Added rename event to rpc/nfs protocol analyzer.

This event identifies and reports information about nfs/rpc calls and replies of the type rename.
2025-10-04 07:38:19 +00:00 · 2017-02-28 16:49:35 -05:00 · 2017-02-28 16:49:35 -05:00 · 1ee9610b77
commit 1ee9610b77
parent e69bb37cc7
5 changed files with 86 additions and 1 deletions
--- a/scripts/base/init-bare.bro
+++ b/scripts/base/init-bare.bro
@ -2182,6 +2182,16 @@ export {
 		fname: string;	##< The name of the file we are interested in.
 	};

+	## NFS *rename* arguments.
+	##
+	## .. bro:see:: nfs_proc_rename
+	type renameopargs_t : record {
+		src_dirfh : string;
+		src_fname : string;
+		dst_dirfh : string;
+		dst_fname : string;
+	};
+
 	## NFS lookup reply. If the lookup failed, *dir_attr* may be set. If the
 	## lookup succeeded, *fh* is always set and *obj_attr* and *dir_attr*
 	## may be set.
@ -2274,6 +2284,16 @@ export {
 		dir_post_attr: fattr_t &optional;	##< Optional attributes associated w/ dir.
 	};

+	## NFS reply for *rename*. Corresponds to *wcc_data* in the spec.
+	##
+	## .. bro:see:: nfs_rename
+	type renameobj_reply_t: record {
+		src_dir_pre_attr: wcc_attr_t;
+		src_dir_post_attr: fattr_t;
+		dst_dir_pre_attr: wcc_attr_t;
+		dst_dir_post_attr: fattr_t;
+	};
+
 	## NFS *readdir* arguments. Used for both *readdir* and *readdirplus*.
 	##
 	## .. bro:see:: nfs_proc_readdir
--- a/src/analyzer/protocol/rpc/NFS.cc
+++ b/src/analyzer/protocol/rpc/NFS.cc
@ -69,6 +69,10 @@ int NFS_Interp::RPC_BuildCall(RPC_CallInfo* c, const u_char*& buf, int& n)
 		callarg = nfs3_diropargs(buf, n);
 		break;

+	case BifEnum::NFS3::PROC_RENAME:
+		callarg = nfs3_renameopargs(buf, n);
+		break;
+
 	case BifEnum::NFS3::PROC_READDIR:
 		callarg = nfs3_readdirargs(false, buf, n);
 		break;
@ -197,6 +201,11 @@ int NFS_Interp::RPC_BuildReply(RPC_CallInfo* c, BifEnum::rpc_status rpc_status,
 		event = nfs_proc_rmdir;
 		break;

+	case BifEnum::NFS3::PROC_RENAME:
+		reply = nfs3_renameobj_reply(buf, n);
+		event = nfs_proc_rename;
+		break;
+
 	case BifEnum::NFS3::PROC_READDIR:
 		reply = nfs3_readdir_reply(false, buf, n, nfs_status);
 		event = nfs_proc_readdir;
@ -384,6 +393,17 @@ RecordVal *NFS_Interp::nfs3_diropargs(const u_char*& buf, int& n)
 	return diropargs;
 	}

+RecordVal *NFS_Interp::nfs3_renameopargs(const u_char*& buf, int& n)
+	{
+	RecordVal *renameopargs = new RecordVal(BifType::Record::NFS3::renameopargs_t);
+
+	renameopargs->Assign(0, nfs3_fh(buf, n));
+	renameopargs->Assign(1, nfs3_filename(buf, n));
+	renameopargs->Assign(2, nfs3_fh(buf, n));
+	renameopargs->Assign(3, nfs3_filename(buf, n));
+
+	return renameopargs;
+	}

 RecordVal* NFS_Interp::nfs3_post_op_attr(const u_char*& buf, int& n)
 	{
@ -568,6 +588,19 @@ RecordVal* NFS_Interp::nfs3_delobj_reply(const u_char*& buf, int& n)
 	return rep;
 	}

+RecordVal* NFS_Interp::nfs3_renameobj_reply(const u_char*& buf, int& n)
+	{
+	RecordVal *rep = new RecordVal(BifType::Record::NFS3::renameobj_reply_t);
+
+        // wcc_data
+	rep->Assign(0, nfs3_pre_op_attr(buf, n));
+	rep->Assign(1, nfs3_post_op_attr(buf, n));
+	rep->Assign(2, nfs3_pre_op_attr(buf, n));
+	rep->Assign(3, nfs3_post_op_attr(buf, n));
+
+	return rep;
+	}
+
 RecordVal* NFS_Interp::nfs3_readdirargs(bool isplus, const u_char*& buf, int&n)
 	{
 	RecordVal *args = new RecordVal(BifType::Record::NFS3::readdirargs_t);
--- a/src/analyzer/protocol/rpc/NFS.h
+++ b/src/analyzer/protocol/rpc/NFS.h
@ -37,6 +37,7 @@ protected:
 	EnumVal* nfs3_ftype(const u_char*& buf, int& n);
 	RecordVal* nfs3_wcc_attr(const u_char*& buf, int& n);
 	RecordVal* nfs3_diropargs(const u_char*&buf, int &n);
+	RecordVal* nfs3_renameopargs(const u_char*&buf, int &n);
 	StringVal* nfs3_filename(const u_char*& buf, int& n);
 	StringVal* nfs3_nfspath(const u_char*& buf, int& n)
 		{
@ -54,6 +55,7 @@ protected:
 	RecordVal* nfs3_write_reply(const u_char*& buf, int& n, BifEnum::NFS3::status_t status);
 	RecordVal* nfs3_newobj_reply(const u_char*& buf, int&n, BifEnum::NFS3::status_t status);
 	RecordVal* nfs3_delobj_reply(const u_char*& buf, int& n);
+	RecordVal* nfs3_renameobj_reply(const u_char*& buf, int& n);
 	StringVal* nfs3_post_op_fh(const u_char*& buf, int& n);
 	RecordVal* nfs3_readdirargs(bool isplus, const u_char*& buf, int&n);
 	RecordVal* nfs3_readdir_reply(bool isplus, const u_char*& buf, int&n, BifEnum::NFS3::status_t status);
--- a/src/analyzer/protocol/rpc/events.bif
+++ b/src/analyzer/protocol/rpc/events.bif
@ -274,6 +274,34 @@ event nfs_proc_remove%(c: connection, info: NFS3::info_t, req: NFS3::diropargs_t
 ##    register a port for it or add a DPD payload signature.
 event nfs_proc_rmdir%(c: connection, info: NFS3::info_t, req: NFS3::diropargs_t, rep: NFS3::delobj_reply_t%);

+## Generated for NFSv3 request/reply dialogues of type *rename*. The event is
+## generated once we have either seen both the request and its corresponding
+## reply, or an unanswered request has timed out.
+##
+## NFS is a service running on top of RPC. See `Wikipedia
+## <http://en.wikipedia.org/wiki/Network_File_System_(protocol)>`__ for more
+## information about the service.
+##
+## c: The RPC connection.
+##
+## info: Reports the status of the dialogue, along with some meta information.
+##
+## req: TODO.
+##
+## rep: The response returned in the reply. The values may not be valid if the
+##      request was unsuccessful.
+##
+## .. bro:see:: nfs_proc_create nfs_proc_getattr nfs_proc_lookup nfs_proc_mkdir
+##    nfs_proc_not_implemented nfs_proc_null nfs_proc_read nfs_proc_readdir
+##    nfs_proc_readlink nfs_proc_remove nfs_proc_rename nfs_proc_write
+##    nfs_reply_status rpc_call rpc_dialogue rpc_reply
+##
+## .. todo:: Bro's current default configuration does not activate the protocol
+##    analyzer that generates this event; the corresponding script has not yet
+##    been ported to Bro 2.x. To still enable this event, one needs to
+##    register a port for it or add a DPD payload signature.
+event nfs_proc_rename%(c: connection, info: NFS3::info_t, req: NFS3::renameopargs_t, rep: NFS3::renameobj_reply_t%);
+
 ## Generated for NFSv3 request/reply dialogues of type *readdir*. The event is
 ## generated once we have either seen both the request and its corresponding
 ## reply, or an unanswered request has timed out.
--- a/src/types.bif
+++ b/src/types.bif
@ -30,7 +30,7 @@ enum proc_t %{	# NFSv3 procedures
 	PROC_MKNOD    = 11,	# not implemented
 	PROC_REMOVE   = 12,	# done
 	PROC_RMDIR    = 13,	# done
-	PROC_RENAME   = 14,	# not implemented
+	PROC_RENAME   = 14,	# done
 	PROC_LINK     = 15,	# not implemented
 	PROC_READDIR  = 16,	# done
 	PROC_READDIRPLUS  = 17,	# done
@ -101,6 +101,7 @@ enum createmode_t %{
 type info_t: record;
 type fattr_t: record;
 type diropargs_t: record;
+type renameopargs_t: record;
 type lookup_reply_t: record;
 type readargs_t: record;
 type read_reply_t: record;
@ -110,6 +111,7 @@ type wcc_attr_t: record;
 type write_reply_t: record;
 type newobj_reply_t: record;
 type delobj_reply_t: record;
+type renameobj_reply_t: record;
 type readdirargs_t: record;
 type direntry_t: record;
 type direntry_vec_t: vector;