authorLuca Deri <deri@ntop.org>2020-07-27 13:05:06 +0200
committerLuca Deri <deri@ntop.org>2020-07-27 13:05:06 +0200
commitda87cc315744914c92cca27725dc87f59f83deec (patch)
tree6a15bbcd0aa4ddaf37cade61cf621cb94198c8d4
parent69f140878ca61a6ea8077901986e0dbc2e129b2e (diff)
Added NDPI_SMB_INSECURE_VERSION for detecting insecure SMB versions (e.g. v1)
-rw-r--r--src/include/ndpi_typedefs.h1
-rw-r--r--src/lib/ndpi_utils.c3
-rw-r--r--src/lib/protocols/smb.c3
-rw-r--r--tests/result/smbv1.pcap.out2
4 files changed, 7 insertions, 2 deletions
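--- a/src/include/ndpi_typedefs.h
+++ b/src/include/ndpi_typedefs.h
@@ -78,6 +78,7 @@ typedef enum {
 NDPI_MALFORMED_PACKET,
 NDPI_SSH_OBSOLETE_CLIENT_VERSION_OR_CIPHER,
 NDPI_SSH_OBSOLETE_SERVER_VERSION_OR_CIPHER,
+ NDPI_SMB_INSECURE_VERSION,
 /* Leave this as last member */
 NDPI_MAX_RISK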
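Review bot: The new `NDPI_SMB_INSECURE_VERSION` member has no comment saying when it is raised, which a reader of the risk enum needs; suggest `NDPI_SMB_INSECURE_VERSION, /* SMBv1 command seen past Negotiate: the flow really runs the deprecated SMBv1 dialect */`. The value is used as a bit index into the flow risk mask (`NDPI_SET_BIT(flow->risk, ...)` in smb.c), so inserting it before `NDPI_MAX_RISK` keeps existing bit positions stable, but the width of `flow->risk` is not visible here and is worth confirming against `NDPI_MAX_RISK`. Any other table indexed by this enum (a risk-to-severity or risk-to-score mapping, if the project has one) must be extended in step; this commit only extends `ndpi_risk2str`. The enum's closing line is outside the hunk.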
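--- a/src/lib/ndpi_utils.c
+++ b/src/lib/ndpi_utils.c
@@ -1530,6 +1530,9 @@ const char* ndpi_risk2str(ndpi_risk_enum risk) {
 case NDPI_SSH_OBSOLETE_SERVER_VERSION_OR_CIPHER:
 return("SSH Obsolete Server Version/Cipher");
+ case NDPI_SMB_INSECURE_VERSION:
+ return("SMB Insecure Version");
+
 default:
 snprintf(buf, sizeof(buf), "%d", (int)risk);
 return(buf);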
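--- a/src/lib/protocols/smb.c
+++ b/src/lib/protocols/smb.c
@@ -44,8 +44,9 @@ void ndpi_search_smb_tcp(struct ndpi_detection_module_struct *ndpi_struct, struc
 NDPI_LOG_INFO(ndpi_struct, "found SMB\n");
 if(memcmp(&packet->payload[4], smbv1, sizeof(smbv1)) == 0) {
- if(packet->payload[8] != 0x72) /* Skip Negotiate request */ {
+ if(packet->payload[8] != 0x72) /* Skip Negotiate request */ {
 ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_SMBV1, NDPI_PROTOCOL_NETBIOS);
+ NDPI_SET_BIT(flow->risk, NDPI_SMB_INSECURE_VERSION);
 }
 } else
 ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_SMBV23, NDPI_PROTOCOL_NETBIOS);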
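Review bot: The added `NDPI_SET_BIT` line inherits the `packet->payload[8]` read on the line above it, and the hunk shows no `payload_packet_len` guard; unless one is done earlier in `ndpi_search_smb_tcp` (the function starts outside the hunk) the Negotiate test reads past short payloads before the risk is ever set. Assuming that guard exists, the placement is right: the risk is raised only once a non-Negotiate SMBv1 command is seen, so a v1-style Negotiate request that later settles on an SMB2/3 dialect is not flagged, but that reasoning is not recorded anywhere in the code. Suggest a comment above the new line, `/* Non-Negotiate SMBv1 command: the flow really speaks SMBv1 (deprecated dialect, no encryption) */`. The removed and re-added `if(... != 0x72)` lines read identically here, so that part looks like a whitespace-only change that adds noise to the diff.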
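--- a/tests/result/smbv1.pcap.out
+++ b/tests/result/smbv1.pcap.out
@@ -1,3 +1,3 @@
 SMBv1 7 1197 1
- 1 TCP 172.16.156.130:50927 <-> 10.128.0.243:445 [proto: 10.16/NetBIOS.SMBv1][cat: System/18][4 pkts/669 bytes <-> 3 pkts/528 bytes][Goodput ratio: 68/69][0.10 sec][bytes ratio: 0.118 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 27/34 32/35 37/36 4/1][Pkt Len c2s/s2c min/avg/max/stddev: 136/114 167/176 194/243 26/53][Risk: ** Known protocol on non standard port **][PLAIN TEXT (PC NETWORK PROGRAM 1.0)][Plen Bins: 0,14,28,14,28,14,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+ 1 TCP 172.16.156.130:50927 <-> 10.128.0.243:445 [proto: 10.16/NetBIOS.SMBv1][cat: System/18][4 pkts/669 bytes <-> 3 pkts/528 bytes][Goodput ratio: 68/69][0.10 sec][bytes ratio: 0.118 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 27/34 32/35 37/36 4/1][Pkt Len c2s/s2c min/avg/max/stddev: 136/114 167/176 194/243 26/53][Risk: ** Known protocol on non standard port **** SMB Insecure Version **][PLAIN TEXT (PC NETWORK PROGRAM 1.0)][Plen Bins: 0,14,28,14,28,14,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]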