Skip to content

Fix/smb2/multi record dce/v4#3498

Merged
inliniac merged 4 commits intoOISF:masterfrom
victorjulien:fix/smb2/multi-record-dce/v4
Oct 11, 2018
Merged

Fix/smb2/multi record dce/v4#3498
inliniac merged 4 commits intoOISF:masterfrom
victorjulien:fix/smb2/multi-record-dce/v4

Conversation

@victorjulien
Copy link
Member

@victorjulien victorjulien commented Oct 8, 2018

Describe changes:

  • fix handling of DCERPC records passed in multiple SMB records w/o being fragged
  • pick up DCERPC by probing it when we've missed the tree connect
  • allow logging of partial DCERPC transactions

PRScript output (if applicable):

@victorjulien
smb2: skip rest of READ response if status is not success
9dd7c38
@victorjulien
smb2/dcerpc: probe if response data is dcerpc
ac4e888 
If we missed the tree connect we can't know for sure if we're
reading from a (DCERPC) PIPE or not. In this case probe the data
to see if it looks like DCERPC.

If the detection succeeds, use a special 'suricata::dcerpc' service
in the TX.

Simplify handling of DCERPC records that cross records

Update logging for the response only TXs.
@victorjulien
smb/dcerpc: clean up and unify DCERPC probe logic
4d04448
@victorjulien
smb/dcerpc: remove now unused ssn2maxsize_map
4d50242
@victorjulien victorjulien requested a review from jasonish as a code owner October 8, 2018 06:46
@victorjulien victorjulien mentioned this pull request Oct 8, 2018
Closed
@inliniac inliniac merged commit 4d50242 into OISF:master Oct 11, 2018
@victorjulien victorjulien deleted the fix/smb2/multi-record-dce/v4 branch October 15, 2018 06:32
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@jasonish jasonish Awaiting requested review from jasonish

Assignees

No one assigned

Labels

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@victorjulien @inliniac