suricata
app-layer-smb.c
Go to the documentation of this file.
1 /* Copyright (C) 2017-2021 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * SMB protocol handling
22  */
23 
24 #include "suricata-common.h"
25 #include "suricata.h"
26 
27 #include "app-layer-protos.h"
28 #include "app-layer-detect-proto.h"
29 #include "app-layer-parser.h"
30 
31 #include "util-unittest.h"
32 
33 #include "rust.h"
34 #include "app-layer-smb.h"
35 #include "util-misc.h"
36 
37 
38 static StreamingBufferConfig sbcfg = STREAMING_BUFFER_CONFIG_INITIALIZER;
39 static SuricataFileContext sfc = { &sbcfg };
40 
41 #ifdef UNITTESTS
42 static void SMBParserRegisterTests(void);
43 #endif
44 
45 void RegisterSMBParsers(void)
46 {
47  rs_smb_init(&sfc);
48  rs_smb_register_parser();
49 
50 #ifdef UNITTESTS
51  AppLayerParserRegisterProtocolUnittests(IPPROTO_TCP, ALPROTO_SMB, SMBParserRegisterTests);
52 #endif
53 }
54 
55 #ifdef UNITTESTS
56 #include "stream-tcp.h"
57 #include "util-unittest-helper.h"
58 
59 /** \test multi transactions and cleanup */
60 static int SMBParserTxCleanupTest(void)
61 {
62  uint64_t ret[4];
63  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
64  FAIL_IF_NULL(alp_tctx);
65 
66  StreamTcpInitConfig(true);
67  TcpSession ssn;
68  memset(&ssn, 0, sizeof(ssn));
69 
70  Flow *f = UTHBuildFlow(AF_INET, "1.2.3.4", "1.2.3.5", 1024, 445);
71  FAIL_IF_NULL(f);
72  f->protoctx = &ssn;
73  f->proto = IPPROTO_TCP;
74  f->alproto = ALPROTO_SMB;
75 
76  char req_str[] ="\x00\x00\x00\x79\xfe\x53\x4d\x42\x40\x00\x01\x00\x00\x00\x00\x00" \
77  "\x05\x00\xe0\x1e\x10\x00\x00\x00\x00\x00\x00\x00\x0b\x00\x00\x00" \
78  "\x00\x00\x00\x00\x00\x00\x00\x00\x10\x72\xd2\x9f\x36\xc2\x08\x14" \
79  "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" \
80  "\x00\x00\x00\x00\x39\x00\x00\x00\x02\x00\x00\x00\x00\x00\x00\x00" \
81  "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00" \
82  "\x00\x00\x00\x00\x07\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00" \
83  "\x78\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00";
84  req_str[28] = 0x01;
85  int r = AppLayerParserParse(NULL, alp_tctx, f, ALPROTO_SMB,
86  STREAM_TOSERVER | STREAM_START, (uint8_t *)req_str, sizeof(req_str));
87  FAIL_IF_NOT(r == 0);
88  req_str[28]++;
89  r = AppLayerParserParse(NULL, alp_tctx, f, ALPROTO_SMB,
90  STREAM_TOSERVER, (uint8_t *)req_str, sizeof(req_str));
91  FAIL_IF_NOT(r == 0);
92  req_str[28]++;
93  r = AppLayerParserParse(NULL, alp_tctx, f, ALPROTO_SMB,
94  STREAM_TOSERVER, (uint8_t *)req_str, sizeof(req_str));
95  FAIL_IF_NOT(r == 0);
96  req_str[28]++;
97  r = AppLayerParserParse(NULL, alp_tctx, f, ALPROTO_SMB,
98  STREAM_TOSERVER, (uint8_t *)req_str, sizeof(req_str));
99  FAIL_IF_NOT(r == 0);
100  req_str[28]++;
101  r = AppLayerParserParse(NULL, alp_tctx, f, ALPROTO_SMB,
102  STREAM_TOSERVER, (uint8_t *)req_str, sizeof(req_str));
103  FAIL_IF_NOT(r == 0);
104  req_str[28]++;
105  r = AppLayerParserParse(NULL, alp_tctx, f, ALPROTO_SMB,
106  STREAM_TOSERVER, (uint8_t *)req_str, sizeof(req_str));
107  FAIL_IF_NOT(r == 0);
108  req_str[28]++;
109  r = AppLayerParserParse(NULL, alp_tctx, f, ALPROTO_SMB,
110  STREAM_TOSERVER, (uint8_t *)req_str, sizeof(req_str));
111  FAIL_IF_NOT(r == 0);
112  req_str[28]++;
113  r = AppLayerParserParse(NULL, alp_tctx, f, ALPROTO_SMB,
114  STREAM_TOSERVER, (uint8_t *)req_str, sizeof(req_str));
115  FAIL_IF_NOT(r == 0);
116  req_str[28]++;
117 
118  AppLayerParserTransactionsCleanup(f, STREAM_TOSERVER);
119  UTHAppLayerParserStateGetIds(f->alparser, &ret[0], &ret[1], &ret[2], &ret[3]);
120  FAIL_IF_NOT(ret[0] == 0); // inspect_id[0]
121  FAIL_IF_NOT(ret[1] == 0); // inspect_id[1]
122  FAIL_IF_NOT(ret[2] == 0); // log_id
123  FAIL_IF_NOT(ret[3] == 0); // min_id
124 
125  char resp_str[] = "\x00\x00\x00\x98\xfe\x53\x4d\x42\x40\x00\x01\x00\x00\x00\x00\x00" \
126  "\x05\x00\x21\x00\x11\x00\x00\x00\x00\x00\x00\x00\x0b\x00\x00\x00" \
127  "\x00\x00\x00\x00\x00\x00\x00\x00\x10\x72\xd2\x9f\x36\xc2\x08\x14" \
128  "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" \
129  "\x00\x00\x00\x00\x59\x00\x00\x00\x01\x00\x00\x00\x48\x38\x40\xb3" \
130  "\x0f\xa8\xd3\x01\x84\x9a\x2b\x46\xf7\xa8\xd3\x01\x48\x38\x40\xb3" \
131  "\x0f\xa8\xd3\x01\x48\x38\x40\xb3\x0f\xa8\xd3\x01\x00\x00\x00\x00" \
132  "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x10\x00\x00\x00" \
133  "\x00\x00\x00\x00\x9e\x8f\xb8\x91\x00\x00\x00\x00\x01\x5b\x11\xbb" \
134  "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00";
135 
136  resp_str[28] = 0x01;
137  r = AppLayerParserParse(NULL, alp_tctx, f, ALPROTO_SMB,
138  STREAM_TOCLIENT | STREAM_START, (uint8_t *)resp_str, sizeof(resp_str));
139  FAIL_IF_NOT(r == 0);
140  resp_str[28] = 0x04;
141  r = AppLayerParserParse(NULL, alp_tctx, f, ALPROTO_SMB,
142  STREAM_TOCLIENT, (uint8_t *)resp_str, sizeof(resp_str));
143  FAIL_IF_NOT(r == 0);
144  resp_str[28] = 0x05;
145  r = AppLayerParserParse(NULL, alp_tctx, f, ALPROTO_SMB,
146  STREAM_TOCLIENT, (uint8_t *)resp_str, sizeof(resp_str));
147  FAIL_IF_NOT(r == 0);
148  resp_str[28] = 0x06;
149  r = AppLayerParserParse(NULL, alp_tctx, f, ALPROTO_SMB,
150  STREAM_TOCLIENT, (uint8_t *)resp_str, sizeof(resp_str));
151  FAIL_IF_NOT(r == 0);
152  resp_str[28] = 0x08;
153  r = AppLayerParserParse(NULL, alp_tctx, f, ALPROTO_SMB,
154  STREAM_TOCLIENT, (uint8_t *)resp_str, sizeof(resp_str));
155  FAIL_IF_NOT(r == 0);
156  resp_str[28] = 0x02;
157  r = AppLayerParserParse(NULL, alp_tctx, f, ALPROTO_SMB,
158  STREAM_TOCLIENT, (uint8_t *)resp_str, sizeof(resp_str));
159  FAIL_IF_NOT(r == 0);
160  resp_str[28] = 0x07;
161  r = AppLayerParserParse(NULL, alp_tctx, f, ALPROTO_SMB,
162  STREAM_TOCLIENT, (uint8_t *)resp_str, sizeof(resp_str));
163  FAIL_IF_NOT(r == 0);
164  AppLayerParserTransactionsCleanup(f, STREAM_TOCLIENT);
165 
166  UTHAppLayerParserStateGetIds(f->alparser, &ret[0], &ret[1], &ret[2], &ret[3]);
167  FAIL_IF_NOT(ret[0] == 2); // inspect_id[0]
168  FAIL_IF_NOT(ret[1] == 2); // inspect_id[1]
169  FAIL_IF_NOT(ret[2] == 2); // log_id
170  FAIL_IF_NOT(ret[3] == 2); // min_id
171 
172  resp_str[28] = 0x03;
173  r = AppLayerParserParse(NULL, alp_tctx, f, ALPROTO_SMB,
174  STREAM_TOCLIENT, (uint8_t *)resp_str, sizeof(resp_str));
175  FAIL_IF_NOT(r == 0);
176  AppLayerParserTransactionsCleanup(f, STREAM_TOCLIENT);
177 
178  UTHAppLayerParserStateGetIds(f->alparser, &ret[0], &ret[1], &ret[2], &ret[3]);
179  FAIL_IF_NOT(ret[0] == 8); // inspect_id[0]
180  FAIL_IF_NOT(ret[1] == 8); // inspect_id[1]
181  FAIL_IF_NOT(ret[2] == 8); // log_id
182  FAIL_IF_NOT(ret[3] == 8); // min_id
183 
184  req_str[28] = 0x09;
185  r = AppLayerParserParse(NULL, alp_tctx, f, ALPROTO_SMB,
186  STREAM_TOSERVER | STREAM_EOF, (uint8_t *)req_str, sizeof(req_str));
187  FAIL_IF_NOT(r == 0);
188  AppLayerParserTransactionsCleanup(f, STREAM_TOSERVER);
189 
190  UTHAppLayerParserStateGetIds(f->alparser, &ret[0], &ret[1], &ret[2], &ret[3]);
191  FAIL_IF_NOT(ret[0] == 8); // inspect_id[0] not updated by ..Cleanup() until full tx is done
192  FAIL_IF_NOT(ret[1] == 8); // inspect_id[1]
193  FAIL_IF_NOT(ret[2] == 8); // log_id
194  FAIL_IF_NOT(ret[3] == 8); // min_id
195 
196  resp_str[28] = 0x09;
197  r = AppLayerParserParse(NULL, alp_tctx, f, ALPROTO_SMB,
198  STREAM_TOCLIENT | STREAM_EOF, (uint8_t *)resp_str, sizeof(resp_str));
199  FAIL_IF_NOT(r == 0);
200  AppLayerParserTransactionsCleanup(f, STREAM_TOCLIENT);
201 
202  UTHAppLayerParserStateGetIds(f->alparser, &ret[0], &ret[1], &ret[2], &ret[3]);
203  FAIL_IF_NOT(ret[0] == 9); // inspect_id[0]
204  FAIL_IF_NOT(ret[1] == 9); // inspect_id[1]
205  FAIL_IF_NOT(ret[2] == 9); // log_id
206  FAIL_IF_NOT(ret[3] == 9); // min_id
207 
208  AppLayerParserThreadCtxFree(alp_tctx);
209  StreamTcpFreeConfig(true);
210  UTHFreeFlow(f);
211 
212  PASS;
213 }
214 
215 static void SMBParserRegisterTests(void)
216 {
217  UtRegisterTest("SMBParserTxCleanupTest", SMBParserTxCleanupTest);
218 }
219 
220 #endif /* UNITTESTS */
FAIL_IF_NULL
#define FAIL_IF_NULL(expr)
Fail a test if expression evaluates to NULL.
Definition: util-unittest.h:89
RegisterSMBParsers
void RegisterSMBParsers(void)
Definition: app-layer-smb.c:45
stream-tcp.h
AppLayerParserTransactionsCleanup
void AppLayerParserTransactionsCleanup(Flow *f, const uint8_t pkt_dir)
remove obsolete (inspected and logged) transactions
Definition: app-layer-parser.c:884
UtRegisterTest
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
Definition: util-unittest.c:103
Flow_::proto
uint8_t proto
Definition: flow.h:378
STREAMING_BUFFER_CONFIG_INITIALIZER
#define STREAMING_BUFFER_CONFIG_INITIALIZER
Definition: util-streaming-buffer.h:74
Flow_
Flow data structure.
Definition: flow.h:356
AppLayerParserThreadCtxFree
void AppLayerParserThreadCtxFree(AppLayerParserThreadCtx *tctx)
Destroys the app layer parser thread context obtained using AppLayerParserThreadCtxAlloc().
Definition: app-layer-parser.c:300
rust.h
Flow_::protoctx
void * protoctx
Definition: flow.h:446
util-unittest.h
util-unittest-helper.h
FAIL_IF_NOT
#define FAIL_IF_NOT(expr)
Fail a test if expression evaluates to false.
Definition: util-unittest.h:82
Flow_::alparser
AppLayerParserState * alparser
Definition: flow.h:480
app-layer-detect-proto.h
StreamTcpInitConfig
void StreamTcpInitConfig(bool)
To initialize the stream global configuration data.
Definition: stream-tcp.c:461
UTHBuildFlow
Flow * UTHBuildFlow(int family, const char *src, const char *dst, Port sp, Port dp)
Definition: util-unittest-helper.c:482
PASS
#define PASS
Pass the test.
Definition: util-unittest.h:105
alp_tctx
AppLayerParserThreadCtx * alp_tctx
Definition: fuzz_applayerparserparse.c:22
app-layer-parser.h
AppLayerParserRegisterProtocolUnittests
void AppLayerParserRegisterProtocolUnittests(uint8_t ipproto, AppProto alproto, void(*RegisterUnittests)(void))
Definition: app-layer-parser.c:1771
UTHFreeFlow
void UTHFreeFlow(Flow *flow)
Definition: util-unittest-helper.c:487
AppLayerParserThreadCtxAlloc
AppLayerParserThreadCtx * AppLayerParserThreadCtxAlloc(void)
Gets a new app layer protocol's parser thread context.
Definition: app-layer-parser.c:279
StreamTcpFreeConfig
void StreamTcpFreeConfig(bool quiet)
Definition: stream-tcp.c:792
AppLayerParserParse
int AppLayerParserParse(ThreadVars *tv, AppLayerParserThreadCtx *alp_tctx, Flow *f, AppProto alproto, uint8_t flags, const uint8_t *input, uint32_t input_len)
Definition: app-layer-parser.c:1265
suricata-common.h
StreamingBufferConfig_
Definition: util-streaming-buffer.h:65
SuricataFileContext_
Definition: rust-context.h:66
UTHAppLayerParserStateGetIds
void UTHAppLayerParserStateGetIds(void *ptr, uint64_t *i1, uint64_t *i2, uint64_t *log, uint64_t *min)
Definition: app-layer-parser.c:203
app-layer-protos.h
suricata.h
app-layer-smb.h
ALPROTO_SMB
@ ALPROTO_SMB
Definition: app-layer-protos.h:37
AppLayerParserThreadCtx_
Definition: app-layer-parser.c:58
TcpSession_
Definition: stream-tcp-private.h:283
util-misc.h
Flow_::alproto
AppProto alproto
application level protocol
Definition: flow.h:455