Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Feature/smb/v19.6 #3286

Merged
merged 51 commits into from
Mar 15, 2018
Merged

Feature/smb/v19.6 #3286

merged 51 commits into from
Mar 15, 2018

Conversation

victorjulien
Copy link
Member

Replaces #3284. Earlier PRs #3281 #3266 #3260 #3256

Describe changes:

  • add SMB records to fileinfo records
  • add 'fuid' field: FID for SMB1, file GUID for SMB2
  • SMB2: no log record per READ/WRITE/etc command

PRScript output (if applicable):

@victorjulien
eve: log pcap filename
50a1821
@victorjulien
rust/smb: initial support
75d7c9d 
Implement SMB app-layer parser for SMB1/2/3. Features:
- file extraction
- eve logging
- existing dce keyword support
- smb_share/smb_named_pipe keyword support (stickybuffers)
- auth meta data extraction (ntlmssp, kerberos5)
@victorjulien
smb: session setup improvements
8bef120 
Improve ntlmssp version extraction and logging, make its data structures
optional. Extract native os/lm from smb1 ssn setup.

Move session setup handling into their own files.

Only log auth data for the session setup tx.
@victorjulien
smb/nbss: work around bad traffic
7dff9b9
@victorjulien
smb1: locking andx may have no response
595557e
@victorjulien
smb1: implement WRITE_AND_CLOSE
98b926b
@victorjulien
smb: add status
7ceb671
@victorjulien
smb1: improve error handling
170edf7
@victorjulien
smb2: add missing commands and improve ioctl err handling
894a73e
@victorjulien
smb3: parse transform records
b343920
@victorjulien
smb2: improve write error handling
ecbf10d
@victorjulien
smb: cleaner server component parsing
d9e43d3
@victorjulien
smb1: parser cleanups
7114d5d
@victorjulien
smb: redo gap catch up handling
a44504a
@victorjulien
smb1: minor debug improvment
ad1bc7f
@victorjulien
smb: remove unused dialects from state
0d69e7b
@victorjulien
smb: update to der-parser 0.5.1
dab055d
@victorjulien
smb: small cleanups, fixes and optimizations
be615c9
@victorjulien
smb: fix event handling when no tx is available
05992f1
@victorjulien
smb: generic event per trans/read/write for tx events
78cd92a
@victorjulien
smb1: disable 'generic tx's for common commands
28f16e3 
Don't create a generic TX for each READ, WRITE, TRANS, TRANS2,
except if they cause events to trigger.
@victorjulien
smb2: parse and log timestamps in CREATE
0e05ef7
@victorjulien
smb1: parse and log timestamps in CREATE
caf29e9
@victorjulien
smb: rename file to filename in output
c91242e
@victorjulien
smb1: set event on empty/malformed dialect
1d4aac1
@victorjulien
smb: make string parsing functions public
1c701dc
@victorjulien
smb: move common parsing funcs into own file
0ed00cf
@victorjulien
smb1: more exact tree connect record parsing
668c747
@victorjulien
smb1: generic smb string parse func
76917a8
@victorjulien
smb1: use generic string parsing for trans
90e2aba
@victorjulien
smb1: log create 'service' fields
fcbeab7
@victorjulien
smb: log create empty filename as '<share_root>' like Bro does
d75ebdb
@victorjulien
smb2: log share type
c56f5e1
@victorjulien
smb2: log client and server guid from negotiate
6d56edc
@victorjulien
smb1: extract server guid from negotiate
eed4925
@victorjulien
smb: disable debug output
f7ed749
@victorjulien
smb: use formal MS names for disposition
7cd6651
@victorjulien
smb2: map ioctl funcs to names
75265ec 
List is based on Wireshark's list.
@victorjulien
smb2: add ioctl transactions to log the funcs
5c26020
@victorjulien
smb2: parse async records
bf08285
@victorjulien
smb2: break out ioctl handling
283be3c
@victorjulien
smb: add smb to default eve-log config
251a8e7
@victorjulien
rust/smb: improve protocol detection
ff398de 
Register both pattern based detection and probing parsers.
@victorjulien
rust/smb: implement minimal record parsing in probing
7ab071a
@victorjulien
smb: improve nbss/smb record detection
286c054
@victorjulien
smb1: ignore tree_id in session setup
0519807
@victorjulien
smb1: improve non nt-status handling
816bd02 
Support SRV error, with a couple of codes.
Rename statux field to status_code.
@victorjulien
smb: add smb records to fileinfo
67f0e27
@victorjulien
smb: log file FID/GUID as fuid
fb986ab
@victorjulien
smb2: don't log/track each READ/WRITE/etc
32b19fa
@victorjulien
smb1: add OPEN_ANDX command name for logging
bc19324
@victorjulien victorjulien requested review from jasonish, norg and a team as code owners March 14, 2018 15:29
This was referenced Mar 14, 2018
Closed
Merged
@inliniac inliniac merged commit bc19324 into OISF:master Mar 15, 2018
@victorjulien victorjulien deleted the feature/smb/v19.6 branch April 16, 2018 05:17
victorjulien added a commit to victorjulien/suricata that referenced this pull request Dec 13, 2019
@victorjulien
stream: fix SYN_SENT RST/FIN injection
9f0294f 
RST injection during the SYN_SENT state could trick Suricata into marking
a session as CLOSED. The way this was done is: using invalid TSECR value
in RST+ACK packet. The ACK was needed to force Linux into considering the
TSECR value and compare it to the TSVAL from the SYN packet.

The second works only against Windows. The client would not use a TSVAL
but the RST packet would. Windows will reject this, but Suricata considered
the RST valid and triggered the CLOSED logic.

This patch addresses both. When the SYN packet used timestamp support
the timestamp of incoming packet is validated. Otherwise, packet responding
should not have a timestamp.

Bug OISF#3286

Reported-by: Nicolas Adba
victorjulien added a commit to victorjulien/suricata that referenced this pull request Dec 13, 2019
@victorjulien
stream: fix SYN_SENT RST/FIN injection
ea0659d 
RST injection during the SYN_SENT state could trick Suricata into marking
a session as CLOSED. The way this was done is: using invalid TSECR value
in RST+ACK packet. The ACK was needed to force Linux into considering the
TSECR value and compare it to the TSVAL from the SYN packet.

The second works only against Windows. The client would not use a TSVAL
but the RST packet would. Windows will reject this, but Suricata considered
the RST valid and triggered the CLOSED logic.

This patch addresses both. When the SYN packet used timestamp support
the timestamp of incoming packet is validated. Otherwise, packet responding
should not have a timestamp.

Bug OISF#3286

Reported-by: Nicolas Adba
(cherry picked from commit 9f0294f)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jasonish jasonish Awaiting requested review from jasonish jasonish is a code owner

@norg norg Awaiting requested review from norg

Assignees
No one assigned
Labels
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@victorjulien @inliniac