rust/smb: import NT status code for microsoft doc

This patch updates the NT status code definition to use the status definitiion used on Microsoft documentation website. A first python script is building JSON object with code definition. ``` import json from bs4 import BeautifulSoup import requests ntstatus = requests.get('https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55') ntstatus_parsed = BeautifulSoup(ntstatus.text, 'html.parser') ntstatus_parsed = ntstatus_parsed.find('tbody') ntstatus_dict = {} for item in ntstatus_parsed.find_all('tr'): cell = item.find_all('td') if len(cell) == 0: continue code = cell[0].find_all('p') description_ps = cell[1].find_all('p') description_list = [] if len(description_ps): for desc in description_ps: if not desc.string is None: description_list.append(desc.string.replace('\n ', '')) else: description_list = ['Description not available'] if not code[0].string.lower() in ntstatus_dict: ntstatus_dict[code[0].string.lower()] = {"text": code[1].string, "desc": ' '.join(description_list)} print(json.dumps(ntstatus_dict)) ``` The second one is generating the code that is ready to be inserted into smb.rs: ``` import json ntstatus_file = open('ntstatus.json', 'r') ntstatus = json.loads(ntstatus_file.read()) declaration_format = 'pub const SMB_NT%s:%su32 = %s;\n' resolution_format = ' SMB_NT%s%s=> "%s",\n' declaration = "" resolution = "" text_max = len(max([ntstatus[x]['text'] for x in ntstatus.keys()], key=len)) for code in ntstatus.keys(): text = ntstatus[code]['text'] text_spaces = ' ' * (4 + text_max - len(text)) declaration += declaration_format % (text, text_spaces, code) resolution += resolution_format % (text, text_spaces, text) print(declaration) print('\n') print(''' pub fn smb_ntstatus_string(c: u32) -> String { match c { ''') print(resolution) print(''' _ => { return (c).to_string(); }, }.to_string() } ''') ``` Bug OISF#5412.
regit · Jun 29, 2022 · 1216a52 · 1216a52
1 parent a898409
commit 1216a52
Show file tree

Hide file tree

Showing 10 changed files with 3,677 additions and 81 deletions.
diff --git a/doc/userguide/rules/index.rst b/doc/userguide/rules/index.rst
@@ -23,6 +23,7 @@ Suricata Rules
    enip-keyword
    ftp-keywords
    kerberos-keywords
+   smb-keywords
    snmp-keywords
    base64-keywords
    sip-keywords

diff --git a/doc/userguide/rules/smb-keywords.rst b/doc/userguide/rules/smb-keywords.rst
@@ -0,0 +1,60 @@
+SMB Keywords
+==============
+
+SMB keywords used in both SMB1 and SMB2 protocols.
+
+smb.named_pipe
+--------------
+
+Match on SMB named pipe in tree connect.
+
+Examples::
+
+  smb.named_pipe; content:"IPC"; endswith;
+  smb.named_pipe; content:"strange"; nocase; pcre:"/really$/";
+
+``smb.named_pipe`` is a 'sticky buffer'.
+
+``smb.named_pipe`` can be used as ``fast_pattern``.
+
+smb.share
+---------
+
+Match on SMB share name in tree connect.
+
+Examples::
+
+  smb.share; content:"shared"; endswith;
+  smb.share; content:"strange"; nocase; pcre:"/really$/";
+
+``smb.share`` is a 'sticky buffer'.
+
+``smb.share`` can be used as ``fast_pattern``.
+
+smb.ntlmssp_user
+----------------
+
+Match on SMB ntlmssp user in session setup.
+
+Examples::
+
+  smb.ntlmssp_user; content:"doe"; endswith;
+  smb.ntlmssp_user; content:"doe"; nocase; pcre:"/j(ohn|ane).*doe$/";
+
+``smb.ntlmssp_user`` is a 'sticky buffer'.
+
+``smb.ntlmssp_user`` can be used as ``fast_pattern``.
+
+smb.ntlmssp_domain
+------------------
+
+Match on SMB ntlmssp domain in session setup.
+
+Examples::
+
+  smb.ntlmssp_domain; content:"home"; endswith;
+  smb.ntlmssp_domain; content:"home"; nocase; pcre:"/home(sweet)*$/";
+
+``smb.ntlmssp_domain`` is a 'sticky buffer'.
+
+``smb.ntlmssp_domain`` can be used as ``fast_pattern``.
diff --git a/rust/src/smb/dcerpc.rs b/rust/src/smb/dcerpc.rs
@@ -23,6 +23,7 @@ use crate::smb::smb2::*;
 use crate::smb::dcerpc_records::*;
 use crate::smb::events::*;
 use crate::dcerpc::dcerpc::*;
+use crate::smb::smb_status::*;
 
 impl SMBCommonHdr {
     /// helper for DCERPC tx tracking. Check if we need

diff --git a/rust/src/smb/log.rs b/rust/src/smb/log.rs
@@ -24,6 +24,7 @@ use crate::smb::smb1::*;
 use crate::smb::smb2::*;
 use crate::dcerpc::dcerpc::*;
 use crate::smb::funcs::*;
+use crate::smb::smb_status::*;
 
 #[cfg(not(feature = "debug"))]
 fn debug_add_progress(_js: &mut JsonBuilder, _tx: &SMBTransaction) -> Result<(), JsonError> { Ok(()) }

diff --git a/rust/src/smb/mod.rs b/rust/src/smb/mod.rs
@@ -17,6 +17,7 @@
 
 pub mod error;
 pub mod smb_records;
+pub mod smb_status;
 pub mod smb1_records;
 pub mod smb2_records;
 pub mod nbss_records;

diff --git a/rust/src/smb/smb.rs b/rust/src/smb/smb.rs
@@ -93,87 +93,6 @@ pub extern "C" fn rs_smb_init(context: &'static mut SuricataFileContext)
     }
 }
 
-pub const SMB_NTSTATUS_SUCCESS:                    u32 = 0;
-pub const SMB_NTSTATUS_PENDING:                    u32 = 0x00000103;
-pub const SMB_NTSTATUS_BUFFER_OVERFLOW:            u32 = 0x80000005;
-pub const SMB_NTSTATUS_NO_MORE_FILES:              u32 = 0x80000006;
-pub const SMB_NTSTATUS_NO_MORE_ENTRIES:            u32 = 0x8000001a;
-pub const SMB_NTSTATUS_INVALID_HANDLE:             u32 = 0xc0000008;
-pub const SMB_NTSTATUS_INVALID_PARAMETER:          u32 = 0xc000000d;
-pub const SMB_NTSTATUS_NO_SUCH_DEVICE:             u32 = 0xc000000e;
-pub const SMB_NTSTATUS_NO_SUCH_FILE:               u32 = 0xc000000f;
-pub const SMB_NTSTATUS_INVALID_DEVICE_REQUEST:     u32 = 0xc0000010;
-pub const SMB_NTSTATUS_END_OF_FILE:                u32 = 0xc0000011;
-pub const SMB_NTSTATUS_MORE_PROCESSING_REQUIRED:   u32 = 0xc0000016;
-pub const SMB_NTSTATUS_ACCESS_DENIED:              u32 = 0xc0000022;
-pub const SMB_NTSTATUS_OBJECT_NAME_INVALID:        u32 = 0xc0000033;
-pub const SMB_NTSTATUS_OBJECT_NAME_NOT_FOUND:      u32 = 0xc0000034;
-pub const SMB_NTSTATUS_OBJECT_NAME_COLLISION:      u32 = 0xc0000035;
-pub const SMB_NTSTATUS_OBJECT_PATH_NOT_FOUND:      u32 = 0xc000003a;
-pub const SMB_NTSTATUS_SHARING_VIOLATION:          u32 = 0xc0000043;
-pub const SMB_NTSTATUS_LOCK_CONFLICT:              u32 = 0xc0000054;
-pub const SMB_NTSTATUS_LOCK_NOT_GRANTED:           u32 = 0xc0000055;
-pub const SMB_NTSTATUS_PRIVILEGE_NOT_HELD:         u32 = 0xc0000061;
-pub const SMB_NTSTATUS_LOGON_FAILURE:              u32 = 0xc000006d;
-pub const SMB_NTSTATUS_PIPE_DISCONNECTED:          u32 = 0xc00000b0;
-pub const SMB_NTSTATUS_FILE_IS_A_DIRECTORY:        u32 = 0xc00000ba;
-pub const SMB_NTSTATUS_NOT_SUPPORTED:              u32 = 0xc00000bb;
-pub const SMB_NTSTATUS_BAD_NETWORK_NAME:           u32 = 0xc00000cc;
-pub const SMB_NTSTATUS_REQUEST_NOT_ACCEPTED:       u32 = 0xc00000d0;
-pub const SMB_NTSTATUS_OPLOCK_NOT_GRANTED:         u32 = 0xc00000e2;
-pub const SMB_NTSTATUS_CANCELLED:                  u32 = 0xc0000120;
-pub const SMB_NTSTATUS_FILE_CLOSED:                u32 = 0xc0000128;
-pub const SMB_NTSTATUS_FS_DRIVER_REQUIRED:         u32 = 0xc000019c;
-pub const SMB_NTSTATUS_INSUFF_SERVER_RESOURCES:    u32 = 0xc0000205;
-pub const SMB_NTSTATUS_NOT_FOUND:                  u32 = 0xc0000225;
-pub const SMB_NTSTATUS_PIPE_BROKEN:                u32 = 0xc000014b;
-pub const SMB_NTSTATUS_TRUSTED_RELATIONSHIP_FAILURE:    u32 = 0xc000018d;
-pub const SMB_NTSTATUS_NOT_A_REPARSE_POINT:        u32 = 0xc0000275;
-pub const SMB_NTSTATUS_NETWORK_SESSION_EXPIRED:    u32 = 0xc000035c;
-
-pub fn smb_ntstatus_string(c: u32) -> String {
-    match c {
-        SMB_NTSTATUS_SUCCESS                   => "STATUS_SUCCESS",
-        SMB_NTSTATUS_BUFFER_OVERFLOW           => "STATUS_BUFFER_OVERFLOW",
-        SMB_NTSTATUS_PENDING                   => "STATUS_PENDING",
-        SMB_NTSTATUS_NO_MORE_FILES             => "STATUS_NO_MORE_FILES",
-        SMB_NTSTATUS_NO_MORE_ENTRIES           => "STATUS_NO_MORE_ENTRIES",
-        SMB_NTSTATUS_INVALID_HANDLE            => "STATUS_INVALID_HANDLE",
-        SMB_NTSTATUS_INVALID_PARAMETER         => "STATUS_INVALID_PARAMETER",
-        SMB_NTSTATUS_NO_SUCH_DEVICE            => "STATUS_NO_SUCH_DEVICE",
-        SMB_NTSTATUS_NO_SUCH_FILE              => "STATUS_NO_SUCH_FILE",
-        SMB_NTSTATUS_INVALID_DEVICE_REQUEST    => "STATUS_INVALID_DEVICE_REQUEST",
-        SMB_NTSTATUS_END_OF_FILE               => "STATUS_END_OF_FILE",
-        SMB_NTSTATUS_MORE_PROCESSING_REQUIRED  => "STATUS_MORE_PROCESSING_REQUIRED",
-        SMB_NTSTATUS_ACCESS_DENIED             => "STATUS_ACCESS_DENIED",
-        SMB_NTSTATUS_OBJECT_NAME_INVALID       => "STATUS_OBJECT_NAME_INVALID",
-        SMB_NTSTATUS_OBJECT_NAME_NOT_FOUND     => "STATUS_OBJECT_NAME_NOT_FOUND",
-        SMB_NTSTATUS_OBJECT_NAME_COLLISION     => "STATUS_OBJECT_NAME_COLLISION",
-        SMB_NTSTATUS_OBJECT_PATH_NOT_FOUND     => "STATUS_OBJECT_PATH_NOT_FOUND",
-        SMB_NTSTATUS_SHARING_VIOLATION         => "STATUS_SHARING_VIOLATION",
-        SMB_NTSTATUS_LOCK_CONFLICT             => "STATUS_LOCK_CONFLICT",
-        SMB_NTSTATUS_LOCK_NOT_GRANTED          => "STATUS_LOCK_NOT_GRANTED",
-        SMB_NTSTATUS_PRIVILEGE_NOT_HELD        => "STATUS_PRIVILEGE_NOT_HELD",
-        SMB_NTSTATUS_LOGON_FAILURE             => "STATUS_LOGON_FAILURE",
-        SMB_NTSTATUS_PIPE_DISCONNECTED         => "STATUS_PIPE_DISCONNECTED",
-        SMB_NTSTATUS_FILE_IS_A_DIRECTORY       => "STATUS_FILE_IS_A_DIRECTORY",
-        SMB_NTSTATUS_NOT_SUPPORTED             => "STATUS_NOT_SUPPORTED",
-        SMB_NTSTATUS_BAD_NETWORK_NAME          => "STATUS_BAD_NETWORK_NAME",
-        SMB_NTSTATUS_REQUEST_NOT_ACCEPTED      => "STATUS_REQUEST_NOT_ACCEPTED",
-        SMB_NTSTATUS_OPLOCK_NOT_GRANTED        => "STATUS_OPLOCK_NOT_GRANTED",
-        SMB_NTSTATUS_CANCELLED                 => "STATUS_CANCELLED",
-        SMB_NTSTATUS_FILE_CLOSED               => "STATUS_FILE_CLOSED",
-        SMB_NTSTATUS_FS_DRIVER_REQUIRED        => "STATUS_FS_DRIVER_REQUIRED",
-        SMB_NTSTATUS_INSUFF_SERVER_RESOURCES   => "STATUS_INSUFF_SERVER_RESOURCES",
-        SMB_NTSTATUS_NOT_FOUND                 => "STATUS_NOT_FOUND",
-        SMB_NTSTATUS_PIPE_BROKEN               => "STATUS_PIPE_BROKEN",
-        SMB_NTSTATUS_TRUSTED_RELATIONSHIP_FAILURE   => "STATUS_TRUSTED_RELATIONSHIP_FAILURE",
-        SMB_NTSTATUS_NOT_A_REPARSE_POINT       => "STATUS_NOT_A_REPARSE_POINT",
-        SMB_NTSTATUS_NETWORK_SESSION_EXPIRED   => "STATUS_NETWORK_SESSION_EXPIRED",
-        _ => { return (c).to_string(); },
-    }.to_string()
-}
-
 pub const SMB_SRV_ERROR:                u16 = 1;
 pub const SMB_SRV_BADPW:                u16 = 2;
 pub const SMB_SRV_BADTYPE:              u16 = 3;

diff --git a/rust/src/smb/smb1.rs b/rust/src/smb/smb1.rs
@@ -29,6 +29,8 @@ use crate::smb::files::*;
 use crate::smb::smb1_records::*;
 use crate::smb::smb1_session::*;
 
+use crate::smb::smb_status::*;
+
 use nom7::Err;
 
 // https://msdn.microsoft.com/en-us/library/ee441741.aspx

diff --git a/rust/src/smb/smb2.rs b/rust/src/smb/smb2.rs
@@ -26,6 +26,7 @@ use crate::smb::smb2_ioctl::*;
 use crate::smb::dcerpc::*;
 use crate::smb::events::*;
 use crate::smb::files::*;
+use crate::smb::smb_status::*;
 
 pub const SMB2_COMMAND_NEGOTIATE_PROTOCOL:      u16 = 0;
 pub const SMB2_COMMAND_SESSION_SETUP:           u16 = 1;

diff --git a/rust/src/smb/smb2_ioctl.rs b/rust/src/smb/smb2_ioctl.rs
@@ -22,6 +22,7 @@ use crate::smb::dcerpc::*;
 use crate::smb::events::*;
 #[cfg(feature = "debug")]
 use crate::smb::funcs::*;
+use crate::smb::smb_status::*;
 
 #[derive(Debug)]
 pub struct SMBTransactionIoctl {