Bug #181: SMB protocol detection issues (was: stream reassembly not working) - Suricata - Open Information Security Foundation

Custom queries

8.0.0 Stories
Good First Issues
OISF community

Actions

Copy link

Bug #181

closed

SMB protocol detection issues (was: stream reassembly not working)

Added by Anoop Saldanha over 14 years ago. Updated over 13 years ago.

Status:

Closed

Priority:

Normal

Assignee:

Anoop Saldanha

Target version:

1.1beta3

Affected Versions:

Effort:

Difficulty:

Label:

Description

I have a pcap for which stream isn't getting reassembled.

I think it would happen for cases, where you have some app payload which isn't supported by our engine(this is before we have detected the alproto for the flow), whose length exceeds AlpProtoDetectCtx.toserver.max_len.

For example, in case of the smb pcap, we start with the netbios payload, whose length is 72 bytes which exceeds the 64 byte max depth within which our engine currently searches for all app layer protos in the payload. Since we don't have a match here, we get ALPROTO_UNKNOWN and also the StreamMsg data length is greater than AlpProtoDetectCtx.toserver.max_len, because of which we set the no_stream_reassembly flag. You can have a look at app-layer.c:164.

The pcap is 5580-0-test.pcap

History
Notes
Property changes

Actions

Copy link

Updated by Victor Julien over 14 years ago

We should have a match on the smb part of the stream, right? Is that not happening?

Can you attach (part of) the pcap?

Actions

Copy link

Updated by Anoop Saldanha over 14 years ago

Victor Julien wrote:

We should have a match on the smb part of the stream, right? Is that not happening?

Can you attach (part of) the pcap?

Frame 4, we receive a netbios header without the smb data. The subsequent frames which have smb, have the netbios section(4 bytes) as well. But it is this first frame with the netbios header and without the smb part, that is setting the no_reassembly flag.

Actions

Copy link

Updated by Gurvinder Singh over 14 years ago

Hey Anoop,

Can you send me the pcap, so that I can look in to the issue.

Actions

Copy link

Updated by Anoop Saldanha over 14 years ago

pcap mailed privately to Gurvinder

Actions

Copy link

Updated by Victor Julien about 14 years ago

Target version set to 1.1beta1

What is the status of this bug?

Actions

Copy link

Updated by Gurvinder Singh about 14 years ago

The 72 bytes Netbios packet is sent by the client in the start of the session. This makes the sig for SMB proto detection to fail and also as the max_len for the proto detection is 64, it passes that limit too and result in ALPROTO_UNKNOWN and also no reassembly flag has been set.

I changed the sig for SMB detection as

@ -412,8 +407,8 @ void AppLayerDetectProtoThreadInit(void) {
//AlpProtoAdd(&alp_proto_ctx, IPPROTO_TCP, ALPROTO_JABBER, "xmlns='jabber|3A|client'", 74, 53, STREAM_TOSERVER);

/** SMB */
-    AlpProtoAdd(&alp_proto_ctx, IPPROTO_TCP, ALPROTO_SMB, "|ff|SMB", 8, 4, STREAM_TOCLIENT);
-    AlpProtoAdd(&alp_proto_ctx, IPPROTO_TCP, ALPROTO_SMB, "|ff|SMB", 8, 4, STREAM_TOSERVER);
+    AlpProtoAdd(&alp_proto_ctx, IPPROTO_TCP, ALPROTO_SMB, "|ff|SMB", 100, 4, STREAM_TOCLIENT);
+    AlpProtoAdd(&alp_proto_ctx, IPPROTO_TCP, ALPROTO_SMB, "|ff|SMB", 100, 4, STREAM_TOSERVER);

/** SMB2 */
     AlpProtoAdd(&alp_proto_ctx, IPPROTO_TCP, ALPROTO_SMB2, "|fe|SMB", 8, 4, STREAM_TOCLIENT);

and engine detects the SMB protocol fine and engine start to work normally. As shown below in the snippet from log

[9579] 5/9/2010 -- 17:12:28 - (stream.c:109) <Debug> (StreamMsgDequeue) -- Returning pointer 0xb33a84b8 of type StreamMsg ... <<
[9579] 5/9/2010 -- 17:12:28 - (stream-tcp-reassemble.c:2133) <Debug> (StreamTcpReassembleProcessAppLayer) -- smsg 0xb33a84b8, next (nil), prev (nil), flow 0x8e2f2a8, q->len 0
[9579] 5/9/2010 -- 17:12:28 - (app-layer.c:118) <Debug> (AppLayerHandleMsg) -- Entering ... >>
[9579] 5/9/2010 -- 17:12:28 - (app-layer.c:123) <Debug> (AppLayerHandleMsg) -- smsg 0xb33a84b8
[9579] 5/9/2010 -- 17:12:28 - (app-layer.c:148) <Debug> (AppLayerHandleMsg) -- Stream initializer (len 172 (2048))
[9579] 5/9/2010 -- 17:12:28 - (app-layer-detect-proto.c:440) <Debug> (AppLayerDetectGetProto) -- Entering ... >>
[9579] 5/9/2010 -- 17:12:28 - (app-layer-detect-proto.c:492) <Debug> (AppLayerDetectGetProto) -- search cnt 1
[9579] 5/9/2010 -- 17:12:28 - (app-layer-detect-proto.c:501) <Debug> (AppLayerDetectGetProto) -- array count is 1 patid 37
[9579] 5/9/2010 -- 17:12:28 - (app-layer-detect-proto.c:163) <Debug> (AlpProtoMatchSignature) -- Entering ... >>
[9579] 5/9/2010 -- 17:12:28 - (app-layer-detect-proto.c:185) <Debug> (AlpProtoMatchSignature) -- s->co->offset (4) s->co->depth (100)
[9579] 5/9/2010 -- 17:12:28 - (app-layer-detect-proto.c:193) <Debug> (AlpProtoMatchSignature) -- Returning: 10 ... <<
[9579] 5/9/2010 -- 17:12:28 - (app-layer-detect-proto.c:581) <Debug> (AppLayerDetectGetProto) -- Returning: 10 ... <<
[9579] 5/9/2010 -- 17:12:28 - (app-layer.c:187) <Debug> (AppLayerHandleMsg) -- app layer proto has been detected
[9579] 5/9/2010 -- 17:12:28 - (stream.c:123) <Debug> (StreamMsgReturnToPool) -- s 0xb33a84b8
[9579] 5/9/2010 -- 17:12:28 - (app-layer.c:198) <Debug> (AppLayerHandleMsg) -- Returning: 0 ... <<
[9579] 5/9/2010 -- 17:12:28 - (stream-tcp-reassemble.c:2147) <Debug> (StreamTcpReassembleProcessAppLayer) -- Returning: 0 ... <<

So I guess Kirby can suggest the exact modification needed for the SMB session detection in such a scenario. As far as stream reassembly is in question, it works fine.

Actions

Copy link

Updated by Victor Julien almost 14 years ago

Target version changed from 1.1beta1 to 1.1beta2

Anoop/Gurvinder, can you resend me the pcap?

Actions

Copy link

Updated by Victor Julien over 13 years ago

Subject changed from stream reassembly not working to SMB protocol detection issues (was: stream reassembly not working)
Due date set to 04/15/2011
Status changed from New to Assigned
Assignee changed from OISF Dev to Anoop Saldanha
Estimated time set to 0.00 h