From: Victor Julien Date: Thu, 15 Mar 2018 13:17:19 +0000 (+0100) Subject: smb1: add parsing for RENAME command X-Git-Tag: suricata-4.1.0-beta1~42 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=8eeda113c8551b510b6e80453a476fd96654cd40;p=thirdparty%2Fsuricata.git smb1: add parsing for RENAME command --- diff --git a/rust/src/smb/log.rs b/rust/src/smb/log.rs index e3d9aa0cee..fe3f901826 100644 --- a/rust/src/smb/log.rs +++ b/rust/src/smb/log.rs @@ -330,14 +330,19 @@ fn smb_common_header(state: &SMBState, tx: &SMBTransaction) -> Json js.set_string("fuid", &gs); }, Some(SMBTransactionTypeData::RENAME(ref x)) => { + if tx.vercmd.get_version() == 2 { + let jsd = Json::object(); + jsd.set_string("class", "FILE_INFO"); + jsd.set_string("info_level", "SMB2_FILE_RENAME_INFO"); + js.set("set_info", jsd); + } + let jsd = Json::object(); - jsd.set_string("class", "FILE_INFO"); - jsd.set_string("info_level", "SMB2_FILE_RENAME_INFO"); let file_name = String::from_utf8_lossy(&x.oldname); jsd.set_string("from", &file_name); let file_name = String::from_utf8_lossy(&x.newname); jsd.set_string("to", &file_name); - js.set("set_info", jsd); + js.set("rename", jsd); let gs = fuid_to_string(&x.fuid); js.set_string("fuid", &gs); }, diff --git a/rust/src/smb/smb1.rs b/rust/src/smb/smb1.rs index a2044728dd..f39c2e6bad 100644 --- a/rust/src/smb/smb1.rs +++ b/rust/src/smb/smb1.rs 
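Review bot: Moving `from`/`to` out of the `set_info` object into the new top-level `rename` object (`js.set("rename", jsd);`) is an output-schema change for existing SMB2 rename records, and neither the commit message nor a comment records it; anything keyed on the old `set_info.from`/`set_info.to` path will silently stop matching. A comment above the version check would make the new shape explicit, e.g. `// SMB2 renames arrive as SET_INFO(FILE_RENAME_INFO): keep class/info_level under "set_info", but log from/to under "rename" for both SMB1 and SMB2`, and the change deserves a line in the changelog or EVE output documentation. `smb_common_header` begins before this hunk and continues past it.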
@@ -176,6 +176,30 @@ pub fn smb1_request_record<'b>(state: &mut SMBState, r: &SmbRecord<'b>) -> u32 { let mut no_response_expected = false; let have_tx = match r.command { + SMB1_COMMAND_RENAME => { + match parse_smb_rename_request_record(r.data) { + IResult::Done(_, rd) => { + SCLogDebug!("RENAME {:?}", rd); + + let tx_hdr = SMBCommonHdr::from1(r, SMBHDR_TYPE_GENERICTX); + let mut newname = rd.newname; + newname.retain(|&i|i != 0x00); + let mut oldname = rd.oldname; + oldname.retain(|&i|i != 0x00); + + let tx = state.new_rename_tx(Vec::new(), oldname, newname); + tx.hdr = tx_hdr; + tx.request_done = true; + tx.vercmd.set_smb1_cmd(SMB1_COMMAND_RENAME); + true + }, + _ => { + events.push(SMBEvent::MalformedData); + false + }, + } + }, + SMB1_COMMAND_READ_ANDX => { match parse_smb_read_andx_request_record(r.data) { IResult::Done(_, rr) => { diff --git a/rust/src/smb/smb1_records.rs b/rust/src/smb/smb1_records.rs index 6e4def7c3c..ed37ff481c 100644 --- a/rust/src/smb/smb1_records.rs +++ b/rust/src/smb/smb1_records.rs @@ -519,6 +519,27 @@ named!(pub parse_smb_read_andx_response_record, })) ); +#[derive(Debug,PartialEq)] +pub struct SmbRequestRenameRecord { + pub oldname: Vec, + pub newname: Vec, +} + +named!(pub parse_smb_rename_request_record, + do_parse!( + wct: le_u8 + >> search_attr: le_u16 + >> bcc: le_u16 + >> oldtype: le_u8 + >> oldname: smb_get_unicode_string + >> newtype: le_u8 + >> newname: apply!(smb_get_unicode_string_with_offset, 1) // HACK if we assume oldname is a series of utf16 chars offset would be 1 + >> (SmbRequestRenameRecord { + oldname: oldname, + newname: newname, + })) +); + #[derive(Debug,PartialEq)] pub struct SmbRequestCreateAndXRecord<'a> { pub disposition: u32,
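Review bot: Stripping every 0x00 byte from the parsed names (`newname.retain(|&i|i != 0x00);` and the matching `oldname` line) is a lossy stand-in for UTF-16LE decoding: it only works for names whose code units are all below 0x100, distinct names can collapse to the same bytes (U+0041 and U+4100 both leave a single 0x41), and any other non-ASCII name becomes bytes that `String::from_utf8_lossy` in the log.rs hunk then turns into replacement characters. That matters for detection and logging because the name stored on the transaction need not be the name the server acted on. Whether the parser returns raw UTF-16LE code units is inferred from the `// HACK ... offset would be 1` comment in the smb1_records.rs hunk rather than from this hunk; if so, decode with `String::from_utf16_lossy` as below, treating an odd trailing byte as a low byte, since the terminator handling appears to leave the string one byte short. `smb1_request_record` begins before this hunk and its `match` continues past it.
```rust
/// Decode a raw UTF-16LE byte string, as the SMB1 string parsers appear to
/// return it, into UTF-8 bytes. An odd trailing byte is taken as a low byte
/// with a zero high byte, which is what the NUL-stripping approach assumed.
fn smb1_utf16le_to_utf8(raw: &[u8]) -> Vec<u8> {
    let units: Vec<u16> = raw.chunks(2)
        .map(|c| (c[0] as u16) | ((*c.get(1).unwrap_or(&0) as u16) << 8))
        .collect();
    String::from_utf16_lossy(&units).into_bytes()
}

// … unchanged: tx_hdr construction …
let oldname = smb1_utf16le_to_utf8(&rd.oldname);
let newname = smb1_utf16le_to_utf8(&rd.newname);
// … unchanged: new_rename_tx call and tx field setup …
```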
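Review bot: `parse_smb_rename_request_record` binds `wct`, `search_attr`, `bcc`, `oldtype` and `newtype` but validates none of them, so the two names are parsed with no bound other than the end of the record's data. `bcc` is the length of the byte block that holds both names, and for SMB_COM_RENAME both buffer-format bytes are expected to be 0x04 (MS-CIFS), so a record with an inconsistent `bcc` or a different buffer format is accepted as well-formed instead of failing the parse and raising `MalformedData` in the smb1.rs caller. Bounding the string parses to the byte block with nom's `flat_map!`, e.g. `>> names: flat_map!(take!(bcc as usize), tuple!(le_u8, smb_get_unicode_string, le_u8, apply!(smb_get_unicode_string_with_offset, 1)))` and taking `oldname`/`newname` from the tuple, would make truncated or over-long records fail. The `// HACK` comment should also state that both names are parsed as Unicode regardless of the header's Unicode flag, which this parser cannot see, e.g. `// assumes SMB_FLAGS2_UNICODE is set; OEM (non-Unicode) names are not handled`.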