mirror of
https://github.com/zeek/zeek.git
synced 2025-10-02 14:48:21 +00:00
Add some more DCE_RPC endpoints.
This commit is contained in:
Seth Hall
parent
7b3ec047d0
commit
ebd064de17
6 changed files with 76 additions and 20 deletions
|
|
@ -1436,5 +1436,61 @@ export {
|
||||||
["a4f1db00-ca47-1067-b31f-00dd010662da",0x08] = "EcRNetGetDCName",
|
["a4f1db00-ca47-1067-b31f-00dd010662da",0x08] = "EcRNetGetDCName",
|
||||||
["a4f1db00-ca47-1067-b31f-00dd010662da",0x09] = "EcDoRpcExt",
|
["a4f1db00-ca47-1067-b31f-00dd010662da",0x09] = "EcDoRpcExt",
|
||||||
|
|
||||||
|
# drsuapi
|
||||||
|
["e3514235-4b06-11d1-ab04-00c04fc2dcd2",0x00] = "DRSBind",
|
||||||
|
["e3514235-4b06-11d1-ab04-00c04fc2dcd2",0x01] = "DRSUnbind",
|
||||||
|
["e3514235-4b06-11d1-ab04-00c04fc2dcd2",0x02] = "DRSReplicaSync",
|
||||||
|
["e3514235-4b06-11d1-ab04-00c04fc2dcd2",0x03] = "DRSGetNCChanges",
|
||||||
|
["e3514235-4b06-11d1-ab04-00c04fc2dcd2",0x04] = "DRSUpdateRefs",
|
||||||
|
["e3514235-4b06-11d1-ab04-00c04fc2dcd2",0x05] = "DRSReplicaAdd",
|
||||||
|
["e3514235-4b06-11d1-ab04-00c04fc2dcd2",0x06] = "DRSReplicaDel",
|
||||||
|
["e3514235-4b06-11d1-ab04-00c04fc2dcd2",0x07] = "DRSReplicaModify",
|
||||||
|
["e3514235-4b06-11d1-ab04-00c04fc2dcd2",0x08] = "DRSVerifyNames",
|
||||||
|
["e3514235-4b06-11d1-ab04-00c04fc2dcd2",0x09] = "DRSGetMemberships",
|
||||||
|
["e3514235-4b06-11d1-ab04-00c04fc2dcd2",0x0a] = "DRSInterDomainMove",
|
||||||
|
["e3514235-4b06-11d1-ab04-00c04fc2dcd2",0x0b] = "DRSGetNT4ChangeLog",
|
||||||
|
["e3514235-4b06-11d1-ab04-00c04fc2dcd2",0x0c] = "DRSCrackNames",
|
||||||
|
["e3514235-4b06-11d1-ab04-00c04fc2dcd2",0x0d] = "DRSWriteSPN",
|
||||||
|
["e3514235-4b06-11d1-ab04-00c04fc2dcd2",0x0e] = "DRSRemoveDsServer",
|
||||||
|
["e3514235-4b06-11d1-ab04-00c04fc2dcd2",0x0f] = "DRSRemoveDsDomain",
|
||||||
|
["e3514235-4b06-11d1-ab04-00c04fc2dcd2",0x10] = "DRSDomainControllerInfo",
|
||||||
|
["e3514235-4b06-11d1-ab04-00c04fc2dcd2",0x11] = "DRSAddEntry",
|
||||||
|
["e3514235-4b06-11d1-ab04-00c04fc2dcd2",0x12] = "DRSExecuteKCC",
|
||||||
|
["e3514235-4b06-11d1-ab04-00c04fc2dcd2",0x13] = "DRSGetReplInfo",
|
||||||
|
["e3514235-4b06-11d1-ab04-00c04fc2dcd2",0x14] = "DRSAddSidHistory",
|
||||||
|
["e3514235-4b06-11d1-ab04-00c04fc2dcd2",0x15] = "DRSGetMemberships2",
|
||||||
|
["e3514235-4b06-11d1-ab04-00c04fc2dcd2",0x16] = "DRSReplicaVerifyObjects",
|
||||||
|
["e3514235-4b06-11d1-ab04-00c04fc2dcd2",0x17] = "DRSGetObjectExistence",
|
||||||
|
["e3514235-4b06-11d1-ab04-00c04fc2dcd2",0x18] = "DRSQuerySitesByCost",
|
||||||
|
|
||||||
|
# winspipe
|
||||||
|
["45f52c28-7f9f-101a-b52b-08002b2efabe",0x00] = "R_WinsRecordAction",
|
||||||
|
["45f52c28-7f9f-101a-b52b-08002b2efabe",0x01] = "R_WinsStatus",
|
||||||
|
["45f52c28-7f9f-101a-b52b-08002b2efabe",0x02] = "R_WinsTrigger",
|
||||||
|
["45f52c28-7f9f-101a-b52b-08002b2efabe",0x03] = "R_WinsDoStaticInit",
|
||||||
|
["45f52c28-7f9f-101a-b52b-08002b2efabe",0x04] = "R_WinsDoScavenging",
|
||||||
|
["45f52c28-7f9f-101a-b52b-08002b2efabe",0x05] = "R_WinsGetDbRecs",
|
||||||
|
["45f52c28-7f9f-101a-b52b-08002b2efabe",0x06] = "R_WinsTerm",
|
||||||
|
["45f52c28-7f9f-101a-b52b-08002b2efabe",0x07] = "R_WinsBackup",
|
||||||
|
["45f52c28-7f9f-101a-b52b-08002b2efabe",0x08] = "R_WinsDelDbRecs",
|
||||||
|
["45f52c28-7f9f-101a-b52b-08002b2efabe",0x09] = "R_WinsPullRange",
|
||||||
|
["45f52c28-7f9f-101a-b52b-08002b2efabe",0x0a] = "R_WinsSetPriorityClass",
|
||||||
|
["45f52c28-7f9f-101a-b52b-08002b2efabe",0x0b] = "R_WinsResetCounters",
|
||||||
|
["45f52c28-7f9f-101a-b52b-08002b2efabe",0x0c] = "R_WinsWorkerThdUpd",
|
||||||
|
["45f52c28-7f9f-101a-b52b-08002b2efabe",0x0d] = "R_WinsGetNameAndAdd",
|
||||||
|
["45f52c28-7f9f-101a-b52b-08002b2efabe",0x0e] = "R_WinsGetBrowserNames_Old",
|
||||||
|
["45f52c28-7f9f-101a-b52b-08002b2efabe",0x0f] = "R_WinsDeleteWins",
|
||||||
|
["45f52c28-7f9f-101a-b52b-08002b2efabe",0x10] = "R_WinsSetFlags",
|
||||||
|
["45f52c28-7f9f-101a-b52b-08002b2efabe",0x11] = "R_WinsGetDbRecsByName",
|
||||||
|
["45f52c28-7f9f-101a-b52b-08002b2efabe",0x12] = "R_WinsStatusWHdl",
|
||||||
|
["45f52c28-7f9f-101a-b52b-08002b2efabe",0x13] = "R_WinsDoScavengingNew",
|
||||||
|
|
||||||
|
# mgmt
|
||||||
|
["afa8bd80-7d8a-11c9-bef4-08002b102989",0x00] = "inq_if_ids",
|
||||||
|
["afa8bd80-7d8a-11c9-bef4-08002b102989",0x01] = "inq_stats",
|
||||||
|
["afa8bd80-7d8a-11c9-bef4-08002b102989",0x02] = "is_server_listening",
|
||||||
|
["afa8bd80-7d8a-11c9-bef4-08002b102989",0x03] = "stop_server_listening",
|
||||||
|
["afa8bd80-7d8a-11c9-bef4-08002b102989",0x04] = "inq_princ_name",
|
||||||
|
|
||||||
} &redef &default=function(uuid: string, i: count): string { return fmt("unknown-%d", i); };
|
} &redef &default=function(uuid: string, i: count): string { return fmt("unknown-%d", i); };
|
||||||
}
|
}
|
||||||
|
|
|
||||||
|
|
@ -3,8 +3,8 @@
|
||||||
#empty_field (empty)
|
#empty_field (empty)
|
||||||
#unset_field -
|
#unset_field -
|
||||||
#path dce_rpc
|
#path dce_rpc
|
||||||
#open 2016-04-01-18-48-44
|
#open 2016-08-05-15-39-00
|
||||||
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p rtt named_pipe endpoint operation
|
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p rtt named_pipe endpoint operation
|
||||||
#types time string addr port addr port interval string string string
|
#types time string addr port addr port interval string string string
|
||||||
1073392738.149799 CXWv6p3arKYeMETxOg 205.227.227.226 49467 205.227.227.243 445 0.002138 \\PIPE\\lsass dssetup DsRolerGetPrimaryDomainInformation
|
1073392738.149799 CHhAvVGS1DHFjwGM9 205.227.227.226 49467 205.227.227.243 445 0.002138 \\PIPE\\lsass dssetup DsRolerGetPrimaryDomainInformation
|
||||||
#close 2016-04-01-18-48-44
|
#close 2016-08-05-15-39-00
|
||||||
|
|
|
||||||
|
|
@ -3,10 +3,10 @@
|
||||||
#empty_field (empty)
|
#empty_field (empty)
|
||||||
#unset_field -
|
#unset_field -
|
||||||
#path smb_files
|
#path smb_files
|
||||||
#open 2016-07-28-07-50-04
|
#open 2016-08-05-15-25-54
|
||||||
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p fuid action path name size prev_name times.modified times.accessed times.created times.changed
|
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p fuid action path name size prev_name times.modified times.accessed times.created times.changed
|
||||||
#types time string addr port addr port string enum string string count string time time time time
|
#types time string addr port addr port string enum string string count string time time time time
|
||||||
1403194573.483536 CXWv6p3arKYeMETxOg 192.168.1.78 55770 192.168.1.53 445 - SMB::FILE_OPEN - <share_root> 0 - 1403193605.830790 1403193605.830790 1403193211.405449 1403193605.830790
|
1403194573.483536 CHhAvVGS1DHFjwGM9 192.168.1.78 55770 192.168.1.53 445 - SMB::FILE_OPEN - <share_root> 0 - 1403193605.830790 1403193605.830790 1403193211.405449 1403193605.830790
|
||||||
1403194573.484701 CXWv6p3arKYeMETxOg 192.168.1.78 55770 192.168.1.53 445 - SMB::FILE_OPEN - Test 0 - 1403193632.973276 1403193632.973276 1403193604.628965 1403193632.973276
|
1403194573.484701 CHhAvVGS1DHFjwGM9 192.168.1.78 55770 192.168.1.53 445 - SMB::FILE_OPEN - Test 0 - 1403193632.973276 1403193632.973276 1403193604.628965 1403193632.973276
|
||||||
1403194574.150293 CXWv6p3arKYeMETxOg 192.168.1.78 55770 192.168.1.53 445 - SMB::FILE_OPEN - Test\\2009-12 Payroll.xlsx 25940 - 1403148950.000000 1403193623.046524 1403148950.000000 1403193632.973276
|
1403194574.150293 CHhAvVGS1DHFjwGM9 192.168.1.78 55770 192.168.1.53 445 - SMB::FILE_OPEN - Test\\2009-12 Payroll.xlsx 25940 - 1403148950.000000 1403193623.046524 1403148950.000000 1403193632.973276
|
||||||
#close 2016-07-28-07-50-04
|
#close 2016-08-05-15-25-54
|
||||||
|
|
|
||||||
|
|
@ -3,8 +3,8 @@
|
||||||
#empty_field (empty)
|
#empty_field (empty)
|
||||||
#unset_field -
|
#unset_field -
|
||||||
#path files
|
#path files
|
||||||
#open 2016-03-07-20-31-34
|
#open 2016-08-05-15-39-06
|
||||||
#fields ts fuid tx_hosts rx_hosts conn_uids source depth analyzers mime_type filename duration local_orig is_orig seen_bytes total_bytes missing_bytes overflow_bytes timedout parent_fuid md5 sha1 sha256 extracted
|
#fields ts fuid tx_hosts rx_hosts conn_uids source depth analyzers mime_type filename duration local_orig is_orig seen_bytes total_bytes missing_bytes overflow_bytes timedout parent_fuid md5 sha1 sha256 extracted
|
||||||
#types time string set[addr] set[addr] set[string] string count set[string] string string interval bool bool count count count count bool string string string string string
|
#types time string set[addr] set[addr] set[string] string count set[string] string string interval bool bool count count count count bool string string string string string
|
||||||
1323202695.515890 FUU9mc3Ub5uZdcqg1d 10.0.0.11 10.0.0.12 CXWv6p3arKYeMETxOg SMB 0 (empty) application/pdf WP_SMBPlugin.pdf 0.073970 - T 1508939 - 0 0 T - - - - -
|
1323202695.515890 FUU9mc3Ub5uZdcqg1d 10.0.0.11 10.0.0.12 CHhAvVGS1DHFjwGM9 SMB 0 (empty) application/pdf WP_SMBPlugin.pdf 0.073970 - T 1508939 - 0 0 T - - - - -
|
||||||
#close 2016-03-07-20-31-34
|
#close 2016-08-05-15-39-06
|
||||||
|
|
|
||||||
|
|
@ -3,10 +3,10 @@
|
||||||
#empty_field (empty)
|
#empty_field (empty)
|
||||||
#unset_field -
|
#unset_field -
|
||||||
#path smb_files
|
#path smb_files
|
||||||
#open 2016-07-28-07-50-22
|
#open 2016-08-05-15-39-05
|
||||||
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p fuid action path name size prev_name times.modified times.accessed times.created times.changed
|
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p fuid action path name size prev_name times.modified times.accessed times.created times.changed
|
||||||
#types time string addr port addr port string enum string string count string time time time time
|
#types time string addr port addr port string enum string string count string time time time time
|
||||||
1323202695.377459 CXWv6p3arKYeMETxOg 10.0.0.11 49208 10.0.0.12 445 - SMB::FILE_OPEN \\\\10.0.0.12\\smb2 <share_root> 8192 - 1323202604.512058 1323202604.512058 1322343963.945297 1323202604.512058
|
1323202695.377459 CHhAvVGS1DHFjwGM9 10.0.0.11 49208 10.0.0.12 445 - SMB::FILE_OPEN \\\\10.0.0.12\\smb2 <share_root> 8192 - 1323202604.512058 1323202604.512058 1322343963.945297 1323202604.512058
|
||||||
1323202695.432192 CXWv6p3arKYeMETxOg 10.0.0.11 49208 10.0.0.12 445 - SMB::FILE_OPEN \\\\10.0.0.12\\smb2 WP_SMBPlugin.pdf 0 - 1323202695.427034 1323202695.427034 1323202695.427034 1323202695.427034
|
1323202695.432192 CHhAvVGS1DHFjwGM9 10.0.0.11 49208 10.0.0.12 445 - SMB::FILE_OPEN \\\\10.0.0.12\\smb2 WP_SMBPlugin.pdf 0 - 1323202695.427034 1323202695.427034 1323202695.427034 1323202695.427034
|
||||||
1323202695.599914 CXWv6p3arKYeMETxOg 10.0.0.11 49208 10.0.0.12 445 - SMB::FILE_OPEN \\\\10.0.0.12\\smb2 <share_root> 8192 - 1323202695.427034 1323202695.427034 1322343963.945297 1323202695.427034
|
1323202695.599914 CHhAvVGS1DHFjwGM9 10.0.0.11 49208 10.0.0.12 445 - SMB::FILE_OPEN \\\\10.0.0.12\\smb2 <share_root> 8192 - 1323202695.427034 1323202695.427034 1322343963.945297 1323202695.427034
|
||||||
#close 2016-07-28-07-50-22
|
#close 2016-08-05-15-39-06
|
||||||
|
|
|
||||||
|
|
@ -3,9 +3,9 @@
|
||||||
#empty_field (empty)
|
#empty_field (empty)
|
||||||
#unset_field -
|
#unset_field -
|
||||||
#path smb_mapping
|
#path smb_mapping
|
||||||
#open 2016-03-07-20-31-34
|
#open 2016-08-05-15-39-05
|
||||||
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p path service native_file_system share_type
|
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p path service native_file_system share_type
|
||||||
#types time string addr port addr port string string string string
|
#types time string addr port addr port string string string string
|
||||||
1323202695.377084 CXWv6p3arKYeMETxOg 10.0.0.11 49208 10.0.0.12 445 \\\\10.0.0.12\\smb2 - - DISK
|
1323202695.377084 CHhAvVGS1DHFjwGM9 10.0.0.11 49208 10.0.0.12 445 \\\\10.0.0.12\\smb2 - - DISK
|
||||||
1323202695.378188 CXWv6p3arKYeMETxOg 10.0.0.11 49208 10.0.0.12 445 \\\\10.0.0.12\\IPC$ - - PIPE
|
1323202695.378188 CHhAvVGS1DHFjwGM9 10.0.0.11 49208 10.0.0.12 445 \\\\10.0.0.12\\IPC$ - - PIPE
|
||||||
#close 2016-03-07-20-31-34
|
#close 2016-08-05-15-39-06
|
||||||
|
|
|
||||||
Loading…
Add table
Add a link
Reference in a new issue