Expand parsing of RPC Call packets to add Uid, Gid, Stamp, MachineName

and AuxGIDs

scripts/base/init-bare.bro

@@ -2142,6 +2142,16 @@ export {
 		rep_dur: interval;
 		## The length in bytes of the reply.
 		rep_len: count;
+		## The user id of the reply.
+		rpc_uid: count;
+		## The group id of the reply.
+		rpc_gid: count;
+		## The stamp of the reply.
+		rpc_stamp: count;
+		## The machine name of the reply.
+		rpc_machine_name: string;
+		## The auxiliary ids of the reply.
+		rpc_auxgids: index_vec;
 	};
 
 	## NFS file attributes. Field names are based on RFC 1813.

src/analyzer/protocol/rpc/NFS.cc

@@ -1,6 +1,7 @@
 // See the file "COPYING" in the main distribution directory for copyright.
 
 #include <algorithm>
+#include <vector>
 
 #include "bro-config.h"
 
@@ -288,6 +289,10 @@ val_list* NFS_Interp::event_common_vl(RPC_CallInfo *c, BifEnum::rpc_status rpc_s
 	// These are the first parameters for each nfs_* event ...
 	val_list *vl = new val_list;
 	vl->append(analyzer->BuildConnVal());
+	VectorVal* auxgids = new VectorVal(internal_type("index_vec")->AsVectorType());
+	for (size_t i = 0; i < c->AuxGIDs().size(); ++i) {
+		auxgids->Assign(i, new Val(c->AuxGIDs()[i], TYPE_COUNT));
+	}
 
 	RecordVal *info = new RecordVal(BifType::Record::NFS3::info_t);
 	info->Assign(0, new EnumVal(rpc_status, BifType::Enum::rpc_status));
@@ -298,6 +303,11 @@ val_list* NFS_Interp::event_common_vl(RPC_CallInfo *c, BifEnum::rpc_status rpc_s
 	info->Assign(5, new Val(rep_start_time, TYPE_TIME));
 	info->Assign(6, new Val(rep_last_time-rep_start_time, TYPE_INTERVAL));
 	info->Assign(7, new Val(reply_len, TYPE_COUNT));
+	info->Assign(8, new Val(c->Uid(), TYPE_COUNT));
+	info->Assign(9, new Val(c->Gid(), TYPE_COUNT));
+	info->Assign(10, new Val(c->Stamp(), TYPE_COUNT));
+	info->Assign(11, new StringVal(c->MachineName()));
+	info->Assign(12, auxgids);
 
 	vl->append(info);
 	return vl;

src/analyzer/protocol/rpc/RPC.cc

@@ -40,7 +40,19 @@ RPC_CallInfo::RPC_CallInfo(uint32 arg_xid, const u_char*& buf, int& n, double ar
 	prog = extract_XDR_uint32(buf, n);
 	vers = extract_XDR_uint32(buf, n);
 	proc = extract_XDR_uint32(buf, n);
-	cred_flavor = skip_XDR_opaque_auth(buf, n);
+	cred_flavor = extract_XDR_uint32(buf, n);
+	int cred_opaque_n, machinename_n;
+	const u_char* cred_opaque = extract_XDR_opaque(buf, n, cred_opaque_n);
+	stamp = extract_XDR_uint32(cred_opaque, cred_opaque_n);
+	const u_char* tmp = extract_XDR_opaque(cred_opaque, cred_opaque_n, machinename_n);
+	machinename = std::string(reinterpret_cast<const char*>(tmp), machinename_n);
+	uid = extract_XDR_uint32(cred_opaque, cred_opaque_n);
+	gid = extract_XDR_uint32(cred_opaque, cred_opaque_n);
+	size_t number_of_gids = extract_XDR_uint32(cred_opaque, cred_opaque_n);
+	for (u_int i=0 ; i<number_of_gids ; ++i ){
+		auxgids.push_back(extract_XDR_uint32(cred_opaque, cred_opaque_n));
+	}
+
 	verf_flavor = skip_XDR_opaque_auth(buf, n);
 
 	header_len = call_n - n;

src/analyzer/protocol/rpc/RPC.h

@@ -62,6 +62,11 @@ public:
 	uint32 Program() const		{ return prog; }
 	uint32 Version() const		{ return vers; }
 	uint32 Proc() const		{ return proc; }
+	uint32 Uid() const { return uid; }
+	uint32 Gid() const { return gid; }
+	uint32 Stamp() const { return stamp; }
+	const std::string& MachineName() const { return machinename; }
+	const std::vector<int>& AuxGIDs() const { return auxgids; }
 
 	double StartTime() const	{ return start_time; }
 	void SetStartTime(double t)	{ start_time = t; }
@@ -78,8 +83,12 @@ public:
 
 protected:
 	uint32 xid, rpc_version, prog, vers, proc;
-	uint32 cred_flavor, verf_flavor;
+	uint32 cred_flavor, stamp;
+	uint32 uid, gid;
+	std::vector<int> auxgids;
+	uint32 verf_flavor;
 	u_char* call_buf;	// copy of original call buffer
+	std::string machinename;
 	double start_time;
 	double last_time;
 	int rpc_len;		// size of the full RPC call, incl. xid and msg_type