diff --git a/CHANGES b/CHANGES index 5978307740..da80c4ca99 100644 --- a/CHANGES +++ b/CHANGES @@ -1,4 +1,16 @@ +2.5-147 | 2017-05-22 20:32:32 -0500 + + * Add nfs unittest. (Julien Wallior) + + * Added nfs_proc_rename event to rpc/nfs protocol analyzer. + (Roberto Del Valle Rodriguez) + + * Expand parsing of RPC Call packets to add Uid, Gid, Stamp, MachineName + and AuxGIDs (Julien Wallior) + + * Fix NFS protocol parser. (Julien Wallior) + 2.5-142 | 2017-05-22 00:08:52 -0500 * Add gzip log writing to the ascii writer. diff --git a/VERSION b/VERSION index 957e8c6e12..1babd71178 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -2.5-142 +2.5-147 diff --git a/scripts/base/init-bare.bro b/scripts/base/init-bare.bro index b5bf5d298d..84fca683ea 100644 --- a/scripts/base/init-bare.bro +++ b/scripts/base/init-bare.bro @@ -2142,6 +2142,16 @@ export { rep_dur: interval; ## The length in bytes of the reply. rep_len: count; + ## The user id of the reply. + rpc_uid: count; + ## The group id of the reply. + rpc_gid: count; + ## The stamp of the reply. + rpc_stamp: count; + ## The machine name of the reply. + rpc_machine_name: string; + ## The auxiliary ids of the reply. + rpc_auxgids: index_vec; }; ## NFS file attributes. Field names are based on RFC 1813. @@ -2172,6 +2182,16 @@ export { fname: string; ##< The name of the file we are interested in. }; + ## NFS *rename* arguments. + ## + ## .. bro:see:: nfs_proc_rename + type renameopargs_t : record { + src_dirfh : string; + src_fname : string; + dst_dirfh : string; + dst_fname : string; + }; + ## NFS lookup reply. If the lookup failed, *dir_attr* may be set. If the ## lookup succeeded, *fh* is always set and *obj_attr* and *dir_attr* ## may be set. @@ -2264,6 +2284,16 @@ export { dir_post_attr: fattr_t &optional; ##< Optional attributes associated w/ dir. }; + ## NFS reply for *rename*. Corresponds to *wcc_data* in the spec. + ## + ## .. bro:see:: nfs_proc_rename + type renameobj_reply_t: record { + src_dir_pre_attr: wcc_attr_t; + src_dir_post_attr: fattr_t; + dst_dir_pre_attr: wcc_attr_t; + dst_dir_post_attr: fattr_t; + }; + ## NFS *readdir* arguments. Used for both *readdir* and *readdirplus*. ## ## .. bro:see:: nfs_proc_readdir diff --git a/src/analyzer/protocol/rpc/NFS.cc b/src/analyzer/protocol/rpc/NFS.cc index 8a2620e2e5..03cd91e573 100644 --- a/src/analyzer/protocol/rpc/NFS.cc +++ b/src/analyzer/protocol/rpc/NFS.cc @@ -1,6 +1,7 @@ // See the file "COPYING" in the main distribution directory for copyright. #include +#include #include "bro-config.h" @@ -68,6 +69,10 @@ int NFS_Interp::RPC_BuildCall(RPC_CallInfo* c, const u_char*& buf, int& n) callarg = nfs3_diropargs(buf, n); break; + case BifEnum::NFS3::PROC_RENAME: + callarg = nfs3_renameopargs(buf, n); + break; + case BifEnum::NFS3::PROC_READDIR: callarg = nfs3_readdirargs(false, buf, n); break; @@ -196,6 +201,11 @@ int NFS_Interp::RPC_BuildReply(RPC_CallInfo* c, BifEnum::rpc_status rpc_status, event = nfs_proc_rmdir; break; + case BifEnum::NFS3::PROC_RENAME: + reply = nfs3_renameobj_reply(buf, n); + event = nfs_proc_rename; + break; + case BifEnum::NFS3::PROC_READDIR: reply = nfs3_readdir_reply(false, buf, n, nfs_status); event = nfs_proc_readdir; @@ -250,8 +260,9 @@ int NFS_Interp::RPC_BuildReply(RPC_CallInfo* c, BifEnum::rpc_status rpc_status, analyzer->ConnectionEvent(event, vl); } + else + Unref(reply); - Unref(reply); return 1; } @@ -288,6 +299,10 @@ val_list* NFS_Interp::event_common_vl(RPC_CallInfo *c, BifEnum::rpc_status rpc_s // These are the first parameters for each nfs_* event ... val_list *vl = new val_list; vl->append(analyzer->BuildConnVal()); + VectorVal* auxgids = new VectorVal(internal_type("index_vec")->AsVectorType()); + + for ( size_t i = 0; i < c->AuxGIDs().size(); ++i ) + auxgids->Assign(i, new Val(c->AuxGIDs()[i], TYPE_COUNT)); RecordVal *info = new RecordVal(BifType::Record::NFS3::info_t); info->Assign(0, new EnumVal(rpc_status, BifType::Enum::rpc_status)); @@ -298,6 +313,11 @@ val_list* NFS_Interp::event_common_vl(RPC_CallInfo *c, BifEnum::rpc_status rpc_s info->Assign(5, new Val(rep_start_time, TYPE_TIME)); info->Assign(6, new Val(rep_last_time-rep_start_time, TYPE_INTERVAL)); info->Assign(7, new Val(reply_len, TYPE_COUNT)); + info->Assign(8, new Val(c->Uid(), TYPE_COUNT)); + info->Assign(9, new Val(c->Gid(), TYPE_COUNT)); + info->Assign(10, new Val(c->Stamp(), TYPE_COUNT)); + info->Assign(11, new StringVal(c->MachineName())); + info->Assign(12, auxgids); vl->append(info); return vl; @@ -374,6 +394,17 @@ RecordVal *NFS_Interp::nfs3_diropargs(const u_char*& buf, int& n) return diropargs; } +RecordVal *NFS_Interp::nfs3_renameopargs(const u_char*& buf, int& n) + { + RecordVal *renameopargs = new RecordVal(BifType::Record::NFS3::renameopargs_t); + + renameopargs->Assign(0, nfs3_fh(buf, n)); + renameopargs->Assign(1, nfs3_filename(buf, n)); + renameopargs->Assign(2, nfs3_fh(buf, n)); + renameopargs->Assign(3, nfs3_filename(buf, n)); + + return renameopargs; + } RecordVal* NFS_Interp::nfs3_post_op_attr(const u_char*& buf, int& n) { @@ -558,6 +589,19 @@ RecordVal* NFS_Interp::nfs3_delobj_reply(const u_char*& buf, int& n) return rep; } +RecordVal* NFS_Interp::nfs3_renameobj_reply(const u_char*& buf, int& n) + { + RecordVal *rep = new RecordVal(BifType::Record::NFS3::renameobj_reply_t); + + // wcc_data + rep->Assign(0, nfs3_pre_op_attr(buf, n)); + rep->Assign(1, nfs3_post_op_attr(buf, n)); + rep->Assign(2, nfs3_pre_op_attr(buf, n)); + rep->Assign(3, nfs3_post_op_attr(buf, n)); + + return rep; + } + RecordVal* NFS_Interp::nfs3_readdirargs(bool isplus, const u_char*& buf, int&n) { RecordVal *args = new RecordVal(BifType::Record::NFS3::readdirargs_t); @@ -646,7 +690,7 @@ Val* NFS_Interp::ExtractBool(const u_char*& buf, int& n) NFS_Analyzer::NFS_Analyzer(Connection* conn) - : RPC_Analyzer("RPC", conn, new NFS_Interp(this)) + : RPC_Analyzer("NFS", conn, new NFS_Interp(this)) { orig_rpc = resp_rpc = 0; } diff --git a/src/analyzer/protocol/rpc/NFS.h b/src/analyzer/protocol/rpc/NFS.h index ba6cab38e2..85fb10ab49 100644 --- a/src/analyzer/protocol/rpc/NFS.h +++ b/src/analyzer/protocol/rpc/NFS.h @@ -37,6 +37,7 @@ protected: EnumVal* nfs3_ftype(const u_char*& buf, int& n); RecordVal* nfs3_wcc_attr(const u_char*& buf, int& n); RecordVal* nfs3_diropargs(const u_char*&buf, int &n); + RecordVal* nfs3_renameopargs(const u_char*&buf, int &n); StringVal* nfs3_filename(const u_char*& buf, int& n); StringVal* nfs3_nfspath(const u_char*& buf, int& n) { @@ -54,6 +55,7 @@ protected: RecordVal* nfs3_write_reply(const u_char*& buf, int& n, BifEnum::NFS3::status_t status); RecordVal* nfs3_newobj_reply(const u_char*& buf, int&n, BifEnum::NFS3::status_t status); RecordVal* nfs3_delobj_reply(const u_char*& buf, int& n); + RecordVal* nfs3_renameobj_reply(const u_char*& buf, int& n); StringVal* nfs3_post_op_fh(const u_char*& buf, int& n); RecordVal* nfs3_readdirargs(bool isplus, const u_char*& buf, int&n); RecordVal* nfs3_readdir_reply(bool isplus, const u_char*& buf, int&n, BifEnum::NFS3::status_t status); diff --git a/src/analyzer/protocol/rpc/RPC.cc b/src/analyzer/protocol/rpc/RPC.cc index aff6bfefc0..6ccd8008b8 100644 --- a/src/analyzer/protocol/rpc/RPC.cc +++ b/src/analyzer/protocol/rpc/RPC.cc @@ -40,7 +40,19 @@ RPC_CallInfo::RPC_CallInfo(uint32 arg_xid, const u_char*& buf, int& n, double ar prog = extract_XDR_uint32(buf, n); vers = extract_XDR_uint32(buf, n); proc = extract_XDR_uint32(buf, n); - cred_flavor = skip_XDR_opaque_auth(buf, n); + cred_flavor = extract_XDR_uint32(buf, n); + int cred_opaque_n, machinename_n; + const u_char* cred_opaque = extract_XDR_opaque(buf, n, cred_opaque_n); + stamp = extract_XDR_uint32(cred_opaque, cred_opaque_n); + const u_char* tmp = extract_XDR_opaque(cred_opaque, cred_opaque_n, machinename_n); + machinename = std::string(reinterpret_cast(tmp), machinename_n); + uid = extract_XDR_uint32(cred_opaque, cred_opaque_n); + gid = extract_XDR_uint32(cred_opaque, cred_opaque_n); + size_t number_of_gids = extract_XDR_uint32(cred_opaque, cred_opaque_n); + + for ( auto i = 0u; i < number_of_gids; ++i ) + auxgids.push_back(extract_XDR_uint32(cred_opaque, cred_opaque_n)); + verf_flavor = skip_XDR_opaque_auth(buf, n); header_len = call_n - n; diff --git a/src/analyzer/protocol/rpc/RPC.h b/src/analyzer/protocol/rpc/RPC.h index e87f8afa95..ab7b3968c7 100644 --- a/src/analyzer/protocol/rpc/RPC.h +++ b/src/analyzer/protocol/rpc/RPC.h @@ -62,6 +62,11 @@ public: uint32 Program() const { return prog; } uint32 Version() const { return vers; } uint32 Proc() const { return proc; } + uint32 Uid() const { return uid; } + uint32 Gid() const { return gid; } + uint32 Stamp() const { return stamp; } + const std::string& MachineName() const { return machinename; } + const std::vector& AuxGIDs() const { return auxgids; } double StartTime() const { return start_time; } void SetStartTime(double t) { start_time = t; } @@ -78,8 +83,12 @@ public: protected: uint32 xid, rpc_version, prog, vers, proc; - uint32 cred_flavor, verf_flavor; + uint32 cred_flavor, stamp; + uint32 uid, gid; + std::vector auxgids; + uint32 verf_flavor; u_char* call_buf; // copy of original call buffer + std::string machinename; double start_time; double last_time; int rpc_len; // size of the full RPC call, incl. xid and msg_type diff --git a/src/analyzer/protocol/rpc/events.bif b/src/analyzer/protocol/rpc/events.bif index fc42aac6a6..881faface1 100644 --- a/src/analyzer/protocol/rpc/events.bif +++ b/src/analyzer/protocol/rpc/events.bif @@ -274,6 +274,34 @@ event nfs_proc_remove%(c: connection, info: NFS3::info_t, req: NFS3::diropargs_t ## register a port for it or add a DPD payload signature. event nfs_proc_rmdir%(c: connection, info: NFS3::info_t, req: NFS3::diropargs_t, rep: NFS3::delobj_reply_t%); +## Generated for NFSv3 request/reply dialogues of type *rename*. The event is +## generated once we have either seen both the request and its corresponding +## reply, or an unanswered request has timed out. +## +## NFS is a service running on top of RPC. See `Wikipedia +## `__ for more +## information about the service. +## +## c: The RPC connection. +## +## info: Reports the status of the dialogue, along with some meta information. +## +## req: TODO. +## +## rep: The response returned in the reply. The values may not be valid if the +## request was unsuccessful. +## +## .. bro:see:: nfs_proc_create nfs_proc_getattr nfs_proc_lookup nfs_proc_mkdir +## nfs_proc_not_implemented nfs_proc_null nfs_proc_read nfs_proc_readdir +## nfs_proc_readlink nfs_proc_remove nfs_proc_rename nfs_proc_write +## nfs_reply_status rpc_call rpc_dialogue rpc_reply +## +## .. todo:: Bro's current default configuration does not activate the protocol +## analyzer that generates this event; the corresponding script has not yet +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. +event nfs_proc_rename%(c: connection, info: NFS3::info_t, req: NFS3::renameopargs_t, rep: NFS3::renameobj_reply_t%); + ## Generated for NFSv3 request/reply dialogues of type *readdir*. The event is ## generated once we have either seen both the request and its corresponding ## reply, or an unanswered request has timed out. diff --git a/src/types.bif b/src/types.bif index 500c8c9851..20995ef105 100644 --- a/src/types.bif +++ b/src/types.bif @@ -30,7 +30,7 @@ enum proc_t %{ # NFSv3 procedures PROC_MKNOD = 11, # not implemented PROC_REMOVE = 12, # done PROC_RMDIR = 13, # done - PROC_RENAME = 14, # not implemented + PROC_RENAME = 14, # done PROC_LINK = 15, # not implemented PROC_READDIR = 16, # done PROC_READDIRPLUS = 17, # done @@ -101,6 +101,7 @@ enum createmode_t %{ type info_t: record; type fattr_t: record; type diropargs_t: record; +type renameopargs_t: record; type lookup_reply_t: record; type readargs_t: record; type read_reply_t: record; @@ -110,6 +111,7 @@ type wcc_attr_t: record; type write_reply_t: record; type newobj_reply_t: record; type delobj_reply_t: record; +type renameobj_reply_t: record; type readdirargs_t: record; type direntry_t: record; type direntry_vec_t: vector; diff --git a/testing/btest/Baseline/scripts.base.protocols.nfs.basic/.stdout b/testing/btest/Baseline/scripts.base.protocols.nfs.basic/.stdout new file mode 100644 index 0000000000..58d51a773a --- /dev/null +++ b/testing/btest/Baseline/scripts.base.protocols.nfs.basic/.stdout @@ -0,0 +1,24 @@ +nfs_proc_not_implemented, [id=[orig_h=10.111.131.132, orig_p=972/tcp, resp_h=10.111.131.14, resp_p=2049/tcp], orig=[size=425, state=3, num_pkts=5, num_bytes_ip=624, flow_label=0, l2_addr=00:50:56:b2:78:69], resp=[size=520, state=3, num_pkts=3, num_bytes_ip=516, flow_label=0, l2_addr=00:50:56:b2:47:b9], start_time=1495059599.592055, duration=8.972795, service={ + +}, history=AaDd, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=], [rpc_stat=RPC_SUCCESS, nfs_stat=NFS3::NFS3ERR_OK, req_start=1495059608.564809, req_dur=0.0, req_len=124, rep_start=1495059608.56485, rep_dur=0.0, rep_len=112, rpc_uid=1628, rpc_gid=200, rpc_stamp=47704458, rpc_machine_name=pddevbal801, rpc_auxgids=[10, 24, 200, 320, 5189, 5196]], NFS3::PROC_ACCESS +nfs_proc_create, [id=[orig_h=10.111.131.132, orig_p=972/tcp, resp_h=10.111.131.14, resp_p=2049/tcp], orig=[size=581, state=3, num_pkts=6, num_bytes_ip=820, flow_label=0, l2_addr=00:50:56:b2:78:69], resp=[size=792, state=3, num_pkts=4, num_bytes_ip=680, flow_label=0, l2_addr=00:50:56:b2:47:b9], start_time=1495059599.592055, duration=8.97641, service={ + +}, history=AaDd, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=], [rpc_stat=RPC_SUCCESS, nfs_stat=NFS3::NFS3ERR_OK, req_start=1495059608.565064, req_dur=0.0, req_len=144, rep_start=1495059608.568465, rep_dur=0.0, rep_len=260, rpc_uid=1628, rpc_gid=200, rpc_stamp=47704458, rpc_machine_name=pddevbal801, rpc_auxgids=[10, 24, 200, 320, 5189, 5196]], [dirfh=\x01\x00\x06\x01\x9e\xb5K+3\xeeB+\x82\xa7d\xc9%z\x82\s\xc4\xfa\x00\x09\x8c\xbc\xd8, fname=testfile], [fh=\x01\x00\x06\x01\x9e\xb5K+3\xeeB+\x82\xa7d\xc9%z\x82\w\x1ew\x01]\xb6\x00=, obj_attr=[ftype=NFS3::FTYPE_REG, mode=32768, nlink=1, uid=1628, gid=200, size=0, used=0, rdev1=0, rdev2=0, fsid=8629059712046797340, fileid=24583799, atime=2044592128.0, mtime=51501766.0, ctime=1495059608.558778], dir_pre_attr=[size=0, atime=1495059608.558778, mtime=1495059608.558778], dir_post_attr=[ftype=NFS3::FTYPE_DIR, mode=16877, nlink=2, uid=1628, gid=200, size=21, used=0, rdev1=0, rdev2=0, fsid=8629059712046797340, fileid=16434291, atime=1495059608.558778, mtime=1495059608.558778, ctime=1495059608.558778]] +nfs_proc_not_implemented, [id=[orig_h=10.111.131.132, orig_p=972/tcp, resp_h=10.111.131.14, resp_p=2049/tcp], orig=[size=745, state=3, num_pkts=7, num_bytes_ip=1024, flow_label=0, l2_addr=00:50:56:b2:78:69], resp=[size=940, state=3, num_pkts=5, num_bytes_ip=992, flow_label=0, l2_addr=00:50:56:b2:47:b9], start_time=1495059599.592055, duration=8.982349, service={ + +}, history=AaDd, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=], [rpc_stat=RPC_SUCCESS, nfs_stat=NFS3::NFS3ERR_OK, req_start=1495059608.568646, req_dur=0.0, req_len=152, rep_start=1495059608.574404, rep_dur=0.0, rep_len=136, rpc_uid=1628, rpc_gid=200, rpc_stamp=47704458, rpc_machine_name=pddevbal801, rpc_auxgids=[10, 24, 200, 320, 5189, 5196]], NFS3::PROC_SETATTR +nfs_proc_lookup, [id=[orig_h=10.111.131.132, orig_p=972/tcp, resp_h=10.111.131.14, resp_p=2049/tcp], orig=[size=1185, state=3, num_pkts=10, num_bytes_ip=1584, flow_label=0, l2_addr=00:50:56:b2:78:69], resp=[size=1388, state=3, num_pkts=8, num_bytes_ip=1588, flow_label=0, l2_addr=00:50:56:b2:47:b9], start_time=1495059599.592055, duration=8.989157, service={ + +}, history=AaDd, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=], [rpc_stat=RPC_SUCCESS, nfs_stat=NFS3::NFS3ERR_NOENT, req_start=1495059608.581163, req_dur=0.0, req_len=136, rep_start=1495059608.581212, rep_dur=0.0, rep_len=108, rpc_uid=1628, rpc_gid=200, rpc_stamp=47704458, rpc_machine_name=pddevbal801, rpc_auxgids=[10, 24, 200, 320, 5189, 5196]], [dirfh=\x01\x00\x06\x01\x9e\xb5K+3\xeeB+\x82\xa7d\xc9%z\x82\s\xc4\xfa\x00\x09\x8c\xbc\xd8, fname=testfile2], [fh=, obj_attr=, dir_attr=[ftype=NFS3::FTYPE_DIR, mode=16877, nlink=2, uid=1628, gid=200, size=21, used=0, rdev1=0, rdev2=0, fsid=8629059712046797340, fileid=16434291, atime=1495059608.558778, mtime=1495059608.558778, ctime=1495059608.558778]] +nfs_proc_rename, [id=[orig_h=10.111.131.132, orig_p=972/tcp, resp_h=10.111.131.14, resp_p=2049/tcp], orig=[size=1377, state=3, num_pkts=11, num_bytes_ip=1816, flow_label=0, l2_addr=00:50:56:b2:78:69], resp=[size=1652, state=3, num_pkts=9, num_bytes_ip=1748, flow_label=0, l2_addr=00:50:56:b2:47:b9], start_time=1495059599.592055, duration=8.991291, service={ + +}, history=AaDd, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=], [rpc_stat=RPC_SUCCESS, nfs_stat=NFS3::NFS3ERR_OK, req_start=1495059608.581412, req_dur=0.0, req_len=180, rep_start=1495059608.583346, rep_dur=0.0, rep_len=252, rpc_uid=1628, rpc_gid=200, rpc_stamp=47704458, rpc_machine_name=pddevbal801, rpc_auxgids=[10, 24, 200, 320, 5189, 5196]], [src_dirfh=\x01\x00\x06\x01\x9e\xb5K+3\xeeB+\x82\xa7d\xc9%z\x82\s\xc4\xfa\x00\x09\x8c\xbc\xd8, src_fname=testfile, dst_dirfh=\x01\x00\x06\x01\x9e\xb5K+3\xeeB+\x82\xa7d\xc9%z\x82\s\xc4\xfa\x00\x09\x8c\xbc\xd8, dst_fname=testfile2], [src_dir_pre_attr=[size=0, atime=1495059608.558778, mtime=1495059608.558778], src_dir_post_attr=[ftype=NFS3::FTYPE_DIR, mode=16877, nlink=2, uid=1628, gid=200, size=22, used=0, rdev1=0, rdev2=0, fsid=8629059712046797340, fileid=16434291, atime=1495059608.558778, mtime=1495059608.574778, ctime=1495059608.574778], dst_dir_pre_attr=[size=0, atime=1495059608.558778, mtime=1495059608.558778], dst_dir_post_attr=[ftype=NFS3::FTYPE_DIR, mode=16877, nlink=2, uid=1628, gid=200, size=22, used=0, rdev1=0, rdev2=0, fsid=8629059712046797340, fileid=16434291, atime=1495059608.558778, mtime=1495059608.574778, ctime=1495059608.574778]] +nfs_proc_not_implemented, [id=[orig_h=10.111.131.132, orig_p=972/tcp, resp_h=10.111.131.14, resp_p=2049/tcp], orig=[size=1777, state=3, num_pkts=14, num_bytes_ip=2336, flow_label=0, l2_addr=00:50:56:b2:78:69], resp=[size=2008, state=3, num_pkts=12, num_bytes_ip=2364, flow_label=0, l2_addr=00:50:56:b2:47:b9], start_time=1495059599.592055, duration=8.993098, service={ + +}, history=AaDd, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=], [rpc_stat=RPC_SUCCESS, nfs_stat=NFS3::NFS3ERR_OK, req_start=1495059608.585126, req_dur=0.0, req_len=124, rep_start=1495059608.585153, rep_dur=0.0, rep_len=112, rpc_uid=1628, rpc_gid=200, rpc_stamp=47704458, rpc_machine_name=pddevbal801, rpc_auxgids=[10, 24, 200, 320, 5189, 5196]], NFS3::PROC_ACCESS +nfs_proc_remove, [id=[orig_h=10.111.131.132, orig_p=972/tcp, resp_h=10.111.131.14, resp_p=2049/tcp], orig=[size=1925, state=3, num_pkts=16, num_bytes_ip=2564, flow_label=0, l2_addr=00:50:56:b2:78:69], resp=[size=2156, state=3, num_pkts=13, num_bytes_ip=2528, flow_label=0, l2_addr=00:50:56:b2:47:b9], start_time=1495059599.592055, duration=9.813823, service={ + +}, history=AaDd, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=], [rpc_stat=RPC_SUCCESS, nfs_stat=NFS3::NFS3ERR_OK, req_start=1495059609.400145, req_dur=0.0, req_len=136, rep_start=1495059609.405878, rep_dur=0.0, rep_len=136, rpc_uid=1628, rpc_gid=200, rpc_stamp=47704459, rpc_machine_name=pddevbal801, rpc_auxgids=[10, 24, 200, 320, 5189, 5196]], [dirfh=\x01\x00\x06\x01\x9e\xb5K+3\xeeB+\x82\xa7d\xc9%z\x82\s\xc4\xfa\x00\x09\x8c\xbc\xd8, fname=testfile2], [dir_pre_attr=[size=0, atime=1495059608.574778, mtime=1495059608.574778], dir_post_attr=[ftype=NFS3::FTYPE_DIR, mode=16877, nlink=2, uid=1628, gid=200, size=6, used=0, rdev1=0, rdev2=0, fsid=8629059712046797340, fileid=16434291, atime=1495059608.558778, mtime=1495059609.398797, ctime=1495059609.398797]] +nfs_proc_rmdir, [id=[orig_h=10.111.131.132, orig_p=972/tcp, resp_h=10.111.131.14, resp_p=2049/tcp], orig=[size=2057, state=3, num_pkts=18, num_bytes_ip=2776, flow_label=0, l2_addr=00:50:56:b2:78:69], resp=[size=2304, state=3, num_pkts=14, num_bytes_ip=2716, flow_label=0, l2_addr=00:50:56:b2:47:b9], start_time=1495059599.592055, duration=9.818272, service={ + +}, history=AaDd, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=], [rpc_stat=RPC_SUCCESS, nfs_stat=NFS3::NFS3ERR_OK, req_start=1495059609.407676, req_dur=0.0, req_len=120, rep_start=1495059609.410327, rep_dur=0.0, rep_len=136, rpc_uid=1628, rpc_gid=200, rpc_stamp=47704459, rpc_machine_name=pddevbal801, rpc_auxgids=[10, 24, 200, 320, 5189, 5196]], [dirfh=\x01\x00\x06\x00\x9e\xb5K+3\xeeB+\x82\xa7d\xc9%z\x82\, fname=test], [dir_pre_attr=[size=4096, atime=1495059608.558778, mtime=1495059608.558778], dir_post_attr=[ftype=NFS3::FTYPE_DIR, mode=17407, nlink=44, uid=0, gid=0, size=4096, used=4096, rdev1=0, rdev2=0, fsid=8629059712046797340, fileid=128, atime=0.0, mtime=1495059609.402797, ctime=1495059609.402797]] diff --git a/testing/btest/Traces/nfs/nfs_base.pcap b/testing/btest/Traces/nfs/nfs_base.pcap new file mode 100644 index 0000000000..1707107c83 Binary files /dev/null and b/testing/btest/Traces/nfs/nfs_base.pcap differ diff --git a/testing/btest/scripts/base/protocols/nfs/basic.test b/testing/btest/scripts/base/protocols/nfs/basic.test new file mode 100755 index 0000000000..4940c095a5 --- /dev/null +++ b/testing/btest/scripts/base/protocols/nfs/basic.test @@ -0,0 +1,66 @@ +# @TEST-EXEC: bro -b -r $TRACES/nfs/nfs_base.pcap %INPUT +# @TEST-EXEC: btest-diff .stdout + +global nfs_ports: set[port] = { 2049/tcp, 2049/udp } &redef; +redef ignore_checksums = T; + +event bro_init() + { + Analyzer::register_for_ports(Analyzer::ANALYZER_NFS, nfs_ports); + } + +event nfs_proc_lookup(c: connection , info: NFS3::info_t , req: NFS3::diropargs_t , rep: NFS3::lookup_reply_t ) + { + print "nfs_proc_lookup", c, info, req, rep; + } + +event nfs_proc_read(c: connection , info: NFS3::info_t , req: NFS3::readargs_t , rep: NFS3::read_reply_t ) + { + print "nfs_proc_read", c, info, req, rep; + } + +event nfs_proc_readlink(c: connection , info: NFS3::info_t , fh: string , rep: NFS3::readlink_reply_t ) + { + print "nfs_proc_readlink", c, info, fh, rep; + } + +event nfs_proc_write(c: connection , info: NFS3::info_t , req: NFS3::writeargs_t , rep: NFS3::write_reply_t ) + { + print "nfs_proc_write", c, info, req, rep; + } + +event nfs_proc_create(c: connection , info: NFS3::info_t , req: NFS3::diropargs_t , rep: NFS3::newobj_reply_t ) + { + print "nfs_proc_create", c, info, req, rep; + } + +event nfs_proc_mkdir(c: connection , info: NFS3::info_t , req: NFS3::diropargs_t , rep: NFS3::newobj_reply_t ) + { + print "nfs_proc_mkdir", c, info, req, rep; + } + +event nfs_proc_remove(c: connection , info: NFS3::info_t , req: NFS3::diropargs_t , rep: NFS3::delobj_reply_t ) + { + print "nfs_proc_remove", c, info, req, rep; + } + +event nfs_proc_rmdir(c: connection , info: NFS3::info_t , req: NFS3::diropargs_t , rep: NFS3::delobj_reply_t ) + { + print "nfs_proc_rmdir", c, info, req, rep; + } + +event nfs_proc_readdir(c: connection , info: NFS3::info_t , req: NFS3::readdirargs_t , rep: NFS3::readdir_reply_t ) + { + print "nfs_proc_readdir", c, info, req, rep; + } + +event nfs_proc_rename(c: connection , info: NFS3::info_t , req: NFS3::renameopargs_t , rep: NFS3::renameobj_reply_t ) + { + print "nfs_proc_rename", c, info, req, rep; + } + +event nfs_proc_not_implemented(c: connection , info: NFS3::info_t , proc: NFS3::proc_t ) + { + print "nfs_proc_not_implemented", c, info, proc; + } +