forked from mushorg/go-dpi
/
smb.go
44 lines (39 loc) · 1.29 KB
/
smb.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
package classifiers
import (
"encoding/binary"
"strings"
"github.com/google/gopacket"
"github.com/google/gopacket/layers"
"github.com/nayyara-samuel/go-dpi/types"
)
// SMBClassifier struct
type SMBClassifier struct{}
// HeuristicClassify for SMBClassifier
func (classifier SMBClassifier) HeuristicClassify(flow *types.Flow) bool {
return checkFirstPayload(flow.GetPackets(), layers.LayerTypeTCP,
func(payload []byte, packetsRest []gopacket.Packet) bool {
// skip netbios layer if it exists
if len(payload) > 4 && payload[0] == 0 {
netbiosLen := binary.BigEndian.Uint32(payload[:4])
if int(netbiosLen) == len(payload[4:]) {
payload = payload[4:]
}
}
if len(payload) < 10 {
return false
}
// SMB protocol prefix
hasSMBPrefix := strings.HasPrefix(string(payload), "\xFFSMB")
// SMB protocol negotiation code
isNegotiateProtocol := payload[4] == 0x72
// error code must be zero
errCode := binary.BigEndian.Uint32(payload[5:9])
// if flag is 0 this packet is from the server to the client
directionFlag := payload[9] & 0x80
return hasSMBPrefix && isNegotiateProtocol && errCode == 0 && directionFlag == 0
})
}
// GetProtocol returns the corresponding protocol
func (classifier SMBClassifier) GetProtocol() types.Protocol {
return types.SMB
}