diff --git a/scripts/base/protocols/dce-rpc/consts.bro b/scripts/base/protocols/dce-rpc/consts.bro
index dfaf5b8edc..64cf7ff836 100644
--- a/scripts/base/protocols/dce-rpc/consts.bro
+++ b/scripts/base/protocols/dce-rpc/consts.bro
@@ -1423,5 +1423,18 @@ export {
 	["e1af8308-5d1f-11c9-91a4-08002b14a0fa",0x06] = "ept_mgmt_delete",
 	["e1af8308-5d1f-11c9-91a4-08002b14a0fa",0x07] = "ept_map_auth",
 	["e1af8308-5d1f-11c9-91a4-08002b14a0fa",0x08] = "ept_map_auth_async",
+
+	# exchange_mapi
+	["a4f1db00-ca47-1067-b31f-00dd010662da",0x00] = "EcDoConnect",
+	["a4f1db00-ca47-1067-b31f-00dd010662da",0x01] = "EcDoDisconnect",
+	["a4f1db00-ca47-1067-b31f-00dd010662da",0x02] = "EcDoRpc",
+	["a4f1db00-ca47-1067-b31f-00dd010662da",0x03] = "EcGetMoreRpc",
+	["a4f1db00-ca47-1067-b31f-00dd010662da",0x04] = "EcRRegisterPushNotification",
+	["a4f1db00-ca47-1067-b31f-00dd010662da",0x05] = "EcRUnregisterPushNotification",
+	["a4f1db00-ca47-1067-b31f-00dd010662da",0x06] = "EcDummyRpc",
+	["a4f1db00-ca47-1067-b31f-00dd010662da",0x07] = "EcRGetDCName",
+	["a4f1db00-ca47-1067-b31f-00dd010662da",0x08] = "EcRNetGetDCName",
+	["a4f1db00-ca47-1067-b31f-00dd010662da",0x09] = "EcDoRpcExt",
+
 } &redef &default=function(uuid: string, i: count): string { return fmt("unknown-%d", i); };
 }
diff --git a/src/analyzer/protocol/dce-rpc/dce_rpc-auth.pac b/src/analyzer/protocol/dce-rpc/dce_rpc-auth.pac
index 0317978f78..d776f6fec2 100644
--- a/src/analyzer/protocol/dce-rpc/dce_rpc-auth.pac
+++ b/src/analyzer/protocol/dce-rpc/dce_rpc-auth.pac
@@ -14,8 +14,16 @@ refine connection DCE_RPC_Conn += {
 	%}
 
 	%cleanup{
-		delete gssapi;
-		delete ntlm;
+		if ( gssapi )
+			{
+			gssapi->Done();
+			delete gssapi;
+			}
+		if ( ntlm )
+			{
+			ntlm->Done();
+			delete ntlm;
+			}
 	%}
 
 	function forward_auth(auth: DCE_RPC_Auth, is_orig: bool): bool
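Review bot: The new exchange_mapi block stops at opnum 0x09, so the later operations of the same EMSMDB interface — to my knowledge EcDoConnectEx (0x0A) and EcDoRpcExt2 (0x0B), which newer Outlook clients use instead of EcDoConnect/EcDoRpcExt — would still be logged through the `&default` function as `unknown-10`/`unknown-11`; if the analyzer already recognises this UUID, consider adding `["a4f1db00-ca47-1067-b31f-00dd010662da",0x0a] = "EcDoConnectEx",` and `["a4f1db00-ca47-1067-b31f-00dd010662da",0x0b] = "EcDoRpcExt2",`. The `# exchange_mapi` comment would be more useful if it named the source of the names, e.g. `# exchange_mapi (EMSMDB interface, opnums per MS-OXCRPC)`, so future additions can be checked against the specification. The added blank line just before `} &redef` is not needed and differs from the other sections visible in the hunk.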
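Review bot: The new null checks in `%cleanup{` only do their job if `gssapi` and `ntlm` are set to null before any auth data is seen; the block that would initialise them closes at the `%}` at the top of the hunk and is not visible here, so confirm it contains `gssapi = 0; ntlm = 0;` (or equivalent) — otherwise a connection that never carries auth would call `Done()` on an indeterminate pointer at teardown. Calling `Done()` before `delete` also assumes nothing else (the `forward_auth` path below, or the parent analyzer's own removal logic) has already finished these child analyzers, since finishing an analyzer twice is generally an error in this lifecycle; a one-line comment at the top of the block such as `// child analyzers are owned here; Done() and delete happen only in this cleanup` would record that contract. The two branches are identical apart from the pointer, so a tiny helper would remove the duplication, but that is a style preference rather than a defect.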
diff --git a/testing/btest/Baseline/scripts.base.protocols.dce-rpc.mapi/dce_rpc.log b/testing/btest/Baseline/scripts.base.protocols.dce-rpc.mapi/dce_rpc.log
new file mode 100644
index 0000000000..93b8b0d602
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.protocols.dce-rpc.mapi/dce_rpc.log
@@ -0,0 +1,21 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	dce_rpc
+#open	2016-07-07-17-12-27
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	rtt	named_pipe	endpoint	operation
+#types	time	string	addr	port	addr	port	interval	string	string	string
+1056991898.891148	CCvvfg3TEfuqmmG4bh	192.168.0.173	1066	192.168.0.2	135	0.000375	135	epmapper	ept_map
+1056991898.895146	CsRx2w45OKnoww6xl4	192.168.0.173	1067	192.168.0.2	4997	0.000749	4997	nspi	NspiBind
+1056991898.902393	CRJuHdVW0XPVINV8a	192.168.0.173	1068	192.168.0.2	4997	0.026606	4997	nspi	NspiBind
+1056991898.931248	CPbrpk1qSsw6ESzHV4	192.168.0.173	1069	192.168.0.2	135	0.000500	135	epmapper	ept_lookup
+1056991899.586840	C6pKV8GSxOnSLghOa	192.168.0.173	1072	192.168.0.2	135	0.000374	135	epmapper	ept_map
+1056991899.594336	CIPOse170MGiRM1Qf4	192.168.0.173	1073	192.168.0.2	1032	0.031980	1032	exchange_mapi	EcDoConnect
+1056991899.626566	CIPOse170MGiRM1Qf4	192.168.0.173	1073	192.168.0.2	1032	0.024359	1032	exchange_mapi	EcDoRpc
+1056991899.652798	CIPOse170MGiRM1Qf4	192.168.0.173	1073	192.168.0.2	1032	0.001374	1032	exchange_mapi	EcDoRpc
+1056991899.655922	CIPOse170MGiRM1Qf4	192.168.0.173	1073	192.168.0.2	1032	0.000999	1032	exchange_mapi	EcDoRpc
+1056991899.658670	CIPOse170MGiRM1Qf4	192.168.0.173	1073	192.168.0.2	1032	0.001624	1032	exchange_mapi	EcDoRpc
+1056991899.660794	CIPOse170MGiRM1Qf4	192.168.0.173	1073	192.168.0.2	1032	0.003998	1032	exchange_mapi	EcRRegisterPushNotification
+1056991899.707516	CIPOse170MGiRM1Qf4	192.168.0.173	1073	192.168.0.2	1032	0.003998	1032	exchange_mapi	EcRRegisterPushNotification
+#close	2016-07-07-17-12-27
diff --git a/testing/btest/Baseline/scripts.base.protocols.dce-rpc.mapi/ntlm.log b/testing/btest/Baseline/scripts.base.protocols.dce-rpc.mapi/ntlm.log
new file mode 100644
index 0000000000..a1e0834365
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.protocols.dce-rpc.mapi/ntlm.log
@@ -0,0 +1,11 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	ntlm
+#open	2016-07-07-17-09-16
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	username	hostname	domainname	success	status
+#types	time	string	addr	port	addr	port	string	string	string	bool	string
+1056991898.902392	CRJuHdVW0XPVINV8a	192.168.0.173	1068	192.168.0.2	4997	ALeonard	ALEONARD-XP	CNAMIS	-	-
+1056991899.594334	CIPOse170MGiRM1Qf4	192.168.0.173	1073	192.168.0.2	1032	ALeonard	ALEONARD-XP	CNAMIS	-	-
+#close	2016-07-07-17-09-16
diff --git a/testing/btest/Traces/dce-rpc/mapi.pcap b/testing/btest/Traces/dce-rpc/mapi.pcap
new file mode 100644
index 0000000000..f5b94b8089
Binary files /dev/null and b/testing/btest/Traces/dce-rpc/mapi.pcap differ
diff --git a/testing/btest/scripts/base/protocols/dce-rpc/mapi.test b/testing/btest/scripts/base/protocols/dce-rpc/mapi.test
new file mode 100644
index 0000000000..97431bb005
--- /dev/null
+++ b/testing/btest/scripts/base/protocols/dce-rpc/mapi.test
@@ -0,0 +1,6 @@
+# @TEST-EXEC: bro -b -r $TRACES/dce-rpc/mapi.pcap %INPUT
+# @TEST-EXEC: btest-diff dce_rpc.log
+# @TEST-EXEC: btest-diff ntlm.log
+
+@load base/protocols/dce-rpc
+@load base/protocols/ntlm
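Review bot: The new mapi.test has no comment saying what the trace exercises, so a reader has to open the baselines to learn that it guards the exchange_mapi operation names and NTLM auth forwarding in the DCE-RPC analyzer; a header line above the first `@TEST-EXEC`, e.g. `# NTLM-authenticated Exchange MAPI session: checks EMSMDB (exchange_mapi) operation naming and NTLM auth forwarding.`, would document that. It would also help to note in that comment that the trace is run with `-b` on purpose, so that only the two loaded protocol scripts contribute to the diffed logs and the baselines do not pick up unrelated output from the default script set.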