Merge branch 'add-dce-rpc-payloads' of https://github.com/ynadji/zeek

- Changed the new stub events to correctly check for existence of their associated handler before generating an event - Added a test case for the new stub event * 'add-dce-rpc-payloads' of https://github.com/ynadji/zeek: Add stub payload to dce_rpc_request and dce_rpc_response
2025-10-09 01:58:20 +00:00 · 2020-09-25 14:37:58 -07:00 · 2020-09-25 14:37:58 -07:00 · c1492942bb
commit c1492942bb
parent cc5066632b fd58c724a5
7 changed files with 97 additions and 3 deletions
--- a/7
+++ b/7
@ -1,3 +1,10 @@
+
+3.3.0-dev.350 | 2020-09-25 14:37:58 -0700
+
+  * Add dce_rpc_request_stub and dce_rpc_response_stub events (Yacin Nadji, Corelight)
+
+  * Fix namespace warning in fuzzer code (Tim Wojtulewicz, Corelight)
+
 3.3.0-dev.346 | 2020-09-24 16:03:28 -0700

  * Fix a Sphinx warning about misformatted packet analyzer comment (Jon Siwek, Corelight)
--- a/3
+++ b/3
@ -16,6 +16,9 @@ New Functionality
  writing plugins to parse the various parts of a packet header separately,
  chaining down into other plugins as needed.

+- Add ``dce_rpc_request_stub`` and ``dce_rpc_response_stub`` events for
+  accessing the contents of DCE-RPC request/response stub data.
+
 Changed Functionality
 ---------------------

--- a/2
+++ b/2
@ -1 +1 @@
-3.3.0-dev.346
+3.3.0-dev.350
--- a/src/analyzer/protocol/dce-rpc/dce_rpc-analyzer.pac
+++ b/src/analyzer/protocol/dce-rpc/dce_rpc-analyzer.pac
@ -123,6 +123,14 @@ refine connection DCE_RPC_Conn += {
 			                                  ${req.stub}.length());
 			}

+		if ( dce_rpc_request_stub )
+			zeek::BifEvent::enqueue_dce_rpc_request_stub(zeek_analyzer(),
+			                                  zeek_analyzer()->Conn(),
+			                                  fid,
+			                                  ${req.context_id},
+			                                  ${req.opnum},
+			                                  binpac::to_stringval(${req.stub}));
+
 		set_cont_id_opnum_map(${req.context_id},
 		                      ${req.opnum});
 		return true;
@ -140,6 +148,14 @@ refine connection DCE_RPC_Conn += {
 			                                   ${resp.stub}.length());
 			}

+		if ( dce_rpc_response_stub )
+			zeek::BifEvent::enqueue_dce_rpc_response_stub(zeek_analyzer(),
+			                                   zeek_analyzer()->Conn(),
+			                                   fid,
+			                                   ${resp.context_id},
+			                                   get_cont_id_opnum_map(${resp.context_id}),
+			                                   binpac::to_stringval(${resp.stub}));
+
 		return true;
 		%}

--- a/src/analyzer/protocol/dce-rpc/events.bif
+++ b/src/analyzer/protocol/dce-rpc/events.bif
@ -95,7 +95,7 @@ event dce_rpc_alter_context_resp%(c: connection, fid: count%);
 ##
 ## stub_len: Length of the data for the request.
 ##
-## .. zeek:see:: dce_rpc_message dce_rpc_bind dce_rpc_bind_ack dce_rpc_response
+## .. zeek:see:: dce_rpc_message dce_rpc_bind dce_rpc_bind_ack dce_rpc_response dce_rpc_request_stub
 event dce_rpc_request%(c: connection, fid: count, ctx_id: count, opnum: count, stub_len: count%);

 ## Generated for every :abbr:`DCE-RPC (Distributed Computing Environment/Remote Procedure Calls)` response message.
@ -112,5 +112,39 @@ event dce_rpc_request%(c: connection, fid: count, ctx_id: count, opnum: count, s
 ##
 ## stub_len: Length of the data for the response.
 ##
-## .. zeek:see:: dce_rpc_message dce_rpc_bind dce_rpc_bind_ack dce_rpc_request
+## .. zeek:see:: dce_rpc_message dce_rpc_bind dce_rpc_bind_ack dce_rpc_request dce_rpc_response_stub
 event dce_rpc_response%(c: connection, fid: count, ctx_id: count, opnum: count, stub_len: count%);
+
+## Generated for every :abbr:`DCE-RPC (Distributed Computing Environment/Remote Procedure Calls)` request message.
+##
+## c: The connection.
+##
+## fid: File ID of the PIPE that carried the :abbr:`DCE-RPC (Distributed Computing Environment/Remote Procedure Calls)`
+##      message. Zero will be used if the :abbr:`DCE-RPC (Distributed Computing Environment/Remote Procedure Calls)` was
+##      not transported over a pipe.
+##
+## ctx_id: The context identifier of the data representation.
+##
+## opnum: Number of the RPC operation.
+##
+## stub: The data for the request.
+##
+## .. zeek:see:: dce_rpc_message dce_rpc_bind dce_rpc_bind_ack dce_rpc_response_stub dce_rpc_request
+event dce_rpc_request_stub%(c: connection, fid: count, ctx_id: count, opnum: count, stub: string%);
+
+## Generated for every :abbr:`DCE-RPC (Distributed Computing Environment/Remote Procedure Calls)` response message.
+##
+## c: The connection.
+##
+## fid: File ID of the PIPE that carried the :abbr:`DCE-RPC (Distributed Computing Environment/Remote Procedure Calls)`
+##      message. Zero will be used if the :abbr:`DCE-RPC (Distributed Computing Environment/Remote Procedure Calls)` was
+##      not transported over a pipe.
+##
+## ctx_id: The context identifier of the data representation.
+###
+## opnum: Number of the RPC operation.
+##
+## stub: The data for the response.
+##
+## .. zeek:see:: dce_rpc_message dce_rpc_bind dce_rpc_bind_ack dce_rpc_request_stub dce_rpc_response
+event dce_rpc_response_stub%(c: connection, fid: count, ctx_id: count, opnum: count, stub: string%);
--- a/testing/btest/Baseline/scripts.base.protocols.dce-rpc.request-response-stub-events/out
+++ b/testing/btest/Baseline/scripts.base.protocols.dce-rpc.request-response-stub-events/out
@ -0,0 +1,6 @@
+dce_rpc_request     , [orig_h=192.168.122.145, orig_p=55614/tcp, resp_h=192.168.122.3, resp_p=1024/tcp], 0, 0, 0, 144
+dce_rpc_request_stub, [orig_h=192.168.122.145, orig_p=55614/tcp, resp_h=192.168.122.3, resp_p=1024/tcp], 0, 0, 0, 144
+6b1ae0dd480552c8ea776ff61470f020fe55ccc3a3a8b4a9f09a7a03fe8ac77342df9323aadfce176f1b02143fa727496c8ae9308775f70a264ea627d2f1f1f514fb471650b2c2a69caa96fc2f885c31800820ea55852822d536ac0a71902aafd854d023cc6394a4d0861b991fd8a9e5e451c471a497eaf67e8652b8d107e8b80ba21a07763e67afcda009b18db916ab
+dce_rpc_response     , [orig_h=192.168.122.145, orig_p=55614/tcp, resp_h=192.168.122.3, resp_p=1024/tcp], 0, 0, 0, 64
+dce_rpc_response_stub, [orig_h=192.168.122.145, orig_p=55614/tcp, resp_h=192.168.122.3, resp_p=1024/tcp], 0, 0, 0, 64
+f79c0c2680ad63c2c48a2f2244450025ee5df82a8674cc448d085ac51a5c83950b8bc9d2fca2fc616fd88d28c12fd201c715d33d504d67b27179c7b145979ba2
--- a/testing/btest/scripts/base/protocols/dce-rpc/request-response-stub-events.zeek
+++ b/testing/btest/scripts/base/protocols/dce-rpc/request-response-stub-events.zeek
@ -0,0 +1,28 @@
+# @TEST-EXEC: zeek -b -C -r $TRACES/dce-rpc/cs_window7-join_stream092.pcap %INPUT > out
+# @TEST-EXEC: btest-diff out
+
+@load base/protocols/dce-rpc
+
+event dce_rpc_request(c: connection, fid: count, ctx_id: count, opnum: count, stub_len: count)
+	{
+	print "dce_rpc_request     ", c$id, fid, ctx_id, opnum, stub_len;
+	}
+
+event dce_rpc_request_stub(c: connection, fid: count, ctx_id: count, opnum: count, stub: string)
+	{
+	print "dce_rpc_request_stub", c$id, fid, ctx_id, opnum, |stub|;
+	print bytestring_to_hexstr(stub);
+	}
+
+event dce_rpc_response(c: connection, fid: count, ctx_id: count, opnum: count, stub_len: count)
+	{
+	print "dce_rpc_response     ", c$id, fid, ctx_id, opnum, stub_len;
+	}
+
+event dce_rpc_response_stub(c: connection, fid: count, ctx_id: count, opnum: count, stub: string)
+	{
+	print "dce_rpc_response_stub", c$id, fid, ctx_id, opnum, |stub|;
+	print bytestring_to_hexstr(stub);
+	terminate();
+	}
+