aiden
/
suricata
mirror of https://github.com/OISF/suricata
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

rust/smb: log uuid of interface in dcerpc

Browse Source 
When doing a DCERPC request, we can use the context id to log the
interface that is used. Doing that we can see in one single event
what is the DCERPC interface and opnum that are used. This allows
to have all the information needed to resolve the request to a
function call.

Feature #5413.
pull/7767/head
Eric Leblond 3 years ago committed by Victor Julien
parent b6f1cf255c
commit 2cc9152fc9
2 changed files with 29 additions and 0 deletions
Show Stats Download Patch File Download Diff File

13
etc/schema.json
Unescape Escape View File

@ -3296,6 +3296,19 @@
"response": {
"type": "string"
},
"interface": {
"type": "object",
"optional": true,
"properties": {
"uuid": {
"type": "string"
},
"version": {
"type": "string"
}
},
"additionalProperties": false
},
"interfaces": {
"type": "array",
"items": {

16
rust/src/smb/log.rs
Unescape Escape View File

@ -336,6 +336,22 @@ fn smb_common_header(jsb: &mut JsonBuilder, state: &SMBState, tx: &SMBTransactio
jsb.set_uint("frag_cnt", x.frag_cnt_ts as u64)?;
jsb.set_uint("stub_data_size", x.stub_data_ts.len() as u64)?;
jsb.close()?;
match state.dcerpc_ifaces {
Some(ref ifaces) => {
for i in ifaces {
if i.context_id == x.context_id {
jsb.open_object("interface")?;
let ifstr = uuid::Uuid::from_slice(&i.uuid);
let ifstr = ifstr.map(|ifstr| ifstr.to_hyphenated().to_string()).unwrap();
jsb.set_string("uuid", &ifstr)?;
let vstr = format!("{}.{}", i.ver, i.ver_min);
jsb.set_string("version", &vstr)?;
jsb.close()?;
}
}
},
_ => {},
}
},
DCERPC_TYPE_BIND => {
match state.dcerpc_ifaces {

Write Preview
Loading…
Cancel
Save