Merge branch 'topic/foxds/dcerpc_auth' of ssh://github.com/fox-ds/zeek

* 'topic/foxds/dcerpc_auth' of ssh://github.com/fox-ds/zeek:
  Fix protocol forwarding in dce_rpc-auth
  Fix protocol forwarding in dce_rpc-auth
Robin Sommer 2021-09-23 17:48:13 +02:00
commit dd5d6e1756
11 changed files with 79 additions and 4 deletions


@ -6,11 +6,13 @@ refine connection DCE_RPC_Conn += {
%member{
zeek::analyzer::Analyzer *gssapi;
zeek::analyzer::Analyzer *ntlm;
zeek::analyzer::Analyzer *krb;
%}
%init{
ntlm = 0;
gssapi = 0;
krb = 0;
%}
%cleanup{
@ -24,24 +26,47 @@ refine connection DCE_RPC_Conn += {
ntlm->Done();
delete ntlm;
}
if ( krb )
{
krb->Done();
delete krb;
}
%}
function forward_auth(auth: DCE_RPC_Auth, is_orig: bool): bool
%{
switch ( ${auth.type} )
switch ( ${auth.type} ) // https://social.msdn.microsoft.com/Forums/en-US/44212c32-a4f6-4960-8799-0e00821650f4/msrpc-and-dcerpc-security?forum=os_windowsprotocols
{
case 0x09:
if ( ! gssapi )
gssapi = zeek::analyzer_mgr->InstantiateAnalyzer("KRB", zeek_analyzer()->Conn());
gssapi = zeek::analyzer_mgr->InstantiateAnalyzer("GSSAPI", zeek_analyzer()->Conn());
if ( gssapi )
gssapi->DeliverStream(${auth.blob}.length(), ${auth.blob}.begin(), is_orig);
break;
case 0x10:
if ( ! krb )
krb = zeek::analyzer_mgr->InstantiateAnalyzer("KRB", zeek_analyzer()->Conn());
if ( krb )
krb->DeliverStream(${auth.blob}.length(), ${auth.blob}.begin(), is_orig);
break;
case 0x0a:
if ( ! ntlm )
ntlm = zeek::analyzer_mgr->InstantiateAnalyzer("NTLM", zeek_analyzer()->Conn());
if ( ntlm )
ntlm->DeliverStream(${auth.blob}.length(), ${auth.blob}.begin(), is_orig);
break;
case 0x0e:
zeek_analyzer()->Weird("tls_dce_rpc_auth_type", zeek::util::fmt("%d", ${auth.type}));
break;
case 0x44:
zeek_analyzer()->Weird("netlogon_dce_rpc_auth_type", zeek::util::fmt("%d", ${auth.type}));
break;
default:
zeek_analyzer()->Weird("unknown_dce_rpc_auth_type", zeek::util::fmt("%d", ${auth.type}));
break;