-Tag: suricata-4.1.0-beta1~69
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=5c260207147de4aa4cea27ab8552fdec635fd307;p=thirdparty%2Fsuricata.git

smb2: add ioctl transactions to log the funcs
---
diff --git a/rust/src/smb/log.rs b/rust/src/smb/log.rs
index 99dcf30a1b..330550e1ed 100644
--- a/rust/src/smb/log.rs
+++ b/rust/src/smb/log.rs
@@ -24,6 +24,7 @@ use smb::smb::*;
 use smb::smb1::*;
 use smb::smb2::*;
 use smb::dcerpc::*;
+use smb::funcs::*;
 use nom;
 #[cfg(not(feature = "debug"))]
@@ -356,6 +357,9 @@ fn smb_common_header(state: &SMBState, tx: &SMBTransaction) -> Json
             jsd.set_integer("call_id", x.call_id as u64);
             js.set("dcerpc", jsd);
         }
+        Some(SMBTransactionTypeData::IOCTL(ref x)) => {
+            js.set_string("function", &fsctl_func_to_string(x.func));
+        },
         _ => { },
     }
     return js;
diff --git a/rust/src/smb/smb.rs b/rust/src/smb/smb.rs
index 929a4c4ce8..8540926c44 100644
--- a/rust/src/smb/smb.rs
+++ b/rust/src/smb/smb.rs
@@ -338,6 +338,7 @@ pub enum SMBTransactionTypeData {
     DCERPC(SMBTransactionDCERPC),
     CREATE(SMBTransactionCreate),
     SESSIONSETUP(SMBTransactionSessionSetup),
+    IOCTL(SMBTransactionIoctl),
 }
 #[derive(Debug)]
diff --git a/rust/src/smb/smb2.rs b/rust/src/smb/smb2.rs
index 3a582b2204..951ff722bc 100644
--- a/rust/src/smb/smb2.rs
+++ b/rust/src/smb/smb2.rs
@@ -26,6 +26,8 @@ use smb::dcerpc::*;
 use smb::events::*;
 use smb::files::*;
+use smb::funcs::*;
+
 pub const SMB2_COMMAND_NEGOTIATE_PROTOCOL: u16 = 0;
 pub const SMB2_COMMAND_SESSION_SETUP: u16 = 1;
 pub const SMB2_COMMAND_SESSION_LOGOFF: u16 = 2;
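Review bot: The new IOCTL arm in smb_common_header records only the name produced by fsctl_func_to_string(x.func), so the raw FSCTL code is not recoverable from the event whenever that helper has no name for it; what it returns for unknown codes lives in smb::funcs, outside this diff. If it does not already fall back to a hex rendering, logging the numeric value next to the name keeps rare or vendor-specific control codes searchable downstream: `js.set_integer("function_code", x.func as u64);` beside the set_string call (key name is a proposal). smb_common_header starts and ends outside the hunk.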
@@ -273,9 +275,6 @@ pub fn smb2_request_record<'b>(state: &mut SMBState, r: &Smb2Record<'b>)
     let have_tx = match r.command {
         SMB2_COMMAND_IOCTL => {
-            // some IOCTL responses don't set the tree id
-            key_tree_id = 0;
-
             let have_ioctl_tx = match parse_smb2_request_ioctl(r.data) {
                 IResult::Done(_, rd) => {
                     SCLogDebug!("IOCTL request data: {:?}", rd);
@@ -283,13 +282,20 @@ pub fn smb2_request_record<'b>(state: &mut SMBState, r: &Smb2Record<'b>)
                 (_, x) => x,
             };
             if is_dcerpc {
+                // some IOCTL responses don't set the tree id
+                key_tree_id = 0;
+
                 SCLogDebug!("IOCTL request data is_pipe. Calling smb_write_dcerpc_record");
                 let hdr = SMBCommonHdr::new(SMBHDR_TYPE_HEADER,
                         key_session_id, key_tree_id, key_message_id);
                 let vercmd = SMBVerCmdStat::new2(SMB2_COMMAND_IOCTL);
                 smb_write_dcerpc_record(state, vercmd, hdr, rd.data)
             } else {
-                false
+                SCLogDebug!("IOCTL {:08x} {}", rd.function, &fsctl_func_to_string(rd.function));
+                let hdr = SMBCommonHdr::from2(r, SMBHDR_TYPE_GENERICTX);
+                let tx = state.new_ioctl_tx(hdr, rd.function);
+                tx.vercmd.set_smb2_cmd(SMB2_COMMAND_IOCTL);
+                true
             }
         },
         _ => { false },
@@ -475,9 +481,6 @@ pub fn smb2_response_record<'b>(state: &mut SMBState, r: &Smb2Record<'b>)
     let have_tx = match r.command {
         SMB2_COMMAND_IOCTL => {
-            // some IOCTL responses don't set the tree id
-            key_tree_id = 0;
-
             let have_ioctl_tx = match parse_smb2_response_ioctl(r.data) {
                 IResult::Done(_, rd) => {
                     SCLogDebug!("IOCTL response data: {:?}", rd);
@@ -486,6 +489,9 @@ pub fn smb2_response_record<'b>(state: &mut SMBState, r: &Smb2Record<'b>)
                 (_, x) => x,
             };
             if is_dcerpc {
+                // some IOCTL responses don't set the tree id
+                key_tree_id = 0;
+
                 SCLogDebug!("IOCTL response data is_pipe. Calling smb_read_dcerpc_record");
                 let hdr = SMBCommonHdr::new(SMBHDR_TYPE_HEADER,
                         key_session_id, key_tree_id, key_message_id);
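Review bot: The non-DCERPC branch of the @@ -283 hunk now creates a transaction for every IOCTL request via state.new_ioctl_tx, which (per the @@ -756 hunk) sets request_done but leaves response_done false unless tc_trunc is set, yet neither response hunk here (@@ -475, @@ -486) adds a lookup that completes that transaction when the IOCTL response arrives, and the non-dcerpc else branch of smb2_response_record is not shown. Unless the generic SMBHDR_TYPE_GENERICTX matching elsewhere in smb2_response_record already covers this, these transactions only finish on truncation, so a peer can grow the per-flow transaction list with cheap IOCTL requests that never get logged as complete. Confirm the response side finds the tx with `SMBCommonHdr::from2(r, SMBHDR_TYPE_GENERICTX)` and sets `tx.response_done = true;` in the non-dcerpc path, and that whatever bound the state applies to outstanding transactions also covers this new path. The enclosing smb2_request_record starts and ends outside the hunk.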
@@ -756,3 +762,35 @@ pub fn smb2_response_record<'b>(state: &mut SMBState, r: &Smb2Record<'b>)
     };
     }
 }
+
+#[derive(Debug)]
+pub struct SMBTransactionIoctl {
+    pub func: u32,
+}
+
+impl SMBTransactionIoctl {
+    pub fn new(func: u32) -> SMBTransactionIoctl {
+        return SMBTransactionIoctl {
+            func: func,
+        }
+    }
+}
+
+impl SMBState {
+    pub fn new_ioctl_tx(&mut self, hdr: SMBCommonHdr, func: u32)
+        -> (&mut SMBTransaction)
+    {
+        let mut tx = self.new_tx();
+        tx.hdr = hdr;
+        tx.type_data = Some(SMBTransactionTypeData::IOCTL(
+                SMBTransactionIoctl::new(func)));
+        tx.request_done = true;
+        tx.response_done = self.tc_trunc; // no response expected if tc is truncated
+        SCLogDebug!("SMB: TX IOCTL created: ID {} FUNC {:08x}: {}",
+                tx.id, func, &fsctl_func_to_string(func));
+        self.transactions.push(tx);
+        let tx_ref = self.transactions.last_mut();
+        return tx_ref.unwrap();
+    }
+}
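Review bot: SMBTransactionIoctl and new_ioctl_tx ship without doc comments, and the closing pair `let tx_ref = self.transactions.last_mut(); return tx_ref.unwrap();` hides the invariant it relies on; `self.transactions.last_mut().expect("transaction was just pushed")` states it and drops the extra binding. Smaller style points in the same hunk: `func: func` can use field-init shorthand, and the parentheses in `-> (&mut SMBTransaction)` are redundant. A `///` on new_ioctl_tx should say it registers a transaction for an IOCTL request keyed by `hdr`, marks the request side done, and marks the response side done only when the to-client direction is already truncated (`self.tc_trunc`), so readers know the tx otherwise waits for a response. The `func` field deserves a `///` noting it holds the raw FSCTL code taken from the request and is rendered through fsctl_func_to_string for logging.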