From fd58c724a50672f1f42b11bdbca4d9449b934833 Mon Sep 17 00:00:00 2001
From: Yacin Nadji
Date: Wed, 23 Sep 2020 13:28:41 -0400
Subject: [PATCH] Add stub payload to dce_rpc_request and dce_rpc_response
---
 .../protocol/dce-rpc/dce_rpc-analyzer.pac | 12 ++++++
 src/analyzer/protocol/dce-rpc/events.bif | 38 ++++++++++++++++++-
 2 files changed, 48 insertions(+), 2 deletions(-)
diff --git a/src/analyzer/protocol/dce-rpc/dce_rpc-analyzer.pac b/src/analyzer/protocol/dce-rpc/dce_rpc-analyzer.pac
index 4abbbdf009..f589628fa1 100644
--- a/src/analyzer/protocol/dce-rpc/dce_rpc-analyzer.pac
+++ b/src/analyzer/protocol/dce-rpc/dce_rpc-analyzer.pac
@@ -121,6 +121,12 @@ refine connection DCE_RPC_Conn += {
 ${req.context_id},
 ${req.opnum},
 ${req.stub}.length());
+ zeek::BifEvent::enqueue_dce_rpc_request_stub(zeek_analyzer(),
+ zeek_analyzer()->Conn(),
+ fid,
+ ${req.context_id},
+ ${req.opnum},
+ binpac::to_stringval(${req.stub}));
 }
 
 set_cont_id_opnum_map(${req.context_id},
@@ -138,6 +144,12 @@ refine connection DCE_RPC_Conn += {
 ${resp.context_id},
 get_cont_id_opnum_map(${resp.context_id}),
 ${resp.stub}.length());
+ zeek::BifEvent::enqueue_dce_rpc_response_stub(zeek_analyzer(),
+ zeek_analyzer()->Conn(),
+ fid,
+ ${resp.context_id},
+ get_cont_id_opnum_map(${resp.context_id}),
+ binpac::to_stringval(${resp.stub}));
 }
 
 return true;
diff --git a/src/analyzer/protocol/dce-rpc/events.bif b/src/analyzer/protocol/dce-rpc/events.bif
index 1f2b61255c..bc9f252054 100644
--- a/src/analyzer/protocol/dce-rpc/events.bif
+++ b/src/analyzer/protocol/dce-rpc/events.bif
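Review bot: The new enqueue_dce_rpc_request_stub call is placed inside the same block as the existing dce_rpc_request enqueue, so, assuming the closing brace on the following line belongs to an `if ( dce_rpc_request )` guard that starts above the hunk, dce_rpc_request_stub is only raised when a dce_rpc_request handler exists, and `binpac::to_stringval(${req.stub})` copies the entire stub payload into a new StringVal for every request even when no script handles the stub event at all. Since the stub is peer-controlled data of arbitrary length, that per-message copy is worth avoiding: give the new event its own guard, `if ( dce_rpc_request_stub ) { … }`, as a sibling of the existing block, so the copy is made only when a handler is registered and the event no longer depends on the other one being handled. The same applies to enqueue_dce_rpc_response_stub in the second hunk of this file. The enclosing functions of both hunks begin and end outside the hunks.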
@@ -95,7 +95,7 @@ event dce_rpc_alter_context_resp%(c: connection, fid: count%);
 ##
 ## stub_len: Length of the data for the request.
 ##
-## .. zeek:see:: dce_rpc_message dce_rpc_bind dce_rpc_bind_ack dce_rpc_response
+## .. zeek:see:: dce_rpc_message dce_rpc_bind dce_rpc_bind_ack dce_rpc_response dce_rpc_request_stub
 event dce_rpc_request%(c: connection, fid: count, ctx_id: count, opnum: count, stub_len: count%);
 
 ## Generated for every :abbr:`DCE-RPC (Distributed Computing Environment/Remote Procedure Calls)` response message.
@@ -112,5 +112,39 @@ event dce_rpc_request%(c: connection, fid: count, ctx_id: count, opnum: count, s
 ##
 ## stub_len: Length of the data for the response.
 ##
-## .. zeek:see:: dce_rpc_message dce_rpc_bind dce_rpc_bind_ack dce_rpc_request
+## .. zeek:see:: dce_rpc_message dce_rpc_bind dce_rpc_bind_ack dce_rpc_request dce_rpc_response_stub
 event dce_rpc_response%(c: connection, fid: count, ctx_id: count, opnum: count, stub_len: count%);
+
+## Generated for every :abbr:`DCE-RPC (Distributed Computing Environment/Remote Procedure Calls)` request message.
+##
+## c: The connection.
+##
+## fid: File ID of the PIPE that carried the :abbr:`DCE-RPC (Distributed Computing Environment/Remote Procedure Calls)`
+## message. Zero will be used if the :abbr:`DCE-RPC (Distributed Computing Environment/Remote Procedure Calls)` was
+## not transported over a pipe.
+##
+## ctx_id: The context identifier of the data representation.
+##
+## opnum: Number of the RPC operation.
+##
+## stub: The data for the request.
+##
+## .. zeek:see:: dce_rpc_message dce_rpc_bind dce_rpc_bind_ack dce_rpc_response_stub dce_rpc_request
+event dce_rpc_request_stub%(c: connection, fid: count, ctx_id: count, opnum: count, stub: string%);
+
+## Generated for every :abbr:`DCE-RPC (Distributed Computing Environment/Remote Procedure Calls)` response message.
+##
+## c: The connection.
+##
+## fid: File ID of the PIPE that carried the :abbr:`DCE-RPC (Distributed Computing Environment/Remote Procedure Calls)`
+## message. Zero will be used if the :abbr:`DCE-RPC (Distributed Computing Environment/Remote Procedure Calls)` was
+## not transported over a pipe.
+##
+## ctx_id: The context identifier of the data representation.
+###
+## opnum: Number of the RPC operation.
+##
+## stub: The data for the response.
+##
+## .. zeek:see:: dce_rpc_message dce_rpc_bind dce_rpc_bind_ack dce_rpc_request_stub dce_rpc_response
+event dce_rpc_response_stub%(c: connection, fid: count, ctx_id: count, opnum: count, stub: string%);
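Review bot: The separator line between the `ctx_id` and `opnum` paragraphs of the new dce_rpc_response_stub doc block reads `###` while every other separator in both new blocks is `##`; it should be `##`, otherwise the extra `#` is likely to end up as stray content (or a broken paragraph) in the generated documentation. The `stub` parameter text could also be more specific, since the analyzer hunk passes the same `${req.stub}`/`${resp.stub}` field whose length the existing events report: `## stub: The raw stub data of the request, i.e. the bytes whose length dce_rpc_request reports as stub_len.` and the matching sentence for the response event.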