authorLuca Deri <deri@ntop.org>2025-01-03 11:15:27 +0100
committerLuca Deri <deri@ntop.org>2025-01-03 11:15:27 +0100
commit71de91dc7a399cf00f907bc6eab968331b4552a9 (patch)
tree32e9202db26353962094412d8084043ddd33ede6 /src/lib/protocols
parentcb1548deb970c7195ea5cd74b1226ae201837399 (diff)
Improved SMBv1 heuristic to avoid triggering risks for SMBv1 broadcast messages when used to browse (old) network devices
Diffstat (limited to 'src/lib/protocols')
-rw-r--r--src/lib/protocols/smb.c14
1 files changed, 13 insertions, 1 deletions
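diff --git a/src/lib/protocols/smb.c b/src/lib/protocols/smb.c
index b0255cb63..3733b3747 100644
--- a/src/lib/protocols/smb.c
+++ b/src/lib/protocols/smb.c
@@ -52,7 +52,19 @@ static void ndpi_search_smb_tcp(struct ndpi_detection_module_struct *ndpi_struct
 if(packet->payload[8] != 0x72) /* Skip Negotiate request */ {
 NDPI_LOG_INFO(ndpi_struct, "found SMBv1\n");
 ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_SMBV1, NDPI_PROTOCOL_NETBIOS, NDPI_CONFIDENCE_DPI);
-ndpi_set_risk(flow, NDPI_SMB_INSECURE_VERSION, "Found SMBv1");
+
+/*
+Before we complain let's check if this is a broadacast message
+as for broadcast we can tolerate v1 as it can be used to
+discover old device versions.
+
+As nDPI has not MAC address visibility (checking for destination MAC
+FF:FF:FF:FF:FF:FF would have been easier) we need to implement
+some heuristic here.
+*/
+
+if(packet->payload[8] != 0x25) /* Skip SMB command Trans */
+ndpi_set_risk(flow, NDPI_SMB_INSECURE_VERSION, "Found SMBv1");
 }
 return;
 } else if(memcmp(&packet->payload[4], smbv2, sizeof(smbv2)) == 0) {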
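Review bot: The exemption on the new `if(packet->payload[8] != 0x25)` line suppresses NDPI_SMB_INSECURE_VERSION for every SMB_COM_TRANSACTION, not only for browser broadcasts; Trans also carries named-pipe traffic (RPC over SMB pipes, among others), so a unicast SMBv1 session whose first non-negotiate command is Trans is now detected as SMBv1 with no risk attached. The hunk header places this code in ndpi_search_smb_tcp, and a command carried over TCP is unicast by construction, so if this path really only sees TCP the broadcast rationale in the new comment would not apply at all — worth confirming against the caller. A tighter check would be to verify, after a payload-length check, that the transaction's name field is the browser mailslot (`\MAILSLOT\BROWSE`) before skipping the risk, and to say so in the comment: `/* Only Trans carrying a \MAILSLOT\BROWSE datagram is exempt; other Trans (e.g. named pipes) is a real SMBv1 session */`. The new comment also misspells "broadacast". ndpi_search_smb_tcp starts and ends outside the hunk, so the payload-length guard that makes `payload[8]` safe to read is not visible here.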