1 /****************************************************************************
2 * Copyright (C) 2014-2020 Cisco and/or its affiliates. All rights reserved.
3 * Copyright (C) 2008-2013 Sourcefire, Inc.
4 *
5 * This program is free software; you can redistribute it and/or modify
6 * it under the terms of the GNU General Public License Version 2 as
7 * published by the Free Software Foundation. You may not use, modify or
8 * distribute this program under any other version of the GNU General
9 * Public License.
10 *
11 * This program is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU General Public License for more details.
15 *
16 * You should have received a copy of the GNU General Public License
17 * along with this program; if not, write to the Free Software
18 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
19 *
20 ****************************************************************************
21 *
22 ****************************************************************************/
23
24 #ifndef _DCE2_SMB_H_
25 #define _DCE2_SMB_H_
26
27 #include "dce2_session.h"
28 #include "dce2_tcp.h"
29 #include "dce2_list.h"
30 #include "dce2_utils.h"
31 #include "smb.h"
32 #include "sf_snort_packet.h"
33 #include "sf_types.h"
34 #include "snort_debug.h"
35
36 /********************************************************************
37 * Macros
38 ********************************************************************/
// Used for reassembled packets: total length of the synthetic NetBIOS +
// SMB + WriteAndX (client) / ReadAndX (server) headers that are prepended to
// reassembled data.  Sizes come straight from the wire-format structs in
// smb.h, so they track those definitions automatically.
#define DCE2_MOCK_HDR_LEN__SMB_CLI \
(sizeof(NbssHdr) + sizeof(SmbNtHdr) + sizeof(SmbWriteAndXReq))
#define DCE2_MOCK_HDR_LEN__SMB_SRV \
(sizeof(NbssHdr) + sizeof(SmbNtHdr) + sizeof(SmbReadAndXResp))

// This is for ease of comparison so a 32 bit numeric compare can be done
// instead of a string compare.  These are the big-endian reading of the
// four protocol-id bytes that open every SMB1 ("\xffSMB") and SMB2/3
// ("\xfeSMB") header; SmbId() (smb.h, not visible here) is assumed to
// return the id in the same byte order -- confirm before reusing elsewhere.
#define DCE2_SMB_ID 0xff534d42 /* \xffSMB */
#define DCE2_SMB2_ID 0xfe534d42 /* \xfeSMB */

// MS-FSCC Section 2.1.5 - Pathname: upper bounds on a whole pathname and on
// a single path component.  Both are character counts; buffers that hold
// UTF-16 (see smb_file_name below) must double them to get bytes.
#define DCE2_SMB_MAX_PATH_LEN 32760
#define DCE2_SMB_MAX_COMP_LEN 255
53
54 /********************************************************************
55 * Externs
56 ********************************************************************/
// Per-command tables, all indexed by an SMB command or sub-command code.
// Each array is sized by the corresponding *_MAX bound, so any index taken
// from the wire must be range-checked against that bound before use.
extern SmbAndXCom smb_chain_map[SMB_MAX_NUM_COMS];
extern const char *smb_com_strings[SMB_MAX_NUM_COMS];
extern const char *smb_transaction_sub_command_strings[TRANS_SUBCOM_MAX];
extern const char *smb_transaction2_sub_command_strings[TRANS2_SUBCOM_MAX];
extern const char *smb_nt_transact_sub_command_strings[NT_TRANSACT_SUBCOM_MAX];
// Global scratch buffer for the file name currently being tracked, sized for
// UTF-16LE: a BOM, DCE2_SMB_MAX_PATH_LEN code units (2 bytes each) and a
// 2-byte terminator.  smb_file_name_len is the number of bytes in use; as a
// uint16_t it only spans the whole buffer while UTF_16_LE_BOM_LEN stays
// small (2*32760 + 2 + 2 = 65524 fits, 65535 is the ceiling) -- revisit if
// either constant grows.
extern uint8_t smb_file_name[2*DCE2_SMB_MAX_PATH_LEN + UTF_16_LE_BOM_LEN + 2];
extern uint16_t smb_file_name_len;
64
65 /********************************************************************
66 * Enums
67 ********************************************************************/
// Bit flags kept in DCE2_SmbSsnData.ssn_state_flags.  They are OR-ed in by
// the DCE2_SmbSetFingerprinted*() helpers, so several can be set at once;
// START is the all-clear value rather than a flag of its own.
typedef enum _DCE2_SmbSsnState
{
    DCE2_SMB_SSN_STATE__START      = 0,        // nothing recorded yet
    DCE2_SMB_SSN_STATE__NEGOTIATED = (1 << 0), // presumably set once Negotiate completes
    DCE2_SMB_SSN_STATE__FP_CLIENT  = (1 << 1), // Fingerprinted client
    DCE2_SMB_SSN_STATE__FP_SERVER  = (1 << 2)  // Fingerprinted server
} DCE2_SmbSsnState;
76
// Parse position within a NetBIOS-framed SMB message, tracked separately
// for each direction (DCE2_SmbSsnData.cli_data_state / srv_data_state):
// first the NetBIOS session header, then the SMB header, then whatever
// remains of the PDU.
typedef enum _DCE2_SmbDataState
{
    DCE2_SMB_DATA_STATE__NETBIOS_HEADER = 0,
    DCE2_SMB_DATA_STATE__SMB_HEADER     = 1,
    DCE2_SMB_DATA_STATE__NETBIOS_PDU    = 2
} DCE2_SmbDataState;
84
// Whether the next PDU on the session is expected to carry a regular SMB
// command or raw data (DCE2_SmbSsnData.pdu_state).  Raw data presumably
// follows WriteRaw / raw-mode WriteAndX; the transition logic lives in
// dce2_smb.c.
typedef enum _DCE2_SmbPduState
{
    DCE2_SMB_PDU_STATE__COMMAND  = 0,
    DCE2_SMB_PDU_STATE__RAW_DATA = 1
} DCE2_SmbPduState;
91
// Transfer direction of a tracked file as seen from the client.  UNKNOWN is
// deliberately 0 so a zero-initialised tracker starts out undetermined; the
// DCE2_SmbFileDirUnknown/Upload/Download() helpers test these values.
typedef enum _DCE2_SmbFileDirection
{
    DCE2_SMB_FILE_DIRECTION__UNKNOWN  = 0,
    DCE2_SMB_FILE_DIRECTION__UPLOAD   = 1,
    DCE2_SMB_FILE_DIRECTION__DOWNLOAD = 2
} DCE2_SmbFileDirection;
99
/* Records that a pending verdict has been received for an upload, in which case the trackers must not be deleted yet. */
typedef enum _DCE2_SmbRetransmitPending
{
    DCE2_SMB_RETRANSMIT_PENDING__UNSET = 0, // no verdict outstanding; trackers may be freed
    DCE2_SMB_RETRANSMIT_PENDING__SET   = 1  // a verdict is pending on an upload; keep the trackers
} DCE2_SmbRetransmitPending;
107
108 /********************************************************************
109 * Structures
110 ********************************************************************/
// Bookkeeping for a raw-mode WriteAndX on a named pipe (reached through the
// fp_writex_raw accessor of DCE2_SmbFileTracker): data is collected in buf
// until `remaining` bytes have been seen.
typedef struct _DCE2_SmbWriteAndXRaw
{
    int remaining; // A signed integer so it can be negative -- presumably so
                   // that a client sending more than announced shows up as an
                   // overshoot instead of wrapping an unsigned counter
    DCE2_Buffer *buf; // accumulated raw data; ownership is assumed to sit with
                      // this struct (freed in dce2_smb.c, not visible here)

} DCE2_SmbWriteAndXRaw;
117
// One piece of a tracked file's contents, held in the ff_file_chunks list of
// a DCE2_SmbFileTracker; presumably used to park out-of-order writes/reads
// until the tracker's file offset catches up.
typedef struct _DCE2_SmbFileChunk
{
    uint64_t offset; // file offset of the first byte of `data`
    uint32_t length; // number of valid bytes at `data`
    uint8_t *data;   // whether this is a copy owned by the chunk or a borrowed
                     // pointer is not visible from this header -- check the
                     // chunk free routine in dce2_smb.c before changing lifetime

} DCE2_SmbFileChunk;
125
// State for one open file or named pipe on a session.  The key identifying
// the object differs between SMB1 (fid/uid/tid triple) and SMB2 (64-bit file
// id); is_smb2 says which member of file_key is live, and is_ipc presumably
// selects between the nmpipe and file members of `tracker`.  The field
// accessor macros at the end (fid_v1, fp_byte_mode, ff_file_size, ...) are
// the intended way to reach into the unions.
typedef struct _DCE2_SmbFileTracker
{
    union
    {
        struct
        {
            int file_id; // A signed integer so it can be set to sentinel
            uint16_t u_id;
            uint16_t tree_id;
        } id_smb1;

        struct
        {
            uint64_t file_id;
        } id_smb2;

    } file_key;

    bool is_ipc;  // named pipe (IPC$ share) rather than a regular file
    bool is_smb2; // which file_key member is valid
    uint16_t file_name_len; // byte length of file_name
    uint8_t *file_name;     // byte buffer, not assumed NUL-terminated; owned by
                            // the tracker as far as this header shows
    union
    {
        struct
        {
            // If pipe has been set to byte mode via TRANS_SET_NMPIPE_STATE
            bool byte_mode;

            // For Windows 2000
            bool used;

            // For WriteAndX requests that use raw mode flag
            // Windows only
            DCE2_SmbWriteAndXRaw *writex_raw;

            // Connection-oriented DCE/RPC tracker
            DCE2_CoTracker *co_tracker;

        } nmpipe;

        struct
        {
            uint64_t file_size;
            uint64_t file_offset;     // next expected offset for sequential delivery
            uint64_t bytes_processed; // bytes already handed on (presumably to the file API)
            DCE2_List *file_chunks;   // List of DCE2_SmbFileChunk
            uint32_t bytes_queued;    // bytes currently parked in file_chunks; the
                                      // cap that bounds this is enforced in dce2_smb.c
            DCE2_SmbFileDirection file_direction;
            bool sequential_only;     // chunks must arrive in offset order

        } file;

    } tracker;

    // Accessor shorthands for the unions above.  NOTE: the preprocessor does
    // not scope these to the struct -- each is an ordinary file-wide macro
    // that expands wherever the token appears, so none of these names can be
    // used as an identifier anywhere this header is included.
#define fid_v1 file_key.id_smb1.file_id
#define uid_v1 file_key.id_smb1.u_id
#define tid_v1 file_key.id_smb1.tree_id
#define fid_v2 file_key.id_smb2.file_id
#define fp_byte_mode tracker.nmpipe.byte_mode
#define fp_used tracker.nmpipe.used
#define fp_writex_raw tracker.nmpipe.writex_raw
#define fp_co_tracker tracker.nmpipe.co_tracker
#define ff_file_size tracker.file.file_size
#define ff_file_offset tracker.file.file_offset
#define ff_bytes_processed tracker.file.bytes_processed
#define ff_file_direction tracker.file.file_direction
#define ff_file_chunks tracker.file.file_chunks
#define ff_bytes_queued tracker.file.bytes_queued
#define ff_sequential_only tracker.file.sequential_only

} DCE2_SmbFileTracker;
198
// SMB dialect family detected on a session.  The constant names carry a
// long-standing misspelling ("VERISON"); they are kept as-is because callers
// in other files depend on them.
typedef enum _DCE2_SmbVersion
{
    DCE2_SMB_VERISON_NULL = 0, // not yet determined
    DCE2_SMB_VERISON_1    = 1,
    DCE2_SMB_VERISON_2    = 2
} DCE2_SmbVersion;
205
206
// One outstanding SMB2 request waiting for its response, kept on the
// doubly linked list rooted at DCE2_SmbSsnData.smb2_requests.  Responses are
// matched by message_id; `command` tells which member of the anonymous union
// (a C11 feature, already relied on here) holds the request details.
typedef struct _Smb2Request
{
    uint64_t message_id; /* identifies a message uniquely on connection */
    uint16_t command;    /* SMB2 command code; selects the union member */
    union {
        struct {
            uint64_t offset; /* data offset */
            uint64_t file_id; /* file id */
        }read_req;
        struct {
            char *file_name; /* file name; presumably a byte buffer bounded by
                                file_name_len rather than NUL-terminated.
                                Who frees it is not visible here -- confirm in
                                dce2_smb.c before changing lifetime */
            uint16_t file_name_len; /*size*/
            bool durable_reconnect; /* durable reconnect? */
        }create_req;
    };
    struct _Smb2Request *next;
    struct _Smb2Request *previous;
} Smb2Request;
225
// Reassembly state for a Transaction / Transaction2 / NtTransact exchange.
// The data and parameter sections can be spread over several requests, so a
// total and a received-so-far count are kept for each, with the pieces
// accumulated in dbuf / pbuf.  Sanity: dsent <= tdcnt and psent <= tpcnt
// must hold; the checks that enforce that live in dce2_smb.c, not here.
typedef struct _DCE2_SmbTransactionTracker
{
    int smb_type;       // which of the three transaction commands
    uint8_t subcom;     // sub-command code; presumably used to index the
                        // smb_*_sub_command_strings tables after a bounds check
    bool one_way;
    bool disconnect_tid;
    bool pipe_byte_mode;
    uint32_t tdcnt;     // total data count (presumably TotalDataCount from the request)
    uint32_t dsent;     // data bytes received so far
    DCE2_Buffer *dbuf;  // accumulated data section
    uint32_t tpcnt;     // total parameter count (presumably TotalParameterCount)
    uint32_t psent;     // parameter bytes received so far
    DCE2_Buffer *pbuf;  // accumulated parameter section
    // For Transaction2/Query File Information
    uint16_t info_level;

} DCE2_SmbTransactionTracker;
243
// One outstanding SMB1 request, kept until its response arrives so the two
// can be paired (per the cur_rtracker comment in DCE2_SmbSsnData, at least
// pid/mid take part in the match).  Several fields are only meaningful for
// particular commands; the comments say which.
typedef struct _DCE2_SmbRequestTracker
{
    int smb_com; // SMB command code of the request

    int mid; // A signed integer so it can be set to sentinel
    uint16_t uid;
    uint16_t tid;
    uint16_t pid;

    // For WriteRaw
    bool writeraw_writethrough;
    uint32_t writeraw_remaining; // raw bytes still expected after the request
    uint16_t file_name_len;      // byte length of file_name below

    // For Transaction/Transaction2/NtTransact
    DCE2_SmbTransactionTracker ttracker;

    // Client can chain a write to an open. Need to write data, but also
    // need to associate tracker with fid returned from server
    DCE2_Queue *ft_queue;

    // This is a reference to an existing file tracker -- not owned, so it
    // must never be freed through this pointer.
    DCE2_SmbFileTracker *ftracker;

    // Used for requests to cache data that will ultimately end up in
    // the file tracker upon response.  file_name is presumably handed over to
    // the file tracker at that point rather than copied -- verify in
    // dce2_smb.c before touching its lifetime.
    uint8_t *file_name;
    uint64_t file_size;
    uint64_t file_offset;
    bool sequential_only;

    // For TreeConnect to know whether it's to IPC
    bool is_ipc;

} DCE2_SmbRequestTracker;
279
// Per-session state for the SMB transport.  Created by DCE2_SmbSsnInit() and
// torn down through DCE2_SmbDataFree() / DCE2_SmbSsnFree() (declared above).
typedef struct _DCE2_SmbSsnData
{
    DCE2_SsnData sd; // This member must be first -- presumably so a
                     // DCE2_SmbSsnData * can be used where the generic layer
                     // expects a DCE2_SsnData *; the cast is in another file.

    DCE2_Policy policy;

    int dialect_index;   // negotiated dialect; index into a table in dce2_smb.c (assumed)
    int ssn_state_flags; // OR of DCE2_SmbSsnState bits

    // Parse position for each direction (see DCE2_SmbDataState)
    DCE2_SmbDataState cli_data_state;
    DCE2_SmbDataState srv_data_state;

    DCE2_SmbPduState pdu_state;

    int uid; // A signed integer so it can be set to sentinel
    int tid; // A signed integer so it can be set to sentinel
    DCE2_List *uids; // user ids known on this session (presumed)
    DCE2_List *tids; // tree ids known on this session (presumed)

    // For tracking files and named pipes: one embedded tracker plus a list
    // for any further ones
    DCE2_SmbFileTracker ftracker;
    DCE2_List *ftrackers; // List of DCE2_SmbFileTracker

    // For tracking requests / responses, same embedded-plus-container shape
    DCE2_SmbRequestTracker rtracker;
    DCE2_Queue *rtrackers;

    // The current pid/mid node for this request/response
    DCE2_SmbRequestTracker *cur_rtracker;

    // Used for TCP segmentation to get full PDU
    DCE2_Buffer *cli_seg;
    DCE2_Buffer *srv_seg;

    // These are used for commands we don't need to process: bytes left to
    // skip in each direction before parsing resumes
    uint32_t cli_ignore_bytes;
    uint32_t srv_ignore_bytes;

    // The file API supports one concurrent upload/download per session.
    // This is a reference to a file tracker so shouldn't be freed.
    DCE2_SmbFileTracker *fapi_ftracker;

    // Outstanding SMB2 requests awaiting a response (Smb2Request list head)
    Smb2Request *smb2_requests;

#ifdef ACTIVE_RESPONSE
    DCE2_SmbFileTracker *fb_ftracker; // tracker of the file being blocked (inferred from the name)
    bool block_pdus;
#endif

    bool smbfound;
    bool smbretransmit;
    // Cap on concurrently outstanding requests and the live count.  This is
    // the resource bound that keeps a client which never consumes responses
    // from growing rtrackers without limit; enforcement is in dce2_smb.c.
    uint16_t max_outstanding_requests;
    uint16_t outstanding_requests;
    // Maximum file depth as returned from file API
    int64_t max_file_depth;

} DCE2_SmbSsnData;
337
// One entry of a byte-driven table FSM: on `input` move to next_state, on any
// other byte move to fail_state.  The tables themselves are in dce2_smb.c
// (presumably for matching strings such as pipe names byte by byte).  Note
// the struct tag is _DCE2SmbFsm while the typedef is DCE2_SmbFsm; kept as-is
// since other files may name the tag.
typedef struct _DCE2SmbFsm
{
    char input;     // byte this entry matches
    int next_state; // entry to use on a match
    int fail_state; // entry to use on a mismatch

} DCE2_SmbFsm;
345
346 /********************************************************************
347 * Inline function prototypes
348 ********************************************************************/
// Prototypes for the inline helpers defined at the end of this header.
static inline DCE2_TransType DCE2_SmbAutodetect(const SFSnortPacket *);
static inline void DCE2_SmbSetFingerprintedClient(DCE2_SmbSsnData *);
static inline bool DCE2_SmbFingerprintedClient(DCE2_SmbSsnData *);
static inline void DCE2_SmbSetFingerprintedServer(DCE2_SmbSsnData *);
static inline bool DCE2_SmbFingerprintedServer(DCE2_SmbSsnData *);
354
355 /********************************************************************
356 * Public function prototypes
357 ********************************************************************/
// Entry points implemented in dce2_smb.c.  Only the signatures are visible
// here; the per-function notes are inferred from names and should be checked
// against the implementation.
void DCE2_SmbInitGlobals(void);                                // one-time setup of the tables declared above
void DCE2_SmbInitRdata(uint8_t *, int);                        // prepare the mock header buffer for reassembled data
void DCE2_SmbSetRdata(DCE2_SmbSsnData *, uint8_t *, uint16_t); // fill the mock header for a session
DCE2_SmbSsnData * DCE2_SmbSsnInit(SFSnortPacket *);            // allocate session state; callers must handle NULL
void DCE2_SmbProcess(DCE2_SmbSsnData *);                       // parse the current packet for this session
void DCE2_SmbDataFree(DCE2_SmbSsnData *);                      // release the session's owned sub-objects
void DCE2_SmbSsnFree(void *);                                  // void * so it can serve as a generic free callback
#ifdef ACTIVE_RESPONSE
void DCE2_SmbInitDeletePdu(void);
#endif
void DCE2_Process_Retransmitted(SFSnortPacket *);              // handle a retransmitted packet (see smbretransmit)
/*********************************************************************
 * Function: DCE2_SmbAutodetect()
 *
 * Purpose: Tries to determine if a packet is likely to be SMB: the
 *          payload must hold a NetBIOS session message whose body
 *          starts with an SMB1 or SMB2 protocol id.
 *
 * Arguments:
 *  const SFSnortPacket * - the packet; only payload and payload_size
 *                          are consulted.
 *
 * Returns:
 *  DCE2_TransType - DCE2_TRANS_TYPE__SMB on a match,
 *                   DCE2_TRANS_TYPE__NONE otherwise.
 *
 *********************************************************************/
static inline DCE2_TransType DCE2_SmbAutodetect(const SFSnortPacket *p)
{
    NbssHdr *nb_hdr;
    SmbNtHdr *smb_hdr;

    // Both headers must fit before either is dereferenced.  The comparison
    // is strict: a payload that is exactly header-sized is not claimed.
    if (p->payload_size <= (sizeof(NbssHdr) + sizeof(SmbNtHdr)))
        return DCE2_TRANS_TYPE__NONE;

    nb_hdr = (NbssHdr *)p->payload;

    // Only NetBIOS session messages are inspected; every other session
    // packet type is ignored here.
    if (NbssType(nb_hdr) != NBSS_SESSION_TYPE__MESSAGE)
        return DCE2_TRANS_TYPE__NONE;

    smb_hdr = (SmbNtHdr *)(p->payload + sizeof(NbssHdr));

    // SMB1 ("\xffSMB") and SMB2/3 ("\xfeSMB") are both accepted; only the
    // protocol id is examined.  The NetBIOS length field is not validated
    // at this point -- that is left to the full parser.
    if ((SmbId(smb_hdr) == DCE2_SMB_ID) || (SmbId(smb_hdr) == DCE2_SMB2_ID))
        return DCE2_TRANS_TYPE__SMB;

    return DCE2_TRANS_TYPE__NONE;
}
411
// Record that the client side of the session has been fingerprinted.
// Nothing in this header clears the bit again.
static inline void DCE2_SmbSetFingerprintedClient(DCE2_SmbSsnData *ssd)
{
    ssd->ssn_state_flags = ssd->ssn_state_flags | DCE2_SMB_SSN_STATE__FP_CLIENT;
}
416
// True once DCE2_SmbSetFingerprintedClient() has been called on this session.
static inline bool DCE2_SmbFingerprintedClient(DCE2_SmbSsnData *ssd)
{
    return (ssd->ssn_state_flags & DCE2_SMB_SSN_STATE__FP_CLIENT) != 0;
}
421
// Record that the server side of the session has been fingerprinted.
// Nothing in this header clears the bit again.
static inline void DCE2_SmbSetFingerprintedServer(DCE2_SmbSsnData *ssd)
{
    ssd->ssn_state_flags = ssd->ssn_state_flags | DCE2_SMB_SSN_STATE__FP_SERVER;
}
426
// True once DCE2_SmbSetFingerprintedServer() has been called on this session.
static inline bool DCE2_SmbFingerprintedServer(DCE2_SmbSsnData *ssd)
{
    return (ssd->ssn_state_flags & DCE2_SMB_SSN_STATE__FP_SERVER) != 0;
}
431
// True while the transfer direction of a tracked file is still undetermined.
static inline bool DCE2_SmbFileDirUnknown(DCE2_SmbFileDirection dir)
{
    return (dir == DCE2_SMB_FILE_DIRECTION__UNKNOWN) ? true : false;
}
436
// True when the tracked file is flowing from client to server.
static inline bool DCE2_SmbFileUpload(DCE2_SmbFileDirection dir)
{
    return (dir == DCE2_SMB_FILE_DIRECTION__UPLOAD) ? true : false;
}
441
// True when the tracked file is flowing from server to client.
static inline bool DCE2_SmbFileDownload(DCE2_SmbFileDirection dir)
{
    return (dir == DCE2_SMB_FILE_DIRECTION__DOWNLOAD) ? true : false;
}
446
447 #endif /* _DCE2_SMB_H_ */
448