Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-04 15:48:19 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 2

Small improvements to DCE/RPC handling.

Browse source 
- Fix an issue with svcctl uuid -> operation mapping.
 - Add a heuristic to fill out the endpoint name in
   case the original dce/rpc binding wasn't seen.
 - Improve naming and code structure in the dce/rpc scripts.
This commit is contained in:
Seth Hall 2016-04-13 12:10:51 -04:00
parent 5d33ac773b
commit dcb8dee3eb
2 changed files with 106 additions and 61 deletions
Download patch file Download diff file Expand all files Collapse all files

119
scripts/base/protocols/dce-rpc/consts.bro
View file

@ -90,6 +90,15 @@ export {
["2f5f3220-c126-1076-b549-074d078619da"] = "nddeapi", ["2f5f3220-c126-1076-b549-074d078619da"] = "nddeapi",
} &redef &default=function(uuid: string): string { return fmt("unknown-%s", uuid); }; } &redef &default=function(uuid: string): string { return fmt("unknown-%s", uuid); };
## This table is to map pipe names to the most common
## service used over that pipe. It helps in cases
## where the pipe binding wasn't seen.
const pipe_name_to_common_uuid: table[string] of string = {
["winreg"] = "338cd001-2244-31f1-aaaa-900038001003",
["spoolss"] = "12345678-1234-abcd-ef00-0123456789ab",
["srvsvc"] = "4b324fc8-1670-01d3-1278-5a47bf6ee188",
} &redef;
const operations: table[string,count] of string = { const operations: table[string,count] of string = {
# atsvc # atsvc
["1ff70682-0a51-30e8-076d-740be8cee98b",0] = "NetrJobAdd", ["1ff70682-0a51-30e8-076d-740be8cee98b",0] = "NetrJobAdd",
@ -641,61 +650,61 @@ export {
["3919286a-b10c-11d0-9ba8-00c04fd92ef5",0x0a] = "DsRolerAbortDownlevelServerUpgrade", ["3919286a-b10c-11d0-9ba8-00c04fd92ef5",0x0a] = "DsRolerAbortDownlevelServerUpgrade",
# svcctl # svcctl
["367aeb81-9844-35f1-ad32-98f038001003",0x00] = "CloseServiceHandle", ["367abb81-9844-35f1-ad32-98f038001003",0x00] = "CloseServiceHandle",
["367aeb81-9844-35f1-ad32-98f038001003",0x01] = "ControlService", ["367abb81-9844-35f1-ad32-98f038001003",0x01] = "ControlService",
["367aeb81-9844-35f1-ad32-98f038001003",0x02] = "DeleteService", ["367abb81-9844-35f1-ad32-98f038001003",0x02] = "DeleteService",
["367aeb81-9844-35f1-ad32-98f038001003",0x03] = "LockServiceDatabase", ["367abb81-9844-35f1-ad32-98f038001003",0x03] = "LockServiceDatabase",
["367aeb81-9844-35f1-ad32-98f038001003",0x04] = "QueryServiceObjectSecurity", ["367abb81-9844-35f1-ad32-98f038001003",0x04] = "QueryServiceObjectSecurity",
["367aeb81-9844-35f1-ad32-98f038001003",0x05] = "SetServiceObjectSecurity", ["367abb81-9844-35f1-ad32-98f038001003",0x05] = "SetServiceObjectSecurity",
["367aeb81-9844-35f1-ad32-98f038001003",0x06] = "QueryServiceStatus", ["367abb81-9844-35f1-ad32-98f038001003",0x06] = "QueryServiceStatus",
["367aeb81-9844-35f1-ad32-98f038001003",0x07] = "SetServiceStatus", ["367abb81-9844-35f1-ad32-98f038001003",0x07] = "SetServiceStatus",
["367aeb81-9844-35f1-ad32-98f038001003",0x08] = "UnlockServiceDatabase", ["367abb81-9844-35f1-ad32-98f038001003",0x08] = "UnlockServiceDatabase",
["367aeb81-9844-35f1-ad32-98f038001003",0x09] = "NotifyBootConfigStatus", ["367abb81-9844-35f1-ad32-98f038001003",0x09] = "NotifyBootConfigStatus",
["367aeb81-9844-35f1-ad32-98f038001003",0x0a] = "ScSetServiceBitsW", ["367abb81-9844-35f1-ad32-98f038001003",0x0a] = "ScSetServiceBitsW",
["367aeb81-9844-35f1-ad32-98f038001003",0x0b] = "ChangeServiceConfigW", ["367abb81-9844-35f1-ad32-98f038001003",0x0b] = "ChangeServiceConfigW",
["367aeb81-9844-35f1-ad32-98f038001003",0x0c] = "CreateServiceW", ["367abb81-9844-35f1-ad32-98f038001003",0x0c] = "CreateServiceW",
["367aeb81-9844-35f1-ad32-98f038001003",0x0d] = "EnumDependentServicesW", ["367abb81-9844-35f1-ad32-98f038001003",0x0d] = "EnumDependentServicesW",
["367aeb81-9844-35f1-ad32-98f038001003",0x0e] = "EnumServicesStatusW", ["367abb81-9844-35f1-ad32-98f038001003",0x0e] = "EnumServicesStatusW",
["367aeb81-9844-35f1-ad32-98f038001003",0x0f] = "OpenSCManagerW", ["367abb81-9844-35f1-ad32-98f038001003",0x0f] = "OpenSCManagerW",
["367aeb81-9844-35f1-ad32-98f038001003",0x10] = "OpenServiceW", ["367abb81-9844-35f1-ad32-98f038001003",0x10] = "OpenServiceW",
["367aeb81-9844-35f1-ad32-98f038001003",0x11] = "QueryServiceConfigW", ["367abb81-9844-35f1-ad32-98f038001003",0x11] = "QueryServiceConfigW",
["367aeb81-9844-35f1-ad32-98f038001003",0x12] = "QueryServiceLockStatusW", ["367abb81-9844-35f1-ad32-98f038001003",0x12] = "QueryServiceLockStatusW",
["367aeb81-9844-35f1-ad32-98f038001003",0x13] = "StartServiceW", ["367abb81-9844-35f1-ad32-98f038001003",0x13] = "StartServiceW",
["367aeb81-9844-35f1-ad32-98f038001003",0x14] = "GetServiceDisplayNameW", ["367abb81-9844-35f1-ad32-98f038001003",0x14] = "GetServiceDisplayNameW",
["367aeb81-9844-35f1-ad32-98f038001003",0x15] = "GetServiceKeyNameW", ["367abb81-9844-35f1-ad32-98f038001003",0x15] = "GetServiceKeyNameW",
["367aeb81-9844-35f1-ad32-98f038001003",0x16] = "ScSetServiceBitsA", ["367abb81-9844-35f1-ad32-98f038001003",0x16] = "ScSetServiceBitsA",
["367aeb81-9844-35f1-ad32-98f038001003",0x17] = "ChangeServiceConfigA", ["367abb81-9844-35f1-ad32-98f038001003",0x17] = "ChangeServiceConfigA",
["367aeb81-9844-35f1-ad32-98f038001003",0x18] = "CreateServiceA", ["367abb81-9844-35f1-ad32-98f038001003",0x18] = "CreateServiceA",
["367aeb81-9844-35f1-ad32-98f038001003",0x19] = "EnumDependentServicesA", ["367abb81-9844-35f1-ad32-98f038001003",0x19] = "EnumDependentServicesA",
["367aeb81-9844-35f1-ad32-98f038001003",0x1a] = "EnumServicesStatusA", ["367abb81-9844-35f1-ad32-98f038001003",0x1a] = "EnumServicesStatusA",
["367aeb81-9844-35f1-ad32-98f038001003",0x1b] = "OpenSCManagerA", ["367abb81-9844-35f1-ad32-98f038001003",0x1b] = "OpenSCManagerA",
["367aeb81-9844-35f1-ad32-98f038001003",0x1c] = "OpenServiceA", ["367abb81-9844-35f1-ad32-98f038001003",0x1c] = "OpenServiceA",
["367aeb81-9844-35f1-ad32-98f038001003",0x1d] = "QueryServiceConfigA", ["367abb81-9844-35f1-ad32-98f038001003",0x1d] = "QueryServiceConfigA",
["367aeb81-9844-35f1-ad32-98f038001003",0x1e] = "QueryServiceLockStatusA", ["367abb81-9844-35f1-ad32-98f038001003",0x1e] = "QueryServiceLockStatusA",
["367aeb81-9844-35f1-ad32-98f038001003",0x1f] = "StartServiceA", ["367abb81-9844-35f1-ad32-98f038001003",0x1f] = "StartServiceA",
["367aeb81-9844-35f1-ad32-98f038001003",0x20] = "GetServiceDisplayNameA", ["367abb81-9844-35f1-ad32-98f038001003",0x20] = "GetServiceDisplayNameA",
["367aeb81-9844-35f1-ad32-98f038001003",0x21] = "GetServiceKeyNameA", ["367abb81-9844-35f1-ad32-98f038001003",0x21] = "GetServiceKeyNameA",
["367aeb81-9844-35f1-ad32-98f038001003",0x22] = "ScGetCurrentGroupStateW", ["367abb81-9844-35f1-ad32-98f038001003",0x22] = "ScGetCurrentGroupStateW",
["367aeb81-9844-35f1-ad32-98f038001003",0x23] = "EnumServiceGroupW", ["367abb81-9844-35f1-ad32-98f038001003",0x23] = "EnumServiceGroupW",
["367aeb81-9844-35f1-ad32-98f038001003",0x24] = "ChangeServiceConfig2A", ["367abb81-9844-35f1-ad32-98f038001003",0x24] = "ChangeServiceConfig2A",
["367aeb81-9844-35f1-ad32-98f038001003",0x25] = "ChangeServiceConfig2W", ["367abb81-9844-35f1-ad32-98f038001003",0x25] = "ChangeServiceConfig2W",
["367aeb81-9844-35f1-ad32-98f038001003",0x26] = "QueryServiceConfig2A", ["367abb81-9844-35f1-ad32-98f038001003",0x26] = "QueryServiceConfig2A",
["367aeb81-9844-35f1-ad32-98f038001003",0x27] = "QueryServiceConfig2W", ["367abb81-9844-35f1-ad32-98f038001003",0x27] = "QueryServiceConfig2W",
["367aeb81-9844-35f1-ad32-98f038001003",0x28] = "QueryServiceStatusEx", ["367abb81-9844-35f1-ad32-98f038001003",0x28] = "QueryServiceStatusEx",
["367aeb81-9844-35f1-ad32-98f038001003",0x29] = "EnumServicesStatusExA", ["367abb81-9844-35f1-ad32-98f038001003",0x29] = "EnumServicesStatusExA",
["367aeb81-9844-35f1-ad32-98f038001003",0x2a] = "EnumServicesStatusExW", ["367abb81-9844-35f1-ad32-98f038001003",0x2a] = "EnumServicesStatusExW",
["367aeb81-9844-35f1-ad32-98f038001003",0x2b] = "ScSendTSMessage", ["367abb81-9844-35f1-ad32-98f038001003",0x2b] = "ScSendTSMessage",
["367aeb81-9844-35f1-ad32-98f038001003",0x2c] = "CreateServiceWOW64A", ["367abb81-9844-35f1-ad32-98f038001003",0x2c] = "CreateServiceWOW64A",
["367aeb81-9844-35f1-ad32-98f038001003",0x2d] = "CreateServiceWOW64W", ["367abb81-9844-35f1-ad32-98f038001003",0x2d] = "CreateServiceWOW64W",
["367aeb81-9844-35f1-ad32-98f038001003",0x2e] = "ScQueryServiceTagInfo", ["367abb81-9844-35f1-ad32-98f038001003",0x2e] = "ScQueryServiceTagInfo",
["367aeb81-9844-35f1-ad32-98f038001003",0x2f] = "NotifyServiceStatusChange", ["367abb81-9844-35f1-ad32-98f038001003",0x2f] = "NotifyServiceStatusChange",
["367aeb81-9844-35f1-ad32-98f038001003",0x30] = "GetNotifyResult", ["367abb81-9844-35f1-ad32-98f038001003",0x30] = "GetNotifyResult",
["367aeb81-9844-35f1-ad32-98f038001003",0x31] = "CloseNotifyHandle", ["367abb81-9844-35f1-ad32-98f038001003",0x31] = "CloseNotifyHandle",
["367aeb81-9844-35f1-ad32-98f038001003",0x32] = "ControlServiceExA", ["367abb81-9844-35f1-ad32-98f038001003",0x32] = "ControlServiceExA",
["367aeb81-9844-35f1-ad32-98f038001003",0x33] = "ControlServiceExW", ["367abb81-9844-35f1-ad32-98f038001003",0x33] = "ControlServiceExW",
["367aeb81-9844-35f1-ad32-98f038001003",0x34] = "ScSendPnPMessage", ["367abb81-9844-35f1-ad32-98f038001003",0x34] = "ScSendPnPMessage",
["367aeb81-9844-35f1-ad32-98f038001003",0x35] = "ScValidatePnPService", ["367abb81-9844-35f1-ad32-98f038001003",0x35] = "ScValidatePnPService",
["367aeb81-9844-35f1-ad32-98f038001003",0x36] = "ScOpenServiceStatusHandle", ["367abb81-9844-35f1-ad32-98f038001003",0x36] = "ScOpenServiceStatusHandle",
# browser # browser
["6bffd098-a112-3610-9833-012892020162",0x00] = "BrowserrServerEnum", ["6bffd098-a112-3610-9833-012892020162",0x00] = "BrowserrServerEnum",

48
scripts/base/protocols/dce-rpc/main.bro
View file

@ -36,7 +36,9 @@ type State: record {
named_pipe : string &optional; named_pipe : string &optional;
}; };
type Stuff: record { # This is to store the log and state information
# for multiple DCE/RPC bindings over a single TCP connection (named pipes).
type BackingState: record {
info: Info; info: Info;
state: State; state: State;
}; };
@ -44,7 +46,7 @@ type Stuff: record {
redef record connection += { redef record connection += {
dce_rpc: Info &optional; dce_rpc: Info &optional;
dce_rpc_state: State &optional; dce_rpc_state: State &optional;
dce_rpc_state_x: table[count] of Stuff &optional; dce_rpc_state_x: table[count] of BackingState &optional;
}; };
const ports = { 135/tcp }; const ports = { 135/tcp };
@ -56,7 +58,16 @@ event bro_init() &priority=5
Analyzer::register_for_ports(Analyzer::ANALYZER_DCE_RPC, ports); Analyzer::register_for_ports(Analyzer::ANALYZER_DCE_RPC, ports);
} }
function set_state(c: connection, state_x: Stuff) function normalize_named_pipe_name(pn: string): string
{
local parts = split_string(pn, /\\[pP][iI][pP][eE]\\/);
if ( 1 in parts )
return to_lower(parts[1]);
else
return to_lower(pn);
}
function set_state(c: connection, state_x: BackingState)
{ {
c$dce_rpc = state_x$info; c$dce_rpc = state_x$info;
c$dce_rpc_state = state_x$state; c$dce_rpc_state = state_x$state;
@ -76,7 +87,7 @@ function set_session(c: connection, fid: count)
if ( fid !in c$dce_rpc_state_x ) if ( fid !in c$dce_rpc_state_x )
{ {
local info = Info($ts=network_time(),$id=c$id,$uid=c$uid); local info = Info($ts=network_time(),$id=c$id,$uid=c$uid);
c$dce_rpc_state_x[fid] = Stuff($info=info, $state=State()); c$dce_rpc_state_x[fid] = BackingState($info=info, $state=State());
} }
local state_x = c$dce_rpc_state_x[fid]; local state_x = c$dce_rpc_state_x[fid];
@ -120,6 +131,18 @@ event dce_rpc_response(c: connection, fid: count, opnum: count, stub_len: count)
{ {
set_session(c, fid); set_session(c, fid);
# In the event that the binding wasn't seen, but the pipe
# name is known, go ahead and see if we have a pipe name to
# uuid mapping...
if ( ! c$dce_rpc?$endpoint && c$dce_rpc?$named_pipe )
{
local npn = normalize_named_pipe_name(c$dce_rpc$named_pipe);
if ( npn in pipe_name_to_common_uuid )
{
c$dce_rpc_state$uuid = pipe_name_to_common_uuid[npn];
}
}
if ( c?$dce_rpc && c$dce_rpc?$endpoint ) if ( c?$dce_rpc && c$dce_rpc?$endpoint )
{ {
c$dce_rpc$operation = operations[c$dce_rpc_state$uuid, opnum]; c$dce_rpc$operation = operations[c$dce_rpc_state$uuid, opnum];
@ -134,7 +157,7 @@ event dce_rpc_response(c: connection, fid: count, opnum: count, stub_len: count)
{ {
# If there is not an endpoint, there isn't much reason to log. # If there is not an endpoint, there isn't much reason to log.
# This can happen if the request isn't seen. # This can happen if the request isn't seen.
if ( c$dce_rpc?$endpoint ) if ( c$dce_rpc?$endpoint && c$dce_rpc?$operation )
Log::write(LOG, c$dce_rpc); Log::write(LOG, c$dce_rpc);
delete c$dce_rpc; delete c$dce_rpc;
} }
@ -150,7 +173,20 @@ event connection_state_remove(c: connection)
{ {
local x = c$dce_rpc_state_x[i]; local x = c$dce_rpc_state_x[i];
set_state(c, x); set_state(c, x);
if ( c$dce_rpc?$endpoint )
# In the event that the binding wasn't seen, but the pipe
# name is known, go ahead and see if we have a pipe name to
# uuid mapping...
if ( ! c$dce_rpc?$endpoint && c$dce_rpc?$named_pipe )
{
local npn = normalize_named_pipe_name(c$dce_rpc$named_pipe);
if ( npn in pipe_name_to_common_uuid )
{
c$dce_rpc_state$uuid = pipe_name_to_common_uuid[npn];
}
}
if ( c$dce_rpc?$endpoint && c$dce_rpc?$operation )
Log::write(LOG, c$dce_rpc); Log::write(LOG, c$dce_rpc);
} }
} }