Merge remote-tracking branch 'origin/master' into topic/seth/smb

# Conflicts:
#	scripts/base/protocols/dce-rpc/main.bro
#	scripts/base/protocols/ntlm/main.bro
#	scripts/policy/protocols/smb/smb1-main.bro
#	src/analyzer/protocol/smb/smb-common.pac
#	src/analyzer/protocol/smb/smb-strings.pac
#	src/analyzer/protocol/smb/smb1-com-locking-andx.pac
#	src/analyzer/protocol/smb/smb1-com-logoff-andx.pac
#	src/analyzer/protocol/smb/smb1-com-nt-create-andx.pac
#	src/analyzer/protocol/smb/smb1-com-open-andx.pac
#	src/analyzer/protocol/smb/smb1-com-read-andx.pac
#	src/analyzer/protocol/smb/smb1-com-session-setup-andx.pac
#	src/analyzer/protocol/smb/smb1-com-transaction-secondary.pac
#	src/analyzer/protocol/smb/smb1-com-transaction.pac
#	src/analyzer/protocol/smb/smb1-com-tree-connect-andx.pac
#	src/analyzer/protocol/smb/smb1-com-write-andx.pac
#	src/analyzer/protocol/smb/smb1-protocol.pac

scripts/base/frameworks/files/magic/general.sig

@@ -93,7 +93,7 @@ signature file-ini {
 # Microsoft LNK files
 signature file-lnk {
 	file-mime "application/x-ms-shortcut", 49
-	file-magic /^\x4C\x00\x00\x00\x01\x14\x02\x00\x00\x00\x00\x00\xC0\x00\x00\x00\x00\x10\x00\x00\x00\x46/
+	file-magic /^\x4c\x00\x00\x00\x01\x14\x02\x00\x00\x00\x00\x00\xc0\x00\x00\x00\x00\x00\x00\x46/
 }
 
 # Microsoft Registry policies
@@ -310,4 +310,4 @@ signature file-elf-sharedlib {
 signature file-elf-coredump {
 	file-mime "application/x-coredump", 50
 	file-magic /\x7fELF[\x01\x02](\x01.{10}\x04\x00|\x02.{10}\x00\x04)/
-}
+}

scripts/base/init-bare.bro

@@ -2380,83 +2380,508 @@ type ntp_msg: record {
 };
 
 
-## Maps SMB command numbers to descriptive names.
-global samba_cmds: table[count] of string &redef
-			&default = function(c: count): string
-				{ return fmt("samba-unknown-%d", c); };
+module NTLM;
 
-## An SMB command header.
-##
-## .. bro:see:: smb_com_close smb_com_generic_andx smb_com_logoff_andx
-##    smb_com_negotiate smb_com_negotiate_response smb_com_nt_create_andx
-##    smb_com_read_andx smb_com_setup_andx smb_com_trans_mailslot
-##    smb_com_trans_pipe smb_com_trans_rap smb_com_transaction
-##    smb_com_transaction2 smb_com_tree_connect_andx smb_com_tree_disconnect
-##    smb_com_write_andx smb_error smb_get_dfs_referral smb_message
-type smb_hdr : record {
-	command: count;	##< The command number (see :bro:see:`samba_cmds`).
-	status: count;	##< The status code.
-	flags: count;	##< Flag set 1.
-	flags2: count;	##< Flag set 2.
-	tid: count;	##< TODO.
-	pid: count;	##< Process ID.
-	uid: count;	##< User ID.
-	mid: count;	##< TODO.
-};
+export {
+	type NTLM::Version: record {
+		## The major version of the Windows operating system in use
+		major   : count;
+		## The minor version of the Windows operating system in use
+		minor   : count;
+		## The build number of the Windows operating system in use
+		build   : count;
+		## The current revision of NTLMSSP in use
+		ntlmssp : count;
+	};
 
-## An SMB transaction.
-##
-## .. bro:see:: smb_com_trans_mailslot smb_com_trans_pipe smb_com_trans_rap
-##    smb_com_transaction smb_com_transaction2
-type smb_trans : record {
-	word_count: count;	##< TODO.
-	total_param_count: count;	##< TODO.
-	total_data_count: count;	##< TODO.
-	max_param_count: count;	##< TODO.
-	max_data_count: count;	##< TODO.
-	max_setup_count: count;	##< TODO.
-#	flags: count;
-#	timeout: count;
-	param_count: count;	##< TODO.
-	param_offset: count;	##< TODO.
-	data_count: count;	##< TODO.
-	data_offset: count;	##< TODO.
-	setup_count: count;	##< TODO.
-	setup0: count;	##< TODO.
-	setup1: count;	##< TODO.
-	setup2: count;	##< TODO.
-	setup3: count;	##< TODO.
-	byte_count: count;	##< TODO.
-	parameters: string;	##< TODO.
-};
+	type NTLM::NegotiateFlags: record {
+		## If set, requires 56-bit encryption
+		negotiate_56               : bool;
+		## If set, requests an explicit key exchange
+		negotiate_key_exch         : bool;
+		## If set, requests 128-bit session key negotiation
+		negotiate_128              : bool;
+		## If set, requests the protocol version number
+		negotiate_version          : bool;
+		## If set, indicates that the TargetInfo fields in the
+		## CHALLENGE_MESSAGE are populated
+		negotiate_target_info      : bool;
+		## If set, requests the usage of the LMOWF function
+		request_non_nt_session_key : bool;
+		## If set, requests and identify level token
+		negotiate_identify         : bool;
+		## If set, requests usage of NTLM v2 session security
+		## Note: NTML v2 session security is actually NTLM v1
+		negotiate_extended_sessionsecurity : bool;
+		## If set, TargetName must be a server name
+		target_type_server         : bool;
+		## If set, TargetName must be a domain name
+		target_type_domain         : bool;
+
+		## If set, requests the presence of a signature block
+		## on all messages
+		negotiate_always_sign              : bool;
+		## If set, the workstation name is provided
+		negotiate_oem_workstation_supplied : bool;
+		## If set, the domain name is provided
+		negotiate_oem_domain_supplied      : bool;
+		## If set, the connection should be anonymous
+		negotiate_anonymous_connection     : bool;
+		## If set, requests usage of NTLM v1
+		negotiate_ntlm                     : bool;
+
+		## If set, requests LAN Manager session key computation
+		negotiate_lm_key       : bool;
+		## If set, requests connectionless authentication
+		negotiate_datagram     : bool;
+		## If set, requests session key negotiation for message 
+		## confidentiality
+		negotiate_seal         : bool;
+		## If set, requests session key negotiation for message
+		## signatures
+		negotiate_sign         : bool;
+		## If set, the TargetName field is present
+		request_target         : bool;
+
+		## If set, requests OEM character set encoding
+		negotiate_oem          : bool;
+		## If set, requests Unicode character set encoding
+		negotiate_unicode      : bool;
+	};
+
+	type NTLM::Negotiate: record {
+		## The negotiate flags
+		flags       : NTLM::NegotiateFlags;
+		## The domain name of the client, if known
+		domain_name : string &optional;
+		## The machine name of the client, if known
+		workstation : string &optional;
+		## The Windows version information, if supplied
+		version     : NTLM::Version &optional;
+	};
+
+	type NTLM::AVs: record {
+		## The server's NetBIOS computer name
+		nb_computer_name  : string;
+		## The server's NetBIOS domain name
+		nb_domain_name    : string;
+		## The FQDN of the computer
+		dns_computer_name : string &optional;
+		## The FQDN of the domain
+		dns_domain_name   : string &optional;
+		## The FQDN of the forest
+		dns_tree_name     : string &optional;
+
+		## Indicates to the client that the account
+		## authentication is constrained
+		constrained_auth  : bool &optional;
+		## The associated timestamp, if present
+		timestamp         : time &optional;
+		## Indicates that the client is providing
+		## a machine ID created at computer startup to
+		## identify the calling machine
+		single_host_id    : count &optional;
+
+		## The SPN of the target server
+		target_name       : string &optional;
+	};
+
+	type NTLM::Challenge: record {
+		## The negotiate flags
+		flags       : NTLM::NegotiateFlags;
+		## The server authentication realm. If the server is
+		## domain-joined, the name of the domain. Otherwise
+		## the server name. See flags.target_type_domain
+		## and flags.target_type_server
+		target_name : string &optional;
+		## The Windows version information, if supplied
+		version     : NTLM::Version &optional;
+		## Attribute-value pairs specified by the server
+		target_info : NTLM::AVs &optional;
+	};
+
+	type NTLM::Authenticate: record {
+		## The negotiate flags
+		flags       : NTLM::NegotiateFlags;
+		## The domain or computer name hosting the account
+		domain_name : string;
+		## The name of the user to be authenticated.
+		user_name   : string;
+		## The name of the computer to which the user was logged on.
+		workstation : string;
+		## The Windows version information, if supplied
+		version     : NTLM::Version &optional;
+	};
+}
+
+module SMB;
+
+export {
+	## MAC times for a file.
+	type SMB::MACTimes: record {
+		modified : time &log;
+		accessed : time &log;
+		created  : time &log;
+		changed  : time &log;
+	} &log;
+}
+
+module SMB1;
+
+export {
+	## An SMB1 header.
+	## 
+	## .. bro:see:: smb_com_close smb_com_generic_andx smb_com_logoff_andx
+	##    smb_com_negotiate smb_com_negotiate_response smb_com_nt_create_andx
+	##    smb_com_read_andx smb_com_setup_andx smb_com_trans_mailslot
+	##    smb_com_trans_pipe smb_com_trans_rap smb_com_transaction
+	##    smb_com_transaction2 smb_com_tree_connect_andx smb_com_tree_disconnect
+	##    smb_com_write_andx smb_error smb_get_dfs_referral smb_message
+	type SMB1::Header : record {
+		command: count; ##< The command number
+		status: count;  ##< The status code.
+		flags: count;   ##< Flag set 1.
+		flags2: count;  ##< Flag set 2.
+		tid: count;     ##< Tree ID.
+		pid: count;     ##< Process ID.
+		uid: count;     ##< User ID.
+		mid: count;     ##< Multiplex ID.
+	};
+
+	type SMB1::NegotiateRawMode: record {
+		## Read raw supported
+		read_raw	: bool;
+		## Write raw supported
+		write_raw	: bool;
+	};
+
+	type SMB1::NegotiateCapabilities: record {
+		## The server supports SMB_COM_READ_RAW and SMB_COM_WRITE_RAW
+		raw_mode	   : bool;
+		## The server supports SMB_COM_READ_MPX and SMB_COM_WRITE_MPX
+		mpx_mode	   : bool;
+		## The server supports unicode strings
+		unicode		   : bool;
+		## The server supports large files with 64 bit offsets
+		large_files	   : bool;
+		## The server supports the SMBs particilar to the NT LM 0.12 dialect. Implies nt_find.
+		nt_smbs		   : bool;
+
+		## The server supports remote admin API requests via DCE-RPC
+		rpc_remote_apis	   : bool;
+		## The server can respond with 32 bit status codes in Status.Status
+		status32	   : bool;
+		## The server supports level 2 oplocks
+		level_2_oplocks	   : bool;
+		## The server supports SMB_COM_LOCK_AND_READ
+		lock_and_read	   : bool;
+		## Reserved
+		nt_find		   : bool;
+
+		## The server is DFS aware
+		dfs		   : bool;
+		## The server supports NT information level requests passing through
+		infolevel_passthru : bool;
+		## The server supports large SMB_COM_READ_ANDX (up to 64k)
+		large_readx	   : bool;
+		## The server supports large SMB_COM_WRITE_ANDX (up to 64k)
+		large_writex	   : bool;
+		## The server supports CIFS Extensions for UNIX
+		unix		   : bool;
+
+		## The server supports SMB_BULK_READ, SMB_BULK_WRITE
+		## Note: No known implementations support this
+		bulk_transfer	   : bool;
+		## The server supports compressed data transfer. Requires bulk_transfer.
+		## Note: No known implementations support this
+		compressed_data	   : bool;
+		## The server supports extended security exchanges	
+		extended_security  : bool;
+	};
+
+	type SMB1::NegotiateResponseSecurity: record {
+		## This indicates whether the server, as a whole, is operating under
+		## Share Level or User Level security.
+		user_level	  : bool;
+		## This indicates whether or not the server supports Challenge/Response
+		## authentication. If the bit is false, then plaintext passwords must
+		## be used.
+		challenge_response: bool;
+		## This indicates if the server is capable of performing MAC message
+		## signing. Note: Requires NT LM 0.12 or later.
+		signatures_enabled: bool &optional;
+		## This indicates if the server is requiring the use of a MAC in each
+		## packet. If false, message signing is optional. Note: Requires NT LM 0.12
+		## or later.
+		signatures_required: bool &optional;
+	};
+
+	type SMB1::NegotiateResponseCore: record {
+		## Index of selected dialect
+		dialect_index	: count;
+	};
+
+	type SMB1::NegotiateResponseLANMAN: record {
+		## Count of parameter words (should be 13)
+		word_count	     : count;
+		## Index of selected dialect
+		dialect_index	     : count;
+		## Security mode
+		security_mode	     : SMB1::NegotiateResponseSecurity;
+		## Max transmit buffer size (>= 1024)
+		max_buffer_size	     : count;
+		## Max pending multiplexed requests
+		max_mpx_count	     : count;
+
+		## Max number of virtual circuits (VCs - transport-layer connections)
+		## between client and server
+		max_number_vcs	     : count;
+		## Raw mode
+		raw_mode	     : SMB1::NegotiateRawMode;
+		## Unique token identifying this session
+		session_key	     : count;
+		## Current date and time at server
+		server_time	     : time;
+		## The challenge encryption key
+		encryption_key	     : string;
+
+		## The server's primary domain
+		primary_domain	     : string;
+	};
+
+	type SMB1::NegotiateResponseNTLM: record {
+		## Count of parameter words (should be 17)
+		word_count	: count;
+		## Index of selected dialect
+		dialect_index	: count;
+		## Security mode
+		security_mode	: SMB1::NegotiateResponseSecurity;
+		## Max transmit buffer size
+		max_buffer_size	: count;
+		## Max pending multiplexed requests
+		max_mpx_count	: count;
+
+		## Max number of virtual circuits (VCs - transport-layer connections)
+		## between client and server
+		max_number_vcs	: count;
+		## Max raw buffer size
+		max_raw_size	: count;
+		## Unique token identifying this session
+		session_key	: count;
+		## Server capabilities
+		capabilities	: SMB1::NegotiateCapabilities;
+		## Current date and time at server
+		server_time	: time;
+
+		## The challenge encryption key.
+		## Present only for non-extended security (i.e. capabilities$extended_security = F)
+		encryption_key	: string &optional;
+		## The name of the domain.
+		## Present only for non-extended security (i.e. capabilities$extended_security = F)
+		domain_name	: string &optional;
+		## A globally unique identifier assigned to the server.
+		## Present only for extended security (i.e. capabilities$extended_security = T)
+		guid		: string &optional;
+		## Opaque security blob associated with the security package if capabilities$extended_security = T
+		## Otherwise, the challenge for challenge/response authentication.
+		security_blob	: string;
+	};
+
+	type SMB1::NegotiateResponse: record {
+		## If the server does not understand any of the dialect strings, or if 
+		## PC NETWORK PROGRAM 1.0 is the chosen dialect.
+		core	: SMB1::NegotiateResponseCore 	&optional;
+		## If the chosen dialect is greater than core up to and including
+		## LANMAN 2.1.
+		lanman  : SMB1::NegotiateResponseLANMAN  &optional;
+		## If the chosen dialect is NT LM 0.12.
+		ntlm	: SMB1::NegotiateResponseNTLM    &optional;
+	};
+
+	type SMB1::SessionSetupAndXCapabilities: record {
+		## The client can use unicode strings
+		unicode         : bool;
+		## The client can deal with files having 64 bit offsets
+		large_files     : bool;
+		## The client understands the SMBs introduced with NT LM 0.12
+		## Implies nt_find
+		nt_smbs         : bool;
+		## The client can receive 32 bit errors encoded in Status.Status
+		status32        : bool;
+		## The client understands Level II oplocks
+		level_2_oplocks : bool;
+		## Reserved. Implied by nt_smbs.
+		nt_find		: bool;
+	};
+
+	type SMB1::SessionSetupAndXRequest: record {
+		## Count of parameter words
+		##    - 10 for pre NT LM 0.12
+		##    - 12 for NT LM 0.12 with extended security
+		##    - 13 for NT LM 0.12 without extended security
+		word_count		  : count;
+		## Client maximum buffer size
+		max_buffer_size		  : count;
+		## Actual maximum multiplexed pending request
+		max_mpx_count		  : count;
+		## Virtual circuit number. First VC == 0
+		vc_number		  : count;
+		## Session key (valid iff vc_number > 0)
+		session_key		  : count;
+
+		## Client's native operating system
+		native_os		  : string;
+		## Client's native LAN Manager type
+		native_lanman		  : string;
+		## Account name
+		## Note: not set for NT LM 0.12 with extended security
+		account_name		  : string &optional;
+		## If challenge/response auth is not being used, this is the password.
+		## Otherwise, it's the response to the server's challenge.
+		## Note: Only set for pre NT LM 0.12
+		account_password	  : string &optional;		
+		## Client's primary domain, if known
+		## Note: not set for NT LM 0.12 with extended security
+		primary_domain		  : string &optional;
+
+		## Case insensitive password
+		## Note: only set for NT LM 0.12 without extended security
+		case_insensitive_password : string &optional;
+		## Case sensitive password
+		## Note: only set for NT LM 0.12 without extended security
+		case_sensitive_password	  : string &optional;
+		## Security blob
+		## Note: only set for NT LM 0.12 with extended security
+		security_blob		  : string &optional;
+		## Client capabilities
+		## Note: only set for NT LM 0.12
+		capabilities		  : SMB1::SessionSetupAndXCapabilities &optional;
+	};
+	
+	type SMB1::SessionSetupAndXResponse: record {
+		## Count of parameter words (should be 3 for pre NT LM 0.12 and 4 for NT LM 0.12)
+		word_count	: count;
+		## Were we logged in as a guest user?
+		is_guest	: bool &optional;
+		## Server's native operating system
+		native_os 	: string &optional;
+		## Server's native LAN Manager type
+		native_lanman	: string &optional;
+		## Server's primary domain
+		primary_domain	: string &optional;
+		## Security blob if NTLM
+		security_blob	: string &optional;
+	};
+
+	type SMB1::Find_First2_Request_Args: record {
+		## File attributes to apply as a constraint to the search
+		search_attrs		: count;
+		## Max search results
+		search_count		: count;
+		## Misc. flags for how the server should manage the transaction
+		## once results are returned
+		flags				: count;
+		## How detailed the information returned in the results should be
+		info_level			: count;
+		## Specify whether to search for directories or files
+		search_storage_type	: count;
+		## The string to serch for (note: may contain wildcards)
+		file_name			: string;
+	};
+
+	type SMB1::Find_First2_Response_Args: record {
+		## The server generated search identifier
+		sid				: count;
+		## Number of results returned by the search
+		search_count	: count;
+		## Whether or not the search can be continued using
+		## the TRANS2_FIND_NEXT2 transaction
+		end_of_search	: bool;
+		## An extended attribute name that couldn't be retrieved
+		ext_attr_error	: string &optional;
+	};
 
 
-## SMB transaction data.
-##
-## .. bro:see:: smb_com_trans_mailslot smb_com_trans_pipe smb_com_trans_rap
-##    smb_com_transaction smb_com_transaction2
-##
-## .. todo:: Should this really be a record type?
-type smb_trans_data : record {
-	data : string;	##< The transaction's data.
-};
+}
 
-## Deprecated.
-##
-## .. todo:: Remove. It's still declared internally but doesn't seem  used anywhere
-##    else.
-type smb_tree_connect : record {
-	flags: count;
-	password: string;
-	path: string;
-	service: string;
-};
+module SMB2;
 
-## Deprecated.
-##
-## .. todo:: Remove. It's still declared internally but doesn't seem  used anywhere
-##    else.
-type smb_negotiate : table[count] of string;
+export {
+	type SMB2::Header: record {
+		credit_charge: count;
+		status: count;
+		command: count;
+		credits: count;
+		flags: count;
+		message_id: count;
+		process_id: count;
+		tree_id: count;
+		session_id: count;
+		signature: string;
+	};
+
+	type SMB2::GUID: record {
+		persistent: count;
+		volatile: count;
+	};
+
+	type SMB2::FileAttrs: record {
+		read_only: bool;
+		hidden: bool;
+		system: bool;
+		directory: bool;
+		archive: bool;
+		normal: bool;
+		temporary: bool;
+		sparse_file: bool;
+		reparse_point: bool;
+		compressed: bool;
+		offline: bool;
+		not_content_indexed: bool;
+		encrypted: bool;
+		integrity_stream: bool;
+		no_scrub_data: bool;
+	};
+
+	type SMB2::CloseResponse: record {
+		alloc_size : count;
+		eof        : count;
+		times      : SMB::MACTimes;
+		attrs      : SMB2::FileAttrs;
+	};
+
+	type SMB2::NegotiateResponse: record {
+		dialect_revision  : count;
+		security_mode     : count;
+		server_guid       : string;
+		system_time       : time;
+		server_start_time : time;
+	};
+
+	type SMB2::SessionSetupRequest: record {
+		security_mode: count;
+	};
+
+	type SMB2::SessionSetupFlags: record {
+		guest: bool;
+		anonymous: bool;
+		encrypt: bool;
+	};
+
+	type SMB2::SessionSetupResponse: record {
+		flags: SMB2::SessionSetupFlags;
+	};
+
+	type SMB2::SetInfoRequest: record {
+		eof: count;
+	};
+
+	type SMB2::TreeConnectResponse: record {
+		share_type: count;
+	};
+}
+
+module GLOBAL;
 
 ## A list of router addresses offered by a DHCP server.
 ##

scripts/base/init-default.bro

@@ -43,6 +43,7 @@
 @load base/frameworks/netcontrol
 
 @load base/protocols/conn
+@load base/protocols/dce-rpc
 @load base/protocols/dhcp
 @load base/protocols/dnp3
 @load base/protocols/dns
@@ -53,12 +54,16 @@
 @load base/protocols/krb
 @load base/protocols/modbus
 @load base/protocols/mysql
+@load base/protocols/ntlm
 @load base/protocols/pop3
 @load base/protocols/radius
 @load base/protocols/rdp
 @load base/protocols/rfb
 @load base/protocols/sip
 @load base/protocols/snmp
+# This DOES NOT enable the SMB analyzer.  It's just some base support 
+# for other protocols.
+@load base/protocols/smb
 @load base/protocols/smtp
 @load base/protocols/socks
 @load base/protocols/ssh

scripts/base/protocols/dce-rpc/__load__.bro

@@ -0,0 +1,4 @@
+@load ./consts
+@load ./main
+
+@load-sigs ./dpd.sig

scripts/base/protocols/dce-rpc/dpd.sig

@@ -0,0 +1,6 @@
+
+signature dpd_dce_rpc {
+	ip-proto == tcp
+	payload /^\x05[\x00\x01][\x00-\x13]\x03/
+	enable "DCE_RPC"
+}

scripts/base/protocols/dce-rpc/main.bro

@@ -0,0 +1,204 @@
+@load ./consts
+
+module DCE_RPC;
+
+export {
+	redef enum Log::ID += { LOG };
+
+	type Info: record {
+		## Timestamp for when the event happened.
+		ts         : time     &log;
+		## Unique ID for the connection.
+		uid        : string   &log;
+		## The connection's 4-tuple of endpoint addresses/ports.
+		id         : conn_id  &log;
+		## Round trip time from the request to the response.
+		## If either the request or response wasn't seen, 
+		## this will be null.
+		rtt        : interval &log &optional;
+
+		## Remote pipe name.
+		named_pipe : string   &log &optional;
+		## Endpoint name looked up from the uuid.
+		endpoint   : string   &log &optional;
+		## Operation seen in the call.
+		operation  : string   &log &optional;
+	};
+
+	## These are DCE-RPC operations that are ignored, typically due 
+	## the operations being noisy and low valueon most networks.
+	const ignored_operations: table[string] of set[string] = {
+		["winreg"] = set("BaseRegCloseKey", "BaseRegGetVersion", "BaseRegOpenKey", "BaseRegQueryValue", "BaseRegDeleteKeyEx", "OpenLocalMachine", "BaseRegEnumKey", "OpenClassesRoot"),
+		["spoolss"] = set("RpcSplOpenPrinter", "RpcClosePrinter"),
+		["wkssvc"] = set("NetrWkstaGetInfo"),
+	} &redef;
+}
+
+type State: record {
+	uuid       : string &optional;
+	named_pipe : string &optional;
+};
+
+# This is to store the log and state information 
+# for multiple DCE/RPC bindings over a single TCP connection (named pipes).
+type BackingState: record {
+	info: Info;
+	state: State;
+};
+
+redef record connection += {
+	dce_rpc: Info &optional;
+	dce_rpc_state: State &optional;
+	dce_rpc_backing: table[count] of BackingState &optional;
+};
+
+const ports = { 135/tcp };
+redef likely_server_ports += { ports };
+
+event bro_init() &priority=5
+	{
+	Log::create_stream(DCE_RPC::LOG, [$columns=Info, $path="dce_rpc"]);
+	Analyzer::register_for_ports(Analyzer::ANALYZER_DCE_RPC, ports);
+	}
+
+function normalize_named_pipe_name(pn: string): string
+	{
+	local parts = split_string(pn, /\\[pP][iI][pP][eE]\\/);
+	if ( 1 in parts )
+		return to_lower(parts[1]);
+	else
+		return to_lower(pn);
+	}
+
+function set_state(c: connection, state_x: BackingState)
+	{
+	c$dce_rpc = state_x$info;
+	c$dce_rpc_state = state_x$state;
+
+	if ( c$dce_rpc_state?$uuid )
+		c$dce_rpc$endpoint = uuid_endpoint_map[c$dce_rpc_state$uuid];
+	if ( c$dce_rpc_state?$named_pipe )
+		c$dce_rpc$named_pipe = c$dce_rpc_state$named_pipe;
+	}
+
+function set_session(c: connection, fid: count)
+	{
+	if ( ! c?$dce_rpc_backing )
+		{
+		c$dce_rpc_backing = table();
+		}
+	if ( fid !in c$dce_rpc_backing )
+		{
+		local info = Info($ts=network_time(),$id=c$id,$uid=c$uid);
+		c$dce_rpc_backing[fid] = BackingState($info=info, $state=State());
+		}
+
+	local state_x = c$dce_rpc_backing[fid];
+	set_state(c, state_x);
+	}
+
+event dce_rpc_bind(c: connection, fid: count, uuid: string, ver_major: count, ver_minor: count) &priority=5
+	{
+	set_session(c, fid);
+
+	local uuid_str = uuid_to_string(uuid);
+	c$dce_rpc_state$uuid = uuid_str;
+	c$dce_rpc$endpoint = uuid_endpoint_map[uuid_str];
+	}
+
+event dce_rpc_bind_ack(c: connection, fid: count, sec_addr: string) &priority=5
+	{
+	set_session(c, fid);
+
+	if ( sec_addr != "" )
+		{
+		c$dce_rpc_state$named_pipe = sec_addr;
+		c$dce_rpc$named_pipe = sec_addr;
+		}
+	}
+
+event dce_rpc_request(c: connection, fid: count, opnum: count, stub_len: count) &priority=5
+	{
+	set_session(c, fid);
+
+	if ( c?$dce_rpc )
+		{
+		c$dce_rpc$ts = network_time();
+		}
+	}
+
+event dce_rpc_response(c: connection, fid: count, opnum: count, stub_len: count) &priority=5
+	{
+	set_session(c, fid);
+
+	# In the event that the binding wasn't seen, but the pipe
+	# name is known, go ahead and see if we have a pipe name to
+	# uuid mapping...
+	if ( ! c$dce_rpc?$endpoint && c$dce_rpc?$named_pipe )
+		{
+		local npn = normalize_named_pipe_name(c$dce_rpc$named_pipe);
+		if ( npn in pipe_name_to_common_uuid )
+			{
+			c$dce_rpc_state$uuid = pipe_name_to_common_uuid[npn];
+			}
+		}
+
+	if ( c?$dce_rpc && c$dce_rpc?$endpoint )
+		{
+		c$dce_rpc$operation = operations[c$dce_rpc_state$uuid, opnum];
+		if ( c$dce_rpc$ts != network_time() )
+			c$dce_rpc$rtt = network_time() - c$dce_rpc$ts;
+		}
+	}
+
+event dce_rpc_response(c: connection, fid: count, opnum: count, stub_len: count) &priority=-5
+	{
+	if ( c?$dce_rpc )
+		{
+		# If there is not an endpoint, there isn't much reason to log.
+		# This can happen if the request isn't seen.
+		if ( (c$dce_rpc?$endpoint && c$dce_rpc$endpoint !in ignored_operations)
+		     || 
+		     (c$dce_rpc?$endpoint && c$dce_rpc?$operation &&
+		      c$dce_rpc$operation !in ignored_operations[c$dce_rpc$endpoint] &&
+		      "*" !in ignored_operations[c$dce_rpc$endpoint]) )
+			{
+			Log::write(LOG, c$dce_rpc);
+			}
+		delete c$dce_rpc;
+		}
+	}
+
+event connection_state_remove(c: connection)
+	{
+	if ( ! c?$dce_rpc )
+		return;
+
+	# TODO: Go through any remaining dce_rpc requests that haven't been processed with replies.
+	for ( i in c$dce_rpc_backing )
+		{
+		local x = c$dce_rpc_backing[i];
+		set_state(c, x);
+
+		# In the event that the binding wasn't seen, but the pipe
+		# name is known, go ahead and see if we have a pipe name to
+		# uuid mapping...
+		if ( ! c$dce_rpc?$endpoint && c$dce_rpc?$named_pipe )
+			{
+			local npn = normalize_named_pipe_name(c$dce_rpc$named_pipe);
+			if ( npn in pipe_name_to_common_uuid )
+				{
+				c$dce_rpc_state$uuid = pipe_name_to_common_uuid[npn];
+				}
+			}
+
+		if ( (c$dce_rpc?$endpoint && c$dce_rpc$endpoint !in ignored_operations)
+		     || 
+		     (c$dce_rpc?$endpoint && c$dce_rpc?$operation &&
+		      c$dce_rpc$operation !in ignored_operations[c$dce_rpc$endpoint] &&
+		      "*" !in ignored_operations[c$dce_rpc$endpoint]) )
+			{
+			Log::write(LOG, c$dce_rpc);
+			}
+		}
+	}

scripts/base/protocols/ntlm/__load__.bro

@@ -0,0 +1 @@
+@load ./main

scripts/base/protocols/ntlm/main.bro

@@ -0,0 +1,127 @@
+@load base/protocols/smb
+
+module NTLM;
+
+export {
+	redef enum Log::ID += { LOG };
+
+	type Info: record {
+		## Timestamp for when the event happened.
+		ts         : time     &log;
+		## Unique ID for the connection.
+		uid        : string   &log;
+		## The connection's 4-tuple of endpoint addresses/ports.
+		id         : conn_id  &log;
+
+		## Username given by the client.
+		username   : string   &log &optional;
+		## Hostname given by the client.
+		hostname   : string   &log &optional;
+		## Domainname given by the client.
+		domainname : string   &log &optional;
+
+		## Indicate whether or not the authentication was successful.
+		success    : bool     &log &optional;
+		## A string representation of the status code that was 
+		## returned in response to the authentication attempt.
+		status     : string   &log &optional;
+
+		## Internally used field to indicate if the login attempt 
+		## has already been logged.
+		done: bool  &default=F;
+	};
+
+	## DOS and NT status codes that indicate authentication failure.
+	const auth_failure_statuses: set[count] = {
+		0x052e0001, # logonfailure
+		0x08c00002, # badClient
+		0x08c10002, # badLogonTime
+		0x08c20002, # passwordExpired
+		0xC0000022, # ACCESS_DENIED
+		0xC000006A, # WRONG_PASSWORD
+		0xC000006F, # INVALID_LOGON_HOURS
+		0xC0000070, # INVALID_WORKSTATION
+		0xC0000071, # PASSWORD_EXPIRED
+		0xC0000072, # ACCOUNT_DISABLED
+	} &redef;
+}
+
+redef record connection += {
+	ntlm: Info &optional;
+};
+
+event bro_init() &priority=5
+	{
+	Log::create_stream(NTLM::LOG, [$columns=Info, $path="ntlm"]);
+	}
+
+event ntlm_negotiate(c: connection, request: NTLM::Negotiate) &priority=5
+	{
+	}
+
+event ntlm_challenge(c: connection, challenge: NTLM::Challenge) &priority=5
+	{
+	}
+
+event ntlm_authenticate(c: connection, request: NTLM::Authenticate) &priority=5
+	{
+	c$ntlm = NTLM::Info($ts=network_time(), $uid=c$uid, $id=c$id);
+	if ( request?$domain_name )
+		c$ntlm$domainname = request$domain_name;
+	if ( request?$workstation )
+		c$ntlm$hostname = request$workstation;
+	if ( request?$user_name )
+		c$ntlm$username = request$user_name;
+	}
+
+event gssapi_neg_result(c: connection, state: count) &priority=3
+	{
+	if ( c?$ntlm )
+		c$ntlm$success = (state == 0);
+	}
+
+event gssapi_neg_result(c: connection, state: count) &priority=-3
+	{
+	if ( c?$ntlm && ! c$ntlm$done )
+		{
+		if ( c$ntlm?$username || c$ntlm?$hostname )
+			{
+			Log::write(NTLM::LOG, c$ntlm);
+			c$ntlm$done = T;
+			}
+		}
+	}
+
+event smb1_message(c: connection, hdr: SMB1::Header, is_orig: bool) &priority=3
+	{
+	if ( c?$ntlm && ! c$ntlm$done &&
+	     ( c$ntlm?$username || c$ntlm?$hostname ) )
+		{
+		c$ntlm$success = (hdr$status !in auth_failure_statuses);
+		c$ntlm$status = SMB::statuses[hdr$status]$id;
+
+		Log::write(NTLM::LOG, c$ntlm);
+		c$ntlm$done = T;
+		}
+	}
+
+event smb2_message(c: connection, hdr: SMB2::Header, is_orig: bool) &priority=3
+	{
+	if ( c?$ntlm && ! c$ntlm$done &&
+	     ( c$ntlm?$username || c$ntlm?$hostname ) )
+		{
+		c$ntlm$success = (hdr$status !in auth_failure_statuses);
+		c$ntlm$status = SMB::statuses[hdr$status]$id;
+
+		Log::write(NTLM::LOG, c$ntlm);
+		c$ntlm$done = T;
+		}
+	}
+
+event connection_state_remove(c: connection) &priority=-5
+	{
+	if ( c?$ntlm && ! c$ntlm$done )
+		{
+		Log::write(NTLM::LOG, c$ntlm);
+		}
+	}

scripts/base/protocols/smb/__load__.bro

@@ -0,0 +1,3 @@
+@load ./consts
+@load ./const-dos-error
+@load ./const-nt-status

scripts/base/protocols/smb/const-dos-error.bro

@@ -0,0 +1,132 @@
+# DOS error codes.
+@load ./consts
+
+module SMB;
+
+redef SMB::statuses += {
+	[0x00010001] = [$id="badfunc", $desc="Incorrect function."],
+	[0x00010002] = [$id="error", $desc="Incorrect function."],
+	[0x00020001] = [$id="badfile", $desc="The system cannot find the file specified."],
+	[0x00020002] = [$id="badpw", $desc="Bad password."],
+	[0x00030001] = [$id="badpath", $desc="The system cannot find the path specified."],
+	[0x00030002] = [$id="badtype", $desc="reserved"],
+	[0x00040001] = [$id="nofids", $desc="The system cannot open the file."],
+	[0x00040002] = [$id="access", $desc="The client does not have the necessary access rights to perform the requested function."],
+	[0x00050001] = [$id="noaccess", $desc="Access is denied."],
+	[0x00050002] = [$id="invnid", $desc="The TID specified was invalid."],
+	[0x00060001] = [$id="badfid", $desc="The handle is invalid."],
+	[0x00060002] = [$id="invnetname", $desc="The network name cannot be found."],
+	[0x00070001] = [$id="badmcb", $desc="The storage control blocks were destroyed."],
+	[0x00070002] = [$id="invdevice", $desc="The device specified is invalid."],
+	[0x00080001] = [$id="nomem", $desc="Not enough storage is available to process this command."],
+	[0x00090001] = [$id="badmem", $desc="The storage control block address is invalid."],
+	[0x000a0001] = [$id="badenv", $desc="The environment is incorrect."],
+	[0x000c0001] = [$id="badaccess", $desc="The access code is invalid."],
+	[0x000d0001] = [$id="baddata", $desc="The data is invalid."],
+	[0x000e0001] = [$id="res", $desc="reserved"],
+	[0x000f0001] = [$id="baddrive", $desc="The system cannot find the drive specified."],
+	[0x00100001] = [$id="remcd", $desc="The directory cannot be removed."],
+	[0x00110001] = [$id="diffdevice", $desc="The system cannot move the file to a different disk drive."],
+	[0x00120001] = [$id="nofiles", $desc="There are no more files."],
+	[0x00130003] = [$id="nowrite", $desc="The media is write protected."],
+	[0x00140003] = [$id="badunit", $desc="The system cannot find the device specified."],
+	[0x00150003] = [$id="notready", $desc="The device is not ready."],
+	[0x00160002] = [$id="unknownsmb", $desc="The device does not recognize the command."],
+	[0x00160003] = [$id="badcmd", $desc="The device does not recognize the command."],
+	[0x00170003] = [$id="data", $desc="Data error (cyclic redundancy check)."],
+	[0x00180003] = [$id="badreq", $desc="The program issued a command but the command length is incorrect."],
+	[0x00190003] = [$id="seek", $desc="The drive cannot locate a specific area or track on the disk."],
+	[0x001a0003] = [$id="badmedia", $desc="The specified disk or diskette cannot be accessed."],
+	[0x001b0003] = [$id="badsector", $desc="The drive cannot find the sector requested."],
+	[0x001c0003] = [$id="nopaper", $desc="The printer is out of paper."],
+	[0x001d0003] = [$id="write", $desc="The system cannot write to the specified device."],
+	[0x001e0003] = [$id="read", $desc="The system cannot read from the specified device."],
+	[0x001f0001] = [$id="general", $desc="A device attached to the system is not functioning."],
+	[0x001f0003] = [$id="general", $desc="A device attached to the system is not functioning."],
+	[0x00200001] = [$id="badshare", $desc="The process cannot access the file because it is being used by another process."],
+	[0x00200003] = [$id="badshare", $desc="The process cannot access the file because it is being used by another process."],
+	[0x00210001] = [$id="lock", $desc="The process cannot access the file because another process has locked a portion of the file."],
+	[0x00210003] = [$id="lock", $desc="The process cannot access the file because another process has locked a portion of the file."],
+	[0x00220003] = [$id="wrongdisk", $desc="The wrong diskette is in the drive."],
+	[0x00230003] = [$id="FCBunavail", $desc="No FCBs are available to process the request."],
+	[0x00240003] = [$id="sharebufexc", $desc="A sharing buffer has been exceeded."],
+	[0x00270003] = [$id="diskfull", $desc="The disk is full."],
+	[0x00310002] = [$id="qfull", $desc="The print queue is full."],
+	[0x00320001] = [$id="unsup", $desc="The network request is not supported."],
+	[0x00320002] = [$id="qtoobig", $desc="The queued item too big."],
+	[0x00340002] = [$id="invpfid", $desc="The print file FID is invalid."],
+	[0x00340001] = [$id="dupname", $desc="A duplicate name exists on the network."],
+	[0x00400001] = [$id="netnamedel", $desc="The specified network name is no longer available."],
+	[0x00400002] = [$id="smbcmd", $desc="The server did not recognize the command received."],
+	[0x00410002] = [$id="srverror", $desc="The server encountered an internal error."],
+	[0x00420001] = [$id="noipc", $desc="The network resource type is not correct."],
+	[0x00430001] = [$id="nosuchshare", $desc="The network name cannot be found."],
+	[0x00430002] = [$id="filespecs", $desc="The specified FID and pathname combination is invalid."],
+	[0x00440002] = [$id="badlink", $desc="reserved"],
+	[0x00450002] = [$id="badpermits", $desc="The access permissions specified for a file or directory are not a valid combination."],
+	[0x00460002] = [$id="badpid", $desc="reserved"],
+	[0x00470001] = [$id="nomoreconn", $desc="nomoreconn."],
+	[0x00470002] = [$id="setattrmode", $desc="The attribute mode specified is invalid."],
+	[0x00500001] = [$id="filexists", $desc="The file exists."],
+	[0x00510002] = [$id="paused", $desc="The message server is paused."],
+	[0x00520002] = [$id="msgoff", $desc="Not receiving messages."],
+	[0x00530002] = [$id="noroom", $desc="No room to buffer message."],
+	[0x00570001] = [$id="invalidparam", $desc="The parameter is incorrect."],
+	[0x00570002] = [$id="rmuns", $desc="Too many remote usernames."],
+	[0x00580002] = [$id="timeout", $desc="Operation timed out."],
+	[0x00590002] = [$id="noresource", $desc="No resources currently available for request."],
+	[0x005a0002] = [$id="toomanyuids", $desc="Too many Uids active on this session."],
+	[0x005b0002] = [$id="baduid", $desc="The Uid is not known as a valid user identifier on this session."],
+	[0x006d0001] = [$id="brokenpipe", $desc="The pipe has been ended."],
+	[0x006e0001] = [$id="cannotopen", $desc="The system cannot open the device or file specified."],
+	[0x007a0001] = [$id="insufficientbuffer", $desc="The data area passed to a system call is too small."],
+	[0x007b0001] = [$id="invalidname", $desc="The filename, directory name, or volume label syntax is incorrect."],
+	[0x007c0001] = [$id="unknownlevel", $desc="The system call level is not correct."],
+	[0x00910001] = [$id="notempty", $desc="The directory is not empty."],
+	[0x009e0001] = [$id="notlocked", $desc="The segment is already unlocked."],
+	[0x00b70001] = [$id="rename", $desc="Cannot create a file when that file already exists."],
+	[0x00e60001] = [$id="badpipe", $desc="The pipe state is invalid."],
+	[0x00e70001] = [$id="pipebusy", $desc="All pipe instances are busy."],
+	[0x00e80001] = [$id="pipeclosing", $desc="The pipe is being closed."],
+	[0x00e90001] = [$id="notconnected", $desc="No process is on the other end of the pipe."],
+	[0x00ea0001] = [$id="moredata", $desc="More data is available."],
+	[0x00fa0002] = [$id="usempx", $desc="Temporarily unable to support Raw, use Mpx mode."],
+	[0x00fb0002] = [$id="usestd", $desc="Temporarily unable to support Raw, use standard read/write."],
+	[0x00fc0002] = [$id="contmpx", $desc="Continue in MPX mode."],
+	[0x00fe0002] = [$id="badPassword", $desc="reserved"],
+	[0x01030001] = [$id="nomoreitems", $desc="No more data is available."],
+	[0x010b0001] = [$id="baddirectory", $desc="The directory name is invalid."],
+	[0x011a0001] = [$id="easnotsupported", $desc="The mounted file system does not support extended attributes."],
+	[0x04000002] = [$id="_NOTIFY_ENUM_DIR", $desc="Too many files have changed since the last time an NT_TRANSACT_NOTIFY_CHANGE was issued."],
+	[0x052e0001] = [$id="logonfailure", $desc="Logon failure: unknown user name or bad password."],
+	[0x07030001] = [$id="driveralreadyinstalled", $desc="The specified printer driver is already installed."],
+	[0x07040001] = [$id="unknownprinterport", $desc="The specified port is unknown."],
+	[0x07050001] = [$id="unknownprinterdriver", $desc="The printer driver is unknown."],
+	[0x07060001] = [$id="unknownprintprocessor", $desc="The print processor is unknown."],
+	[0x07070001] = [$id="invalidseparatorfile", $desc="The specified separator file is invalid."],
+	[0x07080001] = [$id="invalidjobpriority", $desc="The specified priority is invalid."],
+	[0x07090001] = [$id="invalidprintername", $desc="The printer name is invalid."],
+	[0x070a0001] = [$id="printeralreadyexists", $desc="The printer already exists."],
+	[0x070b0001] = [$id="invalidprintercommand", $desc="The printer command is invalid."],
+	[0x070c0001] = [$id="invaliddatatype", $desc="The specified datatype is invalid."],
+	[0x070d0001] = [$id="invalidenvironment", $desc="The Environment specified is invalid."],
+	[0x084b0001] = [$id="buftoosmall", $desc="The API return buffer is too small."],
+	[0x085e0001] = [$id="unknownipc", $desc="The requested API is not supported on the remote server."],
+	[0x08670001] = [$id="nosuchprintjob", $desc="The print job does not exist."],
+	[0x08bf0002] = [$id="accountExpired", $desc="This user account has expired."],
+	[0x08c00002] = [$id="badClient", $desc="The user is not allowed to log on from this workstation."],
+	[0x08c10002] = [$id="badLogonTime", $desc="The user is not allowed to log on at this time."],
+	[0x08c20002] = [$id="passwordExpired", $desc="The password of this user has expired."],
+	[0x09970001] = [$id="invgroup", $desc="invgroup"],
+	[0x0bb80001] = [$id="unknownprintmonitor", $desc="The specified print monitor is unknown."],
+	[0x0bb90001] = [$id="printerdriverinuse", $desc="The specified printer driver is currently in use."],
+	[0x0bba0001] = [$id="spoolfilenotfound", $desc="The spool file was not found."],
+	[0x0bbb0001] = [$id="nostartdoc", $desc="A StartDocPrinter call was not issued."],
+	[0x0bbc0001] = [$id="noaddjob", $desc="An AddJob call was not issued."],
+	[0x0bbd0001] = [$id="printprocessoralreadyinstalled", $desc="The specified print processor has already been installed."],
+	[0x0bbe0001] = [$id="printmonitoralreadyinstalled", $desc="The specified print monitor has already been installed."],
+	[0x0bbf0001] = [$id="invalidprintmonitor", $desc="The specified print monitor does not have the required functions."],
+	[0x0bc00001] = [$id="printmonitorinuse", $desc="The specified print monitor is currently in use."],
+	[0x0bc10001] = [$id="printerhasjobsqueued", $desc="The requested operation is not allowed when there are jobs queued to the printer."],
+	[0xffff0002] = [$id="nosupport", $desc="Function not supported."],
+};

scripts/base/protocols/smb/consts.bro

@@ -0,0 +1,271 @@
+module SMB;
+
+export {
+	type StatusCode: record {
+		id: string;
+		desc: string;
+	};
+
+	const statuses: table[count] of StatusCode = {
+		[0x00000000] = [$id="SUCCESS", $desc="The operation completed successfully."],
+	} &redef &default=function(i: count):StatusCode { local unknown=fmt("unknown-%d", i); return [$id=unknown, $desc=unknown]; };
+
+	## These are files names that are used for special 
+	## cases by the file system and would not be 
+	## considered "normal" files.
+	const pipe_names: set[string] = {
+		"\\netdfs",
+		"\\spoolss",
+		"\\NETLOGON",
+		"\\winreg",
+		"\\lsarpc",
+		"\\samr",
+		"\\srvsvc",
+		"srvsvc",
+		"MsFteWds",
+		"\\wkssvc",
+	};
+
+	## The UUIDs used by the various RPC endpoints
+	const rpc_uuids: table[string] of string = {
+		["4b324fc8-1670-01d3-1278-5a47bf6ee188"] = "Server Service",
+		["6bffd098-a112-3610-9833-46c3f87e345a"] = "Workstation Service",
+	} &redef &default=function(i: string):string { return fmt("unknown-uuid-%s", i); };
+
+	## Server service sub commands
+	const srv_cmds: table[count] of string = {
+		[8]  = "NetrConnectionEnum",
+		[9]  = "NetrFileEnum",
+		[10] = "NetrFileGetInfo",
+		[11] = "NetrFileClose",
+		[12] = "NetrSessionEnum",
+		[13] = "NetrSessionDel",
+		[14] = "NetrShareAdd",
+		[15] = "NetrShareEnum",
+		[16] = "NetrShareGetInfo",
+		[17] = "NetrShareSetInfo",
+		[18] = "NetrShareDel",
+		[19] = "NetrShareDelSticky",
+		[20] = "NetrShareCheck",
+		[21] = "NetrServerGetInfo",
+		[22] = "NetrServerSetInfo",
+		[23] = "NetrServerDiskEnum",
+		[24] = "NetrServerStatisticsGet",
+		[25] = "NetrServerTransportAdd",
+		[26] = "NetrServerTransportEnum",
+		[27] = "NetrServerTransportDel",
+		[28] = "NetrRemoteTOD",
+		[30] = "NetprPathType",
+		[31] = "NetprPathCanonicalize",
+		[32] = "NetprPathCompare",
+		[33] = "NetprNameValidate",
+		[34] = "NetprNameCanonicalize",
+		[35] = "NetprNameCompare",
+		[36] = "NetrShareEnumSticky",
+		[37] = "NetrShareDelStart",
+		[38] = "NetrShareDelCommit",
+		[39] = "NetrGetFileSecurity",
+		[40] = "NetrSetFileSecurity",
+		[41] = "NetrServerTransportAddEx",
+		[43] = "NetrDfsGetVersion",
+		[44] = "NetrDfsCreateLocalPartition",
+		[45] = "NetrDfsDeleteLocalPartition",
+		[46] = "NetrDfsSetLocalVolumeState",
+		[48] = "NetrDfsCreateExitPoint",
+		[49] = "NetrDfsDeleteExitPoint",
+		[50] = "NetrDfsModifyPrefix",
+		[51] = "NetrDfsFixLocalVolume",
+		[52] = "NetrDfsManagerReportSiteInfo",
+		[53] = "NetrServerTransportDelEx",
+		[54] = "NetrServerAliasAdd",
+		[55] = "NetrServerAliasEnum",
+		[56] = "NetrServerAliasDel",
+		[57] = "NetrShareDelEx",
+	} &redef &default=function(i: count):string { return fmt("unknown-srv-command-%d", i); };
+
+	## Workstation service sub commands
+	const wksta_cmds: table[count] of string = {
+		[0]  = "NetrWkstaGetInfo",
+		[1]  = "NetrWkstaSetInfo",
+		[2]  = "NetrWkstaUserEnum",
+		[5]  = "NetrWkstaTransportEnum",
+		[6]  = "NetrWkstaTransportAdd",
+		[7]  = "NetrWkstaTransportDel",
+		[8]  = "NetrUseAdd",
+		[9]  = "NetrUseGetInfo",
+		[10] = "NetrUseDel",
+		[11] = "NetrUseEnum",
+		[13] = "NetrWorkstationStatisticsGet",
+		[20] = "NetrGetJoinInformation",
+		[22] = "NetrJoinDomain2",
+		[23] = "NetrUnjoinDomain2",
+		[24] = "NetrRenameMachineInDomain2",
+		[25] = "NetrValidateName2",
+		[26] = "NetrGetJoinableOUs2",
+		[27] = "NetrAddAlternateComputerName",
+		[28] = "NetrRemoveAlternateComputerName",
+		[29] = "NetrSetPrimaryComputerName",
+		[30] = "NetrEnumerateComputerNames",
+	} &redef &default=function(i: count):string { return fmt("unknown-wksta-command-%d", i); };
+
+	type rpc_cmd_table: table[count] of string;
+	
+	## The subcommands for RPC endpoints
+	const rpc_sub_cmds: table[string] of rpc_cmd_table = {
+		["4b324fc8-1670-01d3-1278-5a47bf6ee188"] = srv_cmds,
+		["6bffd098-a112-3610-9833-46c3f87e345a"] = wksta_cmds,	
+	} &redef &default=function(i: string):rpc_cmd_table { return table() &default=function(j: string):string { return fmt("unknown-uuid-%s", j); }; };
+	
+}
+
+module SMB1;
+
+export {
+	const commands: table[count] of string = {
+		[0x00] = "CREATE_DIRECTORY",
+		[0x01] = "DELETE_DIRECTORY",
+		[0x02] = "OPEN",
+		[0x03] = "CREATE",
+		[0x04] = "CLOSE",
+		[0x05] = "FLUSH",
+		[0x06] = "DELETE",
+		[0x07] = "RENAME",
+		[0x08] = "QUERY_INFORMATION",
+		[0x09] = "SET_INFORMATION",
+		[0x0A] = "READ",
+		[0x0B] = "WRITE",
+		[0x0C] = "LOCK_BYTE_RANGE",
+		[0x0D] = "UNLOCK_BYTE_RANGE",
+		[0x0E] = "CREATE_TEMPORARY",
+		[0x0F] = "CREATE_NEW",
+		[0x10] = "CHECK_DIRECTORY",
+		[0x11] = "PROCESS_EXIT",
+		[0x12] = "SEEK",
+		[0x13] = "LOCK_AND_READ",
+		[0x14] = "WRITE_AND_UNLOCK",
+		[0x1A] = "READ_RAW",
+		[0x1B] = "READ_MPX",
+		[0x1C] = "READ_MPX_SECONDARY",
+		[0x1D] = "WRITE_RAW",
+		[0x1E] = "WRITE_MPX",
+		[0x1F] = "WRITE_MPX_SECONDARY",
+		[0x20] = "WRITE_COMPLETE",
+		[0x21] = "QUERY_SERVER",
+		[0x22] = "SET_INFORMATION2",
+		[0x23] = "QUERY_INFORMATION2",
+		[0x24] = "LOCKING_ANDX",
+		[0x25] = "TRANSACTION",
+		[0x26] = "TRANSACTION_SECONDARY",
+		[0x27] = "IOCTL",
+		[0x28] = "IOCTL_SECONDARY",
+		[0x29] = "COPY",
+		[0x2A] = "MOVE",
+		[0x2B] = "ECHO",
+		[0x2C] = "WRITE_AND_CLOSE",
+		[0x2D] = "OPEN_ANDX",
+		[0x2E] = "READ_ANDX",
+		[0x2F] = "WRITE_ANDX",
+		[0x30] = "NEW_FILE_SIZE",
+		[0x31] = "CLOSE_AND_TREE_DISC",
+		[0x32] = "TRANSACTION2",
+		[0x33] = "TRANSACTION2_SECONDARY",
+		[0x34] = "FIND_CLOSE2",
+		[0x35] = "FIND_NOTIFY_CLOSE",
+		[0x70] = "TREE_CONNECT",
+		[0x71] = "TREE_DISCONNECT",
+		[0x72] = "NEGOTIATE",
+		[0x73] = "SESSION_SETUP_ANDX",
+		[0x74] = "LOGOFF_ANDX",
+		[0x75] = "TREE_CONNECT_ANDX",
+		[0x80] = "QUERY_INFORMATION_DISK",
+		[0x81] = "SEARCH",
+		[0x82] = "FIND",
+		[0x83] = "FIND_UNIQUE",
+		[0x84] = "FIND_CLOSE",
+		[0xA0] = "NT_TRANSACT",
+		[0xA1] = "NT_TRANSACT_SECONDARY",
+		[0xA2] = "NT_CREATE_ANDX",
+		[0xA4] = "NT_CANCEL",
+		[0xA5] = "NT_RENAME",
+		[0xC0] = "OPEN_PRINT_FILE",
+		[0xC1] = "WRITE_PRINT_FILE",
+		[0xC2] = "CLOSE_PRINT_FILE",
+		[0xC3] = "GET_PRINT_QUEUE",
+		[0xD8] = "READ_BULK",
+		[0xD9] = "WRITE_BULK",
+		[0xDA] = "WRITE_BULK_DATA",
+	} &default=function(i: count):string { return fmt("unknown-%d", i); };
+
+	const trans2_sub_commands: table[count] of string = {
+		[0x00] = "OPEN2",	
+		[0x01] = "FIND_FIRST2",	
+		[0x02] = "FIND_NEXT2",	
+		[0x03] = "QUERY_FS_INFORMATION",	
+		[0x04] = "SET_FS_INFORMATION",	
+		[0x05] = "QUERY_PATH_INFORMATION",	
+		[0x06] = "SET_PATH_INFORMATION",	
+		[0x07] = "QUERY_FILE_INFORMATION",	
+		[0x08] = "SET_FILE_INFORMATION",	
+		[0x09] = "FSCTL",	
+		[0x0A] = "IOCTL",	
+		[0x0B] = "FIND_NOTIFY_FIRST",	
+		[0x0C] = "FIND_NOTIFY_NEXT",	
+		[0x0D] = "CREATE_DIRECTORY",	
+		[0x0E] = "SESSION_SETUP",	
+		[0x10] = "GET_DFS_REFERRAL",	
+		[0x11] = "REPORT_DFS_INCONSISTENCY",	
+	} &default=function(i: count):string { return fmt("unknown-trans2-sub-cmd-%d", i); };
+
+	const trans_sub_commands: table[count] of string = {
+		[0x01] = "SET_NMPIPE_STATE",	
+		[0x11] = "RAW_READ_NMPIPE",	
+		[0x21] = "QUERY_NMPIPE_STATE",	
+		[0x22] = "QUERY_NMPIPE_INFO",	
+		[0x23] = "PEEK_NMPIPE",	
+		[0x26] = "TRANSACT_NMPIPE",	
+		[0x31] = "RAW_WRITE_NMPIPE",	
+		[0x36] = "READ_NMPIPE",	
+		[0x37] = "WRITE_NMPIPE",	
+		[0x53] = "WAIT_NMPIPE",	
+		[0x54] = "CALL_NMPIPE",	
+	} &default=function(i: count):string { return fmt("unknown-trans-sub-cmd-%d", i); };
+}
+
+module SMB2;
+
+export {
+	const commands: table[count] of string = {
+		[0]  = "NEGOTIATE_PROTOCOL",
+		[1]  = "SESSION_SETUP",
+		[2]  = "LOGOFF",
+		[3]  = "TREE_CONNECT",
+		[4]  = "TREE_DISCONNECT",
+		[5]  = "CREATE",
+		[6]  = "CLOSE",
+		[7]  = "FLUSH",
+		[8]  = "READ",
+		[9]  = "WRITE",
+		[10] = "LOCK",
+		[11] = "IOCTL",
+		[12] = "CANCEL",
+		[13] = "ECHO",
+		[14] = "QUERY_DIRECTORY",
+		[15] = "CHANGE_NOTIFY",
+		[16] = "QUERY_INFO",
+		[17] = "SET_INFO",
+		[18] = "OPLOCK_BREAK"
+	} &default=function(i: count): string { return fmt("unknown-%d", i); };
+
+	const dialects: table[count] of string = {
+		[0x0202] = "2.002",
+		[0x0210] = "2.1",
+		[0x0300] = "3.0",
+		[0x0302] = "3.02",
+	} &default=function(i: count): string { return fmt("unknown-%d", i); };
+
+	const share_types: table[count] of string = {
+		[1] = "DISK",
+		[2] = "PIPE",
+		[3] = "PRINT",
+	} &default=function(i: count): string { return fmt("unknown-%d", i); };
+}