Merge remote-tracking branch 'origin/master' into topic/dnthayer/ticket1963

2025-10-15 04:58:21 +00:00 · 2018-08-24 16:06:05 -05:00 · 2018-08-24 16:06:05 -05:00 · 8b0b7d3304
commit 8b0b7d3304
parent 01a899255e 1eeecf5fcc
79 changed files with 1627 additions and 121 deletions
--- a/scripts/base/protocols/dce-rpc/main.bro
+++ b/scripts/base/protocols/dce-rpc/main.bro
@ -37,6 +37,7 @@ export {
 	type State: record {
 		uuid       : string &optional;
 		named_pipe : string &optional;
+		ctx_to_uuid: table[count] of string &optional;
 	};

 	# This is to store the log and state information
@ -100,11 +101,30 @@ function set_session(c: connection, fid: count)
 	set_state(c, state_x);
 	}

-event dce_rpc_bind(c: connection, fid: count, uuid: string, ver_major: count, ver_minor: count) &priority=5
+event dce_rpc_bind(c: connection, fid: count, ctx_id: count, uuid: string, ver_major: count, ver_minor: count) &priority=5
 	{
 	set_session(c, fid);

 	local uuid_str = uuid_to_string(uuid);
+
+	if ( ! c$dce_rpc_state?$ctx_to_uuid )
+		c$dce_rpc_state$ctx_to_uuid = table();
+
+	c$dce_rpc_state$ctx_to_uuid[ctx_id] = uuid_str;
+	c$dce_rpc_state$uuid = uuid_str;
+	c$dce_rpc$endpoint = uuid_endpoint_map[uuid_str];
+	}
+
+event dce_rpc_alter_context(c: connection, fid: count, ctx_id: count, uuid: string, ver_major: count, ver_minor: count) &priority=5
+	{
+	set_session(c, fid);
+
+	local uuid_str = uuid_to_string(uuid);
+
+	if ( ! c$dce_rpc_state?$ctx_to_uuid )
+		c$dce_rpc_state$ctx_to_uuid = table();
+
+	c$dce_rpc_state$ctx_to_uuid[ctx_id] = uuid_str;
 	c$dce_rpc_state$uuid = uuid_str;
 	c$dce_rpc$endpoint = uuid_endpoint_map[uuid_str];
 	}
@ -120,7 +140,12 @@ event dce_rpc_bind_ack(c: connection, fid: count, sec_addr: string) &priority=5
 		}
 	}

-event dce_rpc_request(c: connection, fid: count, opnum: count, stub_len: count) &priority=5
+event dce_rpc_alter_context_resp(c: connection, fid: count) &priority=5
+	{
+	set_session(c, fid);
+	}
+
+event dce_rpc_request(c: connection, fid: count, ctx_id: count, opnum: count, stub_len: count) &priority=5
 	{
 	set_session(c, fid);

@ -130,7 +155,7 @@ event dce_rpc_request(c: connection, fid: count, opnum: count, stub_len: count)
 		}
 	}

-event dce_rpc_response(c: connection, fid: count, opnum: count, stub_len: count) &priority=5
+event dce_rpc_response(c: connection, fid: count, ctx_id: count, opnum: count, stub_len: count) &priority=5
 	{
 	set_session(c, fid);

@ -146,15 +171,26 @@ event dce_rpc_response(c: connection, fid: count, opnum: count, stub_len: count)
 			}
 		}

-	if ( c?$dce_rpc && c$dce_rpc?$endpoint )
+	if ( c?$dce_rpc )
 		{
-		c$dce_rpc$operation = operations[c$dce_rpc_state$uuid, opnum];
-		if ( c$dce_rpc$ts != network_time() )
-			c$dce_rpc$rtt = network_time() - c$dce_rpc$ts;
+		if ( c$dce_rpc?$endpoint )
+			{
+			c$dce_rpc$operation = operations[c$dce_rpc_state$uuid, opnum];
+			if ( c$dce_rpc$ts != network_time() )
+				c$dce_rpc$rtt = network_time() - c$dce_rpc$ts;
+			}
+
+		if ( c$dce_rpc_state?$ctx_to_uuid &&
+		     ctx_id in c$dce_rpc_state$ctx_to_uuid )
+			{
+			local u = c$dce_rpc_state$ctx_to_uuid[ctx_id];
+			c$dce_rpc$endpoint = uuid_endpoint_map[u];
+			c$dce_rpc$operation = operations[u, opnum];
+			}
 		}
 	}

-event dce_rpc_response(c: connection, fid: count, opnum: count, stub_len: count) &priority=-5
+event dce_rpc_response(c: connection, fid: count, ctx_id: count, opnum: count, stub_len: count) &priority=-5
 	{
 	if ( c?$dce_rpc )
 		{
--- a/scripts/base/protocols/http/main.bro
+++ b/scripts/base/protocols/http/main.bro
@ -199,7 +199,7 @@ event http_request(c: connection, method: string, original_URI: string,
 	c$http$uri = unescaped_URI;

 	if ( method !in http_methods )
-		event conn_weird("unknown_HTTP_method", c, method);
+		Reporter::conn_weird("unknown_HTTP_method", c, method);
 	}

 event http_reply(c: connection, version: string, code: count, reason: string) &priority=5
--- a/scripts/base/protocols/sip/main.bro
+++ b/scripts/base/protocols/sip/main.bro
@ -168,7 +168,7 @@ event sip_request(c: connection, method: string, original_URI: string, version:
 	c$sip$uri = original_URI;

 	if ( method !in sip_methods )
-		event conn_weird("unknown_SIP_method", c, method);
+		Reporter::conn_weird("unknown_SIP_method", c, method);
 	}

 event sip_reply(c: connection, version: string, code: count, reason: string) &priority=5
--- a/scripts/base/protocols/smb/smb1-main.bro
+++ b/scripts/base/protocols/smb/smb1-main.bro
@ -309,7 +309,7 @@ event smb_pipe_request(c: connection, hdr: SMB1::Header, op_num: count)
 	if ( ! f?$uuid )
 		{
 		# TODO: figure out why this is happening.
-		event conn_weird("smb_pipe_request_missing_uuid", c, "");
+		Reporter::conn_weird("smb_pipe_request_missing_uuid", c, "");
 		return;
 		}
 	local arg = fmt("%s: %s",
--- a/scripts/base/protocols/ssl/main.bro
+++ b/scripts/base/protocols/ssl/main.bro
@ -263,7 +263,7 @@ event ssl_extension_server_name(c: connection, is_orig: bool, names: string_vec)
 		{
 		c$ssl$server_name = names[0];
 		if ( |names| > 1 )
-			event conn_weird("SSL_many_server_names", c, cat(names));
+			Reporter::conn_weird("SSL_many_server_names", c, cat(names));
 		}
 	}