Fix tracking of DCE-RPC context identifier mappings

This adds previously-missing support for "Alter Context" request/response PDUs (initial patch contributed by Mark Fernandez). Also, context ID arguments were added to dce_rpc_bind, dce_rpc_request, and dce_rpc_response in order to properly track what endpoint/operation a given opnum maps to.
2025-10-13 03:58:20 +00:00 · 2018-08-23 15:11:38 -05:00 · 2018-08-23 15:11:38 -05:00 · 620cd671ba
commit 620cd671ba
parent 45338b1942
9 changed files with 210 additions and 27 deletions
--- a/testing/btest/scripts/base/protocols/dce-rpc/context.bro
+++ b/testing/btest/scripts/base/protocols/dce-rpc/context.bro
@ -0,0 +1,31 @@
+# @TEST-EXEC: bro -b -C -r $TRACES/dce-rpc/cs_window7-join_stream092.pcap %INPUT >out
+# @TEST-EXEC: btest-diff out
+# @TEST-EXEC: btest-diff dce_rpc.log
+
+@load base/protocols/dce-rpc
+
+event dce_rpc_bind(c: connection, fid: count, ctx_id: count, uuid: string, ver_major: count, ver_minor: count) &priority=5
+	{
+	print fmt("dce_rpc_bind :: fid  == %s", fid);
+	print fmt("dce_rpc_bind :: ctx_id  == %s", ctx_id);
+	print fmt("dce_rpc_bind :: uuid == %s", uuid_to_string(uuid));
+	}
+
+event dce_rpc_alter_context(c: connection, fid: count, ctx_id: count, uuid: string, ver_major: count, ver_minor: count) &priority=5
+	{
+	print fmt("dce_rpc_alter_context :: fid  == %s", fid);
+	print fmt("dce_rpc_alter_context :: ctx_id  == %s", ctx_id);
+	print fmt("dce_rpc_alter_context :: uuid == %s", uuid_to_string(uuid));
+	}
+
+
+event dce_rpc_bind_ack(c: connection, fid: count, sec_addr: string) &priority=5
+	{
+	print fmt("dce_rpc_bind_ack :: fid      == %s", fid);
+	print fmt("dce_rpc_bind_ack :: sec_addr == %s", sec_addr);
+	}
+
+event dce_rpc_alter_context_resp(c: connection, fid: count) &priority=5
+	{
+	print fmt("dce_rpc_alter_context_resp :: fid      == %s", fid);
+	}