From: Victor Julien Date: Tue, 20 Mar 2018 08:36:47 +0000 (+0100) Subject: nfs4: parse GSSAPI init X-Git-Tag: suricata-4.1.0-rc1~130 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=c7cb01b636983139d674e01d85c9a6fa1afed922;p=thirdparty%2Fsuricata.git nfs4: parse GSSAPI init --- diff --git a/rust/src/nfs/nfs4.rs b/rust/src/nfs/nfs4.rs index 480fd36453..521ed34d38 100644 --- a/rust/src/nfs/nfs4.rs +++ b/rust/src/nfs/nfs4.rs @@ -19,7 +19,7 @@ extern crate libc; -use nom::IResult; +use nom::{IResult, be_u32}; use core::*; use log::*; @@ -30,6 +30,15 @@ use nfs::rpc_records::*; use nfs::nfs_records::*; use nfs::nfs4_records::*; +use kerberos; + +named!(parse_req_gssapi, + do_parse!( + len: be_u32 + >> ap: flat_map!(take!(len), call!(kerberos::parse_kerberos5_request)) + >> ( ap ) +)); + impl NFSState { /* normal write: PUTFH (file handle), WRITE (write opts/data). File handle * is not part of the write record itself so we pass it in here. */ @@ -154,7 +163,14 @@ impl NFSState { let mut xidmap = NFSRequestXidMap::new(r.progver, r.procedure, 0); - if r.procedure == NFSPROC4_COMPOUND { + if r.procedure == NFSPROC4_NULL { + if let RpcRequestCreds::GssApi(ref creds) = r.creds { + if creds.procedure == 1 { + let _x = parse_req_gssapi(r.prog_data); + SCLogDebug!("RPCSEC_GSS_INIT {:?}", _x); + } + } + } else if r.procedure == NFSPROC4_COMPOUND { match parse_nfs4_request_compound(r.prog_data) { IResult::Done(_, rd) => { SCLogDebug!("NFSPROC4_COMPOUND: {:?}", rd);
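Review bot: `parse_req_gssapi` has no comment saying that `len` is read straight from the RPC payload and is therefore untrusted. As far as the hunk shows, `take!(len)` is the only thing confining `kerberos::parse_kerberos5_request` to the declared token, so that is worth stating before a later edit swaps it for an unchecked slice. Suggested comment above the macro: `// RPCSEC_GSS init token: u32 length + that many bytes; len is wire-controlled, take! confines the Kerberos parser to it`. The `named!` line as rendered here carries no output type, so confirm the declared type matches what `parse_kerberos5_request` returns.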
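Review bot: In the new `NFSPROC4_NULL` branch the result of `parse_req_gssapi(r.prog_data)` is bound to `_x` and only handed to `SCLogDebug!`, so a malformed or truncated GSSAPI init token is parsed and then dropped without any record. If debug logging is compiled out in release builds (not visible here), the branch runs the Kerberos parser on untrusted bytes with no detection benefit. Consider matching on the result and handling the non-`Done` cases explicitly, for example by raising a decoder event. The literal in `if creds.procedure == 1 {` would read better as a named constant, e.g. `if creds.procedure == RPCSEC_GSS_INIT {`; that name is a suggestion, as no such constant appears on this page. The enclosing function starts and ends outside the hunk.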