diff --git a/CHANGES b/CHANGES index c7ea8e0a95..0c64e86467 100644 --- a/CHANGES +++ b/CHANGES @@ -1,4 +1,8 @@ +3.1.0-dev.75 | 2019-08-27 10:04:43 -0700 + + * Fix parsing of smb3 negotiate context (Pavel Ershov) + 3.1.0-dev.73 | 2019-08-26 14:57:45 -0700 * Close down SSL/sqlite at shutdown even if net_run not used (Tim Wojtulewicz, Corelight) diff --git a/VERSION b/VERSION index 8598164a16..aaaaa2af1f 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -3.1.0-dev.73 +3.1.0-dev.75 diff --git a/src/analyzer/protocol/smb/smb2-com-negotiate.pac b/src/analyzer/protocol/smb/smb2-com-negotiate.pac index 41175fcfdd..175d8e9642 100644 --- a/src/analyzer/protocol/smb/smb2-com-negotiate.pac +++ b/src/analyzer/protocol/smb/smb2-com-negotiate.pac @@ -115,7 +115,6 @@ type SMB2_negotiate_request(header: SMB2_Header) = record { }; type NegotiateContextList(len: uint16) = record { - pad : padding align 8; vals : SMB3_negotiate_context_value[len]; } @@ -134,8 +133,8 @@ type SMB2_negotiate_response(header: SMB2_Header) = record { security_offset : uint16; security_length : uint16; negotiate_context_offset : uint32; - pad1 : padding to security_offset - header.head_length; security_blob : bytestring &length=security_length; + pad1 : padding to (dialect_revision == 0x0311 ? negotiate_context_offset - header.head_length : 0); negotiate_context_list : case dialect_revision of { 0x0311 -> smb3_ncl : NegotiateContextList(negotiate_context_count); default -> unknown : empty; diff --git a/testing/btest/Baseline/scripts.base.protocols.smb.smb3-negotiate-context/.stdout b/testing/btest/Baseline/scripts.base.protocols.smb.smb3-negotiate-context/.stdout new file mode 100644 index 0000000000..40a6276dca --- /dev/null +++ b/testing/btest/Baseline/scripts.base.protocols.smb.smb3-negotiate-context/.stdout 
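Review bot: With the leading `padding align 8` removed, NegotiateContextList no longer consumes any alignment itself, so correct parsing of the list now rests on `negotiate_context_offset` already being 8-byte aligned and on the per-context trailing padding being eaten inside SMB3_negotiate_context_value, which is outside this hunk. The new baseline supports that reading — the first context in the trace has data_length=38 (not a multiple of 8) and the second context still parses cleanly — but nothing in the record says so. A one-line comment on `vals` would save the next reader re-deriving it: `# No alignment here: the list starts at negotiate_context_offset; per-context 8-byte padding is handled by SMB3_negotiate_context_value.` The NegotiateContextList record is complete within the hunk.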
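Review bot: `security_offset` is no longer consulted anywhere in SMB2_negotiate_response — the old `padding to security_offset - header.head_length` in front of `security_blob` was dropped rather than moved, so the blob is now assumed to begin immediately after `negotiate_context_offset`. That matches the fixed-size response real servers emit, but a peer that places the buffer at a different SecurityBufferOffset would have its blob mis-read and, for 0x0311, the context list then re-anchored by the new `pad1`, desynchronizing the parse silently instead of raising a violation. Restoring the offset-driven step in front of the blob, `pad0 : padding to security_offset - header.head_length;`, keeps the parser honoring the field at no cost on the trace in this commit. Both subtractions are also unsigned, so an offset smaller than `header.head_length` wraps to a large target and presumably relies on binpac's end-of-buffer check to reject it; if that is the intended failure mode a comment saying so would help. The record continues past the end of the hunk.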
@@ -0,0 +1,2 @@
+[dialect_revision=767, security_mode=1, server_guid=[persistent=7021797314968118638, volatile=25959], system_time=1566489002.205089, server_start_time=-1.164447e+10, negotiate_context_count=0, negotiate_context_values=[]]
+[dialect_revision=785, security_mode=1, server_guid=[persistent=7021797314968118638, volatile=25959], system_time=1566489002.208084, server_start_time=-1.164447e+10, negotiate_context_count=2, negotiate_context_values=[[context_type=1, data_length=38, preauth_info=[hash_alg_count=1, salt_length=32, hash_alg=[1], salt=\x0d&\xc9\xca\xf2\xd8\xfc\x87\xa7\x10\x9c\x04W\x82p\x09T8Rl\xed\xe0\x84\x10\xca4\xaa\x87B\xb9Z\x80], encryption_info=, compression_info=, netname=], [context_type=2, data_length=4, preauth_info=, encryption_info=[cipher_count=1, ciphers=[1]], compression_info=, netname=]]]
diff --git a/testing/btest/Traces/smb/smb3_negotiate_context.pcap b/testing/btest/Traces/smb/smb3_negotiate_context.pcap
new file mode 100644
index 0000000000..d705500e7a
Binary files /dev/null and b/testing/btest/Traces/smb/smb3_negotiate_context.pcap differ
diff --git a/testing/btest/scripts/base/protocols/smb/smb3-negotiate-context.test b/testing/btest/scripts/base/protocols/smb/smb3-negotiate-context.test
new file mode 100644
index 0000000000..05f246e4ca
--- /dev/null
+++ b/testing/btest/scripts/base/protocols/smb/smb3-negotiate-context.test
@@ -0,0 +1,9 @@
+# @TEST-EXEC: zeek -b -r $TRACES/smb/smb3_negotiate_context.pcap %INPUT
+# @TEST-EXEC: btest-diff .stdout
+
+@load base/protocols/smb
+
+event smb2_negotiate_response(c: connection , hdr: SMB2::Header , response: SMB2::NegotiateResponse )
+ {
+ print response;
+ }