From caa28bc3c5645bbebf2e1073bd48c414ceeedd8c Mon Sep 17 00:00:00 2001
From: Seth Hall
Date: Mon, 4 Apr 2016 15:20:33 -0400
Subject: [PATCH] More clean up and fixing for DCE_RPC.

---
 .../protocol/dce-rpc/dce_rpc-protocol.pac | 2 +-
 src/analyzer/protocol/dce-rpc/dce_rpc.pac | 5 +-
 src/analyzer/protocol/dce-rpc/events.bif | 27 ++------
 src/analyzer/protocol/smb/smb-pipe.pac | 61 +------------------
 src/analyzer/protocol/smb/smb2-com-ioctl.pac | 6 +-
 5 files changed, 13 insertions(+), 88 deletions(-)

diff --git a/src/analyzer/protocol/dce-rpc/dce_rpc-protocol.pac b/src/analyzer/protocol/dce-rpc/dce_rpc-protocol.pac
index 037adbf42c..fe04d1f0dd 100644
--- a/src/analyzer/protocol/dce-rpc/dce_rpc-protocol.pac
+++ b/src/analyzer/protocol/dce-rpc/dce_rpc-protocol.pac
@@ -60,7 +60,7 @@ type NDR_Format = record {
 byteorder = (intchar >> 4) ? littleendian : bigendian;
 };

-#### There might be a endianness problem here: the frag_length
+# There might be a endianness problem here: the frag_length
 # causes problems despite the NDR_Format having a byteorder set.
 type DCE_RPC_Header(is_orig: bool) = record {

diff --git a/src/analyzer/protocol/dce-rpc/dce_rpc.pac b/src/analyzer/protocol/dce-rpc/dce_rpc.pac
index b36916635d..607ef58d07 100644
--- a/src/analyzer/protocol/dce-rpc/dce_rpc.pac
+++ b/src/analyzer/protocol/dce-rpc/dce_rpc.pac
@@ -2,8 +2,8 @@
 %include bro.pac

 %extern{
- #include "types.bif.h"
- #include "events.bif.h"
+#include "types.bif.h"
+#include "events.bif.h"
 %}

 analyzer DCE_RPC withcontext {
@@ -15,7 +15,6 @@ connection DCE_RPC_Conn(bro_analyzer: BroAnalyzer) {
 upflow = DCE_RPC_Flow(true);
 downflow = DCE_RPC_Flow(false);
 };
-
 %include dce_rpc-protocol.pac

 # Now we define the flow:
diff --git a/src/analyzer/protocol/dce-rpc/events.bif b/src/analyzer/protocol/dce-rpc/events.bif
index 0a8eb7ca4a..d89727ec70 100644
--- a/src/analyzer/protocol/dce-rpc/events.bif
+++ b/src/analyzer/protocol/dce-rpc/events.bif
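Review bot: The re-marked comment line in dce_rpc-protocol.pac still reads "a endianness" and still records an open parser-framing problem as if it were settled prose; frag_length is presumably the PDU length the DCE_RPC_Header hands to the body parser, so reading it in the wrong byte order would mis-frame every subsequent PDU on the connection, which is worth more than a passing remark. Since the line is being edited anyway, I would make it `# TODO: possible endianness problem: frag_length is read` and add a second line saying which input triggers it and what byteorder NDR_Format reports in that case, so the note is not lost. The DCE_RPC_Header record it annotates begins at the last line of the hunk and its body is outside it.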
@@ -1,32 +1,15 @@
-## TODO.
-##
-## .. bro:see:: rpc_call rpc_dialogue rpc_reply dce_rpc_bind dce_rpc_request
-## dce_rpc_response rpc_timeout
+## .. bro:see:: dce_rpc_bind dce_rpc_bind_ack dce_rpc_request dce_rpc_response
 event dce_rpc_message%(c: connection, is_orig: bool, ptype_id: count, ptype: DCE_RPC::PType%);

-## TODO.
-##
-## .. bro:see:: rpc_call rpc_dialogue rpc_reply dce_rpc_message dce_rpc_request
-## dce_rpc_response rpc_timeout
+## .. bro:see:: dce_rpc_message dce_rpc_bind_ack dce_rpc_request dce_rpc_response
 event dce_rpc_bind%(c: connection, uuid: string, ver_major: count, ver_minor: count%);

+## .. bro:see:: dce_rpc_message dce_rpc_bind dce_rpc_request dce_rpc_response
 event dce_rpc_bind_ack%(c: connection, sec_addr: string%);

-## TODO.
-##
-## .. bro:see:: rpc_call rpc_dialogue rpc_reply dce_rpc_bind dce_rpc_message
-## dce_rpc_response rpc_timeout
+## .. bro:see:: dce_rpc_message dce_rpc_bind dce_rpc_bind_ack dce_rpc_response
 event dce_rpc_request%(c: connection, opnum: count, stub_len: count%);

-## TODO.
-##
-## .. bro:see:: rpc_call rpc_dialogue rpc_reply dce_rpc_bind dce_rpc_message
-## dce_rpc_request rpc_timeout
+## .. bro:see:: dce_rpc_message dce_rpc_bind dce_rpc_bind_ack dce_rpc_request
 event dce_rpc_response%(c: connection, opnum: count, stub_len: count%);

-## TODO.
-##
-## .. bro:see:: rpc_call rpc_dialogue rpc_reply dce_rpc_bind dce_rpc_message
-## dce_rpc_request dce_rpc_response rpc_timeout
-event epm_map_response%(c: connection, uuid: string, p: port, h: addr%);
-
diff --git a/src/analyzer/protocol/smb/smb-pipe.pac b/src/analyzer/protocol/smb/smb-pipe.pac
index b7a64c1924..3ec7958ce8 100644
--- a/src/analyzer/protocol/smb/smb-pipe.pac
+++ b/src/analyzer/protocol/smb/smb-pipe.pac
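Review bot: The replacement docstrings consist only of `.. bro:see::` cross-references, so dce_rpc_message, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_request and dce_rpc_response still say nothing about when they fire or what their parameters carry (ptype_id versus ptype, whether uuid is the textual or raw 16-byte form, what sec_addr holds, whether stub_len counts bytes of the stub only), and the removed `## TODO.` at least flagged that gap. The .bif convention is one `## name: description` line per parameter above the event, e.g. for dce_rpc_bind `## uuid: The interface UUID the client asks to bind to.` and `## ver_major: Major version of that interface.`, plus a one-sentence summary of the event itself. epm_map_response is dropped here as well; I cannot see the scripts tree, but any handler still written for it would simply stop firing rather than error, so it is worth a grep in the same commit.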
@@ -24,63 +24,4 @@ refine connection SMB_Conn += {
 dcerpc->DeliverStream(${pipe_data}.length(), ${pipe_data}.begin(), is_orig);
 return true;
 %}
-};
-
- #type SMB_Pipe_message(header: SMB_Header, byte_count: uint16) = record {
-# rpc_header : DCE_RPC_Header;
-# rpc_body : DCE_RPC_Body(rpc_header);
-# pipe_type: case $context.connection.determine_pipe_msg_type(rpc, opnum) of {
-# 1 -> atsvc_request : AT_SVC_Request(unicode, opnum);
-# 2 -> atsvc_reply : AT_SVC_Reply(unicode, opnum);
-# default -> unknown : bytestring &restofdata;
-# };
-#} &let {
-# proc: bool = $context.connection.proc_smb_pipe_message(this, header);
-#} &byteorder = littleendian;
-#
-#type SMB_RAP_message(unicode: bool, byte_count: uint16) = record {
-# rap_code : uint16;
-# param_desc : SMB_string(unicode, offsetof(param_desc));
-# data_desc : SMB_string(unicode, offsetof(data_desc));
-# data : bytestring &restofdata;
-#} &byteorder = littleendian;
-
-type AT_SVC_Request(unicode: bool, opnum: uint8) = record {
- empty: padding[1];
- op: case opnum of {
- 0 -> add : AT_SVC_NetrJobAdd(unicode);
- default -> unknown : bytestring &restofdata;
- };
-};
-
-type AT_SVC_String_Pointer(unicode: bool) = record {
- referent_id : uint32;
- max_count : uint32;
- offset : uint32;
- actual_count : uint32;
- string : SMB_string(unicode, offsetof(string));
-};
-
-type AT_SVC_NetrJobAdd(unicode: bool) = record {
- server : AT_SVC_String_Pointer(unicode);
- unknown : padding[2];
- job_time : uint32;
- days_of_month : uint32;
- days_of_week : uint8;
- flags : uint8;
- unknown2 : padding[2];
- command : AT_SVC_String_Pointer(unicode);
-};
-
-type AT_SVC_Reply(unicode: bool, opnum: uint16) = record {
- op: case opnum of {
- 0 -> add: AT_SVC_JobID(unicode);
- default -> unknown: bytestring &restofdata;
- };
-};
-
-type AT_SVC_JobID(unicode: bool) = record {
- id : uint32;
- status : uint32;
-};
+};
\ No newline at end of file
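Review bot: The only thing the new side of this hunk changes is that the closing `};` now ends smb-pipe.pac without a trailing newline (`\ No newline at end of file`), which looks accidental; restoring the newline keeps the next edit to the file from producing a spurious diff on that line. Within the hunk the deleted AT_SVC_Request, AT_SVC_String_Pointer, AT_SVC_NetrJobAdd, AT_SVC_Reply and AT_SVC_JobID types were referenced only by the commented-out SMB_Pipe_message record that is deleted with them, but if another .pac file still names any of them the binpac build breaks, and I cannot see that from here. The enclosing `refine connection SMB_Conn` block starts outside the hunk.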
diff --git a/src/analyzer/protocol/smb/smb2-com-ioctl.pac b/src/analyzer/protocol/smb/smb2-com-ioctl.pac
index 59caf02ac2..8a54959097 100644
--- a/src/analyzer/protocol/smb/smb2-com-ioctl.pac
+++ b/src/analyzer/protocol/smb/smb2-com-ioctl.pac
@@ -20,7 +20,8 @@ type SMB2_ioctl_request(header: SMB2_Header) = record {
 pad2 : bytestring &transient &length=((output_offset == 0 || output_offset == input_offset) ? 0 : (offsetof(pad2) + header.head_length - output_offset));
 output_buffer : bytestring &length=output_count;
 } &let {
- is_pipe: bool = ((ctl_code >> 16) == 0x11);
+ # We only handle FSCTL_PIPE_TRANSCEIVE messages right now.
+ is_pipe: bool = (ctl_code == 0x0011C017);
 pipe_proc : bool = $context.connection.forward_dce_rpc(input_buffer, true) &if(is_pipe);
 };

@@ -40,6 +41,7 @@ type SMB2_ioctl_response(header: SMB2_Header) = record {
 pad2 : bytestring &transient &length=((output_offset == 0 || output_offset == input_offset) ? 0 : (offsetof(pad2) + header.head_length - output_offset));
 output_buffer : bytestring &length=output_count;
 } &let {
- is_pipe: bool = ((ctl_code >> 16) == 0x11);
+ # We only handle FSCTL_PIPE_TRANSCEIVE messages right now.
+ is_pipe: bool = (ctl_code == 0x0011C017);
 pipe_proc : bool = $context.connection.forward_dce_rpc(output_buffer, false) &if(is_pipe);
 };
\ No newline at end of file
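Review bot: `is_pipe` in both the SMB2_ioctl_request and the SMB2_ioctl_response `&let` blocks now compares `ctl_code` against the bare literal `0x0011C017`, and the only link between that number and FSCTL_PIPE_TRANSCEIVE is the comment above it; declaring the value once under that name and using it in both records would keep the two copies from drifting, which the previous `>> 16` form already shows can happen since it had to be fixed in two places. The literal itself is the MS-FSCC value for FSCTL_PIPE_TRANSCEIVE (device type FILE_DEVICE_NAMED_PIPE, 0x11, in the top 16 bits), so the old check matched every named-pipe control code and this one matches TRANSCEIVE only; that narrowing is what the comment says is intended, but it also means pipe data carried by any other named-pipe FSCTL is no longer handed to the DCE_RPC analyzer at all, which a reader of the comment would not guess. I would extend the comment to say so, e.g. `# FSCTL_PIPE_TRANSCEIVE (MS-FSCC). Other named-pipe FSCTLs are not forwarded to DCE_RPC.`, in both records.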