From 83070102557d2755b9ffc67bb14b9b4d48b039e9 Mon Sep 17 00:00:00 2001
From: Philippe Antoine
Date: Wed, 17 Feb 2021 15:36:12 +0100
Subject: [PATCH] smb: relax probing parser to handle first NBSS message cf dcerpc-udp S-V test : First message is Message Type: Session request (0x81) Second message is SMB
---
 rust/src/smb/smb.rs | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)
diff --git a/rust/src/smb/smb.rs b/rust/src/smb/smb.rs
index 77db7c221a..13f794410b 100644
--- a/rust/src/smb/smb.rs
+++ b/rust/src/smb/smb.rs
@@ -1990,6 +1990,26 @@ pub extern "C" fn rs_smb_probe_tcp(flags: u8,
 return 1;
 } else if hdr.needs_more(){
 return 0;
+ } else if hdr.is_valid() &&
+ hdr.message_type != NBSS_MSGTYPE_SESSION_MESSAGE {
+ //we accept a first small netbios message before real SMB
+ let hl = hdr.length as usize;
+ if hdr.data.len() >= hl + 8 {
+ // 8 is 4 bytes NBSS + 4 bytes SMB0xFX magic
+ match parse_nbss_record_partial(&hdr.data[hl..]) {
+ Ok((_, ref hdr2)) => {
+ if hdr2.is_smb() {
+ SCLogDebug!("smb found");
+ return 1;
+ }
+ }
+ _ => {}
+ }
+ } else if hdr.length < 256 {
+ // we want more data, 256 is some random value
+ return 0;
+ }
+ // default is failure
 }
 },
 _ => { },
--
2.47.2
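Review bot: The wait-for-more-data bound in the added `else if hdr.length < 256` arm is a bare literal that its own comment calls random, so nothing ties it to an NBSS limit or to how long the probe may stay undecided on a flow that is not SMB. A named constant with its rationale would make that trade-off reviewable, e.g. `const NBSS_PROBE_FIRST_MSG_MAX: u32 = 256; // largest pre-SMB NBSS record the probe waits for` (name constructed here; the type should match `hdr.length`, whose declaration is not visible). The same applies to the `8` in `hl + 8`, and that comment should also state that exactly one leading non-session record is tolerated before the SMB magic is required, if the limit is intentional. `rs_smb_probe_tcp` begins and ends outside the hunk, so what `is_valid()` accepts and the upper bound on `hdr.length` are assumed rather than checked here.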