From 2cc9152fc937ca1b72438636e949c9248dd1c02b Mon Sep 17 00:00:00 2001
From: Eric Leblond
Date: Tue, 28 Jun 2022 15:52:04 +0200
Subject: [PATCH] rust/smb: log uuid of interface in dcerpc

When doing a DCERPC request, we can use the context id to log the interface that is used. Doing that we can see in one single event what is the DCERPC interface and opnum that are used. This allows to have all the information needed to resolve the request to a function call.

Feature #5413.
---
 etc/schema.json | 13 +++++++++++++
 rust/src/smb/log.rs | 16 ++++++++++++++++
 2 files changed, 29 insertions(+)

diff --git a/etc/schema.json b/etc/schema.json
index 4fad4fc0dc..3bd70f8cea 100644
--- a/etc/schema.json
+++ b/etc/schema.json
@@ -3296,6 +3296,19 @@
 "response": {
 "type": "string"
 },
+ "interface": {
+ "type": "object",
+ "optional": true,
+ "properties": {
+ "uuid": {
+ "type": "string"
+ },
+ "version": {
+ "type": "string"
+ }
+ },
+ "additionalProperties": false
+ },
 "interfaces": {
 "type": "array",
 "items": {
diff --git a/rust/src/smb/log.rs b/rust/src/smb/log.rs
index d5d8aedecc..500a07c660 100644
--- a/rust/src/smb/log.rs
+++ b/rust/src/smb/log.rs
@@ -336,6 +336,22 @@ fn smb_common_header(jsb: &mut JsonBuilder, state: &SMBState, tx: &SMBTransactio
 jsb.set_uint("frag_cnt", x.frag_cnt_ts as u64)?;
 jsb.set_uint("stub_data_size", x.stub_data_ts.len() as u64)?;
 jsb.close()?;
+ match state.dcerpc_ifaces {
+ Some(ref ifaces) => {
+ for i in ifaces {
+ if i.context_id == x.context_id {
+ jsb.open_object("interface")?;
+ let ifstr = uuid::Uuid::from_slice(&i.uuid);
+ let ifstr = ifstr.map(|ifstr| ifstr.to_hyphenated().to_string()).unwrap();
+ jsb.set_string("uuid", &ifstr)?;
+ let vstr = format!("{}.{}", i.ver, i.ver_min);
+ jsb.set_string("version", &vstr)?;
+ jsb.close()?;
+ }
+ }
+ },
+ _ => {},
+ }
 },
 DCERPC_TYPE_BIND => {
 match state.dcerpc_ifaces {
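Review bot: The `.unwrap()` on the result of `uuid::Uuid::from_slice(&i.uuid)` in the new `interface` block turns any interface record whose uuid buffer is not exactly 16 bytes into a panic inside the EVE logger, i.e. an attacker-reachable crash of the output path rather than a malformed log field; if the bind parser already guarantees a 16-byte uuid this cannot fire today, but the log path should not depend on that invariant being preserved elsewhere. A non-panicking form keeps the rest of the object intact: `if let Ok(u) = uuid::Uuid::from_slice(&i.uuid) {` / `    jsb.set_string("uuid", &u.to_hyphenated().to_string())?;` / `}`. Separately, the `for i in ifaces` loop does not `break` after the first `context_id` match, so if the bind carried duplicate context ids the same `interface` key would be emitted more than once in one object; adding `break;` after `jsb.close()?;` makes the output well-formed regardless of what was negotiated. The enclosing function `smb_common_header` starts and ends outside the hunk.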