From e69bb37cc79a684a8c66f1fef1b7376e2e973380 Mon Sep 17 00:00:00 2001 From: Julien Wallior Date: Tue, 14 Feb 2017 10:23:34 -0500 Subject: [PATCH] Expand parsing of RPC Call packets to add Uid, Gid, Stamp, MachineName and AuxGIDs --- scripts/base/init-bare.bro | 10 ++++++++++ src/analyzer/protocol/rpc/NFS.cc | 10 ++++++++++ src/analyzer/protocol/rpc/RPC.cc | 14 +++++++++++++- src/analyzer/protocol/rpc/RPC.h | 11 ++++++++++- 4 files changed, 43 insertions(+), 2 deletions(-) diff --git a/scripts/base/init-bare.bro b/scripts/base/init-bare.bro index b5bf5d298d..42f75f250c 100644 --- a/scripts/base/init-bare.bro +++ b/scripts/base/init-bare.bro @@ -2142,6 +2142,16 @@ export { rep_dur: interval; ## The length in bytes of the reply. rep_len: count; + ## The user id of the reply. + rpc_uid: count; + ## The group id of the reply. + rpc_gid: count; + ## The stamp of the reply. + rpc_stamp: count; + ## The machine name of the reply. + rpc_machine_name: string; + ## The auxiliary ids of the reply. + rpc_auxgids: index_vec; }; ## NFS file attributes. Field names are based on RFC 1813. diff --git a/src/analyzer/protocol/rpc/NFS.cc b/src/analyzer/protocol/rpc/NFS.cc index a8434afb74..c4ab307364 100644 --- a/src/analyzer/protocol/rpc/NFS.cc +++ b/src/analyzer/protocol/rpc/NFS.cc @@ -1,6 +1,7 @@ // See the file "COPYING" in the main distribution directory for copyright. #include +#include #include "bro-config.h" @@ -288,6 +289,10 @@ val_list* NFS_Interp::event_common_vl(RPC_CallInfo *c, BifEnum::rpc_status rpc_s // These are the first parameters for each nfs_* event ... val_list *vl = new val_list; vl->append(analyzer->BuildConnVal()); + VectorVal* auxgids = new VectorVal(internal_type("index_vec")->AsVectorType()); + for (size_t i = 0; i < c->AuxGIDs().size(); ++i) { + auxgids->Assign(i, new Val(c->AuxGIDs()[i], TYPE_COUNT)); + } RecordVal *info = new RecordVal(BifType::Record::NFS3::info_t); info->Assign(0, new EnumVal(rpc_status, BifType::Enum::rpc_status)); @@ -298,6 +303,11 @@ val_list* NFS_Interp::event_common_vl(RPC_CallInfo *c, BifEnum::rpc_status rpc_s info->Assign(5, new Val(rep_start_time, TYPE_TIME)); info->Assign(6, new Val(rep_last_time-rep_start_time, TYPE_INTERVAL)); info->Assign(7, new Val(reply_len, TYPE_COUNT)); + info->Assign(8, new Val(c->Uid(), TYPE_COUNT)); + info->Assign(9, new Val(c->Gid(), TYPE_COUNT)); + info->Assign(10, new Val(c->Stamp(), TYPE_COUNT)); + info->Assign(11, new StringVal(c->MachineName())); + info->Assign(12, auxgids); vl->append(info); return vl; diff --git a/src/analyzer/protocol/rpc/RPC.cc b/src/analyzer/protocol/rpc/RPC.cc index aff6bfefc0..8f1952587e 100644 --- a/src/analyzer/protocol/rpc/RPC.cc +++ b/src/analyzer/protocol/rpc/RPC.cc @@ -40,7 +40,19 @@ RPC_CallInfo::RPC_CallInfo(uint32 arg_xid, const u_char*& buf, int& n, double ar prog = extract_XDR_uint32(buf, n); vers = extract_XDR_uint32(buf, n); proc = extract_XDR_uint32(buf, n); - cred_flavor = skip_XDR_opaque_auth(buf, n); + cred_flavor = extract_XDR_uint32(buf, n); + int cred_opaque_n, machinename_n; + const u_char* cred_opaque = extract_XDR_opaque(buf, n, cred_opaque_n); + stamp = extract_XDR_uint32(cred_opaque, cred_opaque_n); + const u_char* tmp = extract_XDR_opaque(cred_opaque, cred_opaque_n, machinename_n); + machinename = std::string(reinterpret_cast(tmp), machinename_n); + uid = extract_XDR_uint32(cred_opaque, cred_opaque_n); + gid = extract_XDR_uint32(cred_opaque, cred_opaque_n); + size_t number_of_gids = extract_XDR_uint32(cred_opaque, cred_opaque_n); + for (u_int i=0 ; i& AuxGIDs() const { return auxgids; } double StartTime() const { return start_time; } void SetStartTime(double t) { start_time = t; } @@ -78,8 +83,12 @@ public: protected: uint32 xid, rpc_version, prog, vers, proc; - uint32 cred_flavor, verf_flavor; + uint32 cred_flavor, stamp; + uint32 uid, gid; + std::vector auxgids; + uint32 verf_flavor; u_char* call_buf; // copy of original call buffer + std::string machinename; double start_time; double last_time; int rpc_len; // size of the full RPC call, incl. xid and msg_type