Adding more dcerpc operations and fixing a bug with how log records are handled.

2025-10-04 15:48:19 +00:00 · 2016-04-01 10:16:02 -04:00 · 2016-04-01 10:16:02 -04:00 · 086519e851
commit 086519e851
parent e70a528ad6
2 changed files with 44 additions and 2 deletions
--- a/scripts/base/protocols/dce-rpc/consts.bro
+++ b/scripts/base/protocols/dce-rpc/consts.bro
@ -1369,6 +1369,41 @@ export {
 		["2f5f3220-c126-1076-b549-074d078619da",0x10] = "NDdeTrustedShareEnumW",
 		["2f5f3220-c126-1076-b549-074d078619da",0x12] = "NDdeSpecialCommand",

+		# BackupKey
 		["3dde7c30-165d-11d1-ab8f-00805f14db40",0x00] = "bkrp_BackupKey",
+
+		# wkssvc
+		["6bffd098-a112-3610-9833-46c3f87e345a",0x00] = "NetrWkstaGetInfo",
+		["6bffd098-a112-3610-9833-46c3f87e345a",0x01] = "NetrWkstaSetInfo",
+		["6bffd098-a112-3610-9833-46c3f87e345a",0x02] = "NetrWkstaUserEnum",
+		["6bffd098-a112-3610-9833-46c3f87e345a",0x03] = "NetrWkstaUserGetInfo",
+		["6bffd098-a112-3610-9833-46c3f87e345a",0x04] = "NetrWkstaUserSetInfo",
+		["6bffd098-a112-3610-9833-46c3f87e345a",0x05] = "NetrWkstaTransportEnum",
+		["6bffd098-a112-3610-9833-46c3f87e345a",0x06] = "NetrWkstaTransportAdd",
+		["6bffd098-a112-3610-9833-46c3f87e345a",0x07] = "NetrWkstaTransportDel",
+		["6bffd098-a112-3610-9833-46c3f87e345a",0x08] = "NetrUseAdd",
+		["6bffd098-a112-3610-9833-46c3f87e345a",0x09] = "NetrUseGetInfo",
+		["6bffd098-a112-3610-9833-46c3f87e345a",0x0a] = "NetrUseDel",
+		["6bffd098-a112-3610-9833-46c3f87e345a",0x0b] = "NetrUseEnum",
+		["6bffd098-a112-3610-9833-46c3f87e345a",0x0c] = "NetrMessageBufferSend",
+		["6bffd098-a112-3610-9833-46c3f87e345a",0x0d] = "NetrWorkstationStatisticsGet",
+		["6bffd098-a112-3610-9833-46c3f87e345a",0x0e] = "NetrLogonDomainNameAdd",
+		["6bffd098-a112-3610-9833-46c3f87e345a",0x0f] = "NetrLogonDomainNameDel",
+		["6bffd098-a112-3610-9833-46c3f87e345a",0x10] = "NetrJoinDomain",
+		["6bffd098-a112-3610-9833-46c3f87e345a",0x11] = "NetrUnjoinDomain",
+		["6bffd098-a112-3610-9833-46c3f87e345a",0x12] = "NetrValidateName",
+		["6bffd098-a112-3610-9833-46c3f87e345a",0x13] = "NetrRenameMachineInDomain",
+		["6bffd098-a112-3610-9833-46c3f87e345a",0x14] = "NetrGetJoinInformation",
+		["6bffd098-a112-3610-9833-46c3f87e345a",0x15] = "NetrGetJoinableOUs",
+		["6bffd098-a112-3610-9833-46c3f87e345a",0x16] = "NetrJoinDomain2",
+		["6bffd098-a112-3610-9833-46c3f87e345a",0x17] = "NetrUnjoinDomain2",
+		["6bffd098-a112-3610-9833-46c3f87e345a",0x18] = "NetrRenameMachineInDomain2",
+		["6bffd098-a112-3610-9833-46c3f87e345a",0x19] = "NetrValidateName2",
+		["6bffd098-a112-3610-9833-46c3f87e345a",0x1a] = "NetrGetJoinableOUs2",
+		["6bffd098-a112-3610-9833-46c3f87e345a",0x1b] = "NetrAddAlternateComputerName",
+		["6bffd098-a112-3610-9833-46c3f87e345a",0x1c] = "NetrRemoveAlternateComputerName",
+		["6bffd098-a112-3610-9833-46c3f87e345a",0x1d] = "NetrSetPrimaryComputerName",
+		["6bffd098-a112-3610-9833-46c3f87e345a",0x1e] = "NetrEnumerateComputerNames",
+		["6bffd098-a112-3610-9833-46c3f87e345a",0x1f] = "NetrWorkstationResetDfsCache",
 	} &redef &default=function(uuid: string, i: count): string { return fmt("unknown-%d", i); };
 }
--- a/scripts/base/protocols/dce-rpc/main.bro
+++ b/scripts/base/protocols/dce-rpc/main.bro
@ -80,9 +80,9 @@ event dce_rpc_request(c: connection, opnum: count, stub: string) &priority=5
 	{
 	set_session(c);

-	if ( c?$dce_rpc && c$dce_rpc?$endpoint )
+	if ( c?$dce_rpc  )
 		{
-
+		c$dce_rpc$ts = network_time();
 		}
 	}

@ -95,8 +95,15 @@ event dce_rpc_response(c: connection, opnum: count, stub: string) &priority=5
 		c$dce_rpc$operation = operations[c$dce_rpc$uuid, opnum];
 		if ( c$dce_rpc$ts != network_time() )
 			c$dce_rpc$rtt = network_time() - c$dce_rpc$ts;
+		}
+	}

+event dce_rpc_response(c: connection, opnum: count, stub: string) &priority=-5
+	{
+	if ( c?$dce_rpc )
+		{
 		Log::write(LOG, c$dce_rpc);
+		delete c$dce_rpc;
 		}
 	}