Fix tracking of DCE-RPC context identifier mappings

This adds previously-missing support for "Alter Context"
request/response PDUs (initial patch contributed by Mark Fernandez).

Also, context ID arguments were added to dce_rpc_bind, dce_rpc_request,
and dce_rpc_response in order to properly track what endpoint/operation
a given opnum maps to.

scripts/base/protocols/dce-rpc/main.bro

@@ -37,6 +37,7 @@ export {
 	type State: record {
 		uuid       : string &optional;
 		named_pipe : string &optional;
+		ctx_to_uuid: table[count] of string &optional;
 	};
 
 	# This is to store the log and state information
@@ -100,11 +101,30 @@ function set_session(c: connection, fid: count)
 	set_state(c, state_x);
 	}
 
-event dce_rpc_bind(c: connection, fid: count, uuid: string, ver_major: count, ver_minor: count) &priority=5
+event dce_rpc_bind(c: connection, fid: count, ctx_id: count, uuid: string, ver_major: count, ver_minor: count) &priority=5
 	{
 	set_session(c, fid);
 
 	local uuid_str = uuid_to_string(uuid);
+
+	if ( ! c$dce_rpc_state?$ctx_to_uuid )
+		c$dce_rpc_state$ctx_to_uuid = table();
+
+	c$dce_rpc_state$ctx_to_uuid[ctx_id] = uuid_str;
+	c$dce_rpc_state$uuid = uuid_str;
+	c$dce_rpc$endpoint = uuid_endpoint_map[uuid_str];
+	}
+
+event dce_rpc_alter_context(c: connection, fid: count, ctx_id: count, uuid: string, ver_major: count, ver_minor: count) &priority=5
+	{
+	set_session(c, fid);
+
+	local uuid_str = uuid_to_string(uuid);
+
+	if ( ! c$dce_rpc_state?$ctx_to_uuid )
+		c$dce_rpc_state$ctx_to_uuid = table();
+
+	c$dce_rpc_state$ctx_to_uuid[ctx_id] = uuid_str;
 	c$dce_rpc_state$uuid = uuid_str;
 	c$dce_rpc$endpoint = uuid_endpoint_map[uuid_str];
 	}
@@ -120,7 +140,12 @@ event dce_rpc_bind_ack(c: connection, fid: count, sec_addr: string) &priority=5
 		}
 	}
 
-event dce_rpc_request(c: connection, fid: count, opnum: count, stub_len: count) &priority=5
+event dce_rpc_alter_context_resp(c: connection, fid: count) &priority=5
+	{
+	set_session(c, fid);
+	}
+
+event dce_rpc_request(c: connection, fid: count, ctx_id: count, opnum: count, stub_len: count) &priority=5
 	{
 	set_session(c, fid);
 
@@ -130,7 +155,7 @@ event dce_rpc_request(c: connection, fid: count, opnum: count, stub_len: count)
 		}
 	}
 
-event dce_rpc_response(c: connection, fid: count, opnum: count, stub_len: count) &priority=5
+event dce_rpc_response(c: connection, fid: count, ctx_id: count, opnum: count, stub_len: count) &priority=5
 	{
 	set_session(c, fid);
 
@@ -146,15 +171,26 @@ event dce_rpc_response(c: connection, fid: count, opnum: count, stub_len: count)
 			}
 		}
 
-	if ( c?$dce_rpc && c$dce_rpc?$endpoint )
+	if ( c?$dce_rpc )
 		{
-		c$dce_rpc$operation = operations[c$dce_rpc_state$uuid, opnum];
-		if ( c$dce_rpc$ts != network_time() )
-			c$dce_rpc$rtt = network_time() - c$dce_rpc$ts;
+		if ( c$dce_rpc?$endpoint )
+			{
+			c$dce_rpc$operation = operations[c$dce_rpc_state$uuid, opnum];
+			if ( c$dce_rpc$ts != network_time() )
+				c$dce_rpc$rtt = network_time() - c$dce_rpc$ts;
+			}
+
+		if ( c$dce_rpc_state?$ctx_to_uuid &&
+		     ctx_id in c$dce_rpc_state$ctx_to_uuid )
+			{
+			local u = c$dce_rpc_state$ctx_to_uuid[ctx_id];
+			c$dce_rpc$endpoint = uuid_endpoint_map[u];
+			c$dce_rpc$operation = operations[u, opnum];
+			}
 		}
 	}
 
-event dce_rpc_response(c: connection, fid: count, opnum: count, stub_len: count) &priority=-5
+event dce_rpc_response(c: connection, fid: count, ctx_id: count, opnum: count, stub_len: count) &priority=-5
 	{
 	if ( c?$dce_rpc )
 		{