From af7d245a315ed6d1d419c6190f604fd03881b214 Mon Sep 17 00:00:00 2001
From: Pierre Chifflier
Date: Tue, 18 Jun 2019 17:05:39 +0200
Subject: [PATCH] rust/snmp: add event when expected/received PDU versions mismatch
---
 rust/src/snmp/snmp.rs | 12 ++++++++++++
 1 file changed, 12 insertions(+)
diff --git a/rust/src/snmp/snmp.rs b/rust/src/snmp/snmp.rs
index 3b63153006..afb9a71a75 100644
--- a/rust/src/snmp/snmp.rs
+++ b/rust/src/snmp/snmp.rs
@@ -37,6 +37,7 @@ use nom::{ErrorKind,IResult};
 pub enum SNMPEvent {
 MalformedData = 0,
 UnknownSecurityModel,
+ VersionMismatch,
 }
 impl SNMPEvent {
@@ -143,6 +144,11 @@ impl SNMPState {
 fn handle_snmp_v12(&mut self, msg:SnmpMessage, _direction: u8) -> i32 {
 let mut tx = self.new_tx();
+ // in the message, version is encoded as 0 (version 1) or 1 (version 2)
+ if self.version != msg.version + 1 {
+ SCLogDebug!("SNMP version mismatch: expected {}, received {}", self.version, msg.version+1);
+ self.set_event_tx(&mut tx, SNMPEvent::VersionMismatch);
+ }
 self.add_pdu_info(&msg.pdu, &mut tx);
 tx.community = Some(msg.community.clone());
 self.transactions.push(tx);
@@ -151,6 +157,10 @@ impl SNMPState {
 fn handle_snmp_v3(&mut self, msg: SnmpV3Message, _direction: u8) -> i32 {
 let mut tx = self.new_tx();
+ if self.version != msg.version {
+ SCLogDebug!("SNMP version mismatch: expected {}, received {}", self.version, msg.version);
+ self.set_event_tx(&mut tx, SNMPEvent::VersionMismatch);
+ }
 match msg.data {
 ScopedPduData::Plaintext(pdu) => {
 self.add_pdu_info(&pdu.data, &mut tx);
@@ -436,6 +446,7 @@ pub extern "C" fn rs_snmp_state_get_event_info_by_id(event_id: std::os::raw::c_i
 let estr = match e {
 SNMPEvent::MalformedData => { "malformed_data\0" },
 SNMPEvent::UnknownSecurityModel => { "unknown_security_model\0" },
+ SNMPEvent::VersionMismatch => { "version_mismatch\0" },
 };
 unsafe{
 *event_name = estr.as_ptr() as *const std::os::raw::c_char;
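Review bot: In `handle_snmp_v12`, `msg.version + 1` is computed on a value taken from the parsed message, so if that field is an unsigned integer that the caller has not already limited to 0 or 1 (the dispatch is outside this hunk), the addition can overflow, which panics in debug builds and wraps in release builds. A comparison that cannot overflow, such as `if msg.version.checked_add(1) != Some(self.version) {`, keeps the same meaning; the `msg.version+1` argument of the `SCLogDebug!` call would need the same care. The check is repeated in `handle_snmp_v3` in the next hunk without the offset, so a one-line comment there, e.g. `// SNMPv3 carries the version field as 3, so no offset is applied`, would explain the asymmetry to the next reader. Both function bodies continue outside their hunks.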
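Review bot: The event name is now hand-written in two places, as `"version_mismatch\0"` in `rs_snmp_state_get_event_info_by_id` and as `"version_mismatch"` in `rs_snmp_state_get_event_info` (the following hunk), and nothing ties the two spellings together. If they ever diverge, the event would resolve by id but not by name, so a rule keyed on the name would presumably fail to load or never match; a round-trip unit test over every `SNMPEvent` variant would catch that. Because the literal is handed to C as a raw pointer, a short comment above the match, e.g. `// each literal carries its own trailing NUL because the pointer is returned to C`, would guard against someone dropping the `\0`. Both functions start and end outside these hunks.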
@@ -460,6 +471,7 @@ pub extern "C" fn rs_snmp_state_get_event_info(event_name: *const std::os::raw::
 match s {
 "malformed_data" => SNMPEvent::MalformedData as i32,
 "unknown_security_model" => SNMPEvent::UnknownSecurityModel as i32,
+ "version_mismatch" => SNMPEvent::VersionMismatch as i32,
 _ => -1, // unknown event
 }
 },
-- 2.47.2