diff --git a/scripts/base/protocols/dce-rpc/consts.bro b/scripts/base/protocols/dce-rpc/consts.bro
index c38323a978..39e126f75b 100644
--- a/scripts/base/protocols/dce-rpc/consts.bro
+++ b/scripts/base/protocols/dce-rpc/consts.bro
@@ -55,9 +55,7 @@ export {
 ["423ec01e-2e35-11d2-b604-00104b703efd"] = "IWbemWCOSmartEnum interface",
 ["1c1c45ee-4395-11d2-b60b-00104b703efd"] = "IWbemFetchSmartEnum interface",
 ["541679AB-2E5F-11d3-B34E-00104BCC4B4A"] = "IWbemLoginHelper interface",
- # KMS?
 ["51c82175-844e-4750-b0d8-ec255555bc06"] = "KMS",
-
 ["50abc2a4-574d-40b3-9d66-ee4fd5fba076"] = "dnsserver",
 ["3faf4738-3a21-4307-b46c-fdda9bb8c0d5"] = "AudioSrv",
 ["c386ca3e-9061-4a72-821e-498d83be188f"] = "AudioRpc",
diff --git a/src/analyzer/protocol/dce-rpc/CMakeLists.txt b/src/analyzer/protocol/dce-rpc/CMakeLists.txt
index bfe2b8d11c..a206c3db13 100644
--- a/src/analyzer/protocol/dce-rpc/CMakeLists.txt
+++ b/src/analyzer/protocol/dce-rpc/CMakeLists.txt
@@ -6,6 +6,11 @@ include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DI
 bro_plugin_begin(Bro DCE_RPC)
 bro_plugin_cc(DCE_RPC.cc Plugin.cc)
 bro_plugin_bif(types.bif events.bif)
-bro_plugin_pac(dce_rpc.pac dce_rpc-protocol.pac dce_rpc-analyzer.pac epmapper.pac)
+bro_plugin_pac(
+ dce_rpc.pac
+ dce_rpc-protocol.pac
+ dce_rpc-analyzer.pac
+ endpoint-epmapper.pac
+ endpoint-atsvc.pac)
 bro_plugin_end()
diff --git a/src/analyzer/protocol/dce-rpc/endpoint-atsvc.pac b/src/analyzer/protocol/dce-rpc/endpoint-atsvc.pac
new file mode 100644
index 0000000000..aa894ff649
--- /dev/null
+++ b/src/analyzer/protocol/dce-rpc/endpoint-atsvc.pac
@@ -0,0 +1,38 @@
+type ATSVC_Request(unicode: bool, opnum: uint8) = record {
+ empty: padding[1];
+ op: case opnum of {
+ 0 -> add : ATSVC_NetrJobAdd(unicode);
+ default -> unknown : bytestring &restofdata;
+ };
+};
+
+type ATSVC_String_Pointer(unicode: bool) = record {
+ referent_id : uint32;
+ max_count : uint32;
+ offset : uint32;
+ actual_count : uint32;
+ string : SMB_string(unicode, offsetof(string));
+};
+
+type ATSVC_NetrJobAdd(unicode: bool) = record {
+ server : ATSVC_String_Pointer(unicode);
+ unknown : padding[2];
+ job_time : uint32;
+ days_of_month : uint32;
+ days_of_week : uint8;
+ flags : uint8;
+ unknown2 : padding[2];
+ command : ATSVC_String_Pointer(unicode);
+};
+
+type ATSVC_Reply(unicode: bool, opnum: uint16) = record {
+ op: case opnum of {
+ 0 -> add: ATSVC_JobID(unicode);
+ default -> unknown: bytestring &restofdata;
+ };
+};
+
+type ATSVC_JobID(unicode: bool) = record {
+ id : uint32;
+ status : uint32;
+};
diff --git a/src/analyzer/protocol/dce-rpc/epmapper.pac b/src/analyzer/protocol/dce-rpc/endpoint-epmapper.pac
similarity index 100%
rename from src/analyzer/protocol/dce-rpc/epmapper.pac
rename to src/analyzer/protocol/dce-rpc/endpoint-epmapper.pac
diff --git a/src/analyzer/protocol/smb/CMakeLists.txt b/src/analyzer/protocol/smb/CMakeLists.txt
index 305e1191f6..b95a77f924 100644
--- a/src/analyzer/protocol/smb/CMakeLists.txt
+++ b/src/analyzer/protocol/smb/CMakeLists.txt
@@ -29,6 +29,8 @@ bro_plugin_bif(
 smb2_com_close.bif
 smb2_com_create.bif
+ smb2_com_ioctl.bif
+ smb2_com_lock.bif
 smb2_com_negotiate.bif
 smb2_com_read.bif
 smb2_com_session_setup.bif
@@ -72,6 +74,8 @@ bro_plugin_pac(
 smb2-protocol.pac
 smb2-com-close.pac
 smb2-com-create.pac
+ smb2-com-ioctl.pac
+ smb2-com-lock.pac
 smb2-com-negotiate.pac
 smb2-com-read.pac
 smb2-com-session-setup.pac
diff --git a/src/analyzer/protocol/smb/smb.pac b/src/analyzer/protocol/smb/smb.pac
index 5cf79562a1..76fecc8679 100644
--- a/src/analyzer/protocol/smb/smb.pac
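Review bot: ATSVC_Request takes `opnum: uint8` while ATSVC_Reply takes `opnum: uint16`; the DCE-RPC request header carries a 16-bit opnum, so if the caller (outside this hunk) passes that value through unchanged, the request side narrows it and an opnum such as 256 would be dispatched to ATSVC_NetrJobAdd by `case opnum of { 0 -> add ... }` — the two signatures should agree: `type ATSVC_Request(unicode: bool, opnum: uint16) = record {`. The fields `empty: padding[1]`, `unknown: padding[2]` and `unknown2: padding[2]` carry no explanation and the file has no header comment; a one-line comment per gap naming the wire structure it was derived from, or marking it as observed-but-unconfirmed, would help whoever adds the next opnum. ATSVC_String_Pointer reads `max_count`, `offset` and `actual_count` but hands only `offsetof(string)` to SMB_string, so presumably the string length is decided inside SMB_string rather than by `actual_count`; a comment stating that these counts are parsed only to skip them would save the reader from assuming they bound the string.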
+++ b/src/analyzer/protocol/smb/smb.pac
@@ -33,6 +33,8 @@
 #include "smb2_com_close.bif.h"
 #include "smb2_com_create.bif.h"
+#include "smb2_com_ioctl.bif.h"
+#include "smb2_com_lock.bif.h"
 #include "smb2_com_negotiate.bif.h"
 #include "smb2_com_read.bif.h"
 #include "smb2_com_session_setup.bif.h"
@@ -86,6 +88,8 @@ connection SMB_Conn(bro_analyzer: BroAnalyzer) {
 # SMB2 Commands
 %include smb2-com-close.pac
 %include smb2-com-create.pac
+%include smb2-com-ioctl.pac
+%include smb2-com-lock.pac
 %include smb2-com-negotiate.pac
 %include smb2-com-read.pac
 %include smb2-com-session-setup.pac
diff --git a/src/analyzer/protocol/smb/smb2-com-ioctl.pac b/src/analyzer/protocol/smb/smb2-com-ioctl.pac
new file mode 100644
index 0000000000..59caf02ac2
--- /dev/null
+++ b/src/analyzer/protocol/smb/smb2-com-ioctl.pac
@@ -0,0 +1,45 @@
+refine connection SMB_Conn += {
+
+};
+
+type SMB2_ioctl_request(header: SMB2_Header) = record {
+ structure_size : uint16;
+ reserved : uint16;
+ ctl_code : uint32;
+ file_id : SMB2_guid;
+ input_offset : uint32;
+ input_count : uint32;
+ max_input_resp : uint32;
+ output_offset : uint32;
+ output_count : uint32;
+ max_output_resp : uint32;
+ flags : uint32;
+ reserved2 : uint32;
+ pad1 : bytestring &transient &length=((input_offset == 0) ? 0 : (offsetof(pad1) + header.head_length - input_offset));
+ input_buffer : bytestring &length=input_count;
+ pad2 : bytestring &transient &length=((output_offset == 0 || output_offset == input_offset) ? 0 : (offsetof(pad2) + header.head_length - output_offset));
+ output_buffer : bytestring &length=output_count;
+} &let {
+ is_pipe: bool = ((ctl_code >> 16) == 0x11);
+ pipe_proc : bool = $context.connection.forward_dce_rpc(input_buffer, true) &if(is_pipe);
+};
+
+type SMB2_ioctl_response(header: SMB2_Header) = record {
+ structure_size : uint16;
+ reserved : uint16;
+ ctl_code : uint32;
+ file_id : SMB2_guid;
+ input_offset : uint32;
+ input_count : uint32;
+ output_offset : uint32;
+ output_count : uint32;
+ flags : uint32;
+ reserved2 : uint32;
+ pad1 : bytestring &transient &length=((input_offset == 0) ? 0 : (offsetof(pad1) + header.head_length - input_offset));
+ input_buffer : bytestring &length=input_count;
+ pad2 : bytestring &transient &length=((output_offset == 0 || output_offset == input_offset) ? 0 : (offsetof(pad2) + header.head_length - output_offset));
+ output_buffer : bytestring &length=output_count;
+} &let {
+ is_pipe: bool = ((ctl_code >> 16) == 0x11);
+ pipe_proc : bool = $context.connection.forward_dce_rpc(output_buffer, false) &if(is_pipe);
+};
\ No newline at end of file
diff --git a/src/analyzer/protocol/smb/smb2-com-lock.pac b/src/analyzer/protocol/smb/smb2-com-lock.pac
new file mode 100644
index 0000000000..69482e7900
--- /dev/null
+++ b/src/analyzer/protocol/smb/smb2-com-lock.pac
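Review bot: The `pad1` length in SMB2_ioctl_request, `offsetof(pad1) + header.head_length - input_offset`, looks reversed: assuming head_length is the SMB2 header size and offsetof is relative to this record, the fixed fields end at `offsetof(pad1) + header.head_length` from the header start and the padding up to the wire-supplied input_offset is `input_offset - (offsetof(pad1) + header.head_length)`; as written the result is 0 for the usual layout, negative whenever a peer places the buffer further out, and an input_offset that points inside the fixed fields is never rejected. The same expression is repeated for `pad2` and for both pads of SMB2_ioctl_response, so all four should change together, e.g. `&length=((input_offset == 0 || input_offset < offsetof(pad1) + header.head_length) ? 0 : (input_offset - (offsetof(pad1) + header.head_length)))` with the matching condition on output_offset for pad2. The `0x11` in `is_pipe` needs a comment, `# device type (high 16 bits of ctl_code) 0x11 = FILE_DEVICE_NAMED_PIPE`, and because it accepts every named-pipe FSCTL rather than only FSCTL_PIPE_TRANSCEIVE, the buffers of other pipe controls are handed to forward_dce_rpc too — worth confirming that is intended or comparing the full code instead. The `refine connection SMB_Conn += { };` block at the top is empty and the file ends without a trailing newline.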
@@ -0,0 +1,23 @@
+refine connection SMB_Conn += {
+
+};
+
+type SMB2_lock = record {
+ offset : uint64;
+ len : uint64;
+ flags : uint32;
+};
+
+type SMB2_lock_request(header: SMB2_Header) = record {
+ structure_size : uint16;
+ lock_count : uint16;
+ lock_seq : uint32;
+ file_id : SMB2_guid;
+ locks : SMB2_lock[lock_count];
+};
+
+type SMB2_lock_response(header: SMB2_Header) = record {
+ structure_size : uint16;
+ reserved : uint16; # ignore
+};
+
diff --git a/src/analyzer/protocol/smb/smb2-protocol.pac b/src/analyzer/protocol/smb/smb2-protocol.pac
index feecb328e5..d9386a8e86 100644
--- a/src/analyzer/protocol/smb/smb2-protocol.pac
+++ b/src/analyzer/protocol/smb/smb2-protocol.pac
@@ -216,11 +216,6 @@ type SMB2_guid = record {
 _volatile : uint64;
 };
-type SMB2_lock = record {
- offset : uint64;
- len : uint64;
- flags : uint32;
-};
 type SMB2_File_Notify_Information = record {
 next_entry_offset : uint32;
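Review bot: SMB2_lock is 20 bytes (offset, len, flags) but the SMB2_LOCK_ELEMENT on the wire is 24 bytes — Offset, Length, Flags and a 4-byte Reserved field — so with lock_count greater than one every element after the first in `locks : SMB2_lock[lock_count]` is read 4 bytes early; add `reserved : uint32;` after `flags` (this also matches the request's StructureSize of 48: 24 fixed bytes plus one 24-byte element). The `refine connection SMB_Conn += { };` block is empty and smb2_com_lock.bif is added as an empty file, so nothing parsed here is surfaced; a short header comment saying these types only advance the stream for now, or dropping the empty refine block until events exist, would make that explicit. The `# ignore` on `reserved` in SMB2_lock_response would read better as `# reserved; not used`.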
@@ -280,61 +275,6 @@ type SMB2_flush_response(header: SMB2_Header) = record {
 reserved1 : uint16;
 };
-type SMB2_lock_request(header: SMB2_Header) = record {
- structure_size : uint16;
- lock_count : uint16;
- lock_seq : uint32;
- file_id : SMB2_guid;
- locks : SMB2_lock[lock_count];
-};
-
-type SMB2_lock_response(header: SMB2_Header) = record {
- structure_size : uint16;
- reserved : uint16; # ignore
-};
-
-type SMB2_ioctl_request(header: SMB2_Header) = record {
- structure_size : uint16;
- reserved : uint16;
- ctl_code : uint32;
- file_id : SMB2_guid;
- input_offset : uint32;
- input_count : uint32;
- max_input_resp : uint32;
- output_offset : uint32;
- output_count : uint32;
- max_output_resp : uint32;
- flags : uint32;
- reserved2 : uint32;
- pad1 : bytestring &transient &length=((input_offset == 0) ? 0 : (offsetof(pad1) + header.head_length - input_offset));
- input_buffer : bytestring &length=input_count;
- pad2 : bytestring &transient &length=((output_offset == 0 || output_offset == input_offset) ? 0 : (offsetof(pad2) + header.head_length - output_offset));
- output_buffer : bytestring &length=output_count;
-} &let {
- is_pipe: bool = ((ctl_code >> 16) == 0x11);
- pipe_proc : bool = $context.connection.forward_dce_rpc(input_buffer, true) &if(is_pipe);
-};
-
-type SMB2_ioctl_response(header: SMB2_Header) = record {
- structure_size : uint16;
- reserved : uint16;
- ctl_code : uint32;
- file_id : SMB2_guid;
- input_offset : uint32;
- input_count : uint32;
- output_offset : uint32;
- output_count : uint32;
- flags : uint32;
- reserved2 : uint32;
- pad1 : bytestring &transient &length=((input_offset == 0) ? 0 : (offsetof(pad1) + header.head_length - input_offset));
- input_buffer : bytestring &length=input_count;
- pad2 : bytestring &transient &length=((output_offset == 0 || output_offset == input_offset) ? 0 : (offsetof(pad2) + header.head_length - output_offset));
- output_buffer : bytestring &length=output_count;
-} &let {
- is_pipe: bool = ((ctl_code >> 16) == 0x11);
- pipe_proc : bool = $context.connection.forward_dce_rpc(output_buffer, false) &if(is_pipe);
-};
-
 type SMB2_cancel_request(header: SMB2_Header) = record {
 structure_size : uint16;
 reserved : uint16;
diff --git a/src/analyzer/protocol/smb/smb2_com_ioctl.bif b/src/analyzer/protocol/smb/smb2_com_ioctl.bif
new file mode 100644
index 0000000000..e69de29bb2
diff --git a/src/analyzer/protocol/smb/smb2_com_lock.bif b/src/analyzer/protocol/smb/smb2_com_lock.bif
new file mode 100644
index 0000000000..e69de29bb2