Change failure in utf16_bytestring_to_utf8_val to be a conn weird.
Whenever we saw errors in UTF16->UTF8 conversion before, we would get a reporter message with no connection information. Now we get a weird attached to a connection so that debugging these problems will hopefully be a bit easier in the future.
This commit is contained in:
parent
cf548e9302
commit
eebd896f63
5 changed files with 64 additions and 63 deletions
@ -32,19 +32,19 @@ refine connection NTLM_Conn += {
|
|||
switch ( ${val.pairs[i].id} )
|
||||
{
|
||||
case 1:
|
||||
result->Assign(0, utf16_bytestring_to_utf8_val(${val.pairs[i].nb_computer_name.data}));
|
||||
result->Assign(0, utf16_bytestring_to_utf8_val(bro_analyzer()->Conn(), ${val.pairs[i].nb_computer_name.data}));
|
||||
break;
|
||||
case 2:
|
||||
result->Assign(1, utf16_bytestring_to_utf8_val(${val.pairs[i].nb_domain_name.data}));
|
||||
result->Assign(1, utf16_bytestring_to_utf8_val(bro_analyzer()->Conn(), ${val.pairs[i].nb_domain_name.data}));
|
||||
break;
|
||||
case 3:
|
||||
result->Assign(2, utf16_bytestring_to_utf8_val(${val.pairs[i].dns_computer_name.data}));
|
||||
result->Assign(2, utf16_bytestring_to_utf8_val(bro_analyzer()->Conn(), ${val.pairs[i].dns_computer_name.data}));
|
||||
break;
|
||||
case 4:
|
||||
result->Assign(3, utf16_bytestring_to_utf8_val(${val.pairs[i].dns_domain_name.data}));
|
||||
result->Assign(3, utf16_bytestring_to_utf8_val(bro_analyzer()->Conn(), ${val.pairs[i].dns_domain_name.data}));
|
||||
break;
|
||||
case 5:
|
||||
result->Assign(4, utf16_bytestring_to_utf8_val(${val.pairs[i].dns_tree_name.data}));
|
||||
result->Assign(4, utf16_bytestring_to_utf8_val(bro_analyzer()->Conn(), ${val.pairs[i].dns_tree_name.data}));
|
||||
break;
|
||||
case 6:
|
||||
result->Assign(5, new Val(${val.pairs[i].constrained_auth}, TYPE_BOOL));
|
||||
|
@ -56,7 +56,7 @@ refine connection NTLM_Conn += {
|
|||
result->Assign(7, new Val(${val.pairs[i].single_host.machine_id}, TYPE_COUNT));
|
||||
break;
|
||||
case 9:
|
||||
result->Assign(8, utf16_bytestring_to_utf8_val(${val.pairs[i].target_name.data}));
|
||||
result->Assign(8, utf16_bytestring_to_utf8_val(bro_analyzer()->Conn(), ${val.pairs[i].target_name.data}));
|
||||
break;
|
||||
}
|
||||
}
|
||||
|
@ -98,10 +98,10 @@ refine connection NTLM_Conn += {
|
|||
result->Assign(0, build_negotiate_flag_record(${val.flags}));
|
||||
|
||||
if ( ${val}->has_domain_name() )
|
||||
result->Assign(1, utf16_bytestring_to_utf8_val(${val.domain_name.string.data}));
|
||||
result->Assign(1, utf16_bytestring_to_utf8_val(bro_analyzer()->Conn(), ${val.domain_name.string.data}));
|
||||
|
||||
if ( ${val}->has_workstation() )
|
||||
result->Assign(2, utf16_bytestring_to_utf8_val(${val.workstation.string.data}));
|
||||
result->Assign(2, utf16_bytestring_to_utf8_val(bro_analyzer()->Conn(), ${val.workstation.string.data}));
|
||||
|
||||
if ( ${val}->has_version() )
|
||||
result->Assign(3, build_version_record(${val.version}));
|
||||
|
@ -119,7 +119,7 @@ refine connection NTLM_Conn += {
|
|||
result->Assign(0, build_negotiate_flag_record(${val.flags}));
|
||||
|
||||
if ( ${val}->has_target_name() )
|
||||
result->Assign(1, utf16_bytestring_to_utf8_val(${val.target_name.string.data}));
|
||||
result->Assign(1, utf16_bytestring_to_utf8_val(bro_analyzer()->Conn(), ${val.target_name.string.data}));
|
||||
|
||||
if ( ${val}->has_version() )
|
||||
result->Assign(2, build_version_record(${val.version}));
|
||||
|
@ -140,13 +140,13 @@ refine connection NTLM_Conn += {
|
|||
result->Assign(0, build_negotiate_flag_record(${val.flags}));
|
||||
|
||||
if ( ${val}->has_domain_name() > 0 )
|
||||
result->Assign(1, utf16_bytestring_to_utf8_val(${val.domain_name.string.data}));
|
||||
result->Assign(1, utf16_bytestring_to_utf8_val(bro_analyzer()->Conn(), ${val.domain_name.string.data}));
|
||||
|
||||
if ( ${val}->has_user_name() > 0 )
|
||||
result->Assign(2, utf16_bytestring_to_utf8_val(${val.user_name.string.data}));
|
||||
result->Assign(2, utf16_bytestring_to_utf8_val(bro_analyzer()->Conn(), ${val.user_name.string.data}));
|
||||
|
||||
if ( ${val}->has_workstation() > 0 )
|
||||
result->Assign(3, utf16_bytestring_to_utf8_val(${val.workstation.string.data}));
|
||||
result->Assign(3, utf16_bytestring_to_utf8_val(bro_analyzer()->Conn(), ${val.workstation.string.data}));
|
||||
|
||||
if ( ${val}->has_version() )
|
||||
result->Assign(4, build_version_record(${val.version}));
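Review bot: Every call site in this section, and the three in the RDP_Flow section, re-evaluates `bro_analyzer()->Conn()` inline, which repeats the same lookup up to six times inside one switch and pushes the per-field lines well past a readable width. A single local at the top of each handler, `Connection* conn = bro_analyzer()->Conn();` (for RDP, `Connection* conn = connection()->bro_analyzer()->Conn();`, which the existing `BifEvent::generate_rdp_client_core_data` call at the end of that hunk could reuse as well), would keep the assignment lines short and make the connection dependency visible in one place. The enclosing handlers in both sections begin and end outside the hunks shown.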
|
||||
|
|
|
@ -80,18 +80,18 @@ refine flow RDP_Flow += {
|
|||
ccd->Assign(5, new Val(${ccore.sas_sequence}, TYPE_COUNT));
|
||||
ccd->Assign(6, new Val(${ccore.keyboard_layout}, TYPE_COUNT));
|
||||
ccd->Assign(7, new Val(${ccore.client_build}, TYPE_COUNT));
|
||||
ccd->Assign(8, utf16_bytestring_to_utf8_val(${ccore.client_name}));
|
||||
ccd->Assign(8, utf16_bytestring_to_utf8_val(connection()->bro_analyzer()->Conn(), ${ccore.client_name}));
|
||||
ccd->Assign(9, new Val(${ccore.keyboard_type}, TYPE_COUNT));
|
||||
ccd->Assign(10, new Val(${ccore.keyboard_sub}, TYPE_COUNT));
|
||||
ccd->Assign(11, new Val(${ccore.keyboard_function_key}, TYPE_COUNT));
|
||||
ccd->Assign(12, utf16_bytestring_to_utf8_val(${ccore.ime_file_name}));
|
||||
ccd->Assign(12, utf16_bytestring_to_utf8_val(connection()->bro_analyzer()->Conn(), ${ccore.ime_file_name}));
|
||||
ccd->Assign(13, new Val(${ccore.post_beta2_color_depth}, TYPE_COUNT));
|
||||
ccd->Assign(14, new Val(${ccore.client_product_id}, TYPE_COUNT));
|
||||
ccd->Assign(15, new Val(${ccore.serial_number}, TYPE_COUNT));
|
||||
ccd->Assign(16, new Val(${ccore.high_color_depth}, TYPE_COUNT));
|
||||
ccd->Assign(17, new Val(${ccore.supported_color_depths}, TYPE_COUNT));
|
||||
ccd->Assign(18, ec_flags);
|
||||
ccd->Assign(19, utf16_bytestring_to_utf8_val(${ccore.dig_product_id}));
|
||||
ccd->Assign(19, utf16_bytestring_to_utf8_val(connection()->bro_analyzer()->Conn(), ${ccore.dig_product_id}));
|
||||
|
||||
BifEvent::generate_rdp_client_core_data(connection()->bro_analyzer(),
|
||||
connection()->bro_analyzer()->Conn(),
|
||||
|
|
|
@ -1,48 +1,3 @@
|
|||
function uint8s_to_stringval(data: uint8[]): StringVal
|
||||
%{
|
||||
int length = data->size();
|
||||
uint8 buf[length];
|
||||
|
||||
for ( int i = 0; i < length; ++i)
|
||||
buf[i] = (*data)[i];
|
||||
|
||||
const bytestring bs = bytestring(buf, length);
|
||||
return utf16_bytestring_to_utf8_val(bs);
|
||||
%}
|
||||
|
||||
function extract_string(s: SMB_string) : StringVal
|
||||
%{
|
||||
if ( s->unicode() == false )
|
||||
{
|
||||
int length = s->a()->size();
|
||||
char buf[length];
|
||||
|
||||
for ( int i = 0; i < length; i++)
|
||||
{
|
||||
unsigned char t = (*(s->a()))[i];
|
||||
buf[i] = t;
|
||||
}
|
||||
|
||||
if ( length > 0 && buf[length-1] == 0x00 )
|
||||
length--;
|
||||
|
||||
return new StringVal(length, buf);
|
||||
}
|
||||
else
|
||||
{
|
||||
return uint8s_to_stringval(s->u()->s());
|
||||
}
|
||||
%}
|
||||
|
||||
function smb_string2stringval(s: SMB_string) : StringVal
|
||||
%{
|
||||
return extract_string(s);
|
||||
%}
|
||||
|
||||
function smb2_string2stringval(s: SMB2_string) : StringVal
|
||||
%{
|
||||
return uint8s_to_stringval(s->s());
|
||||
%}
|
||||
|
||||
refine connection SMB_Conn += {
|
||||
%member{
|
||||
|
@ -68,6 +23,52 @@ refine connection SMB_Conn += {
|
|||
else
|
||||
return 0xFF;
|
||||
%}
|
||||
|
||||
function uint8s_to_stringval(data: uint8[]): StringVal
|
||||
%{
|
||||
int length = data->size();
|
||||
uint8 buf[length];
|
||||
|
||||
for ( int i = 0; i < length; ++i)
|
||||
buf[i] = (*data)[i];
|
||||
|
||||
const bytestring bs = bytestring(buf, length);
|
||||
return utf16_bytestring_to_utf8_val(bro_analyzer()->Conn(), bs);
|
||||
%}
|
||||
|
||||
function extract_string(s: SMB_string) : StringVal
|
||||
%{
|
||||
if ( s->unicode() == false )
|
||||
{
|
||||
int length = s->a()->size();
|
||||
char buf[length];
|
||||
|
||||
for ( int i = 0; i < length; i++)
|
||||
{
|
||||
unsigned char t = (*(s->a()))[i];
|
||||
buf[i] = t;
|
||||
}
|
||||
|
||||
if ( length > 0 && buf[length-1] == 0x00 )
|
||||
length--;
|
||||
|
||||
return new StringVal(length, buf);
|
||||
}
|
||||
else
|
||||
{
|
||||
return uint8s_to_stringval(s->u()->s());
|
||||
}
|
||||
%}
|
||||
|
||||
function smb_string2stringval(s: SMB_string) : StringVal
|
||||
%{
|
||||
return extract_string(s);
|
||||
%}
|
||||
|
||||
function smb2_string2stringval(s: SMB2_string) : StringVal
|
||||
%{
|
||||
return uint8s_to_stringval(s->s());
|
||||
%}
|
||||
};
|
||||
|
||||
type SMB_ascii_string = uint8[] &until($element == 0x00);
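Review bot: `uint8 buf[length];` in `uint8s_to_stringval` (and `char buf[length];` in `extract_string`) is a variable-length array sized directly from `data->size()`, i.e. from the length of a field taken off the wire; a peer that sends a very long string can exhaust the parser's stack, and VLAs are not standard C++ in the first place. Moving these functions into `refine connection SMB_Conn` is a good moment to give them heap storage: `std::vector<uint8> buf(data->begin(), data->end());` followed by `const bytestring bs = bytestring(buf.data(), length);` also removes the copy loop, and `extract_string` can build its `StringVal` from a `std::string` filled the same way (`<vector>` is already required by the `uint8[]` parameter type). `int length = data->size();` additionally narrows a `size_t`; an unsigned local would match the loop bound. The function that the `else return 0xFF;` at the top of the second hunk belongs to starts outside the hunk.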
|
||||
|
|
|
@ -11,7 +11,7 @@ function network_time(): double
|
|||
return ::network_time;
|
||||
%}
|
||||
|
||||
function utf16_bytestring_to_utf8_val(utf16: bytestring): StringVal
|
||||
function utf16_bytestring_to_utf8_val(conn: Connection, utf16: bytestring): StringVal
|
||||
%{
|
||||
std::string resultstring;
|
||||
|
||||
|
@ -46,7 +46,7 @@ function utf16_bytestring_to_utf8_val(utf16: bytestring): StringVal
|
|||
lenientConversion);
|
||||
if ( res != conversionOK )
|
||||
{
|
||||
reporter->Info("utf16 conversion failed in utf16_bytestring_to_utf8_val");
|
||||
reporter->Weird(conn, "utf16_conversion_failed", "utf16 conversion failed in utf16_bytestring_to_utf8_val");
|
||||
// If the conversion didn't go well, return the original data.
|
||||
return bytestring_to_val(utf16);
|
||||
}
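Review bot: The new `reporter->Weird(conn, ...)` call presumably dereferences `conn` unconditionally, so any caller of this shared helper that has no connection in hand and passes a null `Connection*` would now crash on a malformed string where the old `reporter->Info` simply logged; nothing in the hunk guards against that. A guard that falls back to the connection-less overload, `if ( conn ) reporter->Weird(conn, "utf16_conversion_failed", addl); else reporter->Weird("utf16_conversion_failed", addl);`, keeps the helper safe from every context. The third argument currently restates the weird name in prose; carrying the input length instead would let an analyst tell a truncated field from a genuinely malformed one. The rest of the function, including the conversion that produces `res`, lies outside the hunk.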
|
||||
|
|
|
@ -8,4 +8,4 @@ extern type BroPortVal;
|
|||
extern type BroStringVal;
|
||||
|
||||
function network_time(): double;
|
||||
function utf16_bytestring_to_utf8_val(utf16: bytestring): StringVal;
|
||||
function utf16_bytestring_to_utf8_val(conn: Connection, utf16: bytestring): StringVal;
|
||||
|