mirror of
https://github.com/zeek/zeek.git
synced 2025-10-02 06:38:20 +00:00
Redo DCE/RPC code.
This commit is contained in:
Vlad Grigorescu
parent
c4eb7e2377
commit
9a73033b19
16 changed files with 1036 additions and 79 deletions
|
|
@ -14,12 +14,21 @@ refine connection SMB_Conn += {
|
|||
smb_string2stringval(${val.name}), ${val.sub_cmd});
|
||||
return true;
|
||||
%}
|
||||
|
||||
function proc_smb1_transaction_response(header: SMB_Header, val: SMB1_transaction_response): bool
|
||||
%{
|
||||
//printf("transaction_response\n");
|
||||
return true;
|
||||
%}
|
||||
|
||||
function proc_smb1_transaction_setup(header: SMB_Header, val: SMB1_transaction_setup): bool
|
||||
%{
|
||||
if ( smb1_transaction_setup )
|
||||
BifEvent::generate_smb1_transaction_setup(bro_analyzer(), bro_analyzer()->Conn(), BuildHeaderVal(header), \
|
||||
${val.op_code}, ${val.file_id});
|
||||
return true;
|
||||
%}
|
||||
|
||||
};
|
||||
|
||||
|
||||
|
|
@ -27,12 +36,19 @@ type SMB1_transaction_data(header: SMB_Header, count: uint16, sub_cmd: uint16,
|
|||
trans_type: TransactionType ) = case trans_type of {
|
||||
# SMB_MAILSLOT_BROWSE -> mailslot : SMB_MailSlot_message(header.unicode, count);
|
||||
# SMB_MAILSLOT_LANMAN -> lanman : SMB_MailSlot_message(header.unicode, count);
|
||||
# SMB_RAP -> rap : SMB_Pipe_message(header.unicode, count, sub_cmd);
|
||||
SMB_PIPE -> pipe : SMB_Pipe_message(header.unicode, count, sub_cmd);
|
||||
# SMB_RAP -> rap : SMB_Pipe_message(header.unicode, count);
|
||||
SMB_PIPE -> pipe : SMB_Pipe_message(header, count);
|
||||
SMB_UNKNOWN -> unknown : bytestring &restofdata;
|
||||
# default -> data : bytestring &restofdata;
|
||||
};
|
||||
|
||||
type SMB1_transaction_setup(header: SMB_Header) = record {
|
||||
op_code : uint16;
|
||||
file_id : uint16;
|
||||
} &let {
|
||||
proc: bool = $context.connection.proc_smb1_transaction_setup(header, this);
|
||||
}
|
||||
|
||||
type SMB1_transaction_request(header: SMB_Header) = record {
|
||||
word_count : uint8;
|
||||
total_param_count : uint16;
|
||||
|
|
@ -50,7 +66,7 @@ type SMB1_transaction_request(header: SMB_Header) = record {
|
|||
data_offset : uint16;
|
||||
setup_count : uint8;
|
||||
reserved3 : uint8;
|
||||
setup : uint16[setup_count];
|
||||
setup : SMB1_transaction_setup(header);
|
||||
|
||||
byte_count : uint16;
|
||||
name : SMB_string(header.unicode, offsetof(name));
|
||||
|
|
@ -59,7 +75,7 @@ type SMB1_transaction_request(header: SMB_Header) = record {
|
|||
pad2 : padding to data_offset - SMB_Header_length;
|
||||
data : SMB1_transaction_data(header, data_count, sub_cmd, determine_transaction_type(setup_count, name));
|
||||
} &let {
|
||||
sub_cmd : uint16 = setup_count ? setup[0] : 0;
|
||||
sub_cmd : uint16 = setup_count ? setup.op_code : 0;
|
||||
proc : bool = $context.connection.proc_smb1_transaction_request(header, this);
|
||||
};
|
||||
|
||||
|
|
@ -83,7 +99,7 @@ type SMB1_transaction_response(header: SMB_Header) = record {
|
|||
pad0 : padding to param_offset - SMB_Header_length;
|
||||
parameters : bytestring &length = param_count;
|
||||
pad1 : padding to data_offset - SMB_Header_length;
|
||||
handle_response : case $context.connection.isATSVC() of {
|
||||
handle_response : case $context.connection.get_tree_is_pipe(header.tid) of {
|
||||
true -> pipe_data : SMB1_transaction_data(header, data_count, 0, SMB_PIPE);
|
||||
false -> unk_data : SMB1_transaction_data(header, data_count, 0, SMB_UNKNOWN);
|
||||
};
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue