suricata icon indicating copy to clipboard operation
suricata copied to clipboard

Published 20 hours ago verified publisher icon OISF

smb: New keyword smb.cmd v8

Open zer1t0 opened this issue 2 years ago • 2 comments

Make sure these boxes are signed before submitting your Pull Request -- thank you.

  • [X] I have read the contributing guide lines at https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Contributing
  • [X] I have signed the Open Information Security Foundation contribution agreement at https://suricata.io/about/contribution-agreement/
  • [X] I have updated the user guide (in doc/userguide/) to reflect the changes made (if applicable)

Link to redmine ticket: https://redmine.openinfosecfoundation.org/issues/5069

Describe changes:

  • New keyword smb.cmd added, which allows to match the command value in smb message header. It works for smb1 and smb2.
  • Documentation for the keyword added (created SMB keyword documentation)

Example of rule alert smb any any -> any any (msg: "Smb command rule"; smb.cmd: 10; sid: 1;) . More examples in documentation.

suricata-verify-pr: 733

zer1t0 avatar May 12 '22 07:05 zer1t0

Codecov Report

Merging #7404 (688226c) into master (b6407c4) will decrease coverage by 0.13%. The diff coverage is 76.74%.

@@            Coverage Diff             @@
##           master    #7404      +/-   ##
==========================================
- Coverage   75.94%   75.80%   -0.14%     
==========================================
  Files         656      657       +1     
  Lines      189916   189956      +40     
==========================================
- Hits       144233   144004     -229     
- Misses      45683    45952     +269
Flag Coverage Δ
fuzzcorpus 60.29% <30.76%> (-0.35%) :arrow_down:
suricata-verify 51.86% <82.50%> (-0.04%) :arrow_down:
unittests 61.07% <33.33%> (+<0.01%) :arrow_up:

Flags with carried forward coverage won't be shown. Click here to find out more.

codecov[bot] avatar May 12 '22 07:05 codecov[bot]

One concern I have is around expectations of matching each record on the wire vs the "transaction" representation we have in Suricata, that are not necessarily a 1 on 1 mapping with records. So a rule writer will look at a pcap and then expect this keyword to match on each smb record, but it won't.

Maybe this would make more sense to use the new (and in development) frames API. This is designed to work on the record/frame level, w/o the higher level TX abstraction overhead. Currently you could do a smb.cmd frame, which would be for each record but currently won't offer the more elaborate keyword options. It would just be smb.cmd; content:"|00|";.

victorjulien avatar May 12 '22 10:05 victorjulien

Closing due to inactivity. If you're interested in picking this back up, please open a new PR addressing the comments. Thanks!

victorjulien avatar May 05 '23 09:05 victorjulien