Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-02 14:48:21 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 2

Improve DCE_RPC logging reliability.

Browse source
This commit is contained in:
Seth Hall 2016-04-01 16:53:17 -04:00
parent 035fedd21d
commit dbb4404b7d
1 changed files with 14 additions and 4 deletions
Download patch file Download diff file Expand all files Collapse all files

16
scripts/base/protocols/dce-rpc/main.bro
View file

@ -31,12 +31,14 @@ export {
) &redef; ) &redef;
} }
redef record Info += { type State: record {
uuid : string &optional; uuid : string &optional;
named_pipe : string &optional;
}; };
redef record connection += { redef record connection += {
dce_rpc: Info &optional; dce_rpc: Info &optional;
dce_rpc_state: State &default=State();
}; };
const ports = { 135/tcp }; const ports = { 135/tcp };
@ -56,6 +58,11 @@ function set_session(c: connection)
$id=c$id, $id=c$id,
$uid=c$uid]; $uid=c$uid];
} }
if ( c$dce_rpc_state?$uuid )
c$dce_rpc$endpoint = uuid_endpoint_map[c$dce_rpc_state$uuid];
if ( c$dce_rpc_state?$named_pipe )
c$dce_rpc$named_pipe = c$dce_rpc_state$named_pipe;
} }
event dce_rpc_bind(c: connection, uuid: string, ver_major: count, ver_minor: count) &priority=5 event dce_rpc_bind(c: connection, uuid: string, ver_major: count, ver_minor: count) &priority=5
@ -66,7 +73,7 @@ event dce_rpc_bind(c: connection, uuid: string, ver_major: count, ver_minor: cou
if ( uuid_str in ignored_uuids ) if ( uuid_str in ignored_uuids )
return; return;
c$dce_rpc$uuid = uuid_str; c$dce_rpc_state$uuid = uuid_str;
c$dce_rpc$endpoint = uuid_endpoint_map[uuid_str]; c$dce_rpc$endpoint = uuid_endpoint_map[uuid_str];
} }
@ -75,8 +82,11 @@ event dce_rpc_bind_ack(c: connection, sec_addr: string) &priority=5
set_session(c); set_session(c);
if ( sec_addr != "" ) if ( sec_addr != "" )
{
c$dce_rpc_state$named_pipe = sec_addr;
c$dce_rpc$named_pipe = sec_addr; c$dce_rpc$named_pipe = sec_addr;
} }
}
event dce_rpc_request(c: connection, opnum: count, stub_len: count) &priority=5 event dce_rpc_request(c: connection, opnum: count, stub_len: count) &priority=5
{ {
@ -94,7 +104,7 @@ event dce_rpc_response(c: connection, opnum: count, stub_len: count) &priority=5
if ( c?$dce_rpc && c$dce_rpc?$endpoint ) if ( c?$dce_rpc && c$dce_rpc?$endpoint )
{ {
c$dce_rpc$operation = operations[c$dce_rpc$uuid, opnum]; c$dce_rpc$operation = operations[c$dce_rpc_state$uuid, opnum];
if ( c$dce_rpc$ts != network_time() ) if ( c$dce_rpc$ts != network_time() )
c$dce_rpc$rtt = network_time() - c$dce_rpc$ts; c$dce_rpc$rtt = network_time() - c$dce_rpc$ts;
} }