diff --git a/scripts/base/protocols/dce-rpc/consts.bro b/scripts/base/protocols/dce-rpc/consts.bro
index 39e126f75b..dfaf5b8edc 100644
--- a/scripts/base/protocols/dce-rpc/consts.bro
+++ b/scripts/base/protocols/dce-rpc/consts.bro
@@ -90,6 +90,15 @@ export {
 ["2f5f3220-c126-1076-b549-074d078619da"] = "nddeapi",
 } &redef &default=function(uuid: string): string { return fmt("unknown-%s", uuid); };
 
+ ## This table is to map pipe names to the most common
+ ## service used over that pipe. It helps in cases
+ ## where the pipe binding wasn't seen.
+ const pipe_name_to_common_uuid: table[string] of string = {
+ ["winreg"] = "338cd001-2244-31f1-aaaa-900038001003",
+ ["spoolss"] = "12345678-1234-abcd-ef00-0123456789ab",
+ ["srvsvc"] = "4b324fc8-1670-01d3-1278-5a47bf6ee188",
+ } &redef;
+
 const operations: table[string,count] of string = {
 # atsvc
 ["1ff70682-0a51-30e8-076d-740be8cee98b",0] = "NetrJobAdd",
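Review bot: The table's doc comment does not say that keys must already be normalized, yet the only lookups in main.bro pass a lowercased, `\pipe\`-stripped name, so an entry such as `["WinReg"]` or `["\\pipe\\srvsvc"]` added through `redef` would never match. I would extend the comment with: `## Keys are lowercase pipe basenames without the \pipe\ prefix. The mapping is a heuristic used only when no bind was observed; other interfaces can be served over the same pipe, so endpoint and operation names derived from it are a best guess, not an observed fact.` The three UUIDs match the well-known winreg, spoolss and srvsvc interface IDs. The enclosing `export` block starts and ends outside the hunk.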
@@ -641,61 +650,61 @@ export {
 ["3919286a-b10c-11d0-9ba8-00c04fd92ef5",0x0a] = "DsRolerAbortDownlevelServerUpgrade",
 
 # svcctl
- ["367aeb81-9844-35f1-ad32-98f038001003",0x00] = "CloseServiceHandle",
- ["367aeb81-9844-35f1-ad32-98f038001003",0x01] = "ControlService",
- ["367aeb81-9844-35f1-ad32-98f038001003",0x02] = "DeleteService",
- ["367aeb81-9844-35f1-ad32-98f038001003",0x03] = "LockServiceDatabase",
- ["367aeb81-9844-35f1-ad32-98f038001003",0x04] = "QueryServiceObjectSecurity",
- ["367aeb81-9844-35f1-ad32-98f038001003",0x05] = "SetServiceObjectSecurity",
- ["367aeb81-9844-35f1-ad32-98f038001003",0x06] = "QueryServiceStatus",
- ["367aeb81-9844-35f1-ad32-98f038001003",0x07] = "SetServiceStatus",
- ["367aeb81-9844-35f1-ad32-98f038001003",0x08] = "UnlockServiceDatabase",
- ["367aeb81-9844-35f1-ad32-98f038001003",0x09] = "NotifyBootConfigStatus",
- ["367aeb81-9844-35f1-ad32-98f038001003",0x0a] = "ScSetServiceBitsW",
- ["367aeb81-9844-35f1-ad32-98f038001003",0x0b] = "ChangeServiceConfigW",
- ["367aeb81-9844-35f1-ad32-98f038001003",0x0c] = "CreateServiceW",
- ["367aeb81-9844-35f1-ad32-98f038001003",0x0d] = "EnumDependentServicesW",
- ["367aeb81-9844-35f1-ad32-98f038001003",0x0e] = "EnumServicesStatusW",
- ["367aeb81-9844-35f1-ad32-98f038001003",0x0f] = "OpenSCManagerW",
- ["367aeb81-9844-35f1-ad32-98f038001003",0x10] = "OpenServiceW",
- ["367aeb81-9844-35f1-ad32-98f038001003",0x11] = "QueryServiceConfigW",
- ["367aeb81-9844-35f1-ad32-98f038001003",0x12] = "QueryServiceLockStatusW",
- ["367aeb81-9844-35f1-ad32-98f038001003",0x13] = "StartServiceW",
- ["367aeb81-9844-35f1-ad32-98f038001003",0x14] = "GetServiceDisplayNameW",
- ["367aeb81-9844-35f1-ad32-98f038001003",0x15] = "GetServiceKeyNameW",
- ["367aeb81-9844-35f1-ad32-98f038001003",0x16] = "ScSetServiceBitsA",
- ["367aeb81-9844-35f1-ad32-98f038001003",0x17] = "ChangeServiceConfigA",
- ["367aeb81-9844-35f1-ad32-98f038001003",0x18] = "CreateServiceA",
- ["367aeb81-9844-35f1-ad32-98f038001003",0x19] = "EnumDependentServicesA",
- ["367aeb81-9844-35f1-ad32-98f038001003",0x1a] = "EnumServicesStatusA",
- ["367aeb81-9844-35f1-ad32-98f038001003",0x1b] = "OpenSCManagerA",
- ["367aeb81-9844-35f1-ad32-98f038001003",0x1c] = "OpenServiceA",
- ["367aeb81-9844-35f1-ad32-98f038001003",0x1d] = "QueryServiceConfigA",
- ["367aeb81-9844-35f1-ad32-98f038001003",0x1e] = "QueryServiceLockStatusA",
- ["367aeb81-9844-35f1-ad32-98f038001003",0x1f] = "StartServiceA",
- ["367aeb81-9844-35f1-ad32-98f038001003",0x20] = "GetServiceDisplayNameA",
- ["367aeb81-9844-35f1-ad32-98f038001003",0x21] = "GetServiceKeyNameA",
- ["367aeb81-9844-35f1-ad32-98f038001003",0x22] = "ScGetCurrentGroupStateW",
- ["367aeb81-9844-35f1-ad32-98f038001003",0x23] = "EnumServiceGroupW",
- ["367aeb81-9844-35f1-ad32-98f038001003",0x24] = "ChangeServiceConfig2A",
- ["367aeb81-9844-35f1-ad32-98f038001003",0x25] = "ChangeServiceConfig2W",
- ["367aeb81-9844-35f1-ad32-98f038001003",0x26] = "QueryServiceConfig2A",
- ["367aeb81-9844-35f1-ad32-98f038001003",0x27] = "QueryServiceConfig2W",
- ["367aeb81-9844-35f1-ad32-98f038001003",0x28] = "QueryServiceStatusEx",
- ["367aeb81-9844-35f1-ad32-98f038001003",0x29] = "EnumServicesStatusExA",
- ["367aeb81-9844-35f1-ad32-98f038001003",0x2a] = "EnumServicesStatusExW",
- ["367aeb81-9844-35f1-ad32-98f038001003",0x2b] = "ScSendTSMessage",
- ["367aeb81-9844-35f1-ad32-98f038001003",0x2c] = "CreateServiceWOW64A",
- ["367aeb81-9844-35f1-ad32-98f038001003",0x2d] = "CreateServiceWOW64W",
- ["367aeb81-9844-35f1-ad32-98f038001003",0x2e] = "ScQueryServiceTagInfo",
- ["367aeb81-9844-35f1-ad32-98f038001003",0x2f] = "NotifyServiceStatusChange",
- ["367aeb81-9844-35f1-ad32-98f038001003",0x30] = "GetNotifyResult",
- ["367aeb81-9844-35f1-ad32-98f038001003",0x31] = "CloseNotifyHandle",
- ["367aeb81-9844-35f1-ad32-98f038001003",0x32] = "ControlServiceExA",
- ["367aeb81-9844-35f1-ad32-98f038001003",0x33] = "ControlServiceExW",
- ["367aeb81-9844-35f1-ad32-98f038001003",0x34] = "ScSendPnPMessage",
- ["367aeb81-9844-35f1-ad32-98f038001003",0x35] = "ScValidatePnPService",
- ["367aeb81-9844-35f1-ad32-98f038001003",0x36] = "ScOpenServiceStatusHandle",
+ ["367abb81-9844-35f1-ad32-98f038001003",0x00] = "CloseServiceHandle",
+ ["367abb81-9844-35f1-ad32-98f038001003",0x01] = "ControlService",
+ ["367abb81-9844-35f1-ad32-98f038001003",0x02] = "DeleteService",
+ ["367abb81-9844-35f1-ad32-98f038001003",0x03] = "LockServiceDatabase",
+ ["367abb81-9844-35f1-ad32-98f038001003",0x04] = "QueryServiceObjectSecurity",
+ ["367abb81-9844-35f1-ad32-98f038001003",0x05] = "SetServiceObjectSecurity",
+ ["367abb81-9844-35f1-ad32-98f038001003",0x06] = "QueryServiceStatus",
+ ["367abb81-9844-35f1-ad32-98f038001003",0x07] = "SetServiceStatus",
+ ["367abb81-9844-35f1-ad32-98f038001003",0x08] = "UnlockServiceDatabase",
+ ["367abb81-9844-35f1-ad32-98f038001003",0x09] = "NotifyBootConfigStatus",
+ ["367abb81-9844-35f1-ad32-98f038001003",0x0a] = "ScSetServiceBitsW",
+ ["367abb81-9844-35f1-ad32-98f038001003",0x0b] = "ChangeServiceConfigW",
+ ["367abb81-9844-35f1-ad32-98f038001003",0x0c] = "CreateServiceW",
+ ["367abb81-9844-35f1-ad32-98f038001003",0x0d] = "EnumDependentServicesW",
+ ["367abb81-9844-35f1-ad32-98f038001003",0x0e] = "EnumServicesStatusW",
+ ["367abb81-9844-35f1-ad32-98f038001003",0x0f] = "OpenSCManagerW",
+ ["367abb81-9844-35f1-ad32-98f038001003",0x10] = "OpenServiceW",
+ ["367abb81-9844-35f1-ad32-98f038001003",0x11] = "QueryServiceConfigW",
+ ["367abb81-9844-35f1-ad32-98f038001003",0x12] = "QueryServiceLockStatusW",
+ ["367abb81-9844-35f1-ad32-98f038001003",0x13] = "StartServiceW",
+ ["367abb81-9844-35f1-ad32-98f038001003",0x14] = "GetServiceDisplayNameW",
+ ["367abb81-9844-35f1-ad32-98f038001003",0x15] = "GetServiceKeyNameW",
+ ["367abb81-9844-35f1-ad32-98f038001003",0x16] = "ScSetServiceBitsA",
+ ["367abb81-9844-35f1-ad32-98f038001003",0x17] = "ChangeServiceConfigA",
+ ["367abb81-9844-35f1-ad32-98f038001003",0x18] = "CreateServiceA",
+ ["367abb81-9844-35f1-ad32-98f038001003",0x19] = "EnumDependentServicesA",
+ ["367abb81-9844-35f1-ad32-98f038001003",0x1a] = "EnumServicesStatusA",
+ ["367abb81-9844-35f1-ad32-98f038001003",0x1b] = "OpenSCManagerA",
+ ["367abb81-9844-35f1-ad32-98f038001003",0x1c] = "OpenServiceA",
+ ["367abb81-9844-35f1-ad32-98f038001003",0x1d] = "QueryServiceConfigA",
+ ["367abb81-9844-35f1-ad32-98f038001003",0x1e] = "QueryServiceLockStatusA",
+ ["367abb81-9844-35f1-ad32-98f038001003",0x1f] = "StartServiceA",
+ ["367abb81-9844-35f1-ad32-98f038001003",0x20] = "GetServiceDisplayNameA",
+ ["367abb81-9844-35f1-ad32-98f038001003",0x21] = "GetServiceKeyNameA",
+ ["367abb81-9844-35f1-ad32-98f038001003",0x22] = "ScGetCurrentGroupStateW",
+ ["367abb81-9844-35f1-ad32-98f038001003",0x23] = "EnumServiceGroupW",
+ ["367abb81-9844-35f1-ad32-98f038001003",0x24] = "ChangeServiceConfig2A",
+ ["367abb81-9844-35f1-ad32-98f038001003",0x25] = "ChangeServiceConfig2W",
+ ["367abb81-9844-35f1-ad32-98f038001003",0x26] = "QueryServiceConfig2A",
+ ["367abb81-9844-35f1-ad32-98f038001003",0x27] = "QueryServiceConfig2W",
+ ["367abb81-9844-35f1-ad32-98f038001003",0x28] = "QueryServiceStatusEx",
+ ["367abb81-9844-35f1-ad32-98f038001003",0x29] = "EnumServicesStatusExA",
+ ["367abb81-9844-35f1-ad32-98f038001003",0x2a] = "EnumServicesStatusExW",
+ ["367abb81-9844-35f1-ad32-98f038001003",0x2b] = "ScSendTSMessage",
+ ["367abb81-9844-35f1-ad32-98f038001003",0x2c] = "CreateServiceWOW64A",
+ ["367abb81-9844-35f1-ad32-98f038001003",0x2d] = "CreateServiceWOW64W",
+ ["367abb81-9844-35f1-ad32-98f038001003",0x2e] = "ScQueryServiceTagInfo",
+ ["367abb81-9844-35f1-ad32-98f038001003",0x2f] = "NotifyServiceStatusChange",
+ ["367abb81-9844-35f1-ad32-98f038001003",0x30] = "GetNotifyResult",
+ ["367abb81-9844-35f1-ad32-98f038001003",0x31] = "CloseNotifyHandle",
+ ["367abb81-9844-35f1-ad32-98f038001003",0x32] = "ControlServiceExA",
+ ["367abb81-9844-35f1-ad32-98f038001003",0x33] = "ControlServiceExW",
+ ["367abb81-9844-35f1-ad32-98f038001003",0x34] = "ScSendPnPMessage",
+ ["367abb81-9844-35f1-ad32-98f038001003",0x35] = "ScValidatePnPService",
+ ["367abb81-9844-35f1-ad32-98f038001003",0x36] = "ScOpenServiceStatusHandle",
 
 # browser
 ["6bffd098-a112-3610-9833-012892020162",0x00] = "BrowserrServerEnum",
diff --git a/scripts/base/protocols/dce-rpc/main.bro b/scripts/base/protocols/dce-rpc/main.bro
index 795f575605..35724865fc 100644
--- a/scripts/base/protocols/dce-rpc/main.bro
+++ b/scripts/base/protocols/dce-rpc/main.bro
@@ -36,7 +36,9 @@ type State: record {
 named_pipe : string &optional;
 };
 
-type Stuff: record {
+# This is to store the log and state information
+# for multiple DCE/RPC bindings over a single TCP connection (named pipes).
+type BackingState: record {
 info: Info;
 state: State;
 };
@@ -44,7 +46,7 @@ type Stuff: record {
 redef record connection += {
 dce_rpc: Info &optional;
 dce_rpc_state: State &optional;
- dce_rpc_state_x: table[count] of Stuff &optional;
+ dce_rpc_state_x: table[count] of BackingState &optional;
 };
 
 const ports = { 135/tcp };
@@ -56,7 +58,16 @@ event bro_init() &priority=5
 Analyzer::register_for_ports(Analyzer::ANALYZER_DCE_RPC, ports);
 }
 
-function set_state(c: connection, state_x: Stuff)
+function normalize_named_pipe_name(pn: string): string
+ {
+ local parts = split_string(pn, /\\[pP][iI][pP][eE]\\/);
+ if ( 1 in parts )
+ return to_lower(parts[1]);
+ else
+ return to_lower(pn);
+ }
+
+function set_state(c: connection, state_x: BackingState)
 {
 c$dce_rpc = state_x$info;
 c$dce_rpc_state = state_x$state;
@@ -76,7 +87,7 @@ function set_session(c: connection, fid: count)
 if ( fid !in c$dce_rpc_state_x )
 {
 local info = Info($ts=network_time(),$id=c$id,$uid=c$uid);
- c$dce_rpc_state_x[fid] = Stuff($info=info, $state=State());
+ c$dce_rpc_state_x[fid] = BackingState($info=info, $state=State());
 }
 
 local state_x = c$dce_rpc_state_x[fid];
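Review bot: The corrected svcctl interface ID `367abb81-9844-35f1-ad32-98f038001003` only helps if the uuid-to-endpoint-name table earlier in this file (the one whose `&default=... fmt("unknown-%s", uuid)` tail shows in the first hunk) carries the corrected value too; that table is outside this hunk, so grep the file for the old `367aeb81` before merging, since the main.bro lookups below only consult `operations` once `endpoint` is set. A one-line comment above the block, `# svcctl (MS-SCMR) - interface UUID 367abb81-9844-35f1-ad32-98f038001003`, would make a future transposition easier to spot than 55 identical keys. The enclosing `export`/`operations` initializer starts and ends outside the hunk.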
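Review bot: `normalize_named_pipe_name` only recognizes a literal `\pipe\` infix, so a pipe name recorded as `\srvsvc` (the form an SMB1 create carries) or `srvsvc\` falls through to `to_lower(pn)` and the `pipe_name_to_common_uuid` lookup in the later hunks silently misses, while a name with components after `\pipe\` is returned with them still attached. Returning the last non-empty backslash-separated component, lowercased, handles all of these spellings with the same table keys. I cannot see how the SMB analyzer populates `named_pipe`, so the spellings are worth confirming against a capture before relying on the fallback.
```bro
function normalize_named_pipe_name(pn: string): string
	{
	# Return the last non-empty backslash-separated component, lowercased, so
	# "\pipe\srvsvc", "\PIPE\srvsvc\", "\srvsvc" and "srvsvc" all yield "srvsvc".
	local parts = split_string(pn, /\\+/);
	local i = |parts|;
	while ( i > 0 )
		{
		i = i - 1;
		if ( parts[i] != "" )
			return to_lower(parts[i]);
		}
	return to_lower(pn);
	}
```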
@@ -120,6 +131,18 @@ event dce_rpc_response(c: connection, fid: count, opnum: count, stub_len: count)
 {
 set_session(c, fid);
 
+ # In the event that the binding wasn't seen, but the pipe
+ # name is known, go ahead and see if we have a pipe name to
+ # uuid mapping...
+ if ( ! c$dce_rpc?$endpoint && c$dce_rpc?$named_pipe )
+ {
+ local npn = normalize_named_pipe_name(c$dce_rpc$named_pipe);
+ if ( npn in pipe_name_to_common_uuid )
+ {
+ c$dce_rpc_state$uuid = pipe_name_to_common_uuid[npn];
+ }
+ }
+
 if ( c?$dce_rpc && c$dce_rpc?$endpoint )
 {
 c$dce_rpc$operation = operations[c$dce_rpc_state$uuid, opnum];
@@ -134,7 +157,7 @@ event dce_rpc_response(c: connection, fid: count, opnum: count, stub_len: count)
 {
 # If there is not an endpoint, there isn't much reason to log.
 # This can happen if the request isn't seen.
- if ( c$dce_rpc?$endpoint )
+ if ( c$dce_rpc?$endpoint && c$dce_rpc?$operation )
 Log::write(LOG, c$dce_rpc);
 delete c$dce_rpc;
 }
@@ -150,7 +173,20 @@ event connection_state_remove(c: connection)
 {
 local x = c$dce_rpc_state_x[i];
 set_state(c, x);
- if ( c$dce_rpc?$endpoint )
+
+ # In the event that the binding wasn't seen, but the pipe
+ # name is known, go ahead and see if we have a pipe name to
+ # uuid mapping...
+ if ( ! c$dce_rpc?$endpoint && c$dce_rpc?$named_pipe )
+ {
+ local npn = normalize_named_pipe_name(c$dce_rpc$named_pipe);
+ if ( npn in pipe_name_to_common_uuid )
+ {
+ c$dce_rpc_state$uuid = pipe_name_to_common_uuid[npn];
+ }
+ }
+
+ if ( c$dce_rpc?$endpoint && c$dce_rpc?$operation )
 Log::write(LOG, c$dce_rpc);
 }
 }
\ No newline at end of file
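Review bot: The fallback only assigns `c$dce_rpc_state$uuid`, but the operation lookup immediately below and the log gate in the next hunk both test `c$dce_rpc?$endpoint`, which this code never sets; unless something between the two `dce_rpc_response` handlers derives `endpoint` from the state UUID (not visible here), a bind-less pipe still yields no `operation` and no log record and the new table is inert. The fix is to set the endpoint alongside the UUID from the uuid-to-name table whose tail appears in the consts.bro hunk, `c$dce_rpc$endpoint = <that table>[c$dce_rpc_state$uuid];`, and to mark the record as inferred, because a pipe name is weaker evidence than an observed bind PDU and an analyst should not read a guessed `spoolss` or `winreg` label as confirmed. The enclosing event handler continues outside the hunk.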
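Review bot: Adding `&& c$dce_rpc?$operation` to the log gate drops every response on a known endpoint whose `operation` was never filled in, and if `operations` has no `&default` (its closing line is outside view) that covers every opnum absent from the table, which are precisely the rare or undocumented calls a detection engineer most wants in dce_rpc.log. If the goal is only to avoid a half-populated record, keep the endpoint-only gate and let `operation` be absent, or give `operations` a `&default=function(uuid: string, opnum: count): string { return fmt("unknown-%d", opnum); }` so the record is always complete. At minimum the comment above the check should state why an operation-less record is not worth logging.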
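Review bot: The pipe-name fallback in `connection_state_remove` is a verbatim copy of the block added to `dce_rpc_response` in the hunk above, which will drift the first time one site is fixed and the other is not; a helper called from both places keeps the heuristic in one spot and makes it clear it is applied per `fid` inside this loop. The helper must be defined above both callers since Bro resolves functions at parse time. The `for` loop enclosing this hunk starts outside it.
```bro
# Set the state UUID from the pipe name when no bind was observed.
# Callers still gate logging on endpoint/operation being present.
function apply_pipe_name_fallback(c: connection)
	{
	if ( c$dce_rpc?$endpoint || ! c$dce_rpc?$named_pipe )
		return;

	local npn = normalize_named_pipe_name(c$dce_rpc$named_pipe);
	if ( npn in pipe_name_to_common_uuid )
		c$dce_rpc_state$uuid = pipe_name_to_common_uuid[npn];
	}

# ... unchanged: connection_state_remove loop header, set_state(c, x) ...
		apply_pipe_name_fallback(c);
		if ( c$dce_rpc?$endpoint && c$dce_rpc?$operation )
			Log::write(LOG, c$dce_rpc);
```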