Change failure in utf16_bytestring_to_utf8_val to be a conn weird.

Whenever we saw errors in UTF16->UTF8 conversion before, we would
get a reporter message with no connection information.  Now we
get a weird attached to a connection so that debugging these
problems will hopefully be a bit easier in the future.
Seth Hall 2016-08-17 00:57:49 -04:00
parent cf548e9302
commit eebd896f63
5 changed files with 64 additions and 63 deletions


@ -32,19 +32,19 @@ refine connection NTLM_Conn += {
switch ( ${val.pairs[i].id} ) switch ( ${val.pairs[i].id} )
{ {
case 1: case 1:
result->Assign(0, utf16_bytestring_to_utf8_val(${val.pairs[i].nb_computer_name.data})); result->Assign(0, utf16_bytestring_to_utf8_val(bro_analyzer()->Conn(), ${val.pairs[i].nb_computer_name.data}));
break; break;
case 2: case 2:
result->Assign(1, utf16_bytestring_to_utf8_val(${val.pairs[i].nb_domain_name.data})); result->Assign(1, utf16_bytestring_to_utf8_val(bro_analyzer()->Conn(), ${val.pairs[i].nb_domain_name.data}));
break; break;
case 3: case 3:
result->Assign(2, utf16_bytestring_to_utf8_val(${val.pairs[i].dns_computer_name.data})); result->Assign(2, utf16_bytestring_to_utf8_val(bro_analyzer()->Conn(), ${val.pairs[i].dns_computer_name.data}));
break; break;
case 4: case 4:
result->Assign(3, utf16_bytestring_to_utf8_val(${val.pairs[i].dns_domain_name.data})); result->Assign(3, utf16_bytestring_to_utf8_val(bro_analyzer()->Conn(), ${val.pairs[i].dns_domain_name.data}));
break; break;
case 5: case 5:
result->Assign(4, utf16_bytestring_to_utf8_val(${val.pairs[i].dns_tree_name.data})); result->Assign(4, utf16_bytestring_to_utf8_val(bro_analyzer()->Conn(), ${val.pairs[i].dns_tree_name.data}));
break; break;
case 6: case 6:
result->Assign(5, new Val(${val.pairs[i].constrained_auth}, TYPE_BOOL)); result->Assign(5, new Val(${val.pairs[i].constrained_auth}, TYPE_BOOL));
@ -56,7 +56,7 @@ refine connection NTLM_Conn += {
result->Assign(7, new Val(${val.pairs[i].single_host.machine_id}, TYPE_COUNT)); result->Assign(7, new Val(${val.pairs[i].single_host.machine_id}, TYPE_COUNT));
break; break;
case 9: case 9:
result->Assign(8, utf16_bytestring_to_utf8_val(${val.pairs[i].target_name.data})); result->Assign(8, utf16_bytestring_to_utf8_val(bro_analyzer()->Conn(), ${val.pairs[i].target_name.data}));
break; break;
} }
} }
@ -98,10 +98,10 @@ refine connection NTLM_Conn += {
result->Assign(0, build_negotiate_flag_record(${val.flags})); result->Assign(0, build_negotiate_flag_record(${val.flags}));
if ( ${val}->has_domain_name() ) if ( ${val}->has_domain_name() )
result->Assign(1, utf16_bytestring_to_utf8_val(${val.domain_name.string.data})); result->Assign(1, utf16_bytestring_to_utf8_val(bro_analyzer()->Conn(), ${val.domain_name.string.data}));
if ( ${val}->has_workstation() ) if ( ${val}->has_workstation() )
result->Assign(2, utf16_bytestring_to_utf8_val(${val.workstation.string.data})); result->Assign(2, utf16_bytestring_to_utf8_val(bro_analyzer()->Conn(), ${val.workstation.string.data}));
if ( ${val}->has_version() ) if ( ${val}->has_version() )
result->Assign(3, build_version_record(${val.version})); result->Assign(3, build_version_record(${val.version}));
@ -119,7 +119,7 @@ refine connection NTLM_Conn += {
result->Assign(0, build_negotiate_flag_record(${val.flags})); result->Assign(0, build_negotiate_flag_record(${val.flags}));
if ( ${val}->has_target_name() ) if ( ${val}->has_target_name() )
result->Assign(1, utf16_bytestring_to_utf8_val(${val.target_name.string.data})); result->Assign(1, utf16_bytestring_to_utf8_val(bro_analyzer()->Conn(), ${val.target_name.string.data}));
if ( ${val}->has_version() ) if ( ${val}->has_version() )
result->Assign(2, build_version_record(${val.version})); result->Assign(2, build_version_record(${val.version}));
@ -140,13 +140,13 @@ refine connection NTLM_Conn += {
result->Assign(0, build_negotiate_flag_record(${val.flags})); result->Assign(0, build_negotiate_flag_record(${val.flags}));
if ( ${val}->has_domain_name() > 0 ) if ( ${val}->has_domain_name() > 0 )
result->Assign(1, utf16_bytestring_to_utf8_val(${val.domain_name.string.data})); result->Assign(1, utf16_bytestring_to_utf8_val(bro_analyzer()->Conn(), ${val.domain_name.string.data}));
if ( ${val}->has_user_name() > 0 ) if ( ${val}->has_user_name() > 0 )
result->Assign(2, utf16_bytestring_to_utf8_val(${val.user_name.string.data})); result->Assign(2, utf16_bytestring_to_utf8_val(bro_analyzer()->Conn(), ${val.user_name.string.data}));
if ( ${val}->has_workstation() > 0 ) if ( ${val}->has_workstation() > 0 )
result->Assign(3, utf16_bytestring_to_utf8_val(${val.workstation.string.data})); result->Assign(3, utf16_bytestring_to_utf8_val(bro_analyzer()->Conn(), ${val.workstation.string.data}));
if ( ${val}->has_version() ) if ( ${val}->has_version() )
result->Assign(4, build_version_record(${val.version})); result->Assign(4, build_version_record(${val.version}));
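Review bot: Every changed line in these hunks re-evaluates `bro_analyzer()->Conn()` inline, seven times in the case-1..9 switch alone, and the RDP section does the same with `connection()->bro_analyzer()->Conn()` three more times; hoisting it into a local at the top of each function, `Connection* conn = bro_analyzer()->Conn();`, keeps the Assign lines readable and makes it obvious which connection the weird will be attached to. The enclosing functions begin and end outside these hunks, so the local would go at their start rather than inside the shown lines.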


@ -80,18 +80,18 @@ refine flow RDP_Flow += {
ccd->Assign(5, new Val(${ccore.sas_sequence}, TYPE_COUNT)); ccd->Assign(5, new Val(${ccore.sas_sequence}, TYPE_COUNT));
ccd->Assign(6, new Val(${ccore.keyboard_layout}, TYPE_COUNT)); ccd->Assign(6, new Val(${ccore.keyboard_layout}, TYPE_COUNT));
ccd->Assign(7, new Val(${ccore.client_build}, TYPE_COUNT)); ccd->Assign(7, new Val(${ccore.client_build}, TYPE_COUNT));
ccd->Assign(8, utf16_bytestring_to_utf8_val(${ccore.client_name})); ccd->Assign(8, utf16_bytestring_to_utf8_val(connection()->bro_analyzer()->Conn(), ${ccore.client_name}));
ccd->Assign(9, new Val(${ccore.keyboard_type}, TYPE_COUNT)); ccd->Assign(9, new Val(${ccore.keyboard_type}, TYPE_COUNT));
ccd->Assign(10, new Val(${ccore.keyboard_sub}, TYPE_COUNT)); ccd->Assign(10, new Val(${ccore.keyboard_sub}, TYPE_COUNT));
ccd->Assign(11, new Val(${ccore.keyboard_function_key}, TYPE_COUNT)); ccd->Assign(11, new Val(${ccore.keyboard_function_key}, TYPE_COUNT));
ccd->Assign(12, utf16_bytestring_to_utf8_val(${ccore.ime_file_name})); ccd->Assign(12, utf16_bytestring_to_utf8_val(connection()->bro_analyzer()->Conn(), ${ccore.ime_file_name}));
ccd->Assign(13, new Val(${ccore.post_beta2_color_depth}, TYPE_COUNT)); ccd->Assign(13, new Val(${ccore.post_beta2_color_depth}, TYPE_COUNT));
ccd->Assign(14, new Val(${ccore.client_product_id}, TYPE_COUNT)); ccd->Assign(14, new Val(${ccore.client_product_id}, TYPE_COUNT));
ccd->Assign(15, new Val(${ccore.serial_number}, TYPE_COUNT)); ccd->Assign(15, new Val(${ccore.serial_number}, TYPE_COUNT));
ccd->Assign(16, new Val(${ccore.high_color_depth}, TYPE_COUNT)); ccd->Assign(16, new Val(${ccore.high_color_depth}, TYPE_COUNT));
ccd->Assign(17, new Val(${ccore.supported_color_depths}, TYPE_COUNT)); ccd->Assign(17, new Val(${ccore.supported_color_depths}, TYPE_COUNT));
ccd->Assign(18, ec_flags); ccd->Assign(18, ec_flags);
ccd->Assign(19, utf16_bytestring_to_utf8_val(${ccore.dig_product_id})); ccd->Assign(19, utf16_bytestring_to_utf8_val(connection()->bro_analyzer()->Conn(), ${ccore.dig_product_id}));
BifEvent::generate_rdp_client_core_data(connection()->bro_analyzer(), BifEvent::generate_rdp_client_core_data(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(), connection()->bro_analyzer()->Conn(),


@ -1,48 +1,3 @@
function uint8s_to_stringval(data: uint8[]): StringVal
%{
int length = data->size();
uint8 buf[length];
for ( int i = 0; i < length; ++i)
buf[i] = (*data)[i];
const bytestring bs = bytestring(buf, length);
return utf16_bytestring_to_utf8_val(bs);
%}
function extract_string(s: SMB_string) : StringVal
%{
if ( s->unicode() == false )
{
int length = s->a()->size();
char buf[length];
for ( int i = 0; i < length; i++)
{
unsigned char t = (*(s->a()))[i];
buf[i] = t;
}
if ( length > 0 && buf[length-1] == 0x00 )
length--;
return new StringVal(length, buf);
}
else
{
return uint8s_to_stringval(s->u()->s());
}
%}
function smb_string2stringval(s: SMB_string) : StringVal
%{
return extract_string(s);
%}
function smb2_string2stringval(s: SMB2_string) : StringVal
%{
return uint8s_to_stringval(s->s());
%}
refine connection SMB_Conn += { refine connection SMB_Conn += {
%member{ %member{
@ -68,6 +23,52 @@ refine connection SMB_Conn += {
else else
return 0xFF; return 0xFF;
%} %}
function uint8s_to_stringval(data: uint8[]): StringVal
%{
int length = data->size();
uint8 buf[length];
for ( int i = 0; i < length; ++i)
buf[i] = (*data)[i];
const bytestring bs = bytestring(buf, length);
return utf16_bytestring_to_utf8_val(bro_analyzer()->Conn(), bs);
%}
function extract_string(s: SMB_string) : StringVal
%{
if ( s->unicode() == false )
{
int length = s->a()->size();
char buf[length];
for ( int i = 0; i < length; i++)
{
unsigned char t = (*(s->a()))[i];
buf[i] = t;
}
if ( length > 0 && buf[length-1] == 0x00 )
length--;
return new StringVal(length, buf);
}
else
{
return uint8s_to_stringval(s->u()->s());
}
%}
function smb_string2stringval(s: SMB_string) : StringVal
%{
return extract_string(s);
%}
function smb2_string2stringval(s: SMB2_string) : StringVal
%{
return uint8s_to_stringval(s->s());
%}
}; };
type SMB_ascii_string = uint8[] &until($element == 0x00); type SMB_ascii_string = uint8[] &until($element == 0x00);
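Review bot: `uint8s_to_stringval`, now relocated inside SMB_Conn, still copies the parsed array into a stack VLA `uint8 buf[length]` whose size comes straight from the wire, and `extract_string` does the same with `char buf[length]`; a VLA is a compiler extension in C++, and a very large or zero `length` from the packet is absorbed by the stack rather than checked. Since the functions are being moved anyway, this is a good moment to switch to a heap container, e.g. `std::vector<uint8> buf(data->begin(), data->end());` followed by `const bytestring bs = bytestring(buf.data(), length);` (assuming `data` is the std::vector that binpac generates for `uint8[]`). The ASCII branch of `extract_string` can be treated the same way. The moved bodies are otherwise unchanged apart from the new `bro_analyzer()->Conn()` argument.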


@ -11,7 +11,7 @@ function network_time(): double
return ::network_time; return ::network_time;
%} %}
function utf16_bytestring_to_utf8_val(utf16: bytestring): StringVal function utf16_bytestring_to_utf8_val(conn: Connection, utf16: bytestring): StringVal
%{ %{
std::string resultstring; std::string resultstring;
@ -46,7 +46,7 @@ function utf16_bytestring_to_utf8_val(utf16: bytestring): StringVal
lenientConversion); lenientConversion);
if ( res != conversionOK ) if ( res != conversionOK )
{ {
reporter->Info("utf16 conversion failed in utf16_bytestring_to_utf8_val"); reporter->Weird(conn, "utf16_conversion_failed", "utf16 conversion failed in utf16_bytestring_to_utf8_val");
// If the conversion didn't go well, return the original data. // If the conversion didn't go well, return the original data.
return bytestring_to_val(utf16); return bytestring_to_val(utf16);
} }
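Review bot: The new weird discards the one diagnostic the conversion library returns: `res`, the ConversionResult tested on the line above, is not included, and the `addl` text only repeats the function name, which the weird name `utf16_conversion_failed` already conveys. Passing the result code and input size, e.g. `reporter->Weird(conn, "utf16_conversion_failed", fmt("conversion result %d, %d input bytes", (int) res, utf16.length()));`, would serve the debugging goal stated in the commit message much better. Note also that the fallback on the next lines still returns the unconverted UTF-16 bytes as the StringVal, so this weird is the only signal that a caller's log field now holds raw wire bytes. The function's body starts and ends outside the hunk.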


@ -8,4 +8,4 @@ extern type BroPortVal;
extern type BroStringVal; extern type BroStringVal;
function network_time(): double; function network_time(): double;
function utf16_bytestring_to_utf8_val(utf16: bytestring): StringVal; function utf16_bytestring_to_utf8_val(conn: Connection, utf16: bytestring): StringVal;
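Review bot: The declaration gains a `conn` parameter but carries no comment saying what it is used for or what the function does when conversion fails, so a reader has to open the .pac body to find out. A short comment above the declaration would cover it: `# Converts a UTF-16 bytestring to a UTF-8 StringVal. If conversion fails, a weird named "utf16_conversion_failed" is raised on conn and the input bytes are returned unconverted.`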