Merge branch 'topic/foxds/dcerpc_auth' of ssh://github.com/fox-ds/zeek

* 'topic/foxds/dcerpc_auth' of ssh://github.com/fox-ds/zeek:
  Fix protocol forwarding in dce_rpc-auth
  Fix protocol forwarding in dce_rpc-auth
Robin Sommer 2021-09-23 17:48:13 +02:00
commit dd5d6e1756
11 changed files with 79 additions and 4 deletions


@ -1,4 +1,9 @@
4.2.0-dev.208 | 2021-09-23 17:48:13 +0200
* Fix and extend protocol forwarding/logging in dce_rpc-auth.
(FOX-DS)
4.2.0-dev.205 | 2021-09-23 12:24:06 +0200 4.2.0-dev.205 | 2021-09-23 12:24:06 +0200
* Avoid allocation of duplicate zero-length strings for new * Avoid allocation of duplicate zero-length strings for new


@ -1 +1 @@
4.2.0-dev.205 4.2.0-dev.208


@ -6,11 +6,13 @@ refine connection DCE_RPC_Conn += {
%member{ %member{
zeek::analyzer::Analyzer *gssapi; zeek::analyzer::Analyzer *gssapi;
zeek::analyzer::Analyzer *ntlm; zeek::analyzer::Analyzer *ntlm;
zeek::analyzer::Analyzer *krb;
%} %}
%init{ %init{
ntlm = 0; ntlm = 0;
gssapi = 0; gssapi = 0;
krb = 0;
%} %}
%cleanup{ %cleanup{
@ -24,24 +26,47 @@ refine connection DCE_RPC_Conn += {
ntlm->Done(); ntlm->Done();
delete ntlm; delete ntlm;
} }
if ( krb )
{
krb->Done();
delete krb;
}
%} %}
function forward_auth(auth: DCE_RPC_Auth, is_orig: bool): bool function forward_auth(auth: DCE_RPC_Auth, is_orig: bool): bool
%{ %{
switch ( ${auth.type} ) switch ( ${auth.type} ) // https://social.msdn.microsoft.com/Forums/en-US/44212c32-a4f6-4960-8799-0e00821650f4/msrpc-and-dcerpc-security?forum=os_windowsprotocols
{ {
case 0x09: case 0x09:
if ( ! gssapi ) if ( ! gssapi )
gssapi = zeek::analyzer_mgr->InstantiateAnalyzer("KRB", zeek_analyzer()->Conn()); gssapi = zeek::analyzer_mgr->InstantiateAnalyzer("GSSAPI", zeek_analyzer()->Conn());
if ( gssapi ) if ( gssapi )
gssapi->DeliverStream(${auth.blob}.length(), ${auth.blob}.begin(), is_orig); gssapi->DeliverStream(${auth.blob}.length(), ${auth.blob}.begin(), is_orig);
break; break;
case 0x10:
if ( ! krb )
krb = zeek::analyzer_mgr->InstantiateAnalyzer("KRB", zeek_analyzer()->Conn());
if ( krb )
krb->DeliverStream(${auth.blob}.length(), ${auth.blob}.begin(), is_orig);
break;
case 0x0a: case 0x0a:
if ( ! ntlm ) if ( ! ntlm )
ntlm = zeek::analyzer_mgr->InstantiateAnalyzer("NTLM", zeek_analyzer()->Conn()); ntlm = zeek::analyzer_mgr->InstantiateAnalyzer("NTLM", zeek_analyzer()->Conn());
if ( ntlm ) if ( ntlm )
ntlm->DeliverStream(${auth.blob}.length(), ${auth.blob}.begin(), is_orig); ntlm->DeliverStream(${auth.blob}.length(), ${auth.blob}.begin(), is_orig);
break; break;
case 0x0e:
zeek_analyzer()->Weird("tls_dce_rpc_auth_type", zeek::util::fmt("%d", ${auth.type}));
break;
case 0x44:
zeek_analyzer()->Weird("netlogon_dce_rpc_auth_type", zeek::util::fmt("%d", ${auth.type}));
break;
default: default:
zeek_analyzer()->Weird("unknown_dce_rpc_auth_type", zeek::util::fmt("%d", ${auth.type})); zeek_analyzer()->Weird("unknown_dce_rpc_auth_type", zeek::util::fmt("%d", ${auth.type}));
break; break;
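Review bot: The new case labels 0x10, 0x0e and 0x44 (and the existing 0x09/0x0a) are bare numbers documented only by the forum URL appended to the `switch` line; a per-case comment naming the MS-RPCE authentication service would make the dispatch self-explanatory, e.g. `case 0x10: // RPC_C_AUTHN_GSS_KERBEROS`, `case 0x0e: // RPC_C_AUTHN_GSS_SCHANNEL (TLS)`, `case 0x44: // RPC_C_AUTHN_NETLOGON`. In the two new Weird calls the type is already encoded in the weird name, so the `addl` argument built with `zeek::util::fmt("%d", ${auth.type})` only repeats it; the `default` case is the one that genuinely needs the number. Since 0x0e and 0x44 are documented authentication services rather than malformed input, a short comment above those cases stating that the blob is deliberately not forwarded because no analyzer exists for it would keep these weirds from being read later as a parsing problem. forward_auth's closing `%}` lies outside the hunk.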


@ -0,0 +1,11 @@
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path dce_rpc
#open XXXX-XX-XX-XX-XX-XX
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p rtt named_pipe endpoint operation
#types time string addr port addr port interval string string string
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 10.10.10.121 58774 10.10.10.100 49676 0.000758 49676 netlogon NetrLogonSamLogonWithFlags
#close XXXX-XX-XX-XX-XX-XX


@ -0,0 +1,11 @@
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path weird
#open XXXX-XX-XX-XX-XX-XX
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer source
#types time string addr port addr port string string bool string string
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 10.10.10.121 58774 10.10.10.100 49676 netlogon_dce_rpc_auth_type 68 F zeek DCE_RPC
#close XXXX-XX-XX-XX-XX-XX


@ -0,0 +1,11 @@
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path ntlm
#open XXXX-XX-XX-XX-XX-XX
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p username hostname domainname server_nb_computer_name server_dns_computer_name server_tree_name success
#types time string addr port addr port string string string string string string bool
XXXXXXXXXX.XXXXXX ClEkJM2Vm5giqnMf4h 10.10.10.121 58772 10.10.10.120 54784 - - - CBTH-WS-2 CBTH-WS-2.blackclover.local blackclover.local -
#close XXXX-XX-XX-XX-XX-XX

Binary file not shown.

Binary file not shown.


@ -0,0 +1,7 @@
# @TEST-EXEC: zeek -b -r $TRACES/dce-rpc/dce_rpc_netlogon.pcap %INPUT
# @TEST-EXEC: btest-diff weird.log
# @TEST-EXEC: btest-diff dce_rpc.log
@load base/protocols/dce-rpc
@load base/protocols/ntlm
@load base/frameworks/notice/weird


@ -0,0 +1,5 @@
# @TEST-EXEC: zeek -b -r $TRACES/dce-rpc/dce_rpc_ntlm.pcap %INPUT
# @TEST-EXEC: btest-diff ntlm.log
@load base/protocols/dce-rpc
@load base/protocols/ntlm


@ -1 +1 @@
44cc696ed070bf7569848437ab1368d557ace4e5 67f592e6a84d236aaf5cc08c91c71625a095e49a