Add some more DCE_RPC endpoints.

scripts/base/protocols/dce-rpc/consts.bro

@@ -1436,5 +1436,61 @@ export {
 		["a4f1db00-ca47-1067-b31f-00dd010662da",0x08] = "EcRNetGetDCName",
 		["a4f1db00-ca47-1067-b31f-00dd010662da",0x09] = "EcDoRpcExt",
 
+		# drsuapi
+		["e3514235-4b06-11d1-ab04-00c04fc2dcd2",0x00] = "DRSBind",
+		["e3514235-4b06-11d1-ab04-00c04fc2dcd2",0x01] = "DRSUnbind",
+		["e3514235-4b06-11d1-ab04-00c04fc2dcd2",0x02] = "DRSReplicaSync",
+		["e3514235-4b06-11d1-ab04-00c04fc2dcd2",0x03] = "DRSGetNCChanges",
+		["e3514235-4b06-11d1-ab04-00c04fc2dcd2",0x04] = "DRSUpdateRefs",
+		["e3514235-4b06-11d1-ab04-00c04fc2dcd2",0x05] = "DRSReplicaAdd",
+		["e3514235-4b06-11d1-ab04-00c04fc2dcd2",0x06] = "DRSReplicaDel",
+		["e3514235-4b06-11d1-ab04-00c04fc2dcd2",0x07] = "DRSReplicaModify",
+		["e3514235-4b06-11d1-ab04-00c04fc2dcd2",0x08] = "DRSVerifyNames",
+		["e3514235-4b06-11d1-ab04-00c04fc2dcd2",0x09] = "DRSGetMemberships",
+		["e3514235-4b06-11d1-ab04-00c04fc2dcd2",0x0a] = "DRSInterDomainMove",
+		["e3514235-4b06-11d1-ab04-00c04fc2dcd2",0x0b] = "DRSGetNT4ChangeLog",
+		["e3514235-4b06-11d1-ab04-00c04fc2dcd2",0x0c] = "DRSCrackNames",
+		["e3514235-4b06-11d1-ab04-00c04fc2dcd2",0x0d] = "DRSWriteSPN",
+		["e3514235-4b06-11d1-ab04-00c04fc2dcd2",0x0e] = "DRSRemoveDsServer",
+		["e3514235-4b06-11d1-ab04-00c04fc2dcd2",0x0f] = "DRSRemoveDsDomain",
+		["e3514235-4b06-11d1-ab04-00c04fc2dcd2",0x10] = "DRSDomainControllerInfo",
+		["e3514235-4b06-11d1-ab04-00c04fc2dcd2",0x11] = "DRSAddEntry",
+		["e3514235-4b06-11d1-ab04-00c04fc2dcd2",0x12] = "DRSExecuteKCC",
+		["e3514235-4b06-11d1-ab04-00c04fc2dcd2",0x13] = "DRSGetReplInfo",
+		["e3514235-4b06-11d1-ab04-00c04fc2dcd2",0x14] = "DRSAddSidHistory",
+		["e3514235-4b06-11d1-ab04-00c04fc2dcd2",0x15] = "DRSGetMemberships2",
+		["e3514235-4b06-11d1-ab04-00c04fc2dcd2",0x16] = "DRSReplicaVerifyObjects",
+		["e3514235-4b06-11d1-ab04-00c04fc2dcd2",0x17] = "DRSGetObjectExistence", 
+		["e3514235-4b06-11d1-ab04-00c04fc2dcd2",0x18] = "DRSQuerySitesByCost",
+
+		# winspipe
+		["45f52c28-7f9f-101a-b52b-08002b2efabe",0x00] = "R_WinsRecordAction",
+		["45f52c28-7f9f-101a-b52b-08002b2efabe",0x01] = "R_WinsStatus",
+		["45f52c28-7f9f-101a-b52b-08002b2efabe",0x02] = "R_WinsTrigger",
+		["45f52c28-7f9f-101a-b52b-08002b2efabe",0x03] = "R_WinsDoStaticInit",
+		["45f52c28-7f9f-101a-b52b-08002b2efabe",0x04] = "R_WinsDoScavenging",
+		["45f52c28-7f9f-101a-b52b-08002b2efabe",0x05] = "R_WinsGetDbRecs",
+		["45f52c28-7f9f-101a-b52b-08002b2efabe",0x06] = "R_WinsTerm",
+		["45f52c28-7f9f-101a-b52b-08002b2efabe",0x07] = "R_WinsBackup",
+		["45f52c28-7f9f-101a-b52b-08002b2efabe",0x08] = "R_WinsDelDbRecs",
+		["45f52c28-7f9f-101a-b52b-08002b2efabe",0x09] = "R_WinsPullRange",
+		["45f52c28-7f9f-101a-b52b-08002b2efabe",0x0a] = "R_WinsSetPriorityClass",
+		["45f52c28-7f9f-101a-b52b-08002b2efabe",0x0b] = "R_WinsResetCounters",
+		["45f52c28-7f9f-101a-b52b-08002b2efabe",0x0c] = "R_WinsWorkerThdUpd",
+		["45f52c28-7f9f-101a-b52b-08002b2efabe",0x0d] = "R_WinsGetNameAndAdd",
+		["45f52c28-7f9f-101a-b52b-08002b2efabe",0x0e] = "R_WinsGetBrowserNames_Old",
+		["45f52c28-7f9f-101a-b52b-08002b2efabe",0x0f] = "R_WinsDeleteWins",
+		["45f52c28-7f9f-101a-b52b-08002b2efabe",0x10] = "R_WinsSetFlags",
+		["45f52c28-7f9f-101a-b52b-08002b2efabe",0x11] = "R_WinsGetDbRecsByName",
+		["45f52c28-7f9f-101a-b52b-08002b2efabe",0x12] = "R_WinsStatusWHdl",
+		["45f52c28-7f9f-101a-b52b-08002b2efabe",0x13] = "R_WinsDoScavengingNew",
+
+		# mgmt
+		["afa8bd80-7d8a-11c9-bef4-08002b102989",0x00] = "inq_if_ids",
+		["afa8bd80-7d8a-11c9-bef4-08002b102989",0x01] = "inq_stats",
+		["afa8bd80-7d8a-11c9-bef4-08002b102989",0x02] = "is_server_listening",
+		["afa8bd80-7d8a-11c9-bef4-08002b102989",0x03] = "stop_server_listening",
+		["afa8bd80-7d8a-11c9-bef4-08002b102989",0x04] = "inq_princ_name",
+
 	} &redef &default=function(uuid: string, i: count): string { return fmt("unknown-%d", i); };
 }

testing/btest/Baseline/scripts.base.protocols.smb.smb1-transaction-dcerpc/dce_rpc.log

@@ -3,8 +3,8 @@
 #empty_field	(empty)
 #unset_field	-
 #path	dce_rpc
-#open	2016-04-01-18-48-44
+#open	2016-08-05-15-39-00
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	rtt	named_pipe	endpoint	operation
 #types	time	string	addr	port	addr	port	interval	string	string	string
-1073392738.149799	CXWv6p3arKYeMETxOg	205.227.227.226	49467	205.227.227.243	445	0.002138	\\PIPE\\lsass	dssetup	DsRolerGetPrimaryDomainInformation
-#close	2016-04-01-18-48-44
+1073392738.149799	CHhAvVGS1DHFjwGM9	205.227.227.226	49467	205.227.227.243	445	0.002138	\\PIPE\\lsass	dssetup	DsRolerGetPrimaryDomainInformation
+#close	2016-08-05-15-39-00

testing/btest/Baseline/scripts.base.protocols.smb.smb1/smb_files.log

@@ -3,10 +3,10 @@
 #empty_field	(empty)
 #unset_field	-
 #path	smb_files
-#open	2016-07-28-07-50-04
+#open	2016-08-05-15-25-54
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	fuid	action	path	name	size	prev_name	times.modified	times.accessed	times.created	times.changed
 #types	time	string	addr	port	addr	port	string	enum	string	string	count	string	time	time	time	time
-1403194573.483536	CXWv6p3arKYeMETxOg	192.168.1.78	55770	192.168.1.53	445	-	SMB::FILE_OPEN	-	<share_root>	0	-	1403193605.830790	1403193605.830790	1403193211.405449	1403193605.830790
-1403194573.484701	CXWv6p3arKYeMETxOg	192.168.1.78	55770	192.168.1.53	445	-	SMB::FILE_OPEN	-	Test	0	-	1403193632.973276	1403193632.973276	1403193604.628965	1403193632.973276
-1403194574.150293	CXWv6p3arKYeMETxOg	192.168.1.78	55770	192.168.1.53	445	-	SMB::FILE_OPEN	-	Test\\2009-12 Payroll.xlsx	25940	-	1403148950.000000	1403193623.046524	1403148950.000000	1403193632.973276
-#close	2016-07-28-07-50-04
+1403194573.483536	CHhAvVGS1DHFjwGM9	192.168.1.78	55770	192.168.1.53	445	-	SMB::FILE_OPEN	-	<share_root>	0	-	1403193605.830790	1403193605.830790	1403193211.405449	1403193605.830790
+1403194573.484701	CHhAvVGS1DHFjwGM9	192.168.1.78	55770	192.168.1.53	445	-	SMB::FILE_OPEN	-	Test	0	-	1403193632.973276	1403193632.973276	1403193604.628965	1403193632.973276
+1403194574.150293	CHhAvVGS1DHFjwGM9	192.168.1.78	55770	192.168.1.53	445	-	SMB::FILE_OPEN	-	Test\\2009-12 Payroll.xlsx	25940	-	1403148950.000000	1403193623.046524	1403148950.000000	1403193632.973276
+#close	2016-08-05-15-25-54

testing/btest/Baseline/scripts.base.protocols.smb.smb2/files.log

@@ -3,8 +3,8 @@
 #empty_field	(empty)
 #unset_field	-
 #path	files
-#open	2016-03-07-20-31-34
+#open	2016-08-05-15-39-06
 #fields	ts	fuid	tx_hosts	rx_hosts	conn_uids	source	depth	analyzers	mime_type	filename	duration	local_orig	is_orig	seen_bytes	total_bytes	missing_bytes	overflow_bytes	timedout	parent_fuid	md5	sha1	sha256	extracted
 #types	time	string	set[addr]	set[addr]	set[string]	string	count	set[string]	string	string	interval	bool	bool	count	count	count	count	bool	string	string	string	string	string
-1323202695.515890	FUU9mc3Ub5uZdcqg1d	10.0.0.11	10.0.0.12	CXWv6p3arKYeMETxOg	SMB	0	(empty)	application/pdf	WP_SMBPlugin.pdf	0.073970	-	T	1508939	-	0	0	T	-	-	-	-	-
-#close	2016-03-07-20-31-34
+1323202695.515890	FUU9mc3Ub5uZdcqg1d	10.0.0.11	10.0.0.12	CHhAvVGS1DHFjwGM9	SMB	0	(empty)	application/pdf	WP_SMBPlugin.pdf	0.073970	-	T	1508939	-	0	0	T	-	-	-	-	-
+#close	2016-08-05-15-39-06

testing/btest/Baseline/scripts.base.protocols.smb.smb2/smb_files.log

@@ -3,10 +3,10 @@
 #empty_field	(empty)
 #unset_field	-
 #path	smb_files
-#open	2016-07-28-07-50-22
+#open	2016-08-05-15-39-05
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	fuid	action	path	name	size	prev_name	times.modified	times.accessed	times.created	times.changed
 #types	time	string	addr	port	addr	port	string	enum	string	string	count	string	time	time	time	time
-1323202695.377459	CXWv6p3arKYeMETxOg	10.0.0.11	49208	10.0.0.12	445	-	SMB::FILE_OPEN	\\\\10.0.0.12\\smb2	<share_root>	8192	-	1323202604.512058	1323202604.512058	1322343963.945297	1323202604.512058
-1323202695.432192	CXWv6p3arKYeMETxOg	10.0.0.11	49208	10.0.0.12	445	-	SMB::FILE_OPEN	\\\\10.0.0.12\\smb2	WP_SMBPlugin.pdf	0	-	1323202695.427034	1323202695.427034	1323202695.427034	1323202695.427034
-1323202695.599914	CXWv6p3arKYeMETxOg	10.0.0.11	49208	10.0.0.12	445	-	SMB::FILE_OPEN	\\\\10.0.0.12\\smb2	<share_root>	8192	-	1323202695.427034	1323202695.427034	1322343963.945297	1323202695.427034
-#close	2016-07-28-07-50-22
+1323202695.377459	CHhAvVGS1DHFjwGM9	10.0.0.11	49208	10.0.0.12	445	-	SMB::FILE_OPEN	\\\\10.0.0.12\\smb2	<share_root>	8192	-	1323202604.512058	1323202604.512058	1322343963.945297	1323202604.512058
+1323202695.432192	CHhAvVGS1DHFjwGM9	10.0.0.11	49208	10.0.0.12	445	-	SMB::FILE_OPEN	\\\\10.0.0.12\\smb2	WP_SMBPlugin.pdf	0	-	1323202695.427034	1323202695.427034	1323202695.427034	1323202695.427034
+1323202695.599914	CHhAvVGS1DHFjwGM9	10.0.0.11	49208	10.0.0.12	445	-	SMB::FILE_OPEN	\\\\10.0.0.12\\smb2	<share_root>	8192	-	1323202695.427034	1323202695.427034	1322343963.945297	1323202695.427034
+#close	2016-08-05-15-39-06

testing/btest/Baseline/scripts.base.protocols.smb.smb2/smb_mapping.log

@@ -3,9 +3,9 @@
 #empty_field	(empty)
 #unset_field	-
 #path	smb_mapping
-#open	2016-03-07-20-31-34
+#open	2016-08-05-15-39-05
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	path	service	native_file_system	share_type
 #types	time	string	addr	port	addr	port	string	string	string	string
-1323202695.377084	CXWv6p3arKYeMETxOg	10.0.0.11	49208	10.0.0.12	445	\\\\10.0.0.12\\smb2	-	-	DISK
-1323202695.378188	CXWv6p3arKYeMETxOg	10.0.0.11	49208	10.0.0.12	445	\\\\10.0.0.12\\IPC$	-	-	PIPE
-#close	2016-03-07-20-31-34
+1323202695.377084	CHhAvVGS1DHFjwGM9	10.0.0.11	49208	10.0.0.12	445	\\\\10.0.0.12\\smb2	-	-	DISK
+1323202695.378188	CHhAvVGS1DHFjwGM9	10.0.0.11	49208	10.0.0.12	445	\\\\10.0.0.12\\IPC$	-	-	PIPE
+#close	2016-08-05-15-39-06