Profile

b1 tg

  • Login: b1tg
  • Registered on: 01/12/2023
  • Last sign in: 01/03/2024

Issues

                 open  closed  Total
Assigned issues     1       1      2
Reported issues     1       2      3

Projects

Project          Roles      Registered on
Suricata         Developer  01/12/2023
Suricata-Update  Developer  01/12/2023

Activity

11/14/2023

09:07 AM  Suricata  Feature #2695: websocket support

websocket pcaps found on malware-traffic-analysis.net:
* https://www.malware-traffic-analysis.net/2018/09/04/2018-09-04-Emotet-infection-with-IcedID.pcap.zip
* https://www.malware-traffic-analysis.net/2023/01/03/2023-01-03-Rhadaman...

05/17/2023

02:04 AM  Suricata  Bug #6008: smb: wrong offset when parse SMB_COM_WRITE_ANDX record

Pcap to show padding bug:
In the original packet, data_length == bcc == 20; if we use a proxy to change data_length to 17, Windows still accepts it and writes 17 bytes to the file, but the original `parse_smb1_write_andx_request_record` will ta...

05/15/2023

11:31 AM  Suricata  Bug #6008: smb: wrong offset when parse SMB_COM_WRITE_ANDX record

Add pcap to test Windows behaviour on handling data_offset of smb1 write_andx_request

04/19/2023

03:44 AM  Suricata  Bug #6008: smb: wrong offset when parse SMB_COM_WRITE_ANDX record

pcap: https://www.malware-traffic-analysis.net/2018/04/30/2018-04-30-Trickbot-goes-from-client-to-domain-controller.pcap.zip
wireshark filter: (smb.cmd == 0x2f) && (smb.flags.response == 0) no.5923

03:38 AM  Suricata  Bug #6008 (Closed): smb: wrong offset when parse SMB_COM_WRITE_ANDX record

In function parse_smb1_write_andx_request_record, when wct == 12, the offset should use the 32-bit value rather than stay 0.
Bug location: https://github.com/OISF/suricata/blob/a94ca4462093c0b41f87a7d8433801a0abbb4390/rust/src/smb/smb1_rec...

02/01/2023

10:42 AM  Suricata  Bug #5783: smb: wrong endian conversion when parse NTLM Negotiate Flags

Add .pcap file for reference in suricata-verify

01/13/2023

06:07 AM  Suricata  Optimization #5785 (New): smb: use u32.to_be_bytes to replace function u32_as_bytes

I think using the std function here is more straightforward.
u32_as_bytes implementation: https://github.com/OISF/suricata/blob/55c4834e4e9b14a441b735f84d8d35b4eb151702/rust/src/smb/smb.rs#L670-L676
to_be_bytes documentation: https://doc.rust-l...

01/12/2023

02:56 PM  Suricata  Bug #5783 (Closed): smb: wrong endian conversion when parse NTLM Negotiate Flags

The NTLM Negotiate Flags value in the following image is 0xe2888215; function parse_ntlm_auth_nego_flags returns version_set_flag = 0 on this, which is wrong. This bug can cause the NTLM Auth Version to be ignored.
[image: clipboard-202301122235-jl69q.png]...
