OISF · zer1t0 · Apr 28, 2022 · Apr 28, 2022
@@ -26,6 +26,7 @@ Suricata Rules
    snmp-keywords
    base64-keywords
    sip-keywords
+   smb-keywords
    rfb-keywords
    mqtt-keywords
    ike-keywords

@@ -0,0 +1,26 @@
+SMB Keywords
+==============
+
+SMB keywords used in both SMB1 and SMB2 protocols.
+
+smb.filename
+--------------
+
+SMB filename is a sticky buffer to match the filename in SMB Create requests.
+
+If you want to match traffic that access to file "a.txt", you could use the following rule::
+
+  alert smb any any -> any any (msg: "SMB file match";smb.filename; content:"a.txt";sid:1;)
+
+.. topic:: Difference between smb.filename and filename keyword
+
+   They were made for different purposes. *filename* keyword (and *file.name* sticky buffer) were made to match the name of the file extracted/transferred from different protocols, that includes SMB. However **smb.filename will match in any SMB create request**.
+
+   This means that *smb.filename* will match for files that were opened for read or write, that will be matched by *filename* also. But *smb.filename* will also match files opened to read files attributes, which won't be matched by *filename*.
+
+   Other difference is that *smb.filename* will match for directories that are open with SMB create.
+
+   Therefore:
+
+   - **filename**: Name of tranferred files over many protocols, including SMB.
+   - **smb.filename**: SMB create file request filename field, so files and directories opened for any purpose (transfer, query, list, etc).
@@ -201,3 +201,20 @@ pub extern "C" fn rs_smb_tx_get_dce_iface(state: &mut SMBState,
     }
     return 0;
 }
+
+#[no_mangle]
+pub unsafe extern "C" fn rs_smb_tx_get_filename(tx: &mut SMBTransaction,
+                                                buffer: *mut *const u8,
+                                                buffer_len: *mut u32)
+                                                -> u8
+{
+    if let Some(SMBTransactionTypeData::CREATE(ref x)) = tx.type_data {
+        *buffer = x.filename.as_ptr();
+        *buffer_len = x.filename.len() as u32;
+        return 1;
+    }
+
+    *buffer = ptr::null();
+    *buffer_len = 0;
+    return 0;
+}
@@ -499,10 +499,12 @@ pub fn smb2_request_record<'b>(state: &mut SMBState, r: &Smb2Record<'b>)
                     SCLogDebug!("create_options {:08x}", cr.create_options);
 
                     let name_key = SMBCommonHdr::from2(r, SMBHDR_TYPE_FILENAME);
-                    state.ssn2vec_map.insert(name_key, cr.data.to_vec());
+                    let mut name_val = cr.data.to_vec();
+                    name_val.retain(|&i|i != 0x00);
 
+                    state.ssn2vec_map.insert(name_key, name_val.to_vec());
                     let tx_hdr = SMBCommonHdr::from2(r, SMBHDR_TYPE_GENERICTX);
-                    let tx = state.new_create_tx(&cr.data.to_vec(),
+                    let tx = state.new_create_tx(&name_val.to_vec(),
                             cr.disposition, del, dir, tx_hdr);
                     tx.vercmd.set_smb2_cmd(r.command);
                     SCLogDebug!("TS CREATE TX {} created", tx.id);

@@ -292,6 +292,7 @@ noinst_HEADERS = \
 	detect-sip-stat-code.h \
 	detect-sip-stat-msg.h \
 	detect-sip-uri.h \
+	detect-smb-filename.h \
 	detect-smb-share.h \
 	detect-snmp-community.h \
 	detect-snmp-pdu_type.h \
@@ -885,6 +886,7 @@ libsuricata_c_a_SOURCES = \
 	detect-sip-stat-code.c \
 	detect-sip-stat-msg.c \
 	detect-sip-uri.c \
+	detect-smb-filename.c \
 	detect-smb-share.c \
 	detect-snmp-community.c \
 	detect-snmp-pdu_type.c \

@@ -73,6 +73,7 @@
 
 #include "detect-config.h"
 
+#include "detect-smb-filename.h"
 #include "detect-smb-share.h"
 
 #include "detect-base64-decode.h"
@@ -579,6 +580,7 @@ void SigTableSetup(void)
     DetectDceIfaceRegister();
     DetectDceOpnumRegister();
     DetectDceStubDataRegister();
+    DetectSmbFilenameRegister();
     DetectSmbNamedPipeRegister();
     DetectSmbShareRegister();
     DetectTlsRegister();

@@ -187,6 +187,7 @@ enum DetectKeywordId {
     DETECT_DCE_IFACE,
     DETECT_DCE_OPNUM,
     DETECT_DCE_STUB_DATA,
+    DETECT_SMB_FILENAME,
     DETECT_SMB_NAMED_PIPE,
     DETECT_SMB_SHARE,
 

@@ -0,0 +1,84 @@
+/* Copyright (C) 2017-2022 Open Information Security Foundation
+ *
+ * You can copy, redistribute or modify this Program under the terms of
+ * the GNU General Public License version 2 as published by the Free
+ * Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * version 2 along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+ * 02110-1301, USA.
+ */
+
+#include "suricata-common.h"
+
+#include "detect.h"
+#include "detect-parse.h"
+
+#include "detect-engine.h"
+#include "detect-engine-mpm.h"
+#include "detect-engine-state.h"
+#include "detect-engine-prefilter.h"
+#include "detect-engine-content-inspection.h"
+
+#include "detect-smb-share.h"
+#include "rust.h"
+
+static int g_smb_filename_buffer_id = 0;
+
+void DetectSmbFilenameRegister(void);
+
+static int DetectSmbFilenameSetup(DetectEngineCtx *de_ctx, Signature *s, const char *arg)
+{
+    if (DetectBufferSetActiveList(s, g_smb_filename_buffer_id) < 0)
+        return -1;
+
+    if (DetectSignatureSetAppProto(s, ALPROTO_SMB) < 0)
+        return -1;
+
+    return 0;
+}
+
+static InspectionBuffer *GetFilenameData(DetectEngineThreadCtx *det_ctx,
+        const DetectEngineTransforms *transforms, Flow *_f, const uint8_t _flow_flags, void *txv,
+        const int list_id)
+{
+    SCEnter();
+
+    InspectionBuffer *buffer = InspectionBufferGet(det_ctx, list_id);
+    if (buffer->inspect == NULL) {
+        uint32_t b_len = 0;
+        const uint8_t *b = NULL;
+
+        if (rs_smb_tx_get_filename(txv, &b, &b_len) != 1)
+            return NULL;
+        if (b == NULL || b_len == 0)
+            return NULL;
+
+        InspectionBufferSetup(det_ctx, list_id, buffer, b, b_len);
+        InspectionBufferApplyTransforms(buffer, transforms);
+    }
+    return buffer;
+}
+
+void DetectSmbFilenameRegister(void)
+{
+    sigmatch_table[DETECT_SMB_FILENAME].name = "smb.filename";
+    sigmatch_table[DETECT_SMB_FILENAME].Setup = DetectSmbFilenameSetup;
+    sigmatch_table[DETECT_SMB_FILENAME].flags |= SIGMATCH_NOOPT | SIGMATCH_INFO_STICKY_BUFFER;
+    sigmatch_table[DETECT_SMB_FILENAME].desc =
+            "Sticky buffer to match on SMB filenames in create request";
+
+    DetectAppLayerMpmRegister2("smb_filename", SIG_FLAG_TOSERVER, 2, PrefilterGenericMpmRegister,
+            GetFilenameData, ALPROTO_SMB, 1);
+
+    DetectAppLayerInspectEngineRegister2("smb_filename", ALPROTO_SMB, SIG_FLAG_TOSERVER, 0,
+            DetectEngineInspectBufferGeneric, GetFilenameData);
+
+    g_smb_filename_buffer_id = DetectBufferTypeGetByName("smb_filename");
+}
@@ -0,0 +1,23 @@
+/* Copyright (C) 2017-2022 Open Information Security Foundation
+ *
+ * You can copy, redistribute or modify this Program under the terms of
+ * the GNU General Public License version 2 as published by the Free
+ * Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * version 2 along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+ * 02110-1301, USA.
+ */
+
+#ifndef __DETECT_SMB_FILENAME_H__
+#define __DETECT_SMB_FILENAME_H__
+
+void DetectSmbFilenameRegister(void);
+
+#endif /* __DETECT_SMB_FILENAME_H__ */