Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Smb log configurable 7620 v1.1 #12795

Closed
wants to merge 2 commits into from
Closed

Smb log configurable 7620 v1.1 #12795

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
03df87e
conf: extend API for rust
catenacyber Mar 20, 2025
f39195e
smb/log: configuration option for types logging
catenacyber Mar 20, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
15 changes: 15 additions & 0 deletions doc/userguide/output/eve/eve-json-format.rst
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -1143,6 +1143,21 @@ SMB Fields
* "response.native_os" (string): SMB1 native OS string
* "response.native_lm" (string): SMB1 native Lan Manager string

One can restrict which transactions are logged by using the "types" field in the
suricata.yaml file. If this field is not specified, all transactions types are logged.
9 values can be specified with this field as shown below:
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit: ten


Configuration::

- eve-log:
enabled: yes
type: file
filename: eve.json
types:
- smb:
types: [file, tree_connect, negotiate, dcerpc, create,
session_setup, ioctl, rename, set_file_path_info, generic]

Examples of SMB logging:

Pipe open::
Expand Down
42 changes: 41 additions & 1 deletion rust/src/conf.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -32,13 +32,17 @@ use nom7::{
};

/// cbindgen:ignore
extern {
extern "C" {
fn ConfGet(key: *const c_char, res: *mut *const c_char) -> i8;
fn ConfGetChildValue(conf: *const c_void, key: *const c_char,
vptr: *mut *const c_char) -> i8;
fn ConfGetChildValueBool(conf: *const c_void, key: *const c_char,
vptr: *mut c_int) -> i8;
fn ConfGetNode(key: *const c_char) -> *const c_void;
fn ConfNodeLookupChild(conf: *const c_void, key: *const c_char) -> *const c_void;
pub fn ConfGetFirstNode(parent: *const c_void) -> *const c_void;
pub fn ConfGetNextNode(parent: *const c_void) -> *const c_void;
pub fn ConfGetValueNode(node: *const c_void) -> *const c_char;
}

pub fn conf_get_node(key: &str) -> Option<ConfNode> {
Expand Down Expand Up @@ -101,6 +105,42 @@ impl ConfNode {
return Self { conf }
}

pub fn get_child_node(&self, key: &str) -> Option<ConfNode> {
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@jasonish thoughts about this commit ? (wrt to bindgen)

It looks to me that we do not want to have C struct ConfNode exported to rust, but instead just have an opaque pointer and some rust-style functions to handle it, so I went this way

let node = unsafe {
let s = CString::new(key).unwrap();
ConfNodeLookupChild(self.conf, s.as_ptr())
};
if node.is_null() {
None
} else {
Some(ConfNode::wrap(node))
}
}

pub fn first(&self) -> Option<ConfNode> {
let node = unsafe { ConfGetFirstNode(self.conf) };
if node.is_null() {
None
} else {
Some(ConfNode::wrap(node))
}
}

pub fn next(&self) -> Option<ConfNode> {
let node = unsafe { ConfGetNextNode(self.conf) };
if node.is_null() {
None
} else {
Some(ConfNode::wrap(node))
}
}

pub fn value(&self) -> &str {
let vptr = unsafe { ConfGetValueNode(self.conf) };
let value = std::str::from_utf8(unsafe { CStr::from_ptr(vptr).to_bytes() }).unwrap();
return value;
}

pub fn get_child_value(&self, key: &str) -> Option<&str> {
let mut vptr: *const c_char = ptr::null_mut();

Expand Down
133 changes: 123 additions & 10 deletions rust/src/smb/log.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -18,13 +18,17 @@
use std::str;
use std::string::String;
use uuid;
use crate::conf::ConfNode;
use crate::jsonbuilder::{JsonBuilder, JsonError};
use crate::smb::smb::*;
use crate::smb::smb1::*;
use crate::smb::smb2::*;
use crate::dcerpc::dcerpc::*;
use crate::smb::funcs::*;
use crate::smb::smb_status::*;
use std::error::Error;
use std::ffi::c_void;
use std::fmt;

#[cfg(not(feature = "debug"))]
fn debug_add_progress(_js: &mut JsonBuilder, _tx: &SMBTransaction) -> Result<(), JsonError> { Ok(()) }
Expand Down Expand Up @@ -65,8 +69,36 @@ fn guid_to_string(guid: &[u8]) -> String {
}
}

fn smb_common_header(jsb: &mut JsonBuilder, state: &SMBState, tx: &SMBTransaction) -> Result<(), JsonError>
{
// Wrapping error for either jsonbuilder error or our own custom error if
// tx is not to be logged due to config
#[derive(Debug)]
enum SmbLogError {
SkippedByConf,
Json(JsonError),
}

impl Error for SmbLogError {}

impl fmt::Display for SmbLogError {
fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
match self {
SmbLogError::SkippedByConf => {
write!(f, "skipped by configuration")
}
SmbLogError::Json(j) => j.fmt(f),
}
}
}

impl From<JsonError> for SmbLogError {
fn from(err: JsonError) -> SmbLogError {
SmbLogError::Json(err)
}
}

fn smb_common_header(
jsb: &mut JsonBuilder, state: &SMBState, tx: &SMBTransaction, flags: u64,
) -> Result<(), SmbLogError> {
jsb.set_uint("id", tx.id)?;

if state.dialect != 0 {
Expand Down Expand Up @@ -144,6 +176,9 @@ fn smb_common_header(jsb: &mut JsonBuilder, state: &SMBState, tx: &SMBTransactio

match tx.type_data {
Some(SMBTransactionTypeData::SESSIONSETUP(ref x)) => {
if flags != SMB_LOG_DEFAULT_ALL && (flags & SMB_LOG_TYPE_SESSIONSETUP) == 0 {
return Err(SmbLogError::SkippedByConf);
}
if let Some(ref ntlmssp) = x.ntlmssp {
jsb.open_object("ntlmssp")?;
let domain = String::from_utf8_lossy(&ntlmssp.domain);
Expand Down Expand Up @@ -191,6 +226,9 @@ fn smb_common_header(jsb: &mut JsonBuilder, state: &SMBState, tx: &SMBTransactio
}
},
Some(SMBTransactionTypeData::CREATE(ref x)) => {
if flags != SMB_LOG_DEFAULT_ALL && (flags & SMB_LOG_TYPE_CREATE) == 0 {
return Err(SmbLogError::SkippedByConf);
}
let mut name_raw = x.filename.to_vec();
name_raw.retain(|&i|i != 0x00);
if !name_raw.is_empty() {
Expand Down Expand Up @@ -230,6 +268,9 @@ fn smb_common_header(jsb: &mut JsonBuilder, state: &SMBState, tx: &SMBTransactio
jsb.set_string("fuid", &gs)?;
},
Some(SMBTransactionTypeData::NEGOTIATE(ref x)) => {
if flags != SMB_LOG_DEFAULT_ALL && (flags & SMB_LOG_TYPE_NEGOTIATE) == 0 {
return Err(SmbLogError::SkippedByConf);
}
if x.smb_ver == 1 {
jsb.open_array("client_dialects")?;
for d in &x.dialects {
Expand Down Expand Up @@ -260,6 +301,9 @@ fn smb_common_header(jsb: &mut JsonBuilder, state: &SMBState, tx: &SMBTransactio
}
},
Some(SMBTransactionTypeData::TREECONNECT(ref x)) => {
if flags != SMB_LOG_DEFAULT_ALL && (flags & SMB_LOG_TYPE_TREECONNECT) == 0 {
return Err(SmbLogError::SkippedByConf);
}
let share_name = String::from_utf8_lossy(&x.share_name);
if x.is_pipe {
jsb.set_string("named_pipe", &share_name)?;
Expand Down Expand Up @@ -292,6 +336,9 @@ fn smb_common_header(jsb: &mut JsonBuilder, state: &SMBState, tx: &SMBTransactio
}
},
Some(SMBTransactionTypeData::FILE(ref x)) => {
if flags != SMB_LOG_DEFAULT_ALL && (flags & SMB_LOG_TYPE_FILE) == 0 {
return Err(SmbLogError::SkippedByConf);
}
let file_name = String::from_utf8_lossy(&x.file_name);
jsb.set_string("filename", &file_name)?;
let share_name = String::from_utf8_lossy(&x.share_name);
Expand All @@ -300,6 +347,9 @@ fn smb_common_header(jsb: &mut JsonBuilder, state: &SMBState, tx: &SMBTransactio
jsb.set_string("fuid", &gs)?;
},
Some(SMBTransactionTypeData::RENAME(ref x)) => {
if flags != SMB_LOG_DEFAULT_ALL && (flags & SMB_LOG_TYPE_RENAME) == 0 {
return Err(SmbLogError::SkippedByConf);
}
if tx.vercmd.get_version() == 2 {
jsb.open_object("set_info")?;
jsb.set_string("class", "FILE_INFO")?;
Expand All @@ -317,6 +367,9 @@ fn smb_common_header(jsb: &mut JsonBuilder, state: &SMBState, tx: &SMBTransactio
jsb.set_string("fuid", &gs)?;
},
Some(SMBTransactionTypeData::DCERPC(ref x)) => {
if flags != SMB_LOG_DEFAULT_ALL && (flags & SMB_LOG_TYPE_DCERPC) == 0 {
return Err(SmbLogError::SkippedByConf);
}
jsb.open_object("dcerpc")?;
if x.req_set {
jsb.set_string("request", &dcerpc_type_string(x.req_cmd))?;
Expand Down Expand Up @@ -400,9 +453,15 @@ fn smb_common_header(jsb: &mut JsonBuilder, state: &SMBState, tx: &SMBTransactio
jsb.close()?;
}
Some(SMBTransactionTypeData::IOCTL(ref x)) => {
if flags != SMB_LOG_DEFAULT_ALL && (flags & SMB_LOG_TYPE_IOCTL) == 0 {
return Err(SmbLogError::SkippedByConf);
}
jsb.set_string("function", &fsctl_func_to_string(x.func))?;
},
Some(SMBTransactionTypeData::SETFILEPATHINFO(ref x)) => {
if flags != SMB_LOG_DEFAULT_ALL && (flags & SMB_LOG_TYPE_SETFILEPATHINFO) == 0 {
return Err(SmbLogError::SkippedByConf);
}
let mut name_raw = x.filename.to_vec();
name_raw.retain(|&i|i != 0x00);
if !name_raw.is_empty() {
Expand Down Expand Up @@ -439,20 +498,74 @@ fn smb_common_header(jsb: &mut JsonBuilder, state: &SMBState, tx: &SMBTransactio
let gs = fuid_to_string(&x.fid);
jsb.set_string("fuid", &gs)?;
},
_ => { },
None => {
if flags != SMB_LOG_DEFAULT_ALL && (flags & SMB_LOG_TYPE_GENERIC) == 0 {
return Err(SmbLogError::SkippedByConf);
}
},
}
return Ok(());
}

#[no_mangle]
pub extern "C" fn rs_smb_log_json_request(jsb: &mut JsonBuilder, state: &mut SMBState, tx: &SMBTransaction) -> bool
{
smb_common_header(jsb, state, tx).is_ok()
pub extern "C" fn rs_smb_log_json_response(
jsb: &mut JsonBuilder, state: &mut SMBState, tx: &SMBTransaction, flags: u64,
) -> bool {
smb_common_header(jsb, state, tx, flags).is_ok()
}

#[no_mangle]
pub extern "C" fn rs_smb_log_json_response(jsb: &mut JsonBuilder, state: &mut SMBState, tx: &SMBTransaction) -> bool
{
smb_common_header(jsb, state, tx).is_ok()
// Flag constants for logging types
const SMB_LOG_TYPE_FILE: u64 = BIT_U64!(0);
const SMB_LOG_TYPE_TREECONNECT: u64 = BIT_U64!(1);
const SMB_LOG_TYPE_NEGOTIATE: u64 = BIT_U64!(2);
const SMB_LOG_TYPE_DCERPC: u64 = BIT_U64!(3);
const SMB_LOG_TYPE_CREATE: u64 = BIT_U64!(4);
const SMB_LOG_TYPE_SESSIONSETUP: u64 = BIT_U64!(5);
const SMB_LOG_TYPE_IOCTL: u64 = BIT_U64!(6);
const SMB_LOG_TYPE_RENAME: u64 = BIT_U64!(7);
const SMB_LOG_TYPE_SETFILEPATHINFO: u64 = BIT_U64!(8);
const SMB_LOG_TYPE_GENERIC: u64 = BIT_U64!(9);
const SMB_LOG_DEFAULT_ALL: u64 = 0;

fn get_smb_log_type_from_str(s: &str) -> Option<u64> {
match s {
"file" => Some(SMB_LOG_TYPE_FILE),
"tree_connect" => Some(SMB_LOG_TYPE_TREECONNECT),
"negotiate" => Some(SMB_LOG_TYPE_NEGOTIATE),
"dcerpc" => Some(SMB_LOG_TYPE_DCERPC),
"create" => Some(SMB_LOG_TYPE_CREATE),
"session_setup" => Some(SMB_LOG_TYPE_SESSIONSETUP),
"ioctl" => Some(SMB_LOG_TYPE_IOCTL),
"rename" => Some(SMB_LOG_TYPE_RENAME),
"set_file_path_info" => Some(SMB_LOG_TYPE_SETFILEPATHINFO),
"generic" => Some(SMB_LOG_TYPE_GENERIC),
_ => None,
}
}

#[no_mangle]
pub extern "C" fn SCSmbLogParseConfig(conf: *const c_void) -> u64 {
let conf = ConfNode::wrap(conf);
if let Some(node) = conf.get_child_node("types") {
// iterate smb.types list of types
let mut r = SMB_LOG_DEFAULT_ALL;
let mut node = node.first();
loop {
if node.is_none() {
break;
}
let nodeu = node.unwrap();
if let Some(f) = get_smb_log_type_from_str(nodeu.value()) {
r |= f;
} else {
SCLogWarning!("unknown type for smb logging: {}", nodeu.value());
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

By the way, this should be done for DNS (warn when an unknown type is configured)

}
node = nodeu.next();
}
if r == SMB_LOG_DEFAULT_ALL {
SCLogWarning!("empty types list for smb is interpreted as logging all");
}
return r;
}
return SMB_LOG_DEFAULT_ALL;
}
15 changes: 15 additions & 0 deletions src/conf.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -201,6 +201,21 @@ ConfNode *ConfGetNode(const char *name)
return node;
}

ConfNode *ConfGetFirstNode(const ConfNode *parent)
{
return TAILQ_FIRST(&parent->head);
}

ConfNode *ConfGetNextNode(const ConfNode *node)
{
return TAILQ_NEXT(node, next);
}

const char *ConfGetValueNode(const ConfNode *node)
{
return node->val;
}

/**
* \brief Get the root configuration node.
*/
Expand Down
4 changes: 4 additions & 0 deletions src/conf.h
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -84,6 +84,10 @@ void ConfNodePrune(ConfNode *node);
int ConfRemove(const char *name);
bool ConfNodeHasChildren(const ConfNode *node);

ConfNode *ConfGetFirstNode(const ConfNode *parent);
ConfNode *ConfGetNextNode(const ConfNode *node);
const char *ConfGetValueNode(const ConfNode *node);

ConfNode *ConfGetChildWithDefault(const ConfNode *base, const ConfNode *dflt, const char *name);
ConfNode *ConfNodeLookupKeyValue(const ConfNode *base, const char *key, const char *value);
int ConfGetChildValue(const ConfNode *base, const char *name, const char **vptr);
Expand Down
Loading
Loading