mirror of
https://github.com/zeek/zeek.git
synced 2025-10-02 14:48:21 +00:00
More clean up and fixing for DCE_RPC.
This commit is contained in:
Seth Hall
parent
017fa13393
commit
caa28bc3c5
5 changed files with 13 additions and 88 deletions
|
|
@ -60,7 +60,7 @@ type NDR_Format = record {
|
|||
byteorder = (intchar >> 4) ? littleendian : bigendian;
|
||||
};
|
||||
|
||||
#### There might be a endianness problem here: the frag_length
|
||||
# There might be a endianness problem here: the frag_length
|
||||
# causes problems despite the NDR_Format having a byteorder set.
|
||||
|
||||
type DCE_RPC_Header(is_orig: bool) = record {
|
||||
|
|
|
|||
|
|
@ -15,7 +15,6 @@ connection DCE_RPC_Conn(bro_analyzer: BroAnalyzer) {
|
|||
upflow = DCE_RPC_Flow(true);
|
||||
downflow = DCE_RPC_Flow(false);
|
||||
};
|
||||
|
||||
%include dce_rpc-protocol.pac
|
||||
|
||||
# Now we define the flow:
|
||||
|
|
|
|||
|
|
@ -1,32 +1,15 @@
|
|||
## TODO.
|
||||
##
|
||||
## .. bro:see:: rpc_call rpc_dialogue rpc_reply dce_rpc_bind dce_rpc_request
|
||||
## dce_rpc_response rpc_timeout
|
||||
## .. bro:see:: dce_rpc_bind dce_rpc_bind_ack dce_rpc_request dce_rpc_response
|
||||
event dce_rpc_message%(c: connection, is_orig: bool, ptype_id: count, ptype: DCE_RPC::PType%);
|
||||
|
||||
## TODO.
|
||||
##
|
||||
## .. bro:see:: rpc_call rpc_dialogue rpc_reply dce_rpc_message dce_rpc_request
|
||||
## dce_rpc_response rpc_timeout
|
||||
## .. bro:see:: dce_rpc_message dce_rpc_bind_ack dce_rpc_request dce_rpc_response
|
||||
event dce_rpc_bind%(c: connection, uuid: string, ver_major: count, ver_minor: count%);
|
||||
|
||||
## .. bro:see:: dce_rpc_message dce_rpc_bind dce_rpc_request dce_rpc_response
|
||||
event dce_rpc_bind_ack%(c: connection, sec_addr: string%);
|
||||
|
||||
## TODO.
|
||||
##
|
||||
## .. bro:see:: rpc_call rpc_dialogue rpc_reply dce_rpc_bind dce_rpc_message
|
||||
## dce_rpc_response rpc_timeout
|
||||
## .. bro:see:: dce_rpc_message dce_rpc_bind dce_rpc_bind_ack dce_rpc_response
|
||||
event dce_rpc_request%(c: connection, opnum: count, stub_len: count%);
|
||||
|
||||
## TODO.
|
||||
##
|
||||
## .. bro:see:: rpc_call rpc_dialogue rpc_reply dce_rpc_bind dce_rpc_message
|
||||
## dce_rpc_request rpc_timeout
|
||||
## .. bro:see:: dce_rpc_message dce_rpc_bind dce_rpc_bind_ack dce_rpc_request
|
||||
event dce_rpc_response%(c: connection, opnum: count, stub_len: count%);
|
||||
|
||||
## TODO.
|
||||
##
|
||||
## .. bro:see:: rpc_call rpc_dialogue rpc_reply dce_rpc_bind dce_rpc_message
|
||||
## dce_rpc_request dce_rpc_response rpc_timeout
|
||||
event epm_map_response%(c: connection, uuid: string, p: port, h: addr%);
|
||||
|
||||
|
|
|
|||
|
|
@ -25,62 +25,3 @@ refine connection SMB_Conn += {
|
|||
return true;
|
||||
%}
|
||||
};
|
||||
|
||||
|
||||
#type SMB_Pipe_message(header: SMB_Header, byte_count: uint16) = record {
|
||||
# rpc_header : DCE_RPC_Header;
|
||||
# rpc_body : DCE_RPC_Body(rpc_header);
|
||||
# pipe_type: case $context.connection.determine_pipe_msg_type(rpc, opnum) of {
|
||||
# 1 -> atsvc_request : AT_SVC_Request(unicode, opnum);
|
||||
# 2 -> atsvc_reply : AT_SVC_Reply(unicode, opnum);
|
||||
# default -> unknown : bytestring &restofdata;
|
||||
# };
|
||||
#} &let {
|
||||
# proc: bool = $context.connection.proc_smb_pipe_message(this, header);
|
||||
#} &byteorder = littleendian;
|
||||
#
|
||||
#type SMB_RAP_message(unicode: bool, byte_count: uint16) = record {
|
||||
# rap_code : uint16;
|
||||
# param_desc : SMB_string(unicode, offsetof(param_desc));
|
||||
# data_desc : SMB_string(unicode, offsetof(data_desc));
|
||||
# data : bytestring &restofdata;
|
||||
#} &byteorder = littleendian;
|
||||
|
||||
type AT_SVC_Request(unicode: bool, opnum: uint8) = record {
|
||||
empty: padding[1];
|
||||
op: case opnum of {
|
||||
0 -> add : AT_SVC_NetrJobAdd(unicode);
|
||||
default -> unknown : bytestring &restofdata;
|
||||
};
|
||||
};
|
||||
|
||||
type AT_SVC_String_Pointer(unicode: bool) = record {
|
||||
referent_id : uint32;
|
||||
max_count : uint32;
|
||||
offset : uint32;
|
||||
actual_count : uint32;
|
||||
string : SMB_string(unicode, offsetof(string));
|
||||
};
|
||||
|
||||
type AT_SVC_NetrJobAdd(unicode: bool) = record {
|
||||
server : AT_SVC_String_Pointer(unicode);
|
||||
unknown : padding[2];
|
||||
job_time : uint32;
|
||||
days_of_month : uint32;
|
||||
days_of_week : uint8;
|
||||
flags : uint8;
|
||||
unknown2 : padding[2];
|
||||
command : AT_SVC_String_Pointer(unicode);
|
||||
};
|
||||
|
||||
type AT_SVC_Reply(unicode: bool, opnum: uint16) = record {
|
||||
op: case opnum of {
|
||||
0 -> add: AT_SVC_JobID(unicode);
|
||||
default -> unknown: bytestring &restofdata;
|
||||
};
|
||||
};
|
||||
|
||||
type AT_SVC_JobID(unicode: bool) = record {
|
||||
id : uint32;
|
||||
status : uint32;
|
||||
};
|
||||
|
|
|
|||
|
|
@ -20,7 +20,8 @@ type SMB2_ioctl_request(header: SMB2_Header) = record {
|
|||
pad2 : bytestring &transient &length=((output_offset == 0 || output_offset == input_offset) ? 0 : (offsetof(pad2) + header.head_length - output_offset));
|
||||
output_buffer : bytestring &length=output_count;
|
||||
} &let {
|
||||
is_pipe: bool = ((ctl_code >> 16) == 0x11);
|
||||
# We only handle FSCTL_PIPE_TRANSCEIVE messages right now.
|
||||
is_pipe: bool = (ctl_code == 0x0011C017);
|
||||
pipe_proc : bool = $context.connection.forward_dce_rpc(input_buffer, true) &if(is_pipe);
|
||||
};
|
||||
|
||||
|
|
@ -40,6 +41,7 @@ type SMB2_ioctl_response(header: SMB2_Header) = record {
|
|||
pad2 : bytestring &transient &length=((output_offset == 0 || output_offset == input_offset) ? 0 : (offsetof(pad2) + header.head_length - output_offset));
|
||||
output_buffer : bytestring &length=output_count;
|
||||
} &let {
|
||||
is_pipe: bool = ((ctl_code >> 16) == 0x11);
|
||||
# We only handle FSCTL_PIPE_TRANSCEIVE messages right now.
|
||||
is_pipe: bool = (ctl_code == 0x0011C017);
|
||||
pipe_proc : bool = $context.connection.forward_dce_rpc(output_buffer, false) &if(is_pipe);
|
||||
};
|
||||
Loading…
Add table
Add a link
Reference in a new issue