diff --git a/aux/btest b/aux/btest
index 17d1c15476..625dbecfd6 160000
--- a/aux/btest
+++ b/aux/btest
@@ -1 +1 @@
-Subproject commit 17d1c1547678bfd54ef1202db5415bc85c7ae794
+Subproject commit 625dbecfd63022d79a144b9651085e68cdf99ce4
diff --git a/scripts/base/protocols/dce-rpc/consts.bro b/scripts/base/protocols/dce-rpc/consts.bro
index e238ad55e4..62cef37646 100644
--- a/scripts/base/protocols/dce-rpc/consts.bro
+++ b/scripts/base/protocols/dce-rpc/consts.bro
@@ -7,8 +7,8 @@ export {
 ## a weird and skip further input.
 const max_cmd_reassembly = 20 &redef;
- ## The maximum number of fragmented bytes that will be tolerated
- ## on a command before the analyzer will generate a weird and
+ ## The maximum number of fragmented bytes that will be tolerated
+ ## on a command before the analyzer will generate a weird and
 ## skip further input.
 const max_frag_data = 30000 &redef;
@@ -100,15 +100,15 @@ export {
 ["2f5f3220-c126-1076-b549-074d078619da"] = "nddeapi",
 } &redef &default=function(uuid: string): string { return fmt("unknown-%s", uuid); };
- ## This table is to map pipe names to the most common
- ## service used over that pipe. It helps in cases
+ ## This table is to map pipe names to the most common
+ ## service used over that pipe. It helps in cases
 ## where the pipe binding wasn't seen.
 const pipe_name_to_common_uuid: table[string] of string = {
 ["winreg"] = "338cd001-2244-31f1-aaaa-900038001003",
 ["spoolss"] = "12345678-1234-abcd-ef00-0123456789ab",
 ["srvsvc"] = "4b324fc8-1670-01d3-1278-5a47bf6ee188",
 } &redef;
-
+
 const operations: table[string,count] of string = {
 # atsvc
 ["1ff70682-0a51-30e8-076d-740be8cee98b",0] = "NetrJobAdd",
@@ -1470,7 +1470,7 @@ export {
 ["e3514235-4b06-11d1-ab04-00c04fc2dcd2",0x14] = "DRSAddSidHistory",
 ["e3514235-4b06-11d1-ab04-00c04fc2dcd2",0x15] = "DRSGetMemberships2",
 ["e3514235-4b06-11d1-ab04-00c04fc2dcd2",0x16] = "DRSReplicaVerifyObjects",
- ["e3514235-4b06-11d1-ab04-00c04fc2dcd2",0x17] = "DRSGetObjectExistence",
+ ["e3514235-4b06-11d1-ab04-00c04fc2dcd2",0x17] = "DRSGetObjectExistence",
 ["e3514235-4b06-11d1-ab04-00c04fc2dcd2",0x18] = "DRSQuerySitesByCost",
 # winspipe
diff --git a/src/analyzer/protocol/dce-rpc/CMakeLists.txt b/src/analyzer/protocol/dce-rpc/CMakeLists.txt
index c7f9a940e0..959e6ac87c 100644
--- a/src/analyzer/protocol/dce-rpc/CMakeLists.txt
+++ b/src/analyzer/protocol/dce-rpc/CMakeLists.txt
@@ -7,7 +7,7 @@ bro_plugin_begin(Bro DCE_RPC)
 bro_plugin_cc(DCE_RPC.cc Plugin.cc)
 bro_plugin_bif(consts.bif types.bif events.bif)
 bro_plugin_pac(
- dce_rpc.pac
+ dce_rpc.pac
 dce_rpc-protocol.pac
 dce_rpc-analyzer.pac
 dce_rpc-auth.pac
diff --git a/src/analyzer/protocol/dce-rpc/dce_rpc-protocol.pac b/src/analyzer/protocol/dce-rpc/dce_rpc-protocol.pac
index 129bb11626..921b4ba51f 100644
--- a/src/analyzer/protocol/dce-rpc/dce_rpc-protocol.pac
+++ b/src/analyzer/protocol/dce-rpc/dce_rpc-protocol.pac
@@ -182,12 +182,21 @@ flow DCE_RPC_Flow(is_orig: bool) {
 %{
 if ( ${header.firstfrag} )
 {
+ if ( fb.count(${header.call_id}) > 0 )
+ {
+ // We already had a first frag earlier.
+ reporter->Weird(connection()->bro_analyzer()->Conn(),
+ "multiple_first_fragments_in_dce_rpc_reassembly");
+ connection()->bro_analyzer()->SetSkip(true);
+ return false;
+ }
+
 if ( ${header.lastfrag} )
 {
 // all-in-one packet
 return true;
 }
- else
+ else
 {
 // first frag, but not last so we start a flowbuffer
 fb[${header.call_id}] = std::unique_ptr(new FlowBuffer());
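Review bot: The new duplicate-first-fragment branch in the -182 hunk skips the analyzer but leaves the stale FlowBuffer for that call_id in `fb`, so the partially reassembled fragment data stays allocated, presumably for the lifetime of the flow; adding `fb.erase(${header.call_id});` just before `return false;` releases it at the point the condition is detected. The check also fires when the second first-fragment carries `lastfrag`, i.e. an all-in-one PDU reusing a call_id whose reassembly is still open, which looks intended but deserves a comment that says so, e.g. `// A first fragment for a call_id that is still being reassembled (overlapping or replayed fragments): report it and stop rather than silently replacing the partial buffer.` The enclosing function begins before this hunk and continues past it, so what the caller does with the `false` return is not visible here.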
@@ -196,14 +205,14 @@ flow DCE_RPC_Flow(is_orig: bool) {
 if ( fb.size() > BifConst::DCE_RPC::max_cmd_reassembly )
 {
- reporter->Weird(connection()->bro_analyzer()->Conn(),
+ reporter->Weird(connection()->bro_analyzer()->Conn(),
 "too_many_dce_rpc_msgs_in_reassembly");
 connection()->bro_analyzer()->SetSkip(true);
 }
- if ( fb[${header.call_id}]->data_length() > BifConst::DCE_RPC::max_frag_data )
+ if ( fb[${header.call_id}]->data_length() > (int)BifConst::DCE_RPC::max_frag_data )
 {
- reporter->Weird(connection()->bro_analyzer()->Conn(),
+ reporter->Weird(connection()->bro_analyzer()->Conn(),
 "too_much_dce_rpc_fragment_data");
 connection()->bro_analyzer()->SetSkip(true);
 }
@@ -216,9 +225,9 @@ flow DCE_RPC_Flow(is_orig: bool) {
 // not the first frag, but we have a flow buffer so add to it
 fb[${header.call_id}]->BufferData(frag.begin(), frag.end());
- if ( fb[${header.call_id}]->data_length() > BifConst::DCE_RPC::max_frag_data )
+ if ( fb[${header.call_id}]->data_length() > (int)BifConst::DCE_RPC::max_frag_data )
 {
- reporter->Weird(connection()->bro_analyzer()->Conn(),
+ reporter->Weird(connection()->bro_analyzer()->Conn(),
 "too_much_dce_rpc_fragment_data");
 connection()->bro_analyzer()->SetSkip(true);
 }
@@ -244,7 +253,7 @@ flow DCE_RPC_Flow(is_orig: bool) {
 bd = const_bytestring(fb[${h.call_id}]->begin(), fb[${h.call_id}]->end());
 fb.erase(${h.call_id});
 }
-
+
 return bd;
 %}
 };
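Review bot: The `(int)` cast added to the `max_frag_data` comparison in the -196 hunk narrows a `&redef`-able `count` constant (declared as `const max_frag_data = 30000 &redef;` in consts.bro on this page) to `int`, so a deployment that raises the limit past `INT_MAX` gets a wrapped or negative bound and the memory guard either fires on every fragment or never; the same cast is added in the -216 hunk. Widening the other operand instead keeps the comparison exact, e.g. `if ( (uint64_t)fb[${header.call_id}]->data_length() > BifConst::DCE_RPC::max_frag_data )`, provided `data_length()` cannot return a negative value — I cannot confirm that from here, and if it can, that case should be rejected explicitly rather than folded into the cast. The enclosing function starts before this hunk and ends after it.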