Initial import of svn+ssh:://svn.icir.org/bro/trunk/bro as of r7088

2025-10-07 17:18:20 +00:00 · 2010-09-27 20:42:30 -07:00 · 2010-09-27 20:42:30 -07:00 · 61757ac78b
commit 61757ac78b
1383 changed files with 380824 additions and 0 deletions
--- a/src/DCE_RPC.h
+++ b/src/DCE_RPC.h
@ -0,0 +1,189 @@
+// $Id: DCE_RPC.h 6219 2008-10-01 05:39:07Z vern $
+//
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#ifndef dce_rpc_h
+#define dce_rpc_h
+
+// NOTE: This is a somewhat crude analyzer for DCE/RPC (used on Microsoft
+// Windows systems) and shouldn't be considered as stable.
+
+#include "NetVar.h"
+#include "TCP.h"
+
+#include "dce_rpc_simple_pac.h"
+
+class UUID {
+public:
+	UUID();
+	UUID(const u_char data[16]);
+	UUID(const binpac::bytestring &uuid);
+	UUID(const char* s);
+
+	const char* to_string() const	{ return s.c_str(); }
+	const string& str() const	{ return s; }
+	bool operator==(const UUID& u) const
+		{ return s == u.str(); }
+	bool operator<(const UUID& u) const
+		{ return s < u.str(); }
+
+protected:
+	u_char data[16];
+	string s;
+};
+
+const char* uuid_to_string(const u_char* uuid_data);
+
+struct dce_rpc_endpoint_addr {
+	// All fields are in host byteorder.
+	uint32 addr;
+	u_short port;
+	TransportProto proto;
+
+	dce_rpc_endpoint_addr()
+		{
+		addr = 0;
+		port = 0;
+		proto = TRANSPORT_UNKNOWN;
+		}
+
+	bool is_valid_addr() const
+		{ return addr != 0 && port != 0 && proto != TRANSPORT_UNKNOWN; }
+
+	bool operator<(dce_rpc_endpoint_addr const &e) const
+		{
+		if ( addr != e.addr )
+			return addr < e.addr;
+		if ( proto != e.proto )
+			return proto < e.proto;
+		if ( port != e.port )
+			return port < e.port;
+
+		return false;
+		}
+
+	string to_string() const
+		{
+		static char buf[128];
+		snprintf(buf, sizeof(buf), "%s/%d/%s",
+			dotted_addr(htonl(addr)), port,
+			proto == TRANSPORT_TCP ? "tcp" :
+			(proto == TRANSPORT_UDP ? "udp" : "?"));
+
+		return string(buf);
+		}
+};
+
+/*
+enum DCE_RPC_PTYPE {
+	DCE_RPC_REQUEST, DCE_RPC_PING, DCE_RPC_RESPONSE, DCE_RPC_FAULT,
+	DCE_RPC_WORKING, DCE_RPC_NOCALL, DCE_RPC_REJECT, DCE_RPC_ACK,
+	DCE_RPC_CL_CANCEL, DCE_RPC_FACK, DCE_RPC_CANCEL_ACK, DCE_RPC_BIND,
+	DCE_RPC_BIND_ACK, DCE_RPC_BIND_NAK, DCE_RPC_ALTER_CONTEXT,
+	DCE_RPC_ALTER_CONTEXT_RESP, DCE_RPC_SHUTDOWN, DCE_RPC_CO_CANCEL,
+	DCE_RPC_ORPHANED,
+};
+*/
+
+#define DCE_RPC_HEADER_LENGTH 16
+
+class DCE_RPC_Header {
+public:
+	DCE_RPC_Header(Analyzer* a, const u_char* bytes);
+
+	BroEnum::dce_rpc_ptype PTYPE() const	{ return ptype; }
+	int FragLen() const		{ return frag_len; }
+	int LittleEndian() const	{ return bytes[4] >> 4; }
+	bool Fragmented() const		{ return fragmented; }
+
+	void Weird(const char* msg)	{ analyzer->Weird(msg); }
+	void SetBytes(const u_char* b)	{ bytes = b; }
+
+protected:
+	Analyzer* analyzer;
+	const u_char* bytes;
+	BroEnum::dce_rpc_ptype ptype;
+	int frag_len;
+	bool fragmented;
+};
+
+// Create a general DCE_RPC_Session class so that it can be used in
+// case the RPC conversation is tunneled through other connections,
+// e.g. through an SMB session.
+
+class DCE_RPC_Session {
+public:
+	DCE_RPC_Session(Analyzer* a);
+	virtual ~DCE_RPC_Session() {}
+	virtual void DeliverPDU(int is_orig, int len, const u_char* data);
+
+	static bool LooksLikeRPC(int len, const u_char* msg);
+	static bool any_dce_rpc_event()
+		{ return dce_rpc_message || dce_rpc_bind || dce_rpc_request; }
+
+protected:
+	void DeliverBind(const binpac::DCE_RPC_Simple::DCE_RPC_PDU* pdu);
+	void DeliverRequest(const binpac::DCE_RPC_Simple::DCE_RPC_PDU* pdu);
+	void DeliverResponse(const binpac::DCE_RPC_Simple::DCE_RPC_PDU* pdu);
+
+	void DeliverEpmapperRequest(
+			const binpac::DCE_RPC_Simple::DCE_RPC_PDU* pdu,
+			const binpac::DCE_RPC_Simple::DCE_RPC_Request* req);
+	void DeliverEpmapperResponse(
+			const binpac::DCE_RPC_Simple::DCE_RPC_PDU* pdu,
+			const binpac::DCE_RPC_Simple::DCE_RPC_Response* resp);
+	void DeliverEpmapperMapResponse(
+			const binpac::DCE_RPC_Simple::DCE_RPC_PDU* pdu,
+			const binpac::DCE_RPC_Simple::DCE_RPC_Response* resp);
+
+	Analyzer* analyzer;
+	UUID if_uuid;
+	BroEnum::dce_rpc_if_id if_id;
+	int opnum;
+	struct {
+		dce_rpc_endpoint_addr addr;
+		UUID uuid;
+	} mapped;
+};
+
+class Contents_DCE_RPC_Analyzer : public TCP_SupportAnalyzer {
+public:
+	Contents_DCE_RPC_Analyzer(Connection* conn, bool orig, DCE_RPC_Session* session,
+		bool speculative);
+	~Contents_DCE_RPC_Analyzer();
+
+protected:
+	virtual void DeliverStream(int len, const u_char* data, bool orig);
+	virtual void DeliverPDU(int len, const u_char* data);
+
+	void InitState();
+
+	int speculation;
+	u_char* msg_buf;
+	int msg_len;
+	int buf_n;	// number of bytes in msg_buf
+	int buf_len;	// size off msg_buf
+	DCE_RPC_Header* hdr;
+
+	bool ParseHeader();
+
+	DCE_RPC_Session* session;
+};
+
+class DCE_RPC_Analyzer : public TCP_ApplicationAnalyzer {
+public:
+	DCE_RPC_Analyzer(Connection* conn, bool speculative = false);
+	~DCE_RPC_Analyzer();
+
+	static Analyzer* InstantiateAnalyzer(Connection* conn)
+		{ return new DCE_RPC_Analyzer(conn); }
+
+	static bool Available()
+		{ return DCE_RPC_Session::any_dce_rpc_event(); }
+
+protected:
+	DCE_RPC_Session* session;
+	bool speculative;
+};
+
+#endif /* dce_rpc_h */