Fixes to DCE_RPC analysis

- Previously there was an (incorrect) assumption that a TCP connection
   would only ever have one DCE_RPC binding.  That assumption was
   incorrect and with named pipes over SMB there can be multiple
   concurrent DCE_RPC bindings.  This commit fixes that assumption by
   dynamically creating a new DCE_RPC analyzer whenever a new, unknown
   binding is created.
 - There is a crash fix in how string handling in the bind_ack message
   was done.
 - Named pipe handling over SMB1 is still not working quite right
   and problems will show up with multiplexed DCE_RPC bindings.
This commit is contained in:
Seth Hall 2016-04-06 12:37:09 -04:00
parent caa28bc3c5
commit 003b32f904
13 changed files with 171 additions and 59 deletions


@ -70,7 +70,7 @@ type SMB1_transaction_data(header: SMB_Header, is_orig: bool, count: uint16, sub
SMB_UNKNOWN -> unknown : bytestring &restofdata &transient;
default -> data : bytestring &restofdata &transient;
} &let {
pipe_proc : bool = $context.connection.forward_dce_rpc(pipe_data, is_orig) &if(trans_type == SMB_PIPE);
pipe_proc : bool = $context.connection.forward_dce_rpc(pipe_data, 0, is_orig) &if(trans_type == SMB_PIPE);
};
type SMB1_transaction_setup(header: SMB_Header) = record {
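Review bot: The new `forward_dce_rpc(pipe_data, 0, is_orig)` call in the `&let` block hard-codes `0` for the newly added second argument, with nothing in the hunk saying what that argument identifies. If it is the per-binding key the commit uses to pick a DCE_RPC analyzer, then every SMB1 pipe transaction on a connection is funnelled into the same analyzer, so interleaved bindings would be parsed and attributed as one stream — which appears to be the SMB1 multiplexing limitation the commit message itself mentions, but a reader of this file cannot see that. A one-line comment above the call would make the gap explicit, e.g. `# 0: SMB1 does not yet pass a per-pipe identifier, so all SMB1 pipe data maps to one DCE_RPC binding (multiplexed bindings are not separated).` If the identifier can be recovered from the SMB1 transaction setup, that would be the follow-up fix. The enclosing `SMB1_transaction_data` record starts before the hunk.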