Merge branch '555-smb3-negotiate-context-fix' of https://github.com/mad/zeek

- Fixed the context list padding to only be used for dialect 0x0311.
  The new test case includes an example where parsing the optional
  padding would fail for another dialect.

* '555-smb3-negotiate-context-fix' of https://github.com/mad/zeek:
  Fix for smb3 negotiate context
Jon Siwek 2019-08-27 10:04:43 -07:00
commit 289a1e2e8e
6 changed files with 17 additions and 3 deletions


@ -1,4 +1,8 @@
3.1.0-dev.75 | 2019-08-27 10:04:43 -0700
* Fix parsing of smb3 negotiate context (Pavel Ershov)
3.1.0-dev.73 | 2019-08-26 14:57:45 -0700
* Close down SSL/sqlite at shutdown even if net_run not used (Tim Wojtulewicz, Corelight)


@ -1 +1 @@
3.1.0-dev.73
3.1.0-dev.75


@ -115,7 +115,6 @@ type SMB2_negotiate_request(header: SMB2_Header) = record {
};
type NegotiateContextList(len: uint16) = record {
pad : padding align 8;
vals : SMB3_negotiate_context_value[len];
}
@ -134,8 +133,8 @@ type SMB2_negotiate_response(header: SMB2_Header) = record {
security_offset : uint16;
security_length : uint16;
negotiate_context_offset : uint32;
pad1 : padding to security_offset - header.head_length;
security_blob : bytestring &length=security_length;
pad1 : padding to (dialect_revision == 0x0311 ? negotiate_context_offset - header.head_length : 0);
negotiate_context_list : case dialect_revision of {
0x0311 -> smb3_ncl : NegotiateContextList(negotiate_context_count);
default -> unknown : empty;
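Review bot: The new padding expression on the `pad1 : padding to (dialect_revision == 0x0311 ? negotiate_context_offset - header.head_length : 0)` line takes its target from the server-supplied `negotiate_context_offset`, and nothing in the hunk checks that this offset lies at or beyond the end of `security_blob` and inside the received message, so the outcome for a malformed value depends entirely on how binpac's `padding to` treats a target behind the current position or past the buffer — confirm that it raises a parse exception rather than reading out of bounds, and otherwise add a guard such as `&check(negotiate_context_offset >= security_offset + security_length)` on the field. The name `pad1` also appears two lines above on the `padding to security_offset - header.head_length` line; if that line is context on the new side the record now declares `pad1` twice, so either that is the removed line (the rendered page shows no markers) or the new field should be named `pad2`. In the first hunk, dropping `pad : padding align 8` from `NegotiateContextList` leaves alignment of the list entirely to the caller's offset padding, which deserves a comment on that record such as `# Alignment is supplied by the caller via its padding to negotiate_context_offset.`. The enclosing `SMB2_negotiate_response` record begins and ends outside the hunk.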


@ -0,0 +1,2 @@
[dialect_revision=767, security_mode=1, server_guid=[persistent=7021797314968118638, volatile=25959], system_time=1566489002.205089, server_start_time=-1.164447e+10, negotiate_context_count=0, negotiate_context_values=[]]
[dialect_revision=785, security_mode=1, server_guid=[persistent=7021797314968118638, volatile=25959], system_time=1566489002.208084, server_start_time=-1.164447e+10, negotiate_context_count=2, negotiate_context_values=[[context_type=1, data_length=38, preauth_info=[hash_alg_count=1, salt_length=32, hash_alg=[1], salt=\x0d&\xc9\xca\xf2\xd8\xfc\x87\xa7\x10\x9c\x04W\x82p\x09T8Rl\xed\xe0\x84\x10\xca4\xaa\x87B\xb9Z\x80], encryption_info=<uninitialized>, compression_info=<uninitialized>, netname=<uninitialized>], [context_type=2, data_length=4, preauth_info=<uninitialized>, encryption_info=[cipher_count=1, ciphers=[1]], compression_info=<uninitialized>, netname=<uninitialized>]]]



@ -0,0 +1,9 @@
# @TEST-EXEC: zeek -b -r $TRACES/smb/smb3_negotiate_context.pcap %INPUT
# @TEST-EXEC: btest-diff .stdout
@load base/protocols/smb
event smb2_negotiate_response(c: connection , hdr: SMB2::Header , response: SMB2::NegotiateResponse )
{
print response;
}