
smb: New keyword smb.cmd v8 #7404

Closed (2 commits)

Conversation

zer1t0 (Contributor) commented May 12, 2022


Link to redmine ticket:
https://redmine.openinfosecfoundation.org/issues/5069

Describe changes:

  • New keyword smb.cmd added, which allows matching the command value in the SMB message header. It works for smb1 and smb2.
  • Documentation for the keyword added (created SMB keyword documentation)

Example of rule: alert smb any any -> any any (msg: "Smb command rule"; smb.cmd: 10; sid: 1;). More examples in documentation.

suricata-verify-pr: 733

zer1t0 requested review from victorjulien, jasonish, norg and a team as code owners May 12, 2022 07:34
zer1t0 mentioned this pull request May 12, 2022

codecov bot commented May 12, 2022

Codecov Report

Merging #7404 (688226c) into master (b6407c4) will decrease coverage by 0.13%.
The diff coverage is 76.74%.

@@            Coverage Diff             @@
##           master    #7404      +/-   ##
==========================================
- Coverage   75.94%   75.80%   -0.14%     
==========================================
  Files         656      657       +1     
  Lines      189916   189956      +40     
==========================================
- Hits       144233   144004     -229     
- Misses      45683    45952     +269     

Flag              Coverage   Diff coverage   Δ
fuzzcorpus        60.29%     <30.76%>        -0.35% ⬇️
suricata-verify   51.86%     <82.50%>        -0.04% ⬇️
unittests         61.07%     <33.33%>        +<0.01% ⬆️


================================ ========================
SMB2 Command Name Code
================================ ========================
SMB2_COMMAND_NEGOTIATE_PROTOCOL 0x00
victorjulien (Member) commented May 12, 2022:

can we have an extra column instead of the double rows per value? So something like

SMB2 command name                    code short name
==================================== ==== =========
SMB2_COMMAND_NEGOTIATE_PROTOCOL      0x00 negotiate


You can also specify several commands separated by comma::

alert smb any any -> any any (msg: "Smb command rule"; smb.cmd: 10,create,0x4; sid: 1;)
Review comment (Member):

what is the logic here? A command can only be one thing, so it matches as if 10 or create or 0x4?
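An added illustration (not Suricata's code and not part of this PR) of the keyword semantics described in the PR description and in the quoted documentation: parsing a value such as `10,create,0x4` into a set of command codes and checking it against the command field of a raw SMB1 or SMB2 header. It assumes the comma list is matched as an OR (the question above is not answered on the page), that short names resolve to SMB2 codes, and that the name table is a constructed subset.

```rust
// Added illustration, not Suricata's code: parse an smb.cmd value as written in the
// proposed docs ("10,create,0x4") and check it against the command field of a raw
// SMB1/SMB2 header. Short names are assumed to be SMB2 names; the list matches as OR.
use std::collections::HashSet;

/// A few SMB2 short names (codes from MS-SMB2; which names exist is an assumption).
fn smb2_name_to_code(name: &str) -> Option<u16> {
    match name {
        "negotiate" => Some(0x00),
        "tree_connect" => Some(0x03),
        "create" => Some(0x05),
        "read" => Some(0x08),
        _ => None,
    }
}

/// Parse the keyword value into a set of command codes. An item may be decimal,
/// 0x-prefixed hex, or a short name; any unparseable item rejects the whole rule.
pub fn parse_smb_cmd(value: &str) -> Result<HashSet<u16>, String> {
    let mut set = HashSet::new();
    for item in value.split(',').map(str::trim) {
        let code = if let Some(hex) = item.strip_prefix("0x") {
            u16::from_str_radix(hex, 16).map_err(|e| format!("bad hex {:?}: {}", item, e))?
        } else if !item.is_empty() && item.bytes().all(|b| b.is_ascii_digit()) {
            item.parse::<u16>().map_err(|e| format!("bad number {:?}: {}", item, e))?
        } else {
            smb2_name_to_code(item).ok_or_else(|| format!("unknown command {:?}", item))?
        };
        set.insert(code);
    }
    Ok(set)
}

/// Command field of a raw SMB header: SMB1 ("\xFFSMB") keeps a 1-byte command at
/// offset 4; SMB2 ("\xFESMB") keeps a 2-byte little-endian command at offset 12.
pub fn header_command(pkt: &[u8]) -> Option<u16> {
    match pkt {
        [0xFF, b'S', b'M', b'B', cmd, ..] => Some(u16::from(*cmd)),
        [0xFE, b'S', b'M', b'B', ..] if pkt.len() >= 14 => Some(u16::from_le_bytes([pkt[12], pkt[13]])),
        _ => None, // not SMB, or header truncated
    }
}

/// The keyword match: true when the header's command is one of the listed codes.
pub fn smb_cmd_matches(cmds: &HashSet<u16>, pkt: &[u8]) -> bool {
    header_command(pkt).map_or(false, |c| cmds.contains(&c))
}
```

Note that this checks one header per call, which is the per-record behaviour the next comment contrasts with Suricata's transaction view.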

victorjulien (Member):

One concern I have is around expectations of matching each record on the wire vs the "transaction" representation we have in Suricata, which is not necessarily a 1-to-1 mapping with records. So a rule writer will look at a pcap and then expect this keyword to match on each smb record, but it won't.

Maybe it would make more sense to use the new (and in development) frames API. This is designed to work on the record/frame level, w/o the higher level TX abstraction overhead. Currently you could do an smb.cmd frame, which would be for each record but currently won't offer the more elaborate keyword options. It would just be smb.cmd; content:"|00|";.

@catenacyber catenacyber added the needs rebase Needs rebase to master label Jul 26, 2022
victorjulien (Member):

Closing due to inactivity. If you're interested in picking this back up, please open a new PR addressing the comments. Thanks!

Labels: needs rebase (Needs rebase to master)
3 participants