Merge remote-tracking branch 'origin/topic/seth/smb' into topic/robin/smb-merge

scripts/base/protocols/dce-rpc/consts.bro

@@ -1423,5 +1423,18 @@ export {
 		["e1af8308-5d1f-11c9-91a4-08002b14a0fa",0x06] = "ept_mgmt_delete",
 		["e1af8308-5d1f-11c9-91a4-08002b14a0fa",0x07] = "ept_map_auth",
 		["e1af8308-5d1f-11c9-91a4-08002b14a0fa",0x08] = "ept_map_auth_async",
+
+		# exchange_mapi
+		["a4f1db00-ca47-1067-b31f-00dd010662da",0x00] = "EcDoConnect",
+		["a4f1db00-ca47-1067-b31f-00dd010662da",0x01] = "EcDoDisconnect",
+		["a4f1db00-ca47-1067-b31f-00dd010662da",0x02] = "EcDoRpc",
+		["a4f1db00-ca47-1067-b31f-00dd010662da",0x03] = "EcGetMoreRpc",
+		["a4f1db00-ca47-1067-b31f-00dd010662da",0x04] = "EcRRegisterPushNotification",
+		["a4f1db00-ca47-1067-b31f-00dd010662da",0x05] = "EcRUnregisterPushNotification",
+		["a4f1db00-ca47-1067-b31f-00dd010662da",0x06] = "EcDummyRpc",
+		["a4f1db00-ca47-1067-b31f-00dd010662da",0x07] = "EcRGetDCName",
+		["a4f1db00-ca47-1067-b31f-00dd010662da",0x08] = "EcRNetGetDCName",
+		["a4f1db00-ca47-1067-b31f-00dd010662da",0x09] = "EcDoRpcExt",
+
 	} &redef &default=function(uuid: string, i: count): string { return fmt("unknown-%d", i); };
 }

src/analyzer/protocol/dce-rpc/dce_rpc-auth.pac

@@ -14,8 +14,16 @@ refine connection DCE_RPC_Conn += {
 	%}
 
 	%cleanup{
+		if ( gssapi )
+			{
+			gssapi->Done();
 			delete gssapi;
+			}
+		if ( ntlm )
+			{
+			ntlm->Done();
 			delete ntlm;
+			}
 	%}
 
 	function forward_auth(auth: DCE_RPC_Auth, is_orig: bool): bool

testing/btest/Baseline/scripts.base.protocols.dce-rpc.mapi/dce_rpc.log

@@ -0,0 +1,21 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	dce_rpc
+#open	2016-07-07-17-12-27
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	rtt	named_pipe	endpoint	operation
+#types	time	string	addr	port	addr	port	interval	string	string	string
+1056991898.891148	CCvvfg3TEfuqmmG4bh	192.168.0.173	1066	192.168.0.2	135	0.000375	135	epmapper	ept_map
+1056991898.895146	CsRx2w45OKnoww6xl4	192.168.0.173	1067	192.168.0.2	4997	0.000749	4997	nspi	NspiBind
+1056991898.902393	CRJuHdVW0XPVINV8a	192.168.0.173	1068	192.168.0.2	4997	0.026606	4997	nspi	NspiBind
+1056991898.931248	CPbrpk1qSsw6ESzHV4	192.168.0.173	1069	192.168.0.2	135	0.000500	135	epmapper	ept_lookup
+1056991899.586840	C6pKV8GSxOnSLghOa	192.168.0.173	1072	192.168.0.2	135	0.000374	135	epmapper	ept_map
+1056991899.594336	CIPOse170MGiRM1Qf4	192.168.0.173	1073	192.168.0.2	1032	0.031980	1032	exchange_mapi	EcDoConnect
+1056991899.626566	CIPOse170MGiRM1Qf4	192.168.0.173	1073	192.168.0.2	1032	0.024359	1032	exchange_mapi	EcDoRpc
+1056991899.652798	CIPOse170MGiRM1Qf4	192.168.0.173	1073	192.168.0.2	1032	0.001374	1032	exchange_mapi	EcDoRpc
+1056991899.655922	CIPOse170MGiRM1Qf4	192.168.0.173	1073	192.168.0.2	1032	0.000999	1032	exchange_mapi	EcDoRpc
+1056991899.658670	CIPOse170MGiRM1Qf4	192.168.0.173	1073	192.168.0.2	1032	0.001624	1032	exchange_mapi	EcDoRpc
+1056991899.660794	CIPOse170MGiRM1Qf4	192.168.0.173	1073	192.168.0.2	1032	0.003998	1032	exchange_mapi	EcRRegisterPushNotification
+1056991899.707516	CIPOse170MGiRM1Qf4	192.168.0.173	1073	192.168.0.2	1032	0.003998	1032	exchange_mapi	EcRRegisterPushNotification
+#close	2016-07-07-17-12-27

testing/btest/Baseline/scripts.base.protocols.dce-rpc.mapi/ntlm.log

@@ -0,0 +1,11 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	ntlm
+#open	2016-07-07-17-09-16
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	username	hostname	domainname	success	status
+#types	time	string	addr	port	addr	port	string	string	string	bool	string
+1056991898.902392	CRJuHdVW0XPVINV8a	192.168.0.173	1068	192.168.0.2	4997	ALeonard	ALEONARD-XP	CNAMIS	-	-
+1056991899.594334	CIPOse170MGiRM1Qf4	192.168.0.173	1073	192.168.0.2	1032	ALeonard	ALEONARD-XP	CNAMIS	-	-
+#close	2016-07-07-17-09-16

testing/btest/scripts/base/protocols/dce-rpc/mapi.test

@@ -0,0 +1,6 @@
+# @TEST-EXEC: bro -b -r $TRACES/dce-rpc/mapi.pcap %INPUT
+# @TEST-EXEC: btest-diff dce_rpc.log
+# @TEST-EXEC: btest-diff ntlm.log
+
+@load base/protocols/dce-rpc
+@load base/protocols/ntlm