author | Ivan Nardi <12729895+IvanNardi@users.noreply.github.com> | 2022-07-07 19:24:31 +0200 |
---|---|---|
committer | GitHub <noreply@github.com> | 2022-07-07 19:24:31 +0200 |
commit | f8076e3a58e628d6761d16acdb4c8c7220a260ec (patch) | |
tree | 66a5d0f8326fe4317db53b1626279b0afd6c23cd /src/lib/protocols/smb.c | |
parent | ff4e010501ff057e353c7f1d9785b5caadceade3 (diff) |
SMB: add (partial) support for messages split into multiple TCP segments (#1644)
Diffstat (limited to 'src/lib/protocols/smb.c')
-rw-r--r-- | src/lib/protocols/smb.c | 34 |
1 files changed, 21 insertions, 13 deletions
diff --git a/src/lib/protocols/smb.c b/src/lib/protocols/smb.c
index 6ae319ccf..c84196343 100644
--- a/src/lib/protocols/smb.c
+++ b/src/lib/protocols/smb.c
@@ -37,21 +37,29 @@ void ndpi_search_smb_tcp(struct ndpi_detection_module_struct *ndpi_struct, struc
 if(((packet->tcp->dest == fourfourfive) || (packet->tcp->source == fourfourfive))
 && packet->payload_packet_len > (32 + 4 + 4)
- && ((uint32_t)packet->payload_packet_len - 4) == ntohl(get_u_int32_t(packet->payload, 0))
- ) {
- u_int8_t smbv1[] = { 0xff, 0x53, 0x4d, 0x42 };
+ && packet->payload[0] == 0x00) {
+ u_int32_t length;
- NDPI_LOG_INFO(ndpi_struct, "found SMB\n");
+ length = (packet->payload[1] << 16) + (packet->payload[2] << 8) + packet->payload[3];
+ /* If the message is split into multiple TCP segments, let's hope that
+ the first message we receive is the first segment */
+ if(length >= (uint32_t)packet->payload_packet_len - 4) {
+ u_int8_t smbv1[] = { 0xff, 0x53, 0x4d, 0x42 };
+ u_int8_t smbv2[] = { 0xfe, 0x53, 0x4d, 0x42 };
- if(memcmp(&packet->payload[4], smbv1, sizeof(smbv1)) == 0) {
- if(packet->payload[8] != 0x72) /* Skip Negotiate request */ {
- ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_SMBV1, NDPI_PROTOCOL_NETBIOS, NDPI_CONFIDENCE_DPI);
- ndpi_set_risk(ndpi_struct, flow, NDPI_SMB_INSECURE_VERSION, "Found SMBv1");
- }
- } else
- ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_SMBV23, NDPI_PROTOCOL_NETBIOS, NDPI_CONFIDENCE_DPI);
-
- return;
+ if(memcmp(&packet->payload[4], smbv1, sizeof(smbv1)) == 0) {
+ if(packet->payload[8] != 0x72) /* Skip Negotiate request */ {
+ NDPI_LOG_INFO(ndpi_struct, "found SMBv1\n");
+ ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_SMBV1, NDPI_PROTOCOL_NETBIOS, NDPI_CONFIDENCE_DPI);
+ ndpi_set_risk(ndpi_struct, flow, NDPI_SMB_INSECURE_VERSION, "Found SMBv1");
+ }
+ return;
+ } else if(memcmp(&packet->payload[4], smbv2, sizeof(smbv2)) == 0) {
+ NDPI_LOG_INFO(ndpi_struct, "found SMBv23\n");
+ ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_SMBV23, NDPI_PROTOCOL_NETBIOS, NDPI_CONFIDENCE_DPI);
+ return;
+ }
+ }
 }
 } |
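Review bot: The new test `if(length >= (uint32_t)packet->payload_packet_len - 4)` matches only a segment that begins a NetBIOS message and carries no more than that one message. A segment holding a complete message followed by another one (declared length smaller than the remaining payload), or a capture that starts mid-message, skips both magic checks and leaves the block. The rest of ndpi_search_smb_tcp lies outside the hunk, so what follows is not visible, but if the flow is excluded there, SMBv1 traffic on it would never get `NDPI_SMB_INSECURE_VERSION`. The "let's hope" comment should state that limit instead, e.g. `/* Only a segment that starts a NetBIOS message and carries no second message is matched; mid-message or coalesced segments are not handled */`. As a style point, `smbv1` and `smbv2` are never written and could be declared `static const u_int8_t`.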