Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-14 12:38:20 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 2

Fix a bug in the DCE/RPC log ignoring mechanism.

Browse source
This commit is contained in:
Seth Hall 2016-04-18 10:50:11 -04:00
parent 72f2c2ded2
commit b96fe860ea
1 changed files with 9 additions and 7 deletions
Download patch file Download diff file Expand all files Collapse all files

16
scripts/base/protocols/dce-rpc/main.bro
View file

@ -26,7 +26,7 @@ export {
};
const ignored_operations: table[string] of set[string] = {
["winreg"] = set("BaseRegCloseKey", "BaseRegGetVersion", "BaseRegOpenKey", "OpenLocalMachine", "BaseRegEnumKey"),
["winreg"] = set("BaseRegCloseKey", "BaseRegGetVersion", "BaseRegOpenKey", "BaseRegQueryValue", "BaseRegDeleteKeyEx", "OpenLocalMachine", "BaseRegEnumKey"),
["spoolss"] = set("RpcSplOpenPrinter", "RpcClosePrinter"),
["wkssvc"] = set("NetrWkstaGetInfo"),
} &redef;
@ -155,10 +155,11 @@ event dce_rpc_response(c: connection, fid: count, opnum: count, stub_len: count)
{
# If there is not an endpoint, there isn't much reason to log.
# This can happen if the request isn't seen.
if ( (c$dce_rpc?$endpoint && (c$dce_rpc$endpoint !in ignored_operations || |ignored_operations[c$dce_rpc$endpoint]| != 0))
||
if ( (c$dce_rpc?$endpoint && c$dce_rpc$endpoint !in ignored_operations)
||
(c$dce_rpc?$endpoint && c$dce_rpc?$operation &&
c$dce_rpc?$operation && c$dce_rpc$operation !in ignored_operations[c$dce_rpc$endpoint]) )
c$dce_rpc$operation !in ignored_operations[c$dce_rpc$endpoint] &&
"*" !in ignored_operations[c$dce_rpc$endpoint]) )
{
Log::write(LOG, c$dce_rpc);
}
@ -189,10 +190,11 @@ event connection_state_remove(c: connection)
}
}
if ( (c$dce_rpc?$endpoint && |ignored_operations[c$dce_rpc$endpoint]| != 0)
||
if ( (c$dce_rpc?$endpoint && c$dce_rpc$endpoint !in ignored_operations)
||
(c$dce_rpc?$endpoint && c$dce_rpc?$operation &&
c$dce_rpc?$operation && c$dce_rpc$operation !in ignored_operations[c$dce_rpc$endpoint]) )
c$dce_rpc$operation !in ignored_operations[c$dce_rpc$endpoint] &&
"*" !in ignored_operations[c$dce_rpc$endpoint]) )
{
Log::write(LOG, c$dce_rpc);
}