forked from OISF/suricata
rust/smb: import NT status code for Microsoft doc
This patch updates the NT status code definition to use the status definition used on the Microsoft documentation website. A first Python script builds a JSON object with the code definitions.

```python
import json
from bs4 import BeautifulSoup
import requests

# Fetch the MS-ERREF NTSTATUS values page and locate the status table body.
ntstatus = requests.get('https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55')
ntstatus_parsed = BeautifulSoup(ntstatus.text, 'html.parser')
ntstatus_parsed = ntstatus_parsed.find('tbody')
ntstatus_dict = {}
for item in ntstatus_parsed.find_all('tr'):
    cell = item.find_all('td')
    if len(cell) == 0:
        continue
    # First cell: hex code and symbolic name; second cell: description paragraphs.
    code = cell[0].find_all('p')
    description_ps = cell[1].find_all('p')
    description_list = []
    if len(description_ps):
        for desc in description_ps:
            if desc.string is not None:
                description_list.append(desc.string.replace('\n ', ''))
    else:
        description_list = ['Description not available']
    # Keep the first definition seen for a given code.
    if code[0].string.lower() not in ntstatus_dict:
        ntstatus_dict[code[0].string.lower()] = {"text": code[1].string, "desc": ' '.join(description_list)}
print(json.dumps(ntstatus_dict))
```

The second one generates the code, ready to be inserted into the source file:

```python
import json

# Read the JSON produced by the first script.
with open('ntstatus.json', 'r') as ntstatus_file:
    ntstatus = json.loads(ntstatus_file.read())
declaration_format = 'pub const SMB_NT%s:%su32 = %s;\n'
resolution_format = '        SMB_NT%s%s=> "%s",\n'
declaration = ""
resolution = ""
# Pad every name to the longest one so the generated columns line up.
text_max = len(max([ntstatus[x]['text'] for x in ntstatus.keys()], key=len))
for code in ntstatus.keys():
    text = ntstatus[code]['text']
    text_spaces = ' ' * (4 + text_max - len(text))
    declaration += declaration_format % (text, text_spaces, code)
    resolution += resolution_format % (text, text_spaces, text)
print(declaration)
print('\n')
print('''
pub fn smb_ntstatus_string(c: u32) -> String {
    match c {
''')
print(resolution)
print('''
        _ => { return (c).to_string(); },
    }.to_string()
}
''')
```

Bug OISF#5412.
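As an added example (not part of the commit or of the Suricata project), the generation step described above rewritten to run offline on a constructed JSON sample, with the input checks a reviewer would want before trusting code generated from scraped web content: every key must be a 32-bit hex status code, every name must be a valid constant identifier, duplicate names (which would not compile in Rust) are rejected, and output is sorted by code so regeneration is deterministic. The sample entries and the function names `validate_entries` and `generate_rust` are constructed here.

```python
import json
import re

# Constructed sample in the shape the first script emits (lower-case hex keys);
# three well-known codes, not a scrape of the real table.
SAMPLE_NTSTATUS_JSON = json.dumps({
    "0xc000000d": {"text": "STATUS_INVALID_PARAMETER", "desc": "An invalid parameter was passed."},
    "0x00000000": {"text": "STATUS_SUCCESS", "desc": "The operation completed successfully."},
    "0xc0000022": {"text": "STATUS_ACCESS_DENIED", "desc": "Access was denied."},
})

CODE_RE = re.compile(r"^0x[0-9a-f]{8}$")      # exactly one u32 in lower-case hex
IDENT_RE = re.compile(r"^[A-Z][A-Z0-9_]*$")   # what may follow the SMB_NT prefix


def validate_entries(ntstatus):
    """Return (code, name) pairs sorted by numeric code; reject anything that would
    not be a valid u32 literal or a unique Rust constant name."""
    entries, seen = [], set()
    for code, entry in ntstatus.items():
        name = entry.get("text")
        if not CODE_RE.match(code):
            raise ValueError(f"bad status code {code!r}")
        if not isinstance(name, str) or not IDENT_RE.match(name):
            raise ValueError(f"bad identifier {name!r} for {code}")
        if name in seen:
            raise ValueError(f"duplicate identifier {name} (would not compile)")
        seen.add(name)
        entries.append((code, name))
    entries.sort(key=lambda e: int(e[0], 16))
    return entries


def generate_rust(ntstatus):
    """Emit the constants and smb_ntstatus_string() in the commit's layout."""
    entries = validate_entries(ntstatus)
    width = max(len(n) for _, n in entries) + 4
    decls = "".join(f"pub const SMB_NT{n}:{' ' * (width - len(n))}u32 = {c};\n"
                    for c, n in entries)
    arms = "".join(f"        SMB_NT{n}{' ' * (width - len(n))}=> \"{n}\",\n"
                   for _, n in entries)
    return (decls + "\npub fn smb_ntstatus_string(c: u32) -> String {\n    match c {\n"
            + arms + "        _ => { return (c).to_string(); },\n    }.to_string()\n}\n")


if __name__ == "__main__":
    print(generate_rust(json.loads(SAMPLE_NTSTATUS_JSON)))
```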
Showing 10 changed files with 3,677 additions and 81 deletions.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,60 @@ | ||
SMB Keywords | ||
============== | ||
|
||
SMB keywords used in both SMB1 and SMB2 protocols. | ||
|
||
smb.named_pipe | ||
-------------- | ||
|
||
Match on SMB named pipe in tree connect. | ||
|
||
Examples:: | ||
|
||
smb.named_pipe; content:"IPC"; endswith; | ||
smb.named_pipe; content:"strange"; nocase; pcre:"/really$/"; | ||
|
||
``smb.named_pipe`` is a 'sticky buffer'. | ||
|
||
``smb.named_pipe`` can be used as ``fast_pattern``. | ||
|
||
smb.share | ||
--------- | ||
|
||
Match on SMB share name in tree connect. | ||
|
||
Examples:: | ||
|
||
smb.share; content:"shared"; endswith; | ||
smb.share; content:"strange"; nocase; pcre:"/really$/"; | ||
|
||
``smb.share`` is a 'sticky buffer'. | ||
|
||
``smb.share`` can be used as ``fast_pattern``. | ||
|
||
smb.ntlmssp_user | ||
---------------- | ||
|
||
Match on SMB ntlmssp user in session setup. | ||
|
||
Examples:: | ||
|
||
smb.ntlmssp_user; content:"doe"; endswith; | ||
smb.ntlmssp_user; content:"doe"; nocase; pcre:"/j(ohn|ane).*doe$/"; | ||
|
||
``smb.ntlmssp_user`` is a 'sticky buffer'. | ||
|
||
``smb.ntlmssp_user`` can be used as ``fast_pattern``. | ||
|
||
smb.ntlmssp_domain | ||
------------------ | ||
|
||
Match on SMB ntlmssp domain in session setup. | ||
|
||
Examples:: | ||
|
||
smb.ntlmssp_domain; content:"home"; endswith; | ||
smb.ntlmssp_domain; content:"home"; nocase; pcre:"/home(sweet)*$/"; | ||
|
||
``smb.ntlmssp_domain`` is a 'sticky buffer'. | ||
|
||
``smb.ntlmssp_domain`` can be used as ``fast_pattern``. |
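Review bot: this new file documents only the smb.named_pipe, smb.share, smb.ntlmssp_user and smb.ntlmssp_domain sticky buffers, none of which relate to the NT status code import the commit message describes; consider moving the keyword documentation into its own commit with a matching message so the change history stays searchable. While splitting it, each example could be shown as a complete rule (with alert/msg/sid) rather than a bare keyword fragment, since that is the form the rest of the user guide uses and it lets readers paste the examples directly into a test ruleset.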