detect: update smb.version keyword

Signed-off-by: jason taylor <jtfas90@gmail.com>
OISF · Jan 19, 2024 · 3cb7112 · 3cb7112
1 parent bfc0790
commit 3cb7112
Show file tree

Hide file tree

Showing 3 changed files with 38 additions and 29 deletions.
diff --git a/doc/userguide/rules/smb-keywords.rst b/doc/userguide/rules/smb-keywords.rst
@@ -61,46 +61,56 @@ Examples::
 
 ``smb.ntlmssp_domain`` can be used as ``fast_pattern``.
 
+
 smb.version
---------------
+------------
 
-Used to match the SMB version, that can be 1 or 2.
+Keyword to match on the SMB version seen in an SMB transaction.
 
-Example signatures::
+Signature Example:
+
+.. container:: example-rule
+
+  alert smb $HOME_NET any -> any any (msg:"SMBv1 version rule"; \
+  :example-rule-options:`smb.version:1;` sid:1;)
+
+  alert smb $HOME_NET any -> any any (msg:"SMBv2 version rule"; \
+  :example-rule-options:`smb.version:2;` sid:2;)
 
-  alert smb any any -> any any (msg: "SMB1 version rule"; smb.version: 1; sid: 44;)
-  alert smb any any -> any any (msg: "SMB2 version rule"; smb.version: 2; sid: 45;)
 
 Matching in transition from SMBv1 to SMBv2
-********************************************
+******************************************
 
-In the initial negotiation protocol request, a client supporting SMBv1 and SMBv2 can send an initial SMBv1 request and receive an SMBv2 response from server, indicating that SMBv2 will be used.
+In the initial protocol negotiation request, a client supporting SMBv1 and SMBv2 can send an initial SMBv1 request and receive a SMBv2 response from server, indicating that SMBv2 will be used.
 
 This first SMBv2 response made by the server will match as SMBv1, since the entire transaction will be considered a SMBv1 transaction.
 
-Does `smb.version` match SMBv3?
-****************************************
+Will ``smb.version`` match SMBv3 traffic?
+*****************************************
 
-Yes, it will match SMBv3 messages using `smb.version: 2;`, which will match SMBv2 and SMBv3, since they use the same version identifier in the SMB header.
+Yes, it will match SMBv3 messages using `smb.version:2;`, which will match SMBv2 and SMBv3, since they use the same version identifier in the SMB header.
 
 This keyword will use the Protocol ID specified in SMB header to determine the version. Here is a summary of the Protocol ID codes:
 
-- 0xffSMB is SMB1 `header <https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-smb/3c0848a6-efe9-47c2-b57a-f7e8217150b9>`_
-- 0xfeSMB is SMB2 `normal header <https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-smb2/5cd64522-60b3-4f3e-a157-fe66f1228052>`_ (can be `sync <https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-smb2/fb188936-5050-48d3-b350-dc43059638a4>`_ or `async <https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-smb2/ea4560b7-90da-4803-82b5-344754b92a79>`_)
-- 0xfdSMB is SMB2 `transform header <https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-smb2/d6ce2327-a4c9-4793-be66-7b5bad2175fa>`_. This is only valid for the SMB 3.x dialect family.
-- 0xfcSMB is SMB2 `transform compression header <https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-smb2/d6ce2327-a4c9-4793-be66-7b5bad2175fa>`_ (can be `chained <https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-smb2/aa880fe8-ebed-4409-a474-ec6e0ca0dbcb>`_ or `unchained <https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-smb2/793db6bb-25b4-4469-be49-a8d7045ba3a6>`_). These ones requires the use of 3.1.1 dialect.
+- 0xffSMB is SMBv1 `header <https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-smb/3c0848a6-efe9-47c2-b57a-f7e8217150b9>`_
+- 0xfeSMB is SMBv2 `normal header <https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-smb2/5cd64522-60b3-4f3e-a157-fe66f1228052>`_ (can be `sync <https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-smb2/fb188936-5050-48d3-b350-dc43059638a4>`_ or `async <https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-smb2/ea4560b7-90da-4803-82b5-344754b92a79>`_)
+- 0xfdSMB is SMBv2 `transform header <https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-smb2/d6ce2327-a4c9-4793-be66-7b5bad2175fa>`_. This is only valid for the SMB 3.x dialect family.
+- 0xfcSMB is SMBv2 `transform compression header <https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-smb2/d6ce2327-a4c9-4793-be66-7b5bad2175fa>`_ (can be `chained <https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-smb2/aa880fe8-ebed-4409-a474-ec6e0ca0dbcb>`_ or `unchained <https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-smb2/793db6bb-25b4-4469-be49-a8d7045ba3a6>`_). These ones require the use of the 3.1.1 dialect.
 
-The Protocol ID in header distinguishes only SMB1 and SMB2 since they are totally different protocols with total different message formats, types and implementation.
+The Protocol ID in the header distinguishes only SMBv1 and SMBv2 since they are completely different protocols with entirely
+different message formats, types and implementations.
 
-On the other hand SMB3 is more an extension for SMB2. When using SMB2 we can select one of the following dialects for the conversation between client and server:
+On the other hand, SMBv3 is more like an extension of SMBv2. When using SMBv2 we can select one of the following dialects for the conversation between client and server:
 
 - 2.0.2
 - 2.1
 - 3.0
 - 3.0.2
 - 3.1.1
 
-We say we are using SMB3 when we select a 3.x dialect for the conversation, so you can use SMB3.0, SMB3.0.2 or SMB3.1.1. The higher you choose, the more capabilities you have, but the message syntax and message command number remains the same.
+We say we are using SMBv3 when we select a 3.x dialect for the conversation, so you can use SMB 3.0, SMB 3.0.2 or SMB 3.1.1. The higher you choose, the more capabilities you have, but the message syntax and message command number remains the same.
+
+SMB version and dialect are separate components. In the case of SMBv3 for instance, the SMB version will be 2 but the dialect will be 3.x. Dialect specification is not available currently via keyword.
 
 file.name
 ---------

diff --git a/rust/src/smb/detect.rs b/rust/src/smb/detect.rs
@@ -1,4 +1,4 @@
-/* Copyright (C) 2017 Open Information Security Foundation
+/* Copyright (C) 2017-2023 Open Information Security Foundation
  *
  * You can copy, redistribute or modify this Program under the terms of
  * the GNU General Public License version 2 as published by the Free
@@ -19,7 +19,6 @@ use crate::core::*;
 use crate::dcerpc::dcerpc::DCERPC_TYPE_REQUEST;
 use crate::dcerpc::detect::{DCEIfaceData, DCEOpnumData, DETECT_DCE_OPNUM_RANGE_UNINITIALIZED};
 use crate::detect::uint::detect_match_uint;
-use crate::smb::smb::SMBTransaction;
 use crate::smb::smb::*;
 use std::ffi::CStr;
 use std::os::raw::{c_char, c_void};
@@ -190,6 +189,7 @@ pub unsafe extern "C" fn rs_smb_version_match(
     tx: &mut SMBTransaction, version_data: &mut u8,
 ) -> u8 {
     let version = tx.vercmd.get_version();
+    SCLogDebug!("smb_version: version returned: {}", version);
     if version == *version_data {
         return 1;
     }
@@ -212,16 +212,11 @@ pub unsafe extern "C" fn rs_smb_version_parse(carg: *const c_char) -> *mut c_voi
     return std::ptr::null_mut();
 }
 
-#[no_mangle]
-pub unsafe extern "C" fn rs_smb_version_free(ptr: *mut c_void) {
-    if ptr != std::ptr::null_mut() {
-        std::mem::drop(Box::from_raw(ptr as *mut u8));
-    }
-}
-
 fn parse_version_data(arg: &str) -> Result<u8, ()> {
     let arg = arg.trim();
-    let version = u8::from_str_radix(&arg, 10).map_err(|_| ())?;
+    let version: u8 = arg.parse().map_err(|_| ())?;
+
+    SCLogDebug!("smb_version: sig parse arg: {} version: {}", arg, version);
 
     if version != 1 && version != 2 {
         return Err(());
@@ -230,6 +225,11 @@ fn parse_version_data(arg: &str) -> Result<u8, ()> {
     return Ok(version);
 }
 
+#[no_mangle]
+pub unsafe extern "C" fn rs_smb_version_free(ptr: *mut c_void) {
+    std::mem::drop(Box::from_raw(ptr as *mut u8));
+}
+
 #[cfg(test)]
 mod tests {
     use super::*;
@@ -247,4 +247,4 @@ mod tests {
         assert_eq!(1u8, parse_version_data(" 1").unwrap());
         assert_eq!(2u8, parse_version_data(" 2 ").unwrap());
     }
-}
+}
diff --git a/src/detect-engine-register.c b/src/detect-engine-register.c
@@ -620,7 +620,6 @@ void SigTableSetup(void)
     DetectSmbNtlmsspUserRegister();
     DetectSmbNtlmsspDomainRegister();
     DetectSmbVersionRegister();
-
     DetectTlsRegister();
     DetectTlsValidityRegister();
     DetectTlsVersionRegister();