Redo DCE/RPC code.

scripts/base/protocols/smb/consts.bro

@@ -26,6 +26,96 @@ export {
 		"\\wkssvc",
 	};
 
+	## The UUIDs used by the various RPC endpoints
+	const rpc_uuids: table[string] of string = {
+		["4b324fc8-1670-01d3-1278-5a47bf6ee188"] = "Server Service",
+		["6bffd098-a112-3610-9833-46c3f87e345a"] = "Workstation Service",
+	} &redef &default=function(i: string):string { return fmt("unknown-uuid-%s", i); };
+
+	## Server service sub commands
+	const srv_cmds: table[count] of string = {
+		[8]  = "NetrConnectionEnum",
+		[9]  = "NetrFileEnum",
+		[10] = "NetrFileGetInfo",
+		[11] = "NetrFileClose",
+		[12] = "NetrSessionEnum",
+		[13] = "NetrSessionDel",
+		[14] = "NetrShareAdd",
+		[15] = "NetrShareEnum",
+		[16] = "NetrShareGetInfo",
+		[17] = "NetrShareSetInfo",
+		[18] = "NetrShareDel",
+		[19] = "NetrShareDelSticky",
+		[20] = "NetrShareCheck",
+		[21] = "NetrServerGetInfo",
+		[22] = "NetrServerSetInfo",
+		[23] = "NetrServerDiskEnum",
+		[24] = "NetrServerStatisticsGet",
+		[25] = "NetrServerTransportAdd",
+		[26] = "NetrServerTransportEnum",
+		[27] = "NetrServerTransportDel",
+		[28] = "NetrRemoteTOD",
+		[30] = "NetprPathType",
+		[31] = "NetprPathCanonicalize",
+		[32] = "NetprPathCompare",
+		[33] = "NetprNameValidate",
+		[34] = "NetprNameCanonicalize",
+		[35] = "NetprNameCompare",
+		[36] = "NetrShareEnumSticky",
+		[37] = "NetrShareDelStart",
+		[38] = "NetrShareDelCommit",
+		[39] = "NetrGetFileSecurity",
+		[40] = "NetrSetFileSecurity",
+		[41] = "NetrServerTransportAddEx",
+		[43] = "NetrDfsGetVersion",
+		[44] = "NetrDfsCreateLocalPartition",
+		[45] = "NetrDfsDeleteLocalPartition",
+		[46] = "NetrDfsSetLocalVolumeState",
+		[48] = "NetrDfsCreateExitPoint",
+		[49] = "NetrDfsDeleteExitPoint",
+		[50] = "NetrDfsModifyPrefix",
+		[51] = "NetrDfsFixLocalVolume",
+		[52] = "NetrDfsManagerReportSiteInfo",
+		[53] = "NetrServerTransportDelEx",
+		[54] = "NetrServerAliasAdd",
+		[55] = "NetrServerAliasEnum",
+		[56] = "NetrServerAliasDel",
+		[57] = "NetrShareDelEx",
+	} &redef &default=function(i: count):string { return fmt("unknown-srv-command-%d", i); };
+
+	## Workstation service sub commands
+	const wksta_cmds: table[count] of string = {
+		[0]  = "NetrWkstaGetInfo",
+		[1]  = "NetrWkstaSetInfo",
+		[2]  = "NetrWkstaUserEnum",
+		[5]  = "NetrWkstaTransportEnum",
+		[6]  = "NetrWkstaTransportAdd",
+		[7]  = "NetrWkstaTransportDel",
+		[8]  = "NetrUseAdd",
+		[9]  = "NetrUseGetInfo",
+		[10] = "NetrUseDel",
+		[11] = "NetrUseEnum",
+		[13] = "NetrWorkstationStatisticsGet",
+		[20] = "NetrGetJoinInformation",
+		[22] = "NetrJoinDomain2",
+		[23] = "NetrUnjoinDomain2",
+		[24] = "NetrRenameMachineInDomain2",
+		[25] = "NetrValidateName2",
+		[26] = "NetrGetJoinableOUs2",
+		[27] = "NetrAddAlternateComputerName",
+		[28] = "NetrRemoveAlternateComputerName",
+		[29] = "NetrSetPrimaryComputerName",
+		[30] = "NetrEnumerateComputerNames",
+	} &redef &default=function(i: count):string { return fmt("unknown-wksta-command-%d", i); };
+
+	type rpc_cmd_table: table[count] of string;
+	
+	## The subcommands for RPC endpoints
+	const rpc_sub_cmds: table[string] of rpc_cmd_table = {
+		["4b324fc8-1670-01d3-1278-5a47bf6ee188"] = srv_cmds,
+		["6bffd098-a112-3610-9833-46c3f87e345a"] = wksta_cmds,	
+	} &redef &default=function(i: string):rpc_cmd_table { return table() &default=function(j: string):string { return fmt("unknown-uuid-%s", j); }; };
+	
 }
 
 module SMB1;

scripts/base/protocols/smb/main.bro

@@ -128,6 +128,8 @@ export {
 		tid_map     : table[count] of TreeInfo  &optional;
 		## User map to retrieve user name based on the user ID.
 		uid_map		: table[count] of string	&optional;
+		## Pipe map to retrieve UUID based on the file ID of a pipe.
+		pipe_map	: table[count] of string	&optional;
 	};
 	
 	redef record connection += {
@@ -139,6 +141,7 @@ export {
 	## Some commands shouldn't be logged by the smb1_message event
 	const deferred_logging_cmds: set[string] = {
 		"NEGOTIATE",
+		"READ_ANDX",
 		"SESSION_SETUP_ANDX",
 		"TREE_CONNECT_ANDX",
 	};
@@ -152,10 +155,13 @@ export {
 
 redef record FileInfo += {
 	## ID referencing this file.
-	fid            : count   &optional;
+	fid	: count   &optional;
 
 	## Maintain a reference to the file record.
-	f              : fa_file &optional;
+	f	: fa_file &optional;
+
+	## UUID referencing this file if DCE/RPC
+	uuid: string &optional;
 };
 
 const ports = { 139/tcp, 445/tcp };

scripts/base/protocols/smb/smb1-main.bro

@@ -13,6 +13,7 @@ event smb1_message(c: connection, hdr: SMB1::Header, is_orig: bool) &priority=5
 		state$fid_map = table();
 		state$tid_map = table();
 		state$uid_map = table();
+		state$pipe_map = table();
 		state$pending_cmds = table();
 		c$smb_state = state;
 		}
@@ -180,21 +181,25 @@ event smb1_read_andx_request(c: connection, hdr: SMB1::Header, file_id: count, o
 	{
 	if ( c$smb_state$current_tree?$path && !c$smb_state$current_file?$path )
 		c$smb_state$current_file$path = c$smb_state$current_tree$path;
-	
+
 	# TODO - Why is this commented out?
 	#write_file_log(c$smb_state$current_file);
 	}
 	
-#event smb1_read_andx_response(c: connection, hdr: SMB1::Header, data_len: count) &priority=5
-#	{
-#	# TODO - determine what to do here
-#	}
+event smb1_read_andx_response(c: connection, hdr: SMB1::Header, data_len: count) &priority=5
+	{
+	if ( c$smb_state$current_cmd$status !in SMB::ignored_command_statuses )
+		{
+		Log::write(SMB::CMD_LOG, c$smb_state$current_cmd);
+		}
+	}
 
 event smb1_write_andx_request(c: connection, hdr: SMB1::Header, file_id: count, offset: count, data_len: count) &priority=5
 	{
 	SMB::set_current_file(c$smb_state, file_id);
 	c$smb_state$current_file$action = SMB::FILE_WRITE;
-	c$smb_state$current_cmd$argument = c$smb_state$current_file$name;
+	if ( !c$smb_state$current_cmd?$argument )
+		c$smb_state$current_cmd$argument = c$smb_state$current_file$name;
 	}
 	
 event smb1_write_andx_request(c: connection, hdr: SMB1::Header, file_id: count, offset: count, data_len: count) &priority=-5
@@ -312,4 +317,37 @@ event smb_ntlm_authenticate(c: connection, hdr: SMB1::Header, request: SMB::NTLM
 event smb1_transaction_request(c: connection, hdr: SMB1::Header, name: string, sub_cmd: count)
 	{
 	c$smb_state$current_cmd$sub_command = SMB1::trans_sub_commands[sub_cmd];
-	}
+	}
+
+event smb1_write_andx_request(c: connection, hdr: SMB1::Header, file_id: count, offset: count, data_len: count)
+	{
+	c$smb_state$pipe_map[file_id] = c$smb_state$current_file$uuid;
+	}
+
+event smb_pipe_bind_ack_response(c: connection, hdr: SMB1::Header)
+	{
+	c$smb_state$current_cmd$sub_command = "RPC_BIND_ACK";
+	c$smb_state$current_cmd$argument = SMB::rpc_uuids[c$smb_state$current_file$uuid];	
+	}
+	
+event smb_pipe_bind_request(c: connection, hdr: SMB1::Header, uuid: string, version: string)
+	{
+	c$smb_state$current_cmd$sub_command = "RPC_BIND";
+	c$smb_state$current_file$uuid = uuid;
+	c$smb_state$current_cmd$argument = fmt("%s v%s", SMB::rpc_uuids[uuid], version);
+	}
+
+event smb_pipe_request(c: connection, hdr: SMB1::Header, op_num: count)
+	{
+	c$smb_state$current_cmd$argument = fmt("%s: %s", SMB::rpc_uuids[c$smb_state$current_file$uuid],
+									   				 SMB::rpc_sub_cmds[c$smb_state$current_file$uuid][op_num]);
+	}
+	
+#event smb1_transaction_setup(c: connection, hdr: SMB1::Header, op_code: count, file_id: count)
+#	{
+#	local uuid = SMB::rpc_uuids[c$smb_state$pipe_map[file_id]];
+#	if ( uuid in SMB::rpc_uuids )
+#		{
+#		print fmt("smb1_transaction_setup %s", SMB::rap_cmds[op_code]);
+#		}
+#	}