From: Victor Julien
Date: Sat, 10 Jun 2017 20:31:40 +0000 (+0200)
Subject: nfs3: probing parsers in both directions
X-Git-Tag: suricata-4.0.0-rc1~53
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=d9f87cec3d3dce6a3471ab69c7a441de962aa70f;p=thirdparty%2Fsuricata.git
nfs3: probing parsers in both directions
---
diff --git a/rust/src/nfs/nfs3.rs b/rust/src/nfs/nfs3.rs
index 4eddbbeadd..0eb0249db4 100644
--- a/rust/src/nfs/nfs3.rs
+++ b/rust/src/nfs/nfs3.rs
@@ -1645,31 +1645,25 @@ pub fn nfs3_probe(i: &[u8], direction: u8) -> i8 {
 /// TOSERVER probe function
 #[no_mangle]
-pub extern "C" fn rs_nfs_probe(input: *const libc::uint8_t, len: libc::uint32_t)
+pub extern "C" fn rs_nfs_probe_ts(input: *const libc::uint8_t, len: libc::uint32_t)
 -> libc::int8_t
 {
 let slice: &[u8] = unsafe {
 std::slice::from_raw_parts(input as *mut u8, len as usize)
 };
 return nfs3_probe(slice, STREAM_TOSERVER);
-/*
- match parse_rpc(slice) {
- IResult::Done(_, ref rpc_hdr) => {
- if rpc_hdr.progver == 3 && rpc_hdr.program == 100003 {
- return 1;
- } else {
- return -1;
- }
- },
- IResult::Incomplete(_) => {
- return 0;
- },
- IResult::Error(_) => {
- return -1;
- },
- }
-*/
 }
+/// TOCLIENT probe function
+#[no_mangle]
+pub extern "C" fn rs_nfs_probe_tc(input: *const libc::uint8_t, len: libc::uint32_t)
+ -> libc::int8_t
+{
+ let slice: &[u8] = unsafe {
+ std::slice::from_raw_parts(input as *mut u8, len as usize)
+ };
+ return nfs3_probe(slice, STREAM_TOCLIENT);
+}
+
 #[no_mangle]
 pub extern "C" fn rs_nfs3_getfiles(direction: u8, ptr: *mut NFS3State) -> * mut FileContainer {
diff --git a/src/app-layer-nfs3.c b/src/app-layer-nfs3.c
index 7ebb52e112..060e85efa7 100644
--- a/src/app-layer-nfs3.c
+++ b/src/app-layer-nfs3.c
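Review bot: In rust/src/nfs/nfs3.rs, the new `rs_nfs_probe_tc` (like `rs_nfs_probe_ts` above it) passes `input` and `len` to `std::slice::from_raw_parts` with no NULL check, and that call is undefined behaviour for a null pointer even when `len` is 0. The only length guard visible in this commit sits in the C wrappers, so the Rust entry points depend entirely on their caller; a guard such as `if input.is_null() { return -1; }` ahead of the `unsafe` block, with a `// SAFETY:` comment stating the caller contract, would make the FFI boundary self-contained. The cast `input as *mut u8` can be `input as *const u8`, since the slice is only read. Whether -1 or 0 is the better return for a null buffer depends on how the detection engine treats each value, so that choice is worth confirming.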
@@ -140,14 +140,32 @@ static int NFS3HasEvents(void *state)
 * \retval ALPROTO_NFS3 if it looks like echo, otherwise
 * ALPROTO_UNKNOWN.
 */
-static AppProto NFS3ProbingParser(uint8_t *input, uint32_t input_len,
+static AppProto NFS3ProbingParserTS(uint8_t *input, uint32_t input_len,
 uint32_t *offset)
 {
 if (input_len < NFS3_MIN_FRAME_LEN) {
 return ALPROTO_UNKNOWN;
 }
- int8_t r = rs_nfs_probe(input, input_len);
+ int8_t r = rs_nfs_probe_ts(input, input_len);
+ if (r == 1) {
+ return ALPROTO_NFS3;
+ } else if (r == -1) {
+ return ALPROTO_FAILED;
+ }
+
+ SCLogDebug("Protocol not detected as ALPROTO_NFS3.");
+ return ALPROTO_UNKNOWN;
+}
+
+static AppProto NFS3ProbingParserTC(uint8_t *input, uint32_t input_len,
+ uint32_t *offset)
+{
+ if (input_len < NFS3_MIN_FRAME_LEN) {
+ return ALPROTO_UNKNOWN;
+ }
+
+ int8_t r = rs_nfs_probe_tc(input, input_len);
 if (r == 1) {
 return ALPROTO_NFS3;
 } else if (r == -1) {
@@ -269,21 +287,21 @@ void RegisterNFS3Parsers(void)
 SCLogDebug("Unittest mode, registering default configuration.");
 AppLayerProtoDetectPPRegister(IPPROTO_TCP, NFS3_DEFAULT_PORT,
 ALPROTO_NFS3, 0, NFS3_MIN_FRAME_LEN, STREAM_TOSERVER,
- NFS3ProbingParser, NULL);
+ NFS3ProbingParserTS, NFS3ProbingParserTC);
 }
 else {
 if (!AppLayerProtoDetectPPParseConfPorts("tcp", IPPROTO_TCP,
 proto_name, ALPROTO_NFS3, 0, NFS3_MIN_FRAME_LEN,
- NFS3ProbingParser, NULL)) {
+ NFS3ProbingParserTS, NFS3ProbingParserTC)) {
 SCLogDebug("No NFS3 app-layer configuration, enabling NFS3"
 " detection TCP detection on port %s.",
 NFS3_DEFAULT_PORT);
 AppLayerProtoDetectPPRegister(IPPROTO_TCP,
 NFS3_DEFAULT_PORT, ALPROTO_NFS3, 0,
 NFS3_MIN_FRAME_LEN, STREAM_TOSERVER,
- NFS3ProbingParser, NULL);
+ NFS3ProbingParserTS, NFS3ProbingParserTC);
 }
 }
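Review bot: `NFS3ProbingParserTC` is added with no doc comment, while the block comment kept above `NFS3ProbingParserTS` still says "if it looks like echo" and lists only ALPROTO_NFS3 and ALPROTO_UNKNOWN, although the new side also returns `ALPROTO_FAILED` when the Rust probe yields -1. I would update that comment to name NFS3 and document all three return values, and give the TC function a matching header such as `/** \brief Probe to-client data for NFS3; return values as for NFS3ProbingParserTS. */`. The two bodies differ only in which `rs_nfs_probe_*` function they call, so a shared static helper that maps the probe result to an `AppProto` would keep them from drifting apart. The tail of `NFS3ProbingParserTC` lies outside this hunk.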
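Review bot: The two `AppLayerProtoDetectPPRegister` calls now supply a to-client parser but still pass `STREAM_TOSERVER`, which reads as if probing were limited to one direction. If that argument only states which side of the flow `NFS3_DEFAULT_PORT` belongs to (the registration API is not shown on this page, so this is an assumption), a short comment such as `/* STREAM_TOSERVER: the port is the server port; both directions are probed */` on those calls would head off a later change that silently disables to-client detection. `RegisterNFS3Parsers` starts and ends outside this hunk.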