From: Victor Julien Date: Mon, 9 Jul 2018 13:43:02 +0000 (+0200) Subject: smb1: add support for trans2 set_path_info rename X-Git-Tag: suricata-4.1.0-rc1~12 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=eefac0ef95757ff8d148bd141881c5625abfb7c7;p=thirdparty%2Fsuricata.git smb1: add support for trans2 set_path_info rename
---
diff --git a/rust/src/smb/smb1.rs b/rust/src/smb/smb1.rs
index 2ee9b9d2c1..67e88616eb 100644
--- a/rust/src/smb/smb1.rs
+++ b/rust/src/smb/smb1.rs
@@ -215,7 +215,56 @@ pub fn smb1_request_record<'b>(state: &mut SMBState, r: &SmbRecord<'b>) -> u32 {
 IResult::Done(_, rd) => {
 SCLogDebug!("TRANS2 DONE {:?}", rd);
- if rd.subcmd == 8 {
+ if rd.subcmd == 6 {
+ SCLogDebug!("SET_PATH_INFO");
+ match parse_trans2_request_params_set_path_info(rd.setup_blob) {
+ IResult::Done(_, pd) => {
+ SCLogDebug!("TRANS2 SET_PATH_INFO PARAMS DONE {:?}", pd);
+
+ if pd.loi == 1010 {
+ match parse_trans2_request_data_set_path_info_rename(rd.data_blob) {
+ IResult::Done(_, ren) => {
+ SCLogDebug!("TRANS2 SET_PATH_INFO DATA RENAME DONE {:?}", ren);
+ let tx_hdr = SMBCommonHdr::from1(r, SMBHDR_TYPE_GENERICTX);
+ let mut newname = ren.newname.to_vec();
+ newname.retain(|&i|i != 0x00);
+
+ let fid : Vec = Vec::new();
+
+ let tx = state.new_rename_tx(fid, pd.oldname, newname);
+ tx.hdr = tx_hdr;
+ tx.request_done = true;
+ tx.vercmd.set_smb1_cmd(SMB1_COMMAND_TRANS2);
+ true
+ },
+ IResult::Incomplete(n) => {
+ SCLogDebug!("TRANS2 SET_PATH_INFO DATA RENAME INCOMPLETE {:?}", n);
+ events.push(SMBEvent::MalformedData);
+ false
+ },
+ IResult::Error(e) => {
+ SCLogDebug!("TRANS2 SET_PATH_INFO DATA RENAME ERROR {:?}", e);
+ events.push(SMBEvent::MalformedData);
+ false
+ },
+ }
+ } else {
+ false
+ }
+ },
+ IResult::Incomplete(n) => {
+ SCLogDebug!("TRANS2 SET_PATH_INFO PARAMS INCOMPLETE {:?}", n);
+ events.push(SMBEvent::MalformedData);
+ false
+ },
+ IResult::Error(e) => {
+ SCLogDebug!("TRANS2 SET_PATH_INFO PARAMS ERROR {:?}", e);
+ events.push(SMBEvent::MalformedData);
+ false
+ },
+ }
+ } else if rd.subcmd == 8 {
+ SCLogDebug!("SET_FILE_INFO");
 match parse_trans2_request_params_set_file_info(rd.setup_blob) {
 IResult::Done(_, pd) => {
 SCLogDebug!("TRANS2 SET_FILE_INFO PARAMS DONE {:?}", pd);
diff --git a/rust/src/smb/smb1_records.rs b/rust/src/smb/smb1_records.rs
index dff292ebbc..36b367470b 100644
--- a/rust/src/smb/smb1_records.rs
+++ b/rust/src/smb/smb1_records.rs
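Review bot: The new-name conversion in the rename arm, `let mut newname = ren.newname.to_vec(); newname.retain(|&i|i != 0x00);`, drops every 0x00 byte of the UTF-16LE FileName, which is lossy beyond the 8-bit range — the two-character name "A"+U+0100 (bytes `41 00 00 01`) and the single character U+0141 (bytes `41 01`) both collapse to `41 01` — while `pd.oldname` on the parameter side is produced by `smb_get_unicode_string`, so the two names stored in one rename transaction are decoded by different rules, which matters for any rule or log consumer that compares them. If `smb_get_unicode_string` can be applied to `ren.newname` (it is used as a nom parser above, so presumably it accepts a byte slice), decoding the new name with it and mapping a failure to `SMBEvent::MalformedData` would make both sides consistent; failing that, the lossiness should at least be stated with `// NOTE: lossy — strips every NUL byte, exact only for names in the 8-bit range`. The literals `6` and `1010` are TRANS2_SET_PATH_INFORMATION and the SMB_SET_FILE_RENAME_INFORMATION level (0x03F2) per MS-CIFS; named constants would make the dispatch self-explanatory. `smb1_request_record` begins before and continues after this hunk.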
@@ -597,6 +597,42 @@ named!(pub parse_trans2_request_data_set_file_info_rename {
+ pub loi: u16,
+ pub oldname: Vec,
+}
+
+named!(pub parse_trans2_request_params_set_path_info,
+ do_parse!(
+ loi: le_u16
+ >> _reserved: take!(4)
+ >> oldname: call!(smb_get_unicode_string)
+ >> (Trans2RecordParamSetPathInfo {
+ loi:loi,
+ oldname:oldname,
+ })
+));
+
+#[derive(Debug,PartialEq)]
+pub struct Trans2RecordParamSetPathInfoRename<'a> {
+ pub replace: bool,
+ pub newname: &'a[u8],
+}
+
+named!(pub parse_trans2_request_data_set_path_info_rename,
+ do_parse!(
+ replace: le_u8
+ >> _reserved: take!(3)
+ >> root_dir: take!(4)
+ >> newname_len: le_u32
+ >> newname: take!(newname_len)
+ >> (Trans2RecordParamSetPathInfoRename {
+ replace: replace==1,
+ newname: newname,
+ })
+));
+
 #[derive(Debug,PartialEq)]
 pub struct SmbRequestTrans2Record<'a> {
 pub subcmd: u16,
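Review bot: `replace: replace==1` in `parse_trans2_request_data_set_path_info_rename` records the ReplaceIfExists byte as true only when it is exactly 1, so a client sending any other nonzero value — TRUE under the usual BOOLEAN convention, if I read MS-FSCC correctly — is stored as `replace: false`; `replace: replace != 0` follows the wire semantics more faithfully. `root_dir: take!(4)` is bound but never used and will likely draw an unused-variable warning; prefix it `_root_dir` as was done for the reserved fields. Neither new struct carries a doc comment: the rename struct should state that `newname` is the raw `newname_len`-byte FileName with no decoding or terminator handling (the caller in smb1.rs strips NUL bytes itself, so it is presumably UTF-16LE), and the params struct that `oldname` is already decoded by `smb_get_unicode_string`, so the two fields are not directly comparable. The hunk's leading context lines and the `Trans2RecordParamSetPathInfo` struct header appear to have been lost to markup stripping and could not be reviewed.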