Merge branch 'add-dce-rpc-payloads' of https://github.com/ynadji/zeek

- Changed the new stub events to correctly check for existence of
  their associated handler before generating an event

- Added a test case for the new stub event

* 'add-dce-rpc-payloads' of https://github.com/ynadji/zeek:
  Add stub payload to dce_rpc_request and dce_rpc_response
Jon Siwek 2020-09-25 14:37:58 -07:00
commit c1492942bb
7 changed files with 97 additions and 3 deletions


@ -1,3 +1,10 @@
3.3.0-dev.350 | 2020-09-25 14:37:58 -0700
* Add dce_rpc_request_stub and dce_rpc_response_stub events (Yacin Nadji, Corelight)
* Fix namespace warning in fuzzer code (Tim Wojtulewicz, Corelight)
3.3.0-dev.346 | 2020-09-24 16:03:28 -0700 3.3.0-dev.346 | 2020-09-24 16:03:28 -0700
* Fix a Sphinx warning about misformatted packet analyzer comment (Jon Siwek, Corelight) * Fix a Sphinx warning about misformatted packet analyzer comment (Jon Siwek, Corelight)

3
NEWS

@ -16,6 +16,9 @@ New Functionality
writing plugins to parse the various parts of a packet header separately, writing plugins to parse the various parts of a packet header separately,
chaining down into other plugins as needed. chaining down into other plugins as needed.
- Add ``dce_rpc_request_stub`` and ``dce_rpc_response_stub`` events for
accessing the contents of DCE-RPC request/response stub data.
Changed Functionality Changed Functionality
--------------------- ---------------------


@ -1 +1 @@
3.3.0-dev.346 3.3.0-dev.350


@ -123,6 +123,14 @@ refine connection DCE_RPC_Conn += {
${req.stub}.length()); ${req.stub}.length());
} }
if ( dce_rpc_request_stub )
zeek::BifEvent::enqueue_dce_rpc_request_stub(zeek_analyzer(),
zeek_analyzer()->Conn(),
fid,
${req.context_id},
${req.opnum},
binpac::to_stringval(${req.stub}));
set_cont_id_opnum_map(${req.context_id}, set_cont_id_opnum_map(${req.context_id},
${req.opnum}); ${req.opnum});
return true; return true;
@ -140,6 +148,14 @@ refine connection DCE_RPC_Conn += {
${resp.stub}.length()); ${resp.stub}.length());
} }
if ( dce_rpc_response_stub )
zeek::BifEvent::enqueue_dce_rpc_response_stub(zeek_analyzer(),
zeek_analyzer()->Conn(),
fid,
${resp.context_id},
get_cont_id_opnum_map(${resp.context_id}),
binpac::to_stringval(${resp.stub}));
return true; return true;
%} %}
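Review bot: The two new guarded enqueue blocks carry no comment explaining the one non-obvious decision here: `binpac::to_stringval(${req.stub})` / `binpac::to_stringval(${resp.stub})` copies the entire stub into a StringVal for every PDU, so the `if ( dce_rpc_request_stub )` / `if ( dce_rpc_response_stub )` guard is what keeps that allocation off traffic nobody inspects, and the reason a separate event exists instead of adding `stub` to dce_rpc_request. I would add above each guard: `// Copy the stub bytes into a StringVal only when a handler exists; stubs can be large.` On the response side the opnum comes from `get_cont_id_opnum_map(${resp.context_id})`, a map the request path fills after its own events fire; if the matching request was never seen (capture started mid-flow, or a context_id the peer never bound) the value is presumably whatever that helper returns for an unknown key, and a one-line comment at that call stating the fallback would save script authors from keying on a bogus opnum. Both member functions begin and end outside the hunk.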


@ -95,7 +95,7 @@ event dce_rpc_alter_context_resp%(c: connection, fid: count%);
## ##
## stub_len: Length of the data for the request. ## stub_len: Length of the data for the request.
## ##
## .. zeek:see:: dce_rpc_message dce_rpc_bind dce_rpc_bind_ack dce_rpc_response ## .. zeek:see:: dce_rpc_message dce_rpc_bind dce_rpc_bind_ack dce_rpc_response dce_rpc_request_stub
event dce_rpc_request%(c: connection, fid: count, ctx_id: count, opnum: count, stub_len: count%); event dce_rpc_request%(c: connection, fid: count, ctx_id: count, opnum: count, stub_len: count%);
## Generated for every :abbr:`DCE-RPC (Distributed Computing Environment/Remote Procedure Calls)` response message. ## Generated for every :abbr:`DCE-RPC (Distributed Computing Environment/Remote Procedure Calls)` response message.
@ -112,5 +112,39 @@ event dce_rpc_request%(c: connection, fid: count, ctx_id: count, opnum: count, s
## ##
## stub_len: Length of the data for the response. ## stub_len: Length of the data for the response.
## ##
## .. zeek:see:: dce_rpc_message dce_rpc_bind dce_rpc_bind_ack dce_rpc_request ## .. zeek:see:: dce_rpc_message dce_rpc_bind dce_rpc_bind_ack dce_rpc_request dce_rpc_response_stub
event dce_rpc_response%(c: connection, fid: count, ctx_id: count, opnum: count, stub_len: count%); event dce_rpc_response%(c: connection, fid: count, ctx_id: count, opnum: count, stub_len: count%);
## Generated for every :abbr:`DCE-RPC (Distributed Computing Environment/Remote Procedure Calls)` request message.
##
## c: The connection.
##
## fid: File ID of the PIPE that carried the :abbr:`DCE-RPC (Distributed Computing Environment/Remote Procedure Calls)`
## message. Zero will be used if the :abbr:`DCE-RPC (Distributed Computing Environment/Remote Procedure Calls)` was
## not transported over a pipe.
##
## ctx_id: The context identifier of the data representation.
##
## opnum: Number of the RPC operation.
##
## stub: The data for the request.
##
## .. zeek:see:: dce_rpc_message dce_rpc_bind dce_rpc_bind_ack dce_rpc_response_stub dce_rpc_request
event dce_rpc_request_stub%(c: connection, fid: count, ctx_id: count, opnum: count, stub: string%);
## Generated for every :abbr:`DCE-RPC (Distributed Computing Environment/Remote Procedure Calls)` response message.
##
## c: The connection.
##
## fid: File ID of the PIPE that carried the :abbr:`DCE-RPC (Distributed Computing Environment/Remote Procedure Calls)`
## message. Zero will be used if the :abbr:`DCE-RPC (Distributed Computing Environment/Remote Procedure Calls)` was
## not transported over a pipe.
##
## ctx_id: The context identifier of the data representation.
###
## opnum: Number of the RPC operation.
##
## stub: The data for the response.
##
## .. zeek:see:: dce_rpc_message dce_rpc_bind dce_rpc_bind_ack dce_rpc_request_stub dce_rpc_response
event dce_rpc_response_stub%(c: connection, fid: count, ctx_id: count, opnum: count, stub: string%);
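Review bot: The separator line between the `ctx_id` and `opnum` entries of the dce_rpc_response_stub doc block is `###` while every neighboring separator is `##`; Zeekygen treats `##` as the doc marker, so this likely renders as a stray `#` in the generated documentation and should be `##`. The summary sentences of both new events are copied verbatim from dce_rpc_request/dce_rpc_response and do not say what sets them apart; for the request I would write `## Generated for every DCE-RPC request message, alongside :zeek:see:`dce_rpc_request`, carrying the raw stub bytes rather than only their length.` with the parallel wording for the response. The `stub` parameter doc should also say that this is the unparsed stub as carried on the wire (attacker-controlled, potentially large), so handlers must treat it as untrusted input and bound any per-event work by `|stub|`; for the response, noting that `opnum` is recovered from the earlier request on the same context id, not from the response PDU itself, would help as well.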


@ -0,0 +1,6 @@
dce_rpc_request , [orig_h=192.168.122.145, orig_p=55614/tcp, resp_h=192.168.122.3, resp_p=1024/tcp], 0, 0, 0, 144
dce_rpc_request_stub, [orig_h=192.168.122.145, orig_p=55614/tcp, resp_h=192.168.122.3, resp_p=1024/tcp], 0, 0, 0, 144
6b1ae0dd480552c8ea776ff61470f020fe55ccc3a3a8b4a9f09a7a03fe8ac77342df9323aadfce176f1b02143fa727496c8ae9308775f70a264ea627d2f1f1f514fb471650b2c2a69caa96fc2f885c31800820ea55852822d536ac0a71902aafd854d023cc6394a4d0861b991fd8a9e5e451c471a497eaf67e8652b8d107e8b80ba21a07763e67afcda009b18db916ab
dce_rpc_response , [orig_h=192.168.122.145, orig_p=55614/tcp, resp_h=192.168.122.3, resp_p=1024/tcp], 0, 0, 0, 64
dce_rpc_response_stub, [orig_h=192.168.122.145, orig_p=55614/tcp, resp_h=192.168.122.3, resp_p=1024/tcp], 0, 0, 0, 64
f79c0c2680ad63c2c48a2f2244450025ee5df82a8674cc448d085ac51a5c83950b8bc9d2fca2fc616fd88d28c12fd201c715d33d504d67b27179c7b145979ba2


@ -0,0 +1,28 @@
# @TEST-EXEC: zeek -b -C -r $TRACES/dce-rpc/cs_window7-join_stream092.pcap %INPUT > out
# @TEST-EXEC: btest-diff out
@load base/protocols/dce-rpc
event dce_rpc_request(c: connection, fid: count, ctx_id: count, opnum: count, stub_len: count)
{
print "dce_rpc_request ", c$id, fid, ctx_id, opnum, stub_len;
}
event dce_rpc_request_stub(c: connection, fid: count, ctx_id: count, opnum: count, stub: string)
{
print "dce_rpc_request_stub", c$id, fid, ctx_id, opnum, |stub|;
print bytestring_to_hexstr(stub);
}
event dce_rpc_response(c: connection, fid: count, ctx_id: count, opnum: count, stub_len: count)
{
print "dce_rpc_response ", c$id, fid, ctx_id, opnum, stub_len;
}
event dce_rpc_response_stub(c: connection, fid: count, ctx_id: count, opnum: count, stub: string)
{
print "dce_rpc_response_stub", c$id, fid, ctx_id, opnum, |stub|;
print bytestring_to_hexstr(stub);
terminate();
}