Bug #181

SMB protocol detection issues (was: stream reassembly not working)

Added by Anoop Saldanha over 11 years ago. Updated over 10 years ago.

Status: Closed
Priority: Normal
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

I have a pcap for which stream isn't getting reassembled.

I think it would happen for cases where you have some app payload which isn't supported by our engine (this is before we have detected the alproto for the flow), whose length exceeds AlpProtoDetectCtx.toserver.max_len.

For example, in the case of the SMB pcap, we start with the NetBIOS payload, whose length is 72 bytes, which exceeds the 64-byte max depth within which our engine currently searches for all app layer protos in the payload. Since we don't have a match here, we get ALPROTO_UNKNOWN, and also the StreamMsg data length is greater than AlpProtoDetectCtx.toserver.max_len, because of which we set the no_stream_reassembly flag. You can have a look at app-layer.c:164.

The pcap is 5580-0-test.pcap

#1

Updated by Victor Julien over 11 years ago

We should have a match on the smb part of the stream, right? Is that not happening?

Can you attach (part of) the pcap?

#2

Updated by Anoop Saldanha over 11 years ago

Victor Julien wrote:

We should have a match on the smb part of the stream, right? Is that not happening?

Can you attach (part of) the pcap?

In frame 4, we receive a NetBIOS header without the SMB data. The subsequent frames which have SMB have the NetBIOS section (4 bytes) as well. But it is this first frame, with the NetBIOS header and without the SMB part, that is setting the no_reassembly flag.

#3

Updated by Gurvinder Singh over 11 years ago

Hey Anoop,

Can you send me the pcap, so that I can look into the issue?

#4

Updated by Anoop Saldanha over 11 years ago

pcap mailed privately to Gurvinder

#5

Updated by Victor Julien about 11 years ago

  • Target version set to 1.1beta1

What is the status of this bug?

#6

Updated by Gurvinder Singh about 11 years ago

The 72-byte NetBIOS packet is sent by the client at the start of the session. This makes the sig for SMB proto detection fail, and also, as the max_len for the proto detection is 64, it passes that limit too and results in ALPROTO_UNKNOWN, and also the no reassembly flag gets set.

I changed the sig for SMB detection as follows:

@ -412,8 +407,8 @ void AppLayerDetectProtoThreadInit(void) {
//AlpProtoAdd(&alp_proto_ctx, IPPROTO_TCP, ALPROTO_JABBER, "xmlns='jabber|3A|client'", 74, 53, STREAM_TOSERVER);

/** SMB */
- AlpProtoAdd(&alp_proto_ctx, IPPROTO_TCP, ALPROTO_SMB, "|ff|SMB", 8, 4, STREAM_TOCLIENT);
- AlpProtoAdd(&alp_proto_ctx, IPPROTO_TCP, ALPROTO_SMB, "|ff|SMB", 8, 4, STREAM_TOSERVER);
+ AlpProtoAdd(&alp_proto_ctx, IPPROTO_TCP, ALPROTO_SMB, "|ff|SMB", 100, 4, STREAM_TOCLIENT);
+ AlpProtoAdd(&alp_proto_ctx, IPPROTO_TCP, ALPROTO_SMB, "|ff|SMB", 100, 4, STREAM_TOSERVER);
/** SMB2 */
AlpProtoAdd(&alp_proto_ctx, IPPROTO_TCP, ALPROTO_SMB2, "|fe|SMB", 8, 4, STREAM_TOCLIENT);
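Review bot: raising the depth from 8 to 100 on the two ALPROTO_SMB lines lets `|ff|SMB` match anywhere in bytes 4 through 99 rather than at the NetBIOS session-message boundary, and it only helps when the 72-byte session request and the SMB message that follows it land in the same buffer; a session request delivered on its own still yields no match, and at 72 bytes it still exceeds the max_len of 64 described above, so the give-up path is unchanged for that case. The SMB2 signature on the following line keeps depth 8, so an SMB2 session opened the same way keeps failing; if max_len is derived from the largest signature depth, this edit also raises the give-up threshold for every protocol, which deserves a mention in the commit. A more robust fix is to skip a leading NetBIOS Session Request (type 0x81) and test the magic at offset 4 of the first Session Message (type 0x00); failing that, at least give the SMB2 signatures the same depth.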

and the engine detects the SMB protocol fine and starts to work normally, as shown below in the snippet from the log:

[9579] 5/9/2010 -- 17:12:28 - (stream.c:109) <Debug> (StreamMsgDequeue) -- Returning pointer 0xb33a84b8 of type StreamMsg ... <<
[9579] 5/9/2010 -- 17:12:28 - (stream-tcp-reassemble.c:2133) <Debug> (StreamTcpReassembleProcessAppLayer) -- smsg 0xb33a84b8, next (nil), prev (nil), flow 0x8e2f2a8, q->len 0
[9579] 5/9/2010 -- 17:12:28 - (app-layer.c:118) <Debug> (AppLayerHandleMsg) -- Entering ... >>
[9579] 5/9/2010 -- 17:12:28 - (app-layer.c:123) <Debug> (AppLayerHandleMsg) -- smsg 0xb33a84b8
[9579] 5/9/2010 -- 17:12:28 - (app-layer.c:148) <Debug> (AppLayerHandleMsg) -- Stream initializer (len 172 (2048))
[9579] 5/9/2010 -- 17:12:28 - (app-layer-detect-proto.c:440) <Debug> (AppLayerDetectGetProto) -- Entering ... >>
[9579] 5/9/2010 -- 17:12:28 - (app-layer-detect-proto.c:492) <Debug> (AppLayerDetectGetProto) -- search cnt 1
[9579] 5/9/2010 -- 17:12:28 - (app-layer-detect-proto.c:501) <Debug> (AppLayerDetectGetProto) -- array count is 1 patid 37
[9579] 5/9/2010 -- 17:12:28 - (app-layer-detect-proto.c:163) <Debug> (AlpProtoMatchSignature) -- Entering ... >>
[9579] 5/9/2010 -- 17:12:28 - (app-layer-detect-proto.c:185) <Debug> (AlpProtoMatchSignature) -- s->co->offset (4) s->co->depth (100)
[9579] 5/9/2010 -- 17:12:28 - (app-layer-detect-proto.c:193) <Debug> (AlpProtoMatchSignature) -- Returning: 10 ... <<
[9579] 5/9/2010 -- 17:12:28 - (app-layer-detect-proto.c:581) <Debug> (AppLayerDetectGetProto) -- Returning: 10 ... <<
[9579] 5/9/2010 -- 17:12:28 - (app-layer.c:187) <Debug> (AppLayerHandleMsg) -- app layer proto has been detected
[9579] 5/9/2010 -- 17:12:28 - (stream.c:123) <Debug> (StreamMsgReturnToPool) -- s 0xb33a84b8
[9579] 5/9/2010 -- 17:12:28 - (app-layer.c:198) <Debug> (AppLayerHandleMsg) -- Returning: 0 ... <<
[9579] 5/9/2010 -- 17:12:28 - (stream-tcp-reassemble.c:2147) <Debug> (StreamTcpReassembleProcessAppLayer) -- Returning: 0 ... <<

So I guess Kirby can suggest the exact modification needed for the SMB session detection in such a scenario. As far as stream reassembly is concerned, it works fine.

#7

Updated by Victor Julien almost 11 years ago

  • Target version changed from 1.1beta1 to 1.1beta2

Anoop/Gurvinder, can you resend me the pcap?

#8

Updated by Victor Julien over 10 years ago

  • Subject changed from stream reassembly not working to SMB protocol detection issues (was: stream reassembly not working)
  • Due date set to 04/15/2011
  • Status changed from New to Assigned
  • Assignee changed from OISF Dev to Anoop Saldanha
  • Estimated time set to 0.00 h

The problem seems to be in a weakness of our protocol detection engine design. Tasks written for this.
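
The failure mode from the description (frame 4: a 72-byte NetBIOS session request arriving before any SMB data) and the design weakness noted in #8, as an added example that is not Suricata's code and not anything posted by the participants: a small C model of a content-style offset/depth signature with a max_len give-up threshold (the semantics assumed here for AlpProtoAdd), run over a constructed stream consisting of a 72-byte NetBIOS Session Request followed by a Session Message carrying an SMB1 NEGOTIATE, next to a probe that understands NetBIOS session-service framing. Function names, the verdict struct and every sample byte are this example's own assumptions.

```c
/* Added example, not Suricata code: a content-style offset/depth signature with a
 * max_len give-up threshold (the semantics assumed here for AlpProtoAdd) beside a
 * probe that parses NetBIOS session-service framing. All names and bytes are ours. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum alproto { ALPROTO_UNKNOWN = 0, ALPROTO_SMB = 10, ALPROTO_SMB2 = 11 };
enum detect_result { DETECT_UNKNOWN = 0, DETECT_NEED_MORE = 1, DETECT_MATCH = 2 };
struct verdict { enum detect_result result; int proto; };

/* SMB1 / SMB2 magic at p (caller guarantees 4 readable bytes). */
static int smb_magic(const uint8_t *p)
{
    if (memcmp(p, "\xff" "SMB", 4) == 0) return ALPROTO_SMB;
    if (memcmp(p, "\xfe" "SMB", 4) == 0) return ALPROTO_SMB2;
    return ALPROTO_UNKNOWN;
}

/* Signature detection as the thread describes it: the magic may sit anywhere in
 * buf[offset, min(depth, len)); no match on a buffer longer than max_len means the
 * engine gives up on the flow (the no_stream_reassembly case). */
static struct verdict sig_detect(const uint8_t *buf, size_t len,
                                 size_t offset, size_t depth, size_t max_len)
{
    struct verdict v = { len > max_len ? DETECT_UNKNOWN : DETECT_NEED_MORE, ALPROTO_UNKNOWN };
    size_t end = depth < len ? depth : len;
    for (size_t i = offset; i + 4 <= end && v.proto == ALPROTO_UNKNOWN; i++)
        v.proto = smb_magic(buf + i);
    if (v.proto) v.result = DETECT_MATCH;
    return v;
}

/* Framing-aware probe. RFC 1002 session packets are TYPE(1) FLAGS(1) LENGTH(2), the
 * low FLAGS bit extending LENGTH to 17 bits. A Session Request (0x81) holds only two
 * encoded names, so it is skipped; the magic must then sit at offset 4 of the first
 * Session Message (0x00). Any other type is not NetBIOS session service. */
static struct verdict nbss_detect(const uint8_t *buf, size_t len)
{
    struct verdict v = { DETECT_NEED_MORE, ALPROTO_UNKNOWN };
    for (size_t pos = 0; pos + 4 <= len; ) {
        size_t mlen = ((size_t)(buf[pos + 1] & 1) << 16) | ((size_t)buf[pos + 2] << 8) | buf[pos + 3];
        if (buf[pos] == 0x81 || buf[pos] == 0x82) { pos += 4 + mlen; continue; } /* request / positive response */
        if (buf[pos] != 0x00) { v.result = DETECT_UNKNOWN; return v; }
        if (pos + 8 > len) return v;                /* header seen, magic not yet: wait */
        v.proto = smb_magic(buf + pos + 4);
        v.result = v.proto ? DETECT_MATCH : DETECT_UNKNOWN;
        return v;
    }
    return v;                                       /* next message boundary not reached yet */
}

/* Constructed sample stream: a 72-byte Session Request (4-byte header + two 34-byte
 * first-level-encoded names), optionally followed by a 51-byte Session Message that
 * carries a minimal SMB1 NEGOTIATE. Returns the byte count (72 or 123). */
static size_t build_sample(uint8_t *out, int with_negotiate)
{
    static const char *names[2] = { "*SMBSERVER", "CLIENT" };
    static const uint8_t negotiate[] = {
        0x00, 0x00, 0x00, 0x2f, 0xff, 'S', 'M', 'B', 0x72,             /* NBSS hdr (len 47), magic, NEGOTIATE */
        0, 0, 0, 0, 0x18, 0xc8, 0x01, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,    /* status, flags, flags2, pid_high, security */
        0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0x00, 0x0c, 0x00,                /* reserved, tid, pid, uid, mid, wct 0, bcc 12 */
        0x02, 'N', 'T', ' ', 'L', 'M', ' ', '0', '.', '1', '2', 0x00 }; /* dialect string */
    size_t pos = 0;
    out[pos++] = 0x81; out[pos++] = 0x00; out[pos++] = 0x00; out[pos++] = 68;
    for (int n = 0; n < 2; n++) {
        out[pos++] = 0x20;                          /* 32 encoded bytes follow */
        for (int i = 0; i < 16; i++) {              /* space padded; 16th byte is the name suffix */
            uint8_t c = i == 15 ? (n == 0 ? 0x20 : 0x00) : i < (int)strlen(names[n]) ? (uint8_t)names[n][i] : ' ';
            out[pos++] = (uint8_t)('A' + (c >> 4));
            out[pos++] = (uint8_t)('A' + (c & 0x0f));
        }
        out[pos++] = 0x00;                          /* end of name */
    }
    if (with_negotiate) { memcpy(out + pos, negotiate, sizeof negotiate); pos += sizeof negotiate; }
    return pos;
}

/* Detectors over the sample stream; first_bytes > 0 truncates it to what has arrived so far. */
static struct verdict run_sig(int with_negotiate, size_t depth, size_t max_len)
{
    uint8_t buf[256];
    size_t len = build_sample(buf, with_negotiate);
    return sig_detect(buf, len, 4, depth, max_len);
}

static struct verdict run_nbss(int with_negotiate, size_t first_bytes)
{
    uint8_t buf[256];
    size_t len = build_sample(buf, with_negotiate);
    return nbss_detect(buf, first_bytes && first_bytes < len ? first_bytes : len);
}

int main(void)
{
    static const char *name[] = { "unknown, give up", "need more data", "match" };
    printf("sig depth 8,   request only       : %s\n", name[run_sig(0, 8, 64).result]); /* frame 4 of the report */
    printf("sig depth 100, request only       : %s\n", name[run_sig(0, 100, 64).result]);
    printf("sig depth 100, request + negotiate: %s\n", name[run_sig(1, 100, 64).result]);
    printf("nbss,          request only       : %s\n", name[run_nbss(0, 0).result]);
    printf("nbss,          request + negotiate: %s\n", name[run_nbss(1, 0).result]);
    return 0;
}
```

With depth 8 the session request alone produces no match and, being 72 bytes against a max_len of 64, takes the give-up path; depth 100 changes nothing for that lone request and only matches once the negotiate is already in the same buffer. The framing-aware probe instead answers "need more data" on the request (and on a partially received session message) and matches at the first session message, which is the property a detector needs if the two NetBIOS messages arrive in separate segments.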

#9

Updated by Victor Julien over 10 years ago

  • Target version changed from 1.1beta2 to 1.1beta3

#10

Updated by Victor Julien over 10 years ago

  • Status changed from Assigned to Closed
  • % Done changed from 0 to 100

Fixed in the current master.
