From: Philippe Antoine Date: Mon, 23 Aug 2021 15:31:51 +0000 (+0200) Subject: smb: midstream probing checks for netbios message type X-Git-Tag: suricata-5.0.8~2 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=eb2665960c6c88ddf323d70e685126e9a356fa40;p=thirdparty%2Fsuricata.git smb: midstream probing checks for netbios message type If it is available Bug: #4620. (cherry picked from commit f37240a3e2758756f345a237b6d348ab38fb758b)
---
diff --git a/rust/src/smb/smb2_records.rs b/rust/src/smb/smb2_records.rs
index e8f2fdd155..5a6bfd95d3 100644
--- a/rust/src/smb/smb2_records.rs
+++ b/rust/src/smb/smb2_records.rs
@@ -18,6 +18,7 @@
 use nom;
 use nom::{rest, le_u8, le_u16, le_u32, le_u64, IResult};
 use crate::smb::smb::*;
+use crate::smb::nbss_records::NBSS_MSGTYPE_SESSION_MESSAGE;
 
 #[derive(Debug,PartialEq)]
 pub struct Smb2SecBlobRecord<'a> {
@@ -537,15 +538,34 @@ named!(pub parse_smb2_response_record,
     })
 ));
 
+fn smb_basic_search(d: &[u8]) -> usize {
+    let needle = b"SMB";
+    let mut r = 0 as usize;
+    // this could be replaced by aho-corasick
+    let iter = d.windows(needle.len());
+    for window in iter {
+        if window == needle {
+            return r;
+        }
+        r = r + 1;
+    }
+    return 0;
+}
+
 pub fn search_smb_record<'a>(i: &'a [u8]) -> nom::IResult<&'a [u8], &'a [u8]> {
     let mut d = i;
     while d.len() >= 4 {
-        if &d[1..4] == b"SMB" &&
-            (d[0] == 0xfe || d[0] == 0xff || d[0] == 0xfd)
-        {
-            return Ok((&d[4..], d));
+        let index = smb_basic_search(d);
+        if index == 0 {
+            return Err(nom::Err::Incomplete(nom::Needed::Size(4)));
+        }
+        if d[index - 1] == 0xfe || d[index - 1] == 0xff || d[index - 1] == 0xfd {
+            // if we have enough data, check nbss
+            if index < 5 || d[index-5] == NBSS_MSGTYPE_SESSION_MESSAGE {
+                return Ok((&d[index + 3..], &d[index - 1..]));
+            }
         }
-        d = &d[1..];
+        d = &d[index + 3..];
     }
     Err(nom::Err::Incomplete(nom::Needed::Size(4 as usize - d.len())))
 }
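Review bot: smb_basic_search returns 0 both when "SMB" is absent and when it sits at offset 0, and search_smb_record treats both as "give up" (`if index == 0 { return Err(nom::Err::Incomplete(nom::Needed::Size(4))); }`), so once the loop has advanced past a rejected candidate with `d = &d[index + 3..]` and the remaining bytes happen to start with "SMB", the scan stops with Incomplete instead of skipping those three bytes and continuing, and a valid header later in the same segment is never examined. Returning `Option<usize>` from the helper (a one-line `windows(3).position(..)`) lets the caller tell the two cases apart and keep scanning; it also removes the `0 as usize`, `r = r + 1` and trailing `return` forms clippy would flag. A doc comment on search_smb_record saying that the NBSS message-type byte is only verified when at least four bytes precede the magic byte, and that `index < 5` accepts the match otherwise, would make the midstream leniency explicit for the next reader.
```rust
/// Offset of the first "SMB" marker in `d`, or None if there is none.
fn smb_basic_search(d: &[u8]) -> Option<usize> {
    d.windows(3).position(|w| w == b"SMB")
}

// … unchanged: search_smb_record signature and `let mut d = i;` …
    while d.len() >= 4 {
        let index = match smb_basic_search(d) {
            Some(index) if index >= 1 => index,
            // a marker at offset 0 has no room for the magic byte before it: skip it
            Some(_) => {
                d = &d[3..];
                continue;
            }
            None => return Err(nom::Err::Incomplete(nom::Needed::Size(4))),
        };
        // … unchanged: magic-byte and NBSS checks, `d = &d[index + 3..]` …
```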